diff --git a/cyphernomicon b/cyphernomicon new file mode 100644 index 0000000..9409e25 --- /dev/null +++ b/cyphernomicon @@ -0,0 +1,22309 @@ +THE CYPHERNOMICON + +1. Introduction + +1.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +1.2. Foreword +- The Cypherpunks have existed since September, 1992. In that + time, a vast amount has been written on cryptography, key + escrow, Clipper, the Net, the Information Superhighway, cyber + terrorists, and crypto anarchy. We have found ourselves (or + _placed_ ourselves) at the center of the storm. +- This FAQ may help to fill in some gaps about what we're + about, what motivates us, and where we're going. And maybe + some useful knowledge on crypto, remailers, anonymity, + digital cash, and other interesting things. ++ The Basic Issues + + Great Divide: privacy vs. compliance with laws + + free speech and privacy, even if means some criminals + cannot be caught (a stand the U.S. Constitution was + strongly in favor of, at one time) + - a man's home is his castle...the essence of the Magna + Carta systems...rights of the individual to be secure + from random searches + + or invasive tactics to catch criminals, regulate + behavior, and control the population + - the legitimate needs to enforce laws, to respond to + situations + + this parallels the issue of self-protection vs. + protection by law and police + - as seen in the gun debate + - crypto = guns in the sense of being an individual's + preemptive protection + - past the point of no return + - Strong crypto as building material for a new age + + Transnationalism and Increased Degrees of Freedom + - governments can't hope to control movements and + communications of citizens; borders are transparent ++ Not all list members share all views + - This is not "the Official Cypherpunks FAQ." No such thing + can exist. This is the FAQ I wanted written. Views + expressed are my own, with as much input from others, as + much consensus, as I can manage. If you want a radically + different FAQ, write it yourself. If you don't like this + FAQ, don't read it. And tell your friends not to read it. + But don't bog down my mailbox, or the 500 others on the + list, with messages about how you would have worded Section + 12.4.7.2 slightly differently, or how Section 6.9.12 does + not fully reflect your views. For obvious reasons. + - All FAQs are the products of a primary author, sometimes of + a committee. For this FAQ, I am the sole author. At least + of the version you are reading now. Future versions may + have more input from others, though this makes me nervous + (I favor new authors writing their own stuff, or using + hypertext links, rather than taking my basic writing and + attaching their name to it--it is true that I include the + quotes of many folks here, but I do so by explicitly + quoting them in the chunk they wrote....it will be tough + for later authors to clearly mark what Tim May wrote + without excessively cluttering the text. The revisionist's + dilemma. + - The list has a lot of radical libertarians, some anarcho- + capitalists, and even a few socialists + - Mostly computer-related folks, as might be expected. (There + are some political scientists, classical scholars, etc. + Even a few current or ex-lawyers.) + + Do I Speak for Others? + - As I said, no. But sometimes I make claims about what + "most" list members believe, what "many" believe, or what + "some" believe. + - "Most" is my best judgment of what the majority believe, + at least the vocal majority in Cypherpunks discussions + (at the physical meetings, parties, etc.) and on the + List. "Many" means fewer, and "some" fewer still. "A few" + will mean a distinct minority. Note that this is from the + last 18 months of activity (so don't send in + clarifications now to try to "sway the vote"). + - In particular, some members may be quite uncomfortable + being described as anarchists, crypto anarchists, money + launderers, etc. ++ My comments won't please everyone + - on nearly every point ever presented, some have disagreed + - feuds, battles, flames, idee fixes + - on issues ranging from gun control to Dolphin Encrypt to + various pet theories held dearly + - Someone once made a mundane joke about pseudonyms being + like multiple personality disorder--and a flame came back + saying: "That's not funny. I am MPD and my SO is MPD. + Please stop immediately!" + - can't be helped....can't present all sides to all arguments ++ Focus of this FAQ is U.S.-centric, for various reasons + - most on list are in U.S., and I am in U.S. + - NSA and crypto community is largely centered in the U.S., + with some strong European activities + - U.S. law is likely to influence overseas law ++ We are at a fork in the road, a Great Divide + - Surveillance vs. Freedom + - nothing in the middle...either strong crypto and privacy is + strongly limited, or the things I describe here will be + done by some people....hence the "tipping factor" applies + (point of no return, horses out of the barn) ++ I make no claim to speaking "for the group." If you're + offended, write your own FAQ. My focus on things loosely + called "crypto anarchy" is just that: my _focus_. This focus + naturally percolates over into something like this FAQ, just + as someone primarily interested in the mechanics of PGP would + devote more space to PGP issues than I have. + - Gary Jeffers, for example, devotes most of his "CEB" to + issues surrounding PGP. ++ Will leave out some of the highly detailed items... + - Clipper, LEAF, escrow, Denning, etc. + - a myriad of encryption programs, bulk ciphers, variants on + PGP, etc. Some of these I've listed...others I've had to + throw my hands over and just ignore. (Keeping track of + zillions of versions for dozens of platforms...) + - easy to get lost in the details, buried in the bullshit + +1.3. Motivations + 1.3.1. With so much material available, why another FAQ? + 1.3.2. No convenient access to archives of the list....and who could + read 50 MB of stuff anyway? + 1.3.3. Why not Web? (Mosaic, Http, URL, etc.) + - Why not a navigable Web document? + - This is becoming trendy. Lots of URLs are included here, in + fact. But making all documents into Web documents has + downsides. + + Reasons why not: + - No easy access for me. + - Many others also lack access. Text still rules. + - Not at all clear that a collection of hundreds of + fragments is useful + - I like the structured editors available on my Mac + (specifically, MORE, an outline editor) + - + 1.3.4. What the Essential Points Are + - It's easy to lose track of what the core issues are, what + the really important points are. In a FAQ like this, a vast + amount of "cruft" is presented, that is, a vast amount of + miscellaneous, tangential, and epiphenomenal material. + Names of PGP versions, variants on steganograhy, and other + such stuff, all of which will change over the next few + months and years. + + And yet that's partly what a FAQ is for. The key is just + not to lose track of the key ideas. I've mentioned what I + think are the important ideas many times. To wit: + - that many approaches to crypto exist + - that governments essentially cannot stop most of these + approaches, short of establishing a police state (and + probably not even then) + - core issues of identity, authentication, pseudonyms, + reputations, etc. + +1.4. Who Should Read This + 1.4.1. "Should I read this?" + - Yes, reading this will point you toward other sources of + information, will answer the most commonly asked questions, + and will (hopefully) head off the reappearance of the same + tired themes every few months. + - Use a search tool if you have one. Grep for the things that + interest you, etc. The granularity of this FAQ does not + lend itself to Web conversion, at least not with present + tools. + + What _Won't_ Be Covered Here + + basic cryptography + + many good texts, FAQs, etc., written by full-time + cryptologists and educators + - in particular, some of the ideas are not simple, and + take several pages of well-written text to get the + point across + - not the focus of this FAQ + - basic political rants + +1.5. Comments on Style and Thoroughness + 1.5.1. "Why is this FAQ not in Mosaic form?" + - because the author (tcmay, as of 7/94) does not have Mosaic + access, and even if did, would not necessarily.... + - linear text is still fine for some things...can be read on + all platforms, can be printed out, and can be searched with + standard grep and similar tools + 1.5.2. "Why the mix of styles?" + + There are three main types of styles here: + - Standard prose sections, explaining some point or listing + things. Mini-essays, like most posts to Cypherpunks. + + Short, outline-style comments + - that I didn't have time or willpower to expand into + prose format + - that work best in outline format anyway + - like this + + Quotes from others + - Cypherpunks are a bright group. A lot of clever things + have been said in the 600 days x 40 posts/day = 24,000 + posts, and I am trying to use what I can. + + Sadly, only a tiny fraction can be used + - because I simply cannot _read_ even a fraction of + these posts over again (though I've only saved + several thousand of the posts) + - and because including too many of these posts would + simply make the FAQ too long (it's still too long, I + suppose) + - I hope you can handle the changes in tone of voice, in + styles, and even in formats. It'll just too much time to + make it all read uniformly. + 1.5.3. Despite the length of this thing, a vast amount of stuff is + missing. There have been hundreds of incisive analyses by + Cypherpunks, dozens of survey articles on Clipper, and + thousands of clever remarks. Alas, only a few of them here. + - And with 25 or more books on the Internet, hundreds of FAQs + and URLs, it's clear that we're all drowning in a sea of + information about the Net. + - Ironically, good old-fashioned books have a lot more + relevant and timeless information. + 1.5.4. Caveats on the completeness or accuracy of this FAQ + + not all points are fully fleshed out...the outline nature + means that nearly all points could be further added-to, + subdivided, taxonomized, and generally fleshed-out with + more points, counterpoints, examples + - like a giant tree...branches, leaves, tangled hierarchies + + It is inevitable that conflicting points will be made in a + document of this size + - views change, but don't get corrected in all places + - different contexts lead to different viewpoints + - simple failure by me to be fully consistent + - and many points raised here would, if put into an essay + for the Cypherpunks list, generate comments, rebuttals, + debate, and even acrimony....I cannot expect to have all + sides represented fully, especially as the issues are + often murky, unresolved, in dispute, and generally + controversial + - inconsistencies in the points here in this FAQ + +1.6. Corrections and Elaborations ++ "How to handle corrections or clarifications?" + - While I have done my best to ensure accuracy, errors will + no doubt exist. And as anyone can see from reading the + Cypherpunks list, nearly *any* statement made about any + subject can produce a flurry of rebuttals, caveats, + expansions, and whatnot. Some subjects, such as the nature + of money, the role of Cypherpunks, and the role of + reputations, produce dozens of differing opinions every + time they come up! + - So, it is not likely that my points here will be any + different. Fortunately, the sheer number of points here + means that not every one of them will be disagreed with. + But the math is pretty clear: if every reader finds even + one thing to disagree with and then posts his rebuttal or + elaboration....disaster! (Especially if some people can't + trim quotes properly and end up including a big chunk of + text.) + + Recommendations + - Send corrections of _fact_ to me + - If you disagree with my opinion, and you think you can + change my mind, or cause me to include your opinion as an + elaboration or as a dissenting view, then send it. If + your point requires long debate or is a deep + disagreement, then I doubt I have the time or energy to + debate. If you want your views heard, write your own FAQ! + - Ultimately, send what you want. But I of course will + evaluate comments and apply a reputation-based filter to + the traffic. Those who send me concise, well-reasoned + corrections or clarifications are likelier to be listened + to than those who barrage me with minor clarifications + and elaborations. + - In short, this is not a group project. The "stone soup + FAQ" is not what this is. + + More information + - Please don't send me e-mail asking for more information + on a particular topic--I just can't handle custom + research. This FAQ is long enough, and the Glossary at + the end contains additional information, so that I cannot + expand upon these topics (unless there is a general + debate on the list). In other words, don't assume this + FAQ is an entry point into a larger data base I will + generate. I hate to sound so blunt, but I've seen the + requests that come in every time I write a fairly long + article. + + Tips on feedback + - Comments about writing style, of the form "I would have + written it _this_ way," are especially unwelcome. ++ Credit issues + - inevitable that omissions or collisions will occur + - ideas have many fathers + - some ideas have been "in the air" for many years + + slogans are especially problematic + - "They can have my...."...I credit Barlow with this, but + I've heard others use it independently (I think; at least + I used it before hearing Barlow used it) + - "If crypto is outlawed, only outlaws will have crypto" + - "Big Brother Inside" + - if something really bothers you, send me a note + +1.7. Acknowledgements + 1.7.1. Acknowledgements + - My chief thanks go to the several hundred active + Cypherpunks posters, past and present. + - All rights reserved. Copyright Timothy C. May. Don't try to + sell this or incorporate it into anything that is sold. + Quoting brief sections is "fair use"...quoting long + sections is not. + +1.8. Ideas and Notes (not to be printed) + 1.8.1. Graphics for cover + - two blocks...plaintext to cryptotext + - Cypherpunks FAQ + - compiled by Timothy C. May, tcmay@netcom.com + - with help from many Cypherpunks + - with material from other sources + - + 1.8.2. "So don't ask" + +1.9. Things are moving quickly in crypto and crypto policy + 1.9.1. hard to keep this FAQ current, as info changes + 1.9.2. PGP in state of flux + 1.9.3. new versions of tools coming constantly + 1.9.4. And the whole Clipper thing has been turned on its head + recently by the Administration's backing off...lots of points + already made here are now rendered moot and are primarily of + historical interest only. + - Gore's letter to Cantwell + - Whit Diffie described a conference on key escrow systems in + Karlsruhe, Germany, which seemed to contain new ideas + - TIS? (can't use this info?) + +1.10. Notes: The Cyphernomicon: the CypherFAQ and More +1.10.1. 2.3.1. "The Book of Encyphered Names" + - Ibn al-Taz Khallikak, the Pine Barrens Horror. + - Liber Grimoiris....Cifur??? + - spreading from the Sumerian sands, through the gate of + Ishtar, to the back alleys of Damascus, tempered with the + blood of Westerners + - Keys of Solomon, Kool John Dee and the Rapping Cryps Gone + to Croatan + - Peter Krypotkin, the Russian crypto anarchist + - Twenty-nine Primes, California +1.10.2. 2.3.2. THE CYPHERNOMICON: a Cypherpunk FAQ and More--- + Version 0.666 +1.10.3. 1994-09-01, Copyright Timothy C. May, tcmay@netcom.com +1.10.4. + - Written and compiled by Tim May, except as noted by + credits. (Influenced by years of good posts on the + Cypherpunks list.) Permission is granted to post and + distribute this document in an unaltered and complete + state, for non-profit and educational purposes only. + Reasonable quoting under "fair use" provisions is + permitted. See the detailed disclaimer of responsibilities + and liabilities in the Introduction chapter. + +2. MFAQ--Most Frequently Asked Questions + +2.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +2.2. SUMMARY: MFAQ--Most Frequently Asked Questions + 2.2.1. Main Points + - These are the main questions that keep coming up. Not + necessarily the most basic question, just the ones that get + asked a lot. What most FAQs are. + 2.2.2. Connections to Other Sections + 2.2.3. Where to Find Additional Information + - newcomers to crypto should buy Bruce Schneier's "Applied + Cryptography"...it will save many hours worth of + unnecessary questions and clueless remarks about + cryptography. + - the various FAQs publishe in the newsroups (like sci.crypt, + alt.security.pgp) are very helpful. (also at rtfm.mit.edu) + 2.2.4. Miscellaneous Comments + - I wasn't sure what to include here in the MFAQ--perhaps + people can make suggestions of other things to include. + - My advice is that if something interests you, use your + editing/searching tools to find the same topic in the main + section. Usually (but not always) there's more material in + the main chapters than here in the MFAQ. + +2.3. "What's the 'Big Picture'?" + 2.3.1. Strong crypto is here. It is widely available. + 2.3.2. It implies many changes in the way the world works. Private + channels between parties who have never met and who never + will meet are possible. Totally anonymous, unlinkable, + untraceable communications and exchanges are possible. + 2.3.3. Transactions can only be *voluntary*, since the parties are + untraceable and unknown and can withdraw at any time. This + has profound implications for the conventional approach of + using the threat of force, directed against parties by + governments or by others. In particular, threats of force + will fail. + 2.3.4. What emerges from this is unclear, but I think it will be a + form of anarcho-capitalist market system I call "crypto + anarchy." (Voluntary communications only, with no third + parties butting in.) + +2.4. Organizational + 2.4.1. "How do I get on--and off--the Cypherpunks list?" + - Send a message to "cypherpunks-request@toad.com" + - Any auto-processed commands? + - don't send requests to the list as a whole....this will + mark you as "clueless" + 2.4.2. "Why does the Cypherpunks list sometimes go down, or lose the + subscription list?" + - The host machine, toad.com, owned by John Gilmore, has had + the usual problems such machines have: overloading, + shortages of disk space, software upgrades, etc. Hugh + Daniel has done an admirable job of keeping it in good + shape, but problems do occur. + - Think of it as warning that lists and communication systems + remain somewhat fragile....a lesson for what is needed to + make digital money more robust and trustable. + - There is no paid staff, no hardware budget for + improvements. The work done is strictly voluntarily. + 2.4.3. "If I've just joined the Cypherpunks list, what should I do?" + - Read for a while. Things will become clearer, themes will + emerge, and certain questions will be answered. This is + good advice for any group or list, and is especially so for + a list with 500 or more people on it. (We hit 700+ at one + point, then a couple of list outages knocked the number + down a bit.) + - Read the references mentioned here, if you can. The + sci.crypt FAQ should be read. And purchase Bruce Schneier's + "Applied Cryptography" the first chance you get. + - Join in on things that interest you, but don't make a fool + of yourself. Reputations matter, and you may come to regret + having come across as a tedious fool in your first weeks on + the list. (If you're a tedious fool after the first few + weeks, that may just be your nature, of course.) + - Avoid ranting and raving on unrelated topics, such as + abortion (pro or con), guns (pro or con), etc. The usual + topics that usually generate a lot of heat and not much + light. (Yes, most of us have strong views on these and + other topics, and, yes, we sometimes let our views creep + into discussions. There's no denying that certain + resonances exist. I'm just urging caution.) + 2.4.4. "I'm swamped by the list volume; what can I do?" + - This is a natural reaction. Nobody can follow it all; I + spend entirely too many hours a day reading the list, and I + certainly can't follow it all. Pick areas of expertise and + then follow them and ignore the rest. After all, not seeing + things on the list can be no worse than not even being + subscribed to the list! + - Hit the "delete" key quickly + - find someone who will digest it for you (Eric Hughes has + repeatedly said anyone can retransmit the list this way; + Hal Finney has offered an encrypted list) + + Better mailers may help. Some people have used mail-to-news + systems and then read the list as a local newsgroup, with + threads. + - I have Eudora, which supports off-line reading and + sorting features, but I generally end up reading with an + online mail program (elm). + - The mailing list may someday be switched over to a + newsgroup, a la "alt.cypherpunks." (This may affect some + people whose sites do not carry alt groups.) + 2.4.5. "It's very easy to get lost in the morass of detail here. Are + there any ways to track what's *really* important?" + - First, a lot of the stuff posted in the Usenet newsgroups, + and on the Cypherpunks list, is peripheral stuff, + epiphenomenal cruft that will blow away in the first strong + breeze. Grungy details about PGP shells, about RSA + encryption speeds, about NSA supercomputers. There's just + no reason for people to worry about "weak IDEA keys" when + so many more pressing matters exist. (Let the experts + worry.) Little of this makes any real difference, just as + little of the stuff in daily newspapers is memorable or + deserves to be memorable. + - Second, "read the sources." Read "1984," "The Shockwave + Rider," "Atlas Shrugged," "True Names." Read the Chaum + article on making Big Brother obsolete (October 1985, + "Communications of the ACM"). + - Third, don't lose sight of the core values: privacy, + technological solutions over legal solutions, avoiding + taxation, bypassing laws, etc. (Not everyone will agree + with all of these points.) + - Fourth, don't drown in the detail. Pick some areas of + interest and follow _them_. You may not need to know the + inner workings of DES or all the switches on PGP to make + contributions in other areas. (In fact, you surely don't.) + 2.4.6. "Who are the Cypherpunks?" + - A mix of about 500-700 + + Can find out who by sending message to majordomo@toad.com + with the message body text "who cypherpunks" (no quotes, of + course). + - Is this a privacy flaw? Maybe. + - Lots of students (they have the time, the Internet + accounts). Lots of computer science/programming folks. Lots + of libertarians. + - quote from Wired article, and from "Whole Earth Review" + 2.4.7. "Who runs the Cypherpunks?" + - Nobody. There's no formal "leadership." No ruler = no head + = an arch = anarchy. (Look up the etymology of anarchy.) + - However, the mailing list currently resides on a physical + machine, and this machine creates some nexus of control, + much like having a party at someon'e house. The list + administrator is currently Eric Hughes (and has been since + the beginning). He is helped by Hugh Daniel, who often does + maintenance of the toad.com, and by John Gilmore, who owns + the toad.com machine and account. + - In an extreme situation of abuse or neverending ranting, + these folks could kick someone off the list and block them + from resubscribing via majordomo. (I presume they could-- + it's never happened.) + - To emphasize: nobody's ever been kicked off the list, so + far as I know. Not even Detweiler...he asked to be removed + (when the list subscribes were done manually). + - As to who sets policy, there is no policy! No charter, no + agenda, no action items. Just what people want to work on + themselves. Which is all that can be expected. (Some people + get frustrated at this lack of consensus, and they + sometimes start flaming and ranting about "Cypherpunks + never do anything," but this lack of consensus is to be + expected. Nobody's being paid, nobody's got hiring and + firing authority, so any work that gets done has to be + voluntary. Some volunteer groups are more organized than we + are, but there are other factors that make this more + possible for them than it is for us. C'est la vie.) + - Those who get heard on the mailing list, or in the physical + meetings, are those who write articles that people find + interesting or who say things of note. Sounds fair to me. + 2.4.8. "Why don't the issues that interest me get discussed?" + - Maybe they already have been--several times. Many newcomers + are often chagrined to find arcane topics being discussed, + with little discussion of "the basics." + - This is hardly surprising....people get over the "basics" + after a few months and want to move on to more exciting (to + them) topics. All lists are like this. + - In any case, after you've read the list for a while--maybe + several weeks--go ahead and ask away. Making your topic + fresher may generate more responses than, say, asking + what's wrong with Clipper. (A truly overworked topic, + naturally.) + 2.4.9. "How did the Cypherpunks group get started?" +2.4.10. "Where did the name 'Cypherpunks' come from?" + + Jude Milhon, aka St. Jude, then an editor at "Mondo 2000," + was at the earliest meetings...she quipped "You guys are + just a bunch of cypherpunks." The name was adopted + immediately. + - The 'cyberpunk' genre of science fiction often deals with + issues of cyberspace and computer security ("ice"), so + the link is natural. A point of confusion is that + cyberpunks are popularly thought of as, well, as "punks," + while many Cyberpunks are frequently libertarians and + anarchists of various stripes. In my view, the two are + not in conflict. + - Some, however, would prefer a more staid name. The U.K. + branch calls itself the "U.K. Crypto Privacy + Association." However, the advantages of the + name are clear. For one thing, many people are bored by + staid names. For another, it gets us noticed by + journalists and others. + - + - We are actually not very "punkish" at all. About as punkish + as most of our cyberpunk cousins are, which is to say, not + very. + + the name + - Crypto Cabal (this before the sci.crypt FAQ folks + appeared, I think), Crypto Liberation Front, other names + - not everybody likes the name...such is life +2.4.11. "Why doesn't the Cypherpunks group have announced goals, + ideologies, and plans?" + - The short answer: we're just a mailing list, a loose + association of folks interested in similar things + - no budget, no voting, no leadership (except the "leadership + of the soapbox") + - How could such a consensus emerge? The usual approach is + for an elected group (or a group that seized power) to + write the charter and goals, to push their agenda. Such is + not the case here. + - Is this FAQ a de facto statement of goals? Not if I can + help it, to be honest. Several people before me planned + some sort of FAQ, and had they completed them, I certainly + would not have felt they were speaking for me or for the + group. To be consistent, then, I cannot have others think + this way about _this_ FAQ! +2.4.12. "What have the Cypherpunks actually done?" + - spread of crypto: Cypherpunks have helped + (PGP)...publicity, an alternative forum to sci.crypt (in + many ways, better...better S/N ratio, more polite) + - Wired, Whole Earth Review, NY Times, articles + - remailers, encrypted remailers + + The Cypherpunk- and Julf/Kleinpaste-style remailers were + both written very quickly, in just days + - Eric Hughes wrote the first Cypherpunks remailer in a + weekend, and he spent the first day of that weekend + learning enough Perl to do the job. + + Karl Kleinpaste wrote the code that eventually turned + into Julf's remailer (added to since, of course) in a + similarly short time: + - "My original anon server, for godiva.nectar.cs.cmu.edu + 2 years ago, was written in a few hours one bored + afternoon. It + wasn't as featureful as it ended up being, but it was + "complete" for + its initial goals, and bug-free." + [Karl_Kleinpaste@cs.cmu.edu, alt.privacy.anon-server, + 1994-09-01] + - That other interesting ideas, such as digital cash, have + not yet really emerged and gained use even after years of + active discussion, is an interesting contrast to this + rapid deployment of remailers. (The text-based nature of + both straight encryption/signing and of remailing is + semantically simpler to understand and then use than are + things like digital cash, DC-nets, and other crypto + protocols.) + - ideas for Perl scripts, mail handlers + - general discussion, with folks of several political + persuasions + - concepts: pools, Information Liberation Front, BlackNet + - +2.4.13. "How Can I Learn About Crypto and Cypherpunks Info?" +2.4.14. "Why is there sometimes disdain for the enthusiasm and + proposals of newcomers?" + - None of us is perfect, so we sometimes are impatient with + newcomers. Also, the comments seen tend to be issues of + disagreement--as in all lists and newsgroups (agreement is + so boring). + - But many newcomers also have failed to do the basic reading + that many of us did literally _years_ before joining this + list. Cryptology is a fairly technical subject, and one can + no more jump in and expect to be taken seriously without + any preparation than in any other technical field. + - Finally, many of us have answered the questions of + newcomers too many times to be enthusiastic about it + anymore. Familiarity breeds contempt. + + Newcomers should try to be patient about our impatience. + Sometimes recasting the question generates interest. + Freshness matters. Often, making an incisive comment, + instead of just asking a basic question, can generate + responses. (Just like in real life.) + - "Clipper sux!" won't generate much response. +2.4.15. "Should I join the Cypherpunks mailing list?" + - If you are reading this, of course, you are most likely on + the Cypherpunks list already and this point is moot--you + may instead be asking if you should_leave_ the List! + - Only if you are prepared to handle 30-60 messages a day, + with volumes fluctuating wildly +2.4.16. "Why isn't the Cypherpunks list encrypted? Don't you believe + in encryption?" + - what's the point, for a publically-subscribable list? + - except to make people jump through hoops, to put a large + burden on toad (unless everybody was given the same key, so + that just one encryption could be done...which underscores + the foolishness) + + there have been proposals, mainly as a stick to force + people to start using encryption...and to get the encrypted + traffic boosted + - involving delays for those who choose not or can't use + crypto (students on terminals, foreigners in countries + which have banned crypto, corporate subscribers....) +2.4.17. "What does "Cypherpunks write code' mean?" + - a clarifying statement, not an imperative + - technology and concrete solutions over bickering and + chatter + - if you don't write code, fine. Not everyone does (in fact, + probably less than 10% of the list writes serious code, and + less than 5% writes crypto or security software +2.4.18. "What does 'Big Brother Inside' Mean?" + - devised by yours truly (tcmay) at Clipper meeting + - Matt Thomlinson, Postscript + - printed by .... +2.4.19. "I Have a New Idea for a Cipher---Should I Discuss it Here?" + - Please don't. Ciphers require careful analysis, and should + be in paper form (that is, presented in a detailed paper, + with the necessary references to show that due diligence + was done, the equations, tables, etc. The Net is a poor + substitute. + - Also, breaking a randomly presented cipher is by no means + trivial, even if the cipher is eventually shown to be weak. + Most people don't have the inclination to try to break a + cipher unless there's some incentive, such as fame or money + involved. + - And new ciphers are notoriously hard to design. Experts are + the best folks to do this. With all the stuff waiting to be + done (described here), working on a new cipher is probably + the least effective thing an amateur can do. (If you are + not an amateur, and have broken other people's ciphers + before, then you know who you are, and these comments don't + apply. But I'll guess that fewer than a handful of folks on + this list have the necessary background to do cipher + design.) + - There are a vast number of ciphers and systems, nearly all + of no lasting significance. Untested, undocumented, unused- + -and probably unworthy of any real attention. Don't add to + the noise. +2.4.20. Are all the Cypherpunks libertarians? +2.4.21. "What can we do?" + - Deploy strong crypto, to ensure the genie cannot be put in + the bottle + - Educate, lobby, discuss + - Spread doubt, scorn..help make government programs look + foolish + - Sabotage, undermine, monkeywrench + - Pursue other activities +2.4.22. "Why is the list unmoderated? Why is there no filtering of + disrupters like Detweiler?" + - technology over law + - each person makes their own choice + - also, no time for moderation, and moderation is usually + stultifying + + anyone who wishes to have some views silenced, or some + posters blocked, is advised to: + - contract with someone to be their Personal Censor, + passing on to them only approved material + - subscribe to a filtering service, such as Ray and Harry + are providing +2.4.23. "What Can I Do?" + - politics, spreading the word + - writing code ("Cypherpunks write code") +2.4.24. "Should I publicize my new crypto program?" + - "I have designed a crypting program, that I think is + unbreakable. I challenge anyone who is interested to get + in touch with me, and decrypt an encrypted massage." + + "With highest regards, + Babak Sehari." [Babak Sehari, sci.crypt, 6-19-94] + +2.4.25. "Ask Emily Post Crypt" + + my variation on "Ask Emily Postnews" + - for those that don't know, a scathing critique of + clueless postings + + "I just invented a new cipher. Here's a sample. Bet you + can't break it!" + - By all means post your encrypted junk. We who have + nothing better to do with our time than respond will be + more than happy to spend hours running your stuff through + our codebreaking Crays! + - Be sure to include a sample of encrypted text, to make + yourself appear even more clueless. + + "I have a cypher I just invented...where should I post it?" + + "One of the very most basic errors of making ciphers is + simply to add + - layer upon layer of obfuscation and make a cipher which + is nice and + - "complex". Read Knuth on making random number + generators for the + - folly in this kind of approach. " + + "Ciphers carry the presumption of guilt, not innocence. + Ciphers + - designed by amateurs invariably fail under scrutiny by + experts. This + - sociological fact (well borne out) is where the + presumption of + - insecurity arises. This is not ignorance, to assume + that this will + - change. The burden of proof is on the claimer of + security, not upon + - the codebreaker. + + "I've just gotten very upset at something--should I vent my + anger on the mailing list?" + - By all means! If you're fed up doing your taxes, or just + read something in the newspaper that really angered you, + definitely send an angry message out to the 700 or so + readers and help make _them_ angry! + - Find a bogus link to crypto or privacy issues to make it + seem more relevant. +2.4.26. "What are some main Cypherpunks projects?" + + remailers + + better remailers, more advanced features + - digital postage + - padding, batching/latency + - agent features + - more of them + - offshore (10 sites in 5 countries, as a minimum) + - tools, services + - digital cash in better forms + - +2.4.27. "What about sublists, to reduce the volume on the main list." + - There are already half a dozen sub-lists, devoted to + planning meetings, to building hardware, and to exploring + DC-Nets. There's one for remailer operators, or there used + to be. There are also lists devoted to similar topics as + Cypherpunks, including Robin Hanson's "AltInst" list + (Alternative Institutions), Nick Szabo's "libtech-l" list, + the "IMP-Interest" (Internet Mercantile Protocols) list, + and so on. Most are very low volume. + + That few folks have heard of any of them, and that traffic + volumes are extremely low, or zero, is not all that + surprising, and matches experiences elsewhere. Several + reasons: + - Sublists are a bother to remember; most people forget + they exist, and don't think to post to them. (This + "forgetting" is one of the most interesting aspects of + cyberspace; successful lists seem to be Schelling points + that accrete even more members, while unsuccessful lists + fade away into nothingness.) + - There's a natural desire to see one's words in the larger + of two forums, so people tend to post to the main list. + - The sublists were sometimes formed in a burst of + exuberance over some topic, which then faded. + - Topics often span several subinterest areas, so posting + to the main list is better than copying all the relevant + sublists. + - In any case, the Cypherpunks main list is "it," for now, + and has driven other lists effectively out of business. A + kind of Gresham's Law. + +2.5. Crypto + 2.5.1. "Why is crypto so important?" + + The three elements that are central to our modern view of + liberty and privacy (a la Diffie) + - protecting things against theft + - proving who we say we are + - expecting privacy in our conversations and writings + - Although there is no explicit "right of privacy" enumerated + in the U.S. Constitution, the assumption that an individual + is to be secure in his papers, home, etc., absent a valid + warrant, is central. (There has never been a ruling or law + that persons have to speak in a language that is + understandable by eavesdroppers, wiretappers, etc., nor has + there ever been a rule banning private use of encrption. I + mention this to remind readers of the long history of + crypto freedom.) + - "Information, technology and control of both _is_ power. + *Anonymous* telecommunications has the potential to be the + greatest equalizer in history. Bringing this power to as + many as possible will forever change the discourse of power + in this country (and the world)." [Matthew J Miszewski, ACT + NOW!, 1993-03-06] + 2.5.2. "Who uses cryptography?" + - Everybody, in one form or another. We see crypto all around + us...the keys in our pockets, the signatures on our + driver's licenses and other cards, the photo IDs, the + credit cards. Lock combinations, door keys, PIN numbers, + etc. All are part of crypto (although most might call this + "security" and not a very mathematical thing, as + cryptography is usually thought to be). + - Whitticism: "those who regularly + conspire to participate in the political process are + already encrypting." [Whit Diffie] + 2.5.3. "Who needs crypto? What have they got to hide?" + + honest people need crypto because there are dishonest + people + - and there may be other needs for privacy + - There are many reasons why people need privacy, the ability + to keep some things secret. Financial, personal, + psychological, social, and many other reasons. + - Privacy in their papers, in their diaries, in their pesonal + lives. In their financial choices, their investments, etc. + (The IRS and tax authorities in other countries claim to + have a right to see private records, and so far the courts + have backed them up. I disagree.) + - people encrypt for the same reason they close and lock + their doors + - Privacy in its most basic forms + 2.5.4. "I'm new to crypto--where should I start?" + - books...Schneier + - soda + - sci.crypt + - talk.politics.crypto + - FAQs other than this one + 2.5.5. "Do I need to study cryptography and number theory to make a + contribution?" + - Absolutely not! Most cryptographers and mathematicians are + so busy doing their thing that they little time or interest + for political and entrepreneurial activities. + Specialization is for insects and researchers, as someone's + .sig says. + - Many areas are ripe for contribution. Modularization of + functions means people can concentrate in other areas, + just as writers don't have to learn how to set type, or cut + quill pens, or mix inks. + - Nonspecialists should treat most established ciphers as + "black boxes" that work as advertised. (I'm not saying they + do, just that analysis of them is best left to experts...a + little skepticism may not hurt, though). + 2.5.6. "How does public key cryptography work, simply put?" + - Plenty of articles and textbooks describe this, in ever- + increasing detail (they start out with the basics, then get + to the juicy stuff). + + I did find a simple explanation, with "toy numbers," from + Matthew Ghio: + - "You pick two prime numbers; for example 5 and 7. + Multiply them together, equals 35. Now you calculate the + product of one less than each number, plus one. (5-1)(7- + 1)+1=21. There is a mathematical relationship that says + that x = x^21 mod 35 for any x from 0 to 34. Now you + factor 21, yeilds 3 and 7. + + "You pick one of those numbers to be your private key and + the other one is your public key. So you have: + Public key: 3 + Private key: 7 + + "Someone encrypts a message for you by taking plaintext + message m to make ciphertext message c: c=m^3 mod 35 + + "You decrypt c and find m using your private key: m=c^7 + mod 35 + + "If the numbers are several hundred digits long (as in + PGP), it is nearly impossible to guess the secret key." + [Matthew Ghio, alt.anonymous, 1994-09-03] + - (There's a math error here...exercise left for the + student.) + 2.5.7. "I'm a newcomer to this stuff...how should I get started?" + - Start by reading some of the material cited. Don't worry + too much about understanding it all. + - Follow the list. + - Find an area that interests you and concentrate on that. + There is no reason why privacy advocates need to understand + Diffie-Hellman key exchange in detail! + + More Information + + Books + - Schneier + - Brassard + + Journals, etc + - Proceedings + - Journal of Cryptology + - Cryptologia + - Newsgroups + - ftp sites + 2.5.8. "Who are Alice and Bob?" + 2.5.9. "What is security through obscurity"? + - adding layers of confusion, indirection + - rarely is strong in a an infromation-theoretic or + cryptographic sense + - and may have "shortcuts" (like a knot that looks complex + but which falls open if approached the right way) + - encryption algorithms often hidden, sites hidden + - Make no mistake about it, these approaches are often used. + And they can add a little to the overall security (using + file encyption programs like FolderBolt on top of PGP is an + example)... +2.5.10. "Has DES been broken? And what about RSA?" + - DES: Brute-force search of the keyspace in chosen-plaintext + attacks is feeasible in around 2^47 keys, according to + Biham and Shamir. This is about 2^9 times easier than the + "raw" keyspace. Michael Wiener has estimated that a macine + of special chips could crack DES this way for a few + thousand dollars per key. The NSA may have such machines. + - In any case, DES was not expected to last this long by many + (and, in fact, the NSA and NIST proposed a phaseout some + years back, the "CCEP" (Commercial COMSEC Endorsement + Program), but it never caught on and seems forgotten today. + Clipper and EES seem to have grabbed the spotlight. + - IDEA, from Europe, is supposed to be much better. + - As for RSA, this is unlikely. Factoring is not yet proven + to be NP-co +2.5.11. "Can the NSA Break Foo?" + - DES, RSA, IDEA, etc. + - Can the government break our ciphers? +2.5.12. "Can brute-force methods break crypto systems?" + - depends on the system, the keyspace, the ancillary + information avialable, etc. + - processing power generally has been doubling every 12-18 + months (Moore's Law), so.... + - Skipjack is 80 bits, which is probably safe from brute + force attack for 2^24 = 1.68e7 times as long as DES is. + With Wiener's estimate of 3.5 hours to break DES, this + implies 6700 years using today's hardware. Assuming an + optimistic doubling of hardware power per year (for the + same cost), it will take 24 years before the hardware costs + of a brute force attack on Skipjack come down to what it + now costs to attack DES. Assuming no other weaknesses in + Skipjack. + - And note that intelligence agencies are able to spend much + more than what Wiener calculated (recall Norm Hardy's + description of Harvest) +2.5.13. "Did the NSA know about public key ideas before Diffie and + Hellman?" + + much debate, and some sly and possibly misleading innuendo + - Simmons claimed he learned of PK in Gardner's column, and + he certainly should've been in a position to know + (weapons, Sandia) + - + + Inman has claimed that NSA had a P-K concept in 1966 + - fits with Dominik's point about sealed cryptosystem boxes + with no way to load new keys + - and consistent with NSA having essentially sole access to + nation's top mathematicians (until Diffies and Hellmans + foreswore government funding, as a result of the anti- + Pentagon feelings of the 70s) +2.5.14. "Did the NSA know about public-key approaches before Diffie + and Hellman?" + - comes up a lot, with some in the NSA trying to slyly + suggest that _of course_ they knew about it... + - Simmons, etc. + - Bellovin comments (are good) +2.5.15. "Can NSA crack RSA?" + - Probably not. + - Certainly not by "searching the keyspace," an idea that + pops up every few months . It can't be done. 1024-bit keys + implies roughly 512-bit primes, or 153-decimal digit + primes. There are more than 10^150 of them! And only about + 10^73 particles in the entire universe. + - Has the factoring problem been solved? Probably not. And it + probably won't be, in the sense that factoring is probably + in NP (though this has not been proved) and P is probably + not NP (also unproved, but very strongly suspected). While + there will be advances in factoring, it is extremely + unlikely (in the religious sense) that factoring a 300- + digit number will suddenly become "easy." + - Does the RSA leak information so as to make it easier to + crack than it is to factor the modulus? Suspected by some, + but basically unknown. I would bet against it. But more + iffy than the point above. + + "How strong is strong crypto?" + - Basically, stronger than any of the hokey "codes" so + beloved of thriller writers and movie producers. Modern + ciphers are not crackable by "telling the computer to run + through all the combinations" (more precisely, the number + of combinations greatly exceeds the number of atoms in + the universe). +2.5.16. "Won't more powerful computers make ciphers breakable?" + + The effects of increasing computer power confer even + *greater* advantage to the cipher user than to the cipher + breaker. (Longer key lengths in RSA, for example, require + polynomially more time to use, but exponentially more time + to break, roughly speaking.) Stunningly, it is likely that + we are close to being able to use key lengths which cannot + be broken with all the computer power that will ever exist + in the universe. + + Analogous to impenetrable force fields protecting the + data, with more energy required to "punch through" than + exists in the universe + - Vernor Vinge's "bobbles," in "The Peace War." + - Here I am assuming that no short cuts to factoring + exist...this is unproven, but suspected. (No major + shortcuts, i.e., factoring is not "easy.") + + A modulus of thousands of decimal digits may require more + total "energy" to factor, using foreseeable approaches, + than is available + - reversible computation may help, but I suspect not much + - Shor's quantum-mechanical approach is completely + untested...and may not scale well (e.g., it may be + marginally possible to get the measurement precision to + use this method for, say, 100-digit numbers, but + utterly impossible to get it for 120-digit numbers, let + alone 1000-digit numbers) +2.5.17. "Will strong crypto help racists?" + - Yes, this is a consequence of having secure virtual + communities. Free speech tends to work that way! + - The Aryan Nation can use crypto to collect and disseminate + information, even into "controlled" nations like Germany + that ban groups like Aryan Nation. + - Of course, "on the Internet no one knows you're a dog," so + overt racism based on superficial external characteristics + is correspondingly harder to pull off. + - But strong crypto will enable and empower groups who have + different beliefs than the local majority, and will allow + them to bypass regional laws. +2.5.18. Working on new ciphers--why it's not a Cypherpunks priority + (as I see it) + - It's an issue of allocation of resources. ("All crypto is + economics." E. Hughes) Much work has gone into cipher + design, and the world seems to have several stable, robust + ciphers to choose from. Any additional work by crypto + amateurs--which most of us are, relative to professional + mathematicians and cipher designers--is unlikely to move + things forward significantly. Yes, it could happen...but + it's not likely. + + Whereas there are areas where professional cryptologists + have done very little: + - PGP (note that PRZ did *not* take time out to try to + invent his own ciphers, at least not for Version + 2.0)...he concentrated on where his efforts would have + the best payoff + - implementation of remailers + - issues involving shells and other tools for crypto use + - digital cash + - related issues, such as reputations, language design, + game theory, etc. + - These are the areas of "low-hanging fruit," the areas where + the greatest bang for the buck lies, to mix some metaphors + (grapeshot?). +2.5.19. "Are there any unbreakable ciphers?" + - One time pads are of course information-theoretically + secure, i.e., unbreakable by computer power. + + For conventional ciphers, including public key ciphers, + some ciphers may not be breakable in _our_ universe, in any + amount of time. The logic goes as follows: + - Our universe presumably has some finite number of + particles (currently estimated to be 10^73 particles). + This leads to the "even if every particle were a Cray Y- + MP it would take..." sorts of thought experiments. + + But I am considering _energy_ here. Ignoring reversible + computation for the moment, computations dissipate energy + (some disagree with this point). There is some uppper + limit on how many basic computations could ever be done + with the amount of free energy in the universe. (A rough + calculation could be done by calculating the energy + output of stars, stuff falling into black holes, etc., + and then assuming about kT per logical operation. This + should be accurate to within a few orders of magnitude.) + I haven't done this calculation, and won't here, but the + result would likely be something along the lines of X + joules of energy that could be harnessed for computation, + resulting in Y basic primitive computational steps. + + I can then find a modulus of 3000 digits or 5000 digits, + or whatever, that takes *more* than this number of steps + to factor. Therefore, unbreakable in our universe. + - Caveats: + + 1. Maybe there are really shortcuts to factoring. Certainly + improvements in factoring methods will continue. (But of + course these improvements are not things that convert + factoring into a less than exponential-in-length + problem...that is, factoring appears to remain "hard.") + + 2. Maybe reversible computations (a la Landauer, Bennett, + et. al.) actually work. Maybe this means a "factoring + machine" can be built which takes a fixed, or very slowly + growing, amount of energy. In this case, "forever" means + Lefty is probably right. + + 3. Maybe the quantum-mechanical idea of Peter Shor is + possible. (I doubt it, for various reasons.) + +2.5.20. "How safe is RSA?" "How safe is PGP?" "I heard that PGP has + bugs?" + - This cloud of questions is surely the most common sort that + appears in sci.crypt. It sometimes gets no answers, + sometimes gets a rude answer, and only occasionally does it + lead to a fruiful discussion. + - The simple anwer: These ciphers appear to be safe, to have + no obvious flaws. + - More details can be found in various question elsewhere in + this FAQ and in the various FAQs and references others have + published. +2.5.21. "How long does encryption have to be good for?" + - This obviously depends on what you're encrypting. Some + things need only be safe for short periods of time, e.g., a + few years or even less. Other things may come back to haunt + you--or get you thrown in prison--many years later. I can + imagine secrets that have to be kept for many decades, even + centuries (for example, one may fear one's descendents will + pay the price for a secret revealed). + - It is useful to think _now_ about the computer power likely + to be available in the year 2050, when many of you reading + this will still be around. (I'm _not_ arguing that + parallelism, etc., will cause RSA to fall, only that some + key lengths (e.g., 512-bit) may fall by then. Better be + safe and use 1024 bits or even more. Increased computer + power makes longer keys feasible, too.). + +2.6. PGP + 2.6.1. There's a truly vast amount of information out there on PGP, + from current versions, to sites, to keyserver issues, and so + on. There are also several good FAQs on PGP, on MacPGP, and + probably on nearly every major version of PGP. I don't expect + to compete here with these more specialized FAQs. + - I'm also not a PGP expert, using it only for sending and + receiving mail, and rarely doing much more with it. + - The various tools, for all major platforms, are a specialty + unto themselves. + 2.6.2. "Where do I get PGP?" + 2.6.3. "Where can I find PGP?" + - Wait around for several days and a post will come by which + gives some pointers. + - Here are some sites current at this writing: (watch out for + changes) + 2.6.4. "Is PGP secure? I heard someone had...." + - periodic reports, urban legend, that PGP has been + compromised, that Phil Z. has been "persuaded" to.... + + implausible for several reasons + - Phil Z no longer controls the source code by himself + - the source code is available and can be inspected...would + be very difficult to slip in major back doors that would + not be apparent in the source code + - Phil has denied this, and the rumors appear to come from + idle speculation + + But can PGP be broken? + - has not been tested independently in a thorough, + cryptanalytic way, yet (opinion of tcmay) + - NSA isn't saying + + Areas for attack + + IDEA + - some are saying doubling of the number of rounds + should be donee + - the random number generators...Colin Plumb's admission + 2.6.5. "Should I use PGP and other crypto on my company's + workstations?" + - machines owned by corporations and universities, usually on + networks, are generally not secure (that is, they may be + compromised in various ways) + - ironically, most of the folks who sign all their messages, + who use a lot of encryption, are on just such machines + - PCs and Macs and other nonnetworked machines are more + secure, but are harder to use PGP on (as of 1994) + - these are generalizations--there are insecure PCs and + secure workstations + 2.6.6. "I just got PGP--should I use it for all my mail?" + - No! Many people cannot easily use PGP, so if you wish to + communicate with them, don't encrypt everything. Use + encryption where it matters. + - If you just want more people to use encryption, help with + the projects to better integrate crypto into existing + mailers. + 2.6.7. NSA is apparently worried about PGP, worried about the spread + of PGP to other countries, and worried about the growth of + "internal communities" that communicate via "black pipes" or + "encrypted tunnels" that are impenetrable to them. + +2.7. Clipper + 2.7.1. "How can the government do this?" + - incredulity that bans, censorship, etc. are legal + + several ways these things happen + - not tested in the courts + - wartime regulations + + conflicting interpretations + - e.g., "general welfare" clause used to justify + restrictions on speech, freedom of association, etc. + + whenever public money or facilities used (as with + churches forced to hire Satanists) + - and in this increasingly interconnnected world, it is + sometimes very hard to avoid overlap with public + funding, facilities, etc. + 2.7.2. "Why don't Cypherpunks develop their won competing encryption + chip?" + + Many reasons not to: + - cost + - focus + - expertise + - hard to sell such a competing standard + - better to let market as a whole make these choices + 2.7.3. "Why is crypto so frightening to governments?" + + It takes away the state's power to snoop, to wiretap, to + eavesdrop, to control + - Priestly confessionals were a major way the Church kept + tabs on the locals...a worldwide, grassroots system of + ecclesiastical narcs + + Crypto has high leverage + + Unlike direct assaults with bombs, HERF and EMP attacks, + sabotage, etc, crypto is self-spreading...a bootstrap + technology + - people use it, give it to others, put it on networks + - others use it for their own purposes + - a cascade effect, growing geometrically + - and undermining confidence in governments, allowing the + spread of multiple points of view (especially + unapproved views) + 2.7.4. "I've just joined the list and am wondering why I don't see + more debate about Clipper?" + - Understand that people rarely write essays in response to + questions like "Why is Clipper bad?" For most of us, + mandatory key escrow is axiomatically bad; no debate is + needed. + - Clipper was thoroughly trashed by nearly everyone within + hours and days of its announcement, April 16, 1993. + Hundreds of articles and editorials have condemned it. + Cyperpunks currently has no active supporters of mandatory + key escrow, from all indications, so there is nothing to + debate. + +2.8. Other Ciphers and Crypto Products + +2.9. Remailers and Anonymity + 2.9.1. "What are remailers?" + 2.9.2. "How do remailers work?" (a vast number of postings have + dealt with this) + - The best way to understand them is to "just do it," that + is, send a few remailed message to yourself, to see how the + syntax works. Instructions are widely available--some are + cited here, and up to date instructions will appear in the + usual Usenet groups. + - The simple view: Text messages are placed in envelopes and + sent to a site that has agreed to remail them based on the + instructions it finds. Encryption is not necessary--though + it is of course recommended. These "messages in bottles" + are passed from site to site and ultimately to the intended + final recipient. + - The message is pure text, with instructions contained _in + the text_ itself (this was a fortuitous choice of standard + by Eric Hughes, in 1992, as it allowed chaining, + independence from particular mail systems, etc.). + - A message will be something like this: + + :: + Request-Remailing-To: remailer@bar.baz + + Body of text, etc., etc. (Which could be more remailing + instructions, digital postage, etc.) + + - These nested messages make no assumptions about the type of + mailer being used, so long as it can handle straight ASCII + text, which all mailers can of course. Each mail message + then acts as a kind of "agent," carrying instructions on + where it should be mailed next, and perhaps other things + (like delays, padding, postage, etc.) + - It's very important to note that any given remailer cannot + see the contents of the envelopes he is remailing, provided + encryption is used. (The orginal sender picks a desired + trajectory through the labyrinth of remailers, encrypts in + the appropriate sequence (last is innermost, then next to + last, etc.), and then the remailers sequentially decrypt + the outer envelopes as they get them. Envelopes within + envelopes.) + 2.9.3. "Can't remailers be used to harass people?" + - Sure, so can free speech, anonymous physical mail ("poison + pen letters"), etc. + - With e-mail, people can screen their mail, use filters, + ignore words they don't like, etc. Lots of options. "Sticks + and stones" and all that stuff we learned in Kindergarten + (well, I'm never sure what the the Gen Xers learned....). + - Extortion is made somewhat easier by anonymous mailers, but + extortion threats can be made in other ways, such as via + physical mail, or from payphones, etc. + - Physical actions, threats, etc. are another matter. Not the + domain of crypto, per se. + +2.10. Surveillance and Privacy +2.10.1. "Does the NSA monitor this list?" + - Probably. We've been visible enough, and there are many + avenues for monitoring or even subscribing to the List. + Many aliases, many points of presence. + - some concerns that Cypherpunks list has been infiltrated + and is a "round up list" + - There have even been anonymous messages purporting to name + likely CIA, DIA, and NSA spooks. ("Be aware.") + - Remember, the list of subscribers is _not_ a secret--it can + be gotten by sending a "who cypherpunks" message to + majordomo@toad.com. Anyone in the world can do this. +2.10.2. "Is this list illegal?" + - Depends on the country. In the U.S., there are very strong + protections against "prior restraint" for published + material, so the list is fairly well -protected....shutting + it down would create a First Amendment case of major + importance. Which is unlikely. Conspiracy and sedition laws + are more complex to analyze; there are no indications that + material here or on the list is illegal. + - Advocacy of illegal acts (subversion of export laws, + espionage, etc.) is generally legal. Even advocating the + overthrow of the government. + - The situation in other countries is different. Some + countries ban unapproved encryption, so this list is + suspect. + - Practically speaking, anyone reading this list is probably + in a place which either makes no attempt to control + encryption or is unable to monitor what crosses its + borders. +2.10.3. "Can keystrokes really be monitored remotely? How likely is + this?" + - Yes. Van Eck, RF, monitors, easy (it is claimed) to build + this + - How likely? Depends on who you are. Ames, the KGB spy, was + probably monitored near the end, but I doubt many of us + are. The costs are simply too high...the vans outside, the + personnel needed, etc. + - the real hazards involve making it "easy" and "almost + automatic" for such monitoring, such as with Clipper and + EES. Then they essentially just flip a switch and the + monitoring happens...no muss, no fuss. +2.10.4. "Wouldn't some crimes be stopped if the government could + monitor what it wanted to?" + - Sure. This is an old story. Some criminals would be caught + if their diaries could be examined. Television cameras in + all homes would reduce crimes of .... (Are you listening, + Winston?). + - Orwell, fascism, surveillance states, what have you got to + hide, etc. + +2.11. Legal +2.11.1. "Can encryption be banned?" + - ham operators, shortwave + - il gelepal, looi to waptime aolditolq + + how is this any different from requiring speech in some + language? + - Navaho code talkers of WW2,,,,modern parallel +2.11.2. "Will the government try to ban encryption?" + - This is of course the major concern most of us have about + Clipper and the Escrowed Encryption Standard in general. + Even if we think the banning of crypto will ultimately be a + failure ("worse than Prohibition," someone has said), such + a ban could make things very uncomfortable for many and + would be a serious abridgement of basic liberties. + - We don't know, but we fear something along these lines. It + will be difficult to enforce such a ban, as so many avenues + for communication exist, and encrypted messages may be hard + to detect. + - Their goal, however, may be _control_ and the chilling + effect that using "civil forfeiture" may have on potential + crypto users. Like the drug laws. (Whit Diffie was the + first to emphasize this motivation.) +2.11.3. "How could encryption be banned?" + - most likely way: restrictions on networks, a la airwaves or + postal service + - could cite various needs, but absent a mechanism as above, + hard to do + - an outright ban, enforced with civil forfeiture penalties + - wartime sorts of policies (crypto treated as sedition, + treason...some high-profile prison sentences) + - scenario posted by Sandfort? +2.11.4. "What's the situation about export of crypto?" + + There's been much debate about this, with the case of Phil + Zimmermann possibly being an important test case, should + charges be filed. + - as of 1994-09, the Grand Jury in San Jose has not said + anything (it's been about 7-9 months since they started + on this issue) + - Dan Bernstein has argued that ITAR covers nearly all + aspects of exporting crypto material, including codes, + documentation, and even "knowledge." (Controversially, it + may be in violation of ITAR for knowledgeable crypto people + to even leave the country with the intention of developing + crypto tools overseas.) + - The various distributions of PGP that have occurred via + anonymous ftp sources don't imply that ITAR is not being + enforced, or won't be in the future. +2.11.5. "What's the legal status of digital signatures?" + - Not yet tested in court. Ditto for most crypto protocols, + including digital timestamping, electronic contracts, + issues of lost keys, etc. +2.11.6. "Can't I just claim I forgot my password?" +2.11.7. "Is it dangerous to talk openly about these ideas?" + - Depends on your country. In some countries, perhaps no. In + the U.S., there's not much they can do (though folks should + be aware that the Cypherpunks have received a lot of + attention by the media and by policy makers, and so a vocal + presence on this list very likely puts one on a list of + crypto trouble makers). + - Some companies may also feel views expressed here are not + consistent with their corporate policies. Your mileage may + vary. + - Sedition and treason laws are not likely to be applicable. + - some Cypherpunks think so + - Others of us take the First Amendment pretty seriously: + that _all_ talk is permissable + - NSA agents threatened to have Jim Bidzos killed +2.11.8. "Does possession of a key mean possession of *identity*?" + - If I get your key, am I you? + - Certainly not outside the context of the cryptographic + transaction. But within the context of a transaction, yes. + Additional safeguards/speedbumps can be inserted (such as + biometric credentials, additional passphrases, etc.), but + these are essentially part of the "key," so the basic + answer remains "yes." (There are periodically concerns + raised about this, citing the dangers of having all + identity tied to a single credential, or number, or key. + Well, there are ways to handle this, such as by adopting + protocols that limit one's exposure, that limits the amount + of money that can be withdrawn, etc. Or people can adopt + protocols that require additional security, time delays, + countersigning, etc.) + + This may be tested in court soon enough, but the answer for + many contracts and crypto transactions will be that + possession of key = possession of identity. Even a court + test may mean little, for the types of transactions I + expect to see. + - That is, in anonymous systems, "who ya gonna sue?" + - So, guard your key. + +2.12. Digital Cash +2.12.1. "What is digital money?" +2.12.2. "What are the main uses of strong crypto for business and + economic transactions?" + - Secure communications. Ensuring privacy of transaction + records (avoiding eavesdroppes, competitors) + - Digital signatures on contracts (will someday be standard) + - Digital cash. + - Reputations. + - Data Havens. That bypass local laws about what can be + stored and what can't (e.g., silly rules on how far back + credit records can go). +2.12.3. "What are smart cards and how are they used?" + + Most smart cards as they now exist are very far from being + the anonymous digital cash of primary interest to us. In + fact, most of them are just glorified credit cards. + - with no gain to consumers, since consumes typically don't + pay for losses by fraud + - (so to entice consumes, will they offer inducements?) + - Can be either small computers, typically credit-card-sized, + or just cards that control access via local computers. + + Tamper-resistant modules, e.g., if tampered with, they + destroy the important data or at the least give evidence of + having been tampered with. + + Security of manufacturing + - some variant of "cut-and-choose" inspection of + premises + + Uses of smart cards + - conventional credit card uses + - bill payment + - postage + - bridge and road tolls + - payments for items received electronically (not + necessarily anonymously) + +2.13. Crypto Anarchy +2.13.1. "What is Crypto Anarchy?" + - Some of us believe various forms of strong cryptography + will cause the power of the state to decline, perhaps even + collapse fairly abruptly. We believe the expansion into + cyberspace, with secure communications, digital money, + anonymity and pseudonymity, and other crypto-mediated + interactions, will profoundly change the nature of + economies and social interactions. + + Governments will have a hard time collecting taxes, + regulating the behavior of individuals and corporations + (small ones at least), and generally coercing folks when it + can't even tell what _continent_ folks are on! + + Read Vinge's "True Names" and Card's "Ender's Game" for + some fictional inspirations. "Galt's Gulch" in cyberspace, + what the Net is rapidly becoming already. + + I call this set of ideas "crypto anarchy" (or "crypto- + anarchy," as you wish) and have written about this + extensively. The magazines "Wired" (issue 1.2), "Whole + Earth Review" (Summer, 1993), and "The Village Voice" (Aug. + 6th, 1993) have all carried good articles on this. +2.13.2. The Crypto Anarchist Manifesto + - a complete copy of my 1988 pastiche of the Communisto + Manifesto is included in the chapter on Crypto Anarchy. + - it needs rewriting, but for historical sake I've left it + unchanged. + - I'm proud that so much of it remains accurate. +2.13.3. "What is BlackNet?" + - BlackNet -- an experiment in information markets, using + anonymous message pools for exchange of instructions and + items. Tim May's experiment in guerilla ontology. + - BlackNet -- an experimental scheme devised by T. May to + underscore the nature of anonymous information markets. + "Any and all" secrets can be offered for sale via anonymous + mailers and message pools. The experiment was leaked via + remailer to the Cypherpunks list (not by May) and thence to + several dozen Usenet groups by Detweiler. The authorities + are said to be investigating it. +2.13.4. "What effect will crypto have on governments?" + - A huge topic, one I've been thinking about since late 1987 + when it dawned on me that public key crypto and anonymous + digital cash systems, information markets, etc. meant the + end of governments as we know them. (I called this + development "crypto anarchy." Not everyone is a fan of it. + But it's coming, and fast.) + - "Putting the NSA out of business," as the NYT article put + it + - Espionage is changing. To pick one example, "digital dead + drops." Any message can be sent through an untraceable path + with remailers....and then posted in encrypted form in a + newsgroup readable in most countries, including the Former + Soviet Union. This means the old stand by of the microfilm + in a Coke can left by a certain tree on a rural road--a + method fraught with delays, dangers, and hassles--is now + passe. The same message can be send from the comfort of + one's home securely and untraceably. Even with a a digital + signature to prevent spoofing and disinformation. This spy + can be a Lockheed worker on the Aurora program, a SIGINT + officer at Woomera, or a disgruntled chip designer at + Motorola. (Yes, a countermeasure is to limit access to + personal computers, to run only standard software that has + no such crypto capability. Such embargoes may already apply + to some in sensitive positions, and may someday be a + condition of employment.) + - Money-laundering + - Tax collection. International consultants. Perpetual + tourists. Virtual corporations. + - Terrorism, assassination, crime, Triads, Yakuza, Jamaicans, + Russian Mafia...virtual networks... Aryan Nation gone + digital +2.13.5. "How quickly could something like crypto anarchy come?" + - Parts of it are happening already, though the changes in + the world are not something I take any credit for. Rather, + there are ongoing changes in the role of nations, of power, + and of the ability to coerce behaviors. When people can + drop out of systems they don't like, can move to different + legal or tax jurisdictions, then things change. + + But a phase change could occur quickly, just as the Berlin + Wall was impregnable one day, and down the next. + - "Public anger grows quietly and explodes suddenly. T.C. + May's "phase change" may be closer than we think. Nobody + in Russia in 1985 really thought the country would fall + apart in 6 years." [Mike Ingle, 1994-01-01] +2.13.6. "Could strong crypto be used for sick and disgusting and + dangerous purposes?" + - Of course. So can locked doors, but we don't insist on an + "open door policy" (outside of certain quaint sorority and + rooming houses!) So do many forms of privacy allow + plotters, molestors, racists, etc. to meet and plot. + - Crypto is in use by the Aryan Nation, by both pro- and anti- + abortion groups, and probably by other kinds of terrorists. + Expect more uses in the future, as things like PGP continue + to spread. + - Many of us are explicity anti-democratic, and hope to use + encryption to undermine the so-called democratic + governments of the world +2.13.7. "What is the Dining Cryptographers Problem, and why is it so + important?" + + This is dealt with in the main section, but here's David + Chaum's Abstract, from his 1988 paper" + - Abstract: "Keeping confidential who sends which messages, + in a world where any physical transmission can be traced + to its origin, seems impossible. The solution presented + here is unconditionally or cryptographically secure, + depending on whether it is based on one-time-use keys or + on public keys. respectively. It can be adapted to + address efficiently a wide variety of practical + considerations." ["The Dining Cryptographers Problem: + Unconditional Sender and Recipient Untraceability," David + Chaum, Journal of Cryptology, I, 1, 1988.] + - + - DC-nets have yet to be implemented, so far as I know, but + they represent a "purer" version of the physical remailers + we are all so familiar with now. Someday they'll have have + a major impact. (I'm a bigger fan of this work than many + seem to be, as there is little discussion in sci.crypt and + the like.) +2.13.8. "Why won't government simply ban such encryption methods?" + + This has always been the Number One Issue! + - raised by Stiegler, Drexler, Salin, and several others + (and in fact raised by some as an objection to my even + discussing these issues, namely, that action may then be + taken to head off the world I describe) + + Types of Bans on Encryption and Secrecy + - Ban on Private Use of Encryption + - Ban on Store-and-Forward Nodes + - Ban on Tokens and ZKIPS Authentication + - Requirement for public disclosure of all transactions + + Recent news (3-6-92, same day as Michaelangelo and + Lawnmower Man) that government is proposing a surcharge + on telcos and long distance services to pay for new + equipment needed to tap phones! + - S.266 and related bills + - this was argued in terms of stopping drug dealers and + other criminals + - but how does the government intend to deal with the + various forms fo end-user encryption or "confusion" + (the confusion that will come from compression, + packetizing, simple file encryption, etc.) + + Types of Arguments Against Such Bans + - The "Constitutional Rights" Arguments + + The "It's Too Late" Arguments + - PCs are already widely scattered, running dozens of + compression and encryption programs...it is far too + late to insist on "in the clear" broadcasts, whatever + those may be (is program code distinguishable from + encrypted messages? No.) + - encrypted faxes, modem scramblers (albeit with some + restrictions) + - wireless LANs, packets, radio, IR, compressed text and + images, etc....all will defeat any efforts short of + police state intervention (which may still happen) + + The "Feud Within the NSA" Arguments + - COMSEC vs. PROD + + Will affect the privacy rights of corporations + - and there is much evidence that corporations are in + fact being spied upon, by foreign governments, by the + NSA, etc. + + They Will Try to Ban Such Encryption Techniques + + Stings (perhaps using viruses and logic bombs) + - or "barium," to trace the code + + Legal liability for companies that allow employees to use + such methods + - perhaps even in their own time, via the assumption that + employees who use illegal software methods in their own + time are perhaps couriers or agents for their + corporations (a tenuous point) +2.13.9. "Could anonymous markets facilitate repugnant services, such + as killings for hire?" + - Yes, though there are some things which will help lessen + the full impact. + - To make this brutally concrete, here's how escrow makes + murder contracts much safer than they are today to + negotiate. Instead of one party being caught in an FBI + sting, as is so often the case when amateurs try to arrange + hits, they can use an escrow service to insulate themselves + from: + + 1. From being traced, because the exchanges are handled via + pseudonyms + + 2. From the killer taking the money and then not performing + the hit, because the escrow agent holds the money until the + murder is verified (according to some prototocol, such a + newspaper report...again, an area for more work, + thankfully). + + 3. From being arrested when the money is picked up, as this + is all done via digital cash. + + There are some ways to reduce the popularity of this + Murder, Incorporated system. (Things I've been thinking + about for about 6 years, and which we discussed on the + Cypherpunks list and on the Extropians list.) + +2.14. Miscellaneous +2.14.1. "Why can't people just agree on an approach?" + - "Why can't everyone just support my proposal?" + - "I've proposed a new cipher, but nobody's interested...you + Cypherpunks just never _do_ anything!" + - This is one of the most consistently divisive issues on the + list. Often a person will become enamored of some approach, + will write posts exhorting others to become similarly + enamored, urging others to "do something!," and will then, + when no interest is evidenced, become irate. To be more + concrete, this happens most often with various and sundry + proposals for "digital money." A close second is for + various types of "Cypherpunks activism," with proposals + that we get together and collect a few million dollars to + run Ross Perot-type advertisements urging people to use + PGP, with calls for a "Cypherpunks radio show," and so on. + (Nothing wrong with people doing these things, I suppose. + The problem lies in the exhortation of _others_ to do these + things.) + - This collective action is always hard to achieve, and + rightly so, in my opinion. Emergent behavior is more + natural, and more efficient. And hence better. + + the nature of markets, agents, different agendas and goals + - real standards and markets evolve + - sometimes because of a compelling exemplar (the Walkman, + PGP), sometimes because of hard work by standards + committees (NTSC, electric sockets, etc.) + - but almost never by simple appeals to correctness or + ideological rightness +2.14.2. "What are some of the practical limits on the deployment of + crypto, especially things like digital cash and remailers?" + + Lack of reliable services + - Nodes go down, students go home for the summer, downtime + for various reasons + - Lack of robustness +2.14.3. "Is crypto dominated by mistrust? I get the impression that + everything is predicated on mutual mistrust." + - We lock our doors...does this mean we are lacking in trust? + No, it means we understand there are _some_ out there who + will exploit unlocked doors. Ditto for the crypto world. + - "Trust, but verify," as Ronald Reagan used to say. Mutual + mistrust can actually make for a more trustworthy + environment, paradoxical as that may sound. "Even paranoids + have enemies." + - The danger in a trusting environment that lacks other + mechanisms is that "predators" or "defectors" (in game- + theoretic terms) can exploit this trusting environment. + Confidence games, scams, renegging on deals, and even + outright theft. + - Crypto offers the opportunity for "mutually suspicious + agents" to interact without explicit "trust." +2.14.4. "Who is Detweiler?" + + S. Boxx, an12070, ldxxyyy, Pablo Escobar, Hitler, Linda + Lollipop, Clew Lance Simpleton, tmp@netcom.com, Jim + Riverman + - often with my sig block, or variants of it, attached + - even my phone number + - he lost his ColoState account for such tactics... + - electrocrisy + - cypherwonks +2.14.5. "Who is Sternlight?" + - A retired policy analyst who is often contentious in Usenet + groups and supportive of government policies on crypto + policy. Not nearly as bad as Detweiler. + +2.15. More Information and References +2.15.1. "Where can I find more information?" + - Well, this is a start. Also, lots of other FAQs and Mosaic + home pages (URLs) exist, encompassing a vast amount of + knowledge. + - As long as this FAQ is, it can only scratch the surface on + many topics. (I'm especially amused when someone says + they've looked for a FAQ on some obscure topic. No FAQ is + likely to answer all questions, especially obcure ones.) + - Many articles and papers are available at the + ftp.csua.berkeley.edu + site, in pub/cypherpunks. Look around there. The 1981 Chaum + paper on untraceabel e-mail is not (too many equations for + easy scanning), but the 1988 paper on Dining Cryptographers + Nets is. (I laboriously scanned it and OCRed it, back when + I used to have the energy to do such thankless tasks.) + + Some basic sources: + + Sci.crypt FAQ, published regularly, Also available by + anonymous ftp at rtfm.mit.edu. And in various URLs, + including: + - URLs for sci.crypt FAQ: xxxxxx + - RSA Data Security Inc. FAQ + - Bruce Schneier's "Applied Cryptography" book, 1993. Every + reader of this list should get this book! + - The "online generation" tends to want all material online, + I know, but most of the good stuff is to be found in paper + form, in journals and books. This is likely to be the case + for many years to come, given the limitation of ASCII, the + lack of widespread standards (yes, I know about LaTex, + etc.), and the academic prestige associated with bound + journals and books. Fortunately, you can _all_ find + universit libraries within driving range. Take my advice: + if you do not spend at least an entire Saturday immersing + yourself in the crypto literature in the math section of a + large library, perusing the "Proceeedings of the Crypto + Conference" volumes, scanning the textbooks, then you have + a poor foundation for doing any crypto work. +2.15.2. "Things are changing quickly. Not all of the addresses and + URLs given here are valid. And the software versions... How + do I get the latest information?" + - Yes, things are changing quickly. This document can't + possibly keep up with the rapid changes (nor can its + author!). + - Reading the various newsgroups is, as always, the best way + to hear what's happening on a day to day basis. Web pages, + gopher, archie, veronica, etc. should show the latest + versions of popular software packages. +2.15.3. "FUQs: "Frequently Unanswered Questions"?" + - (more to be added) + - With 700 or more people on the Cypherpunks list (as of 94- + 09), it is inevitable that some FAQs will go unanswered + when newbies (or others) ask them. Sometimes the FUQs are + ignored because they're so stale, other times because to + answer them is to continue and unfruitful thread. + + "P = NP?" + - Steve Smale has called this the most important new + unsolved problem of the past half-century. + - If P were (unexpectedly) proved to be NP + + Is RSA and factoring in NP? + - not yet proved + - factoring might be easier + - and RSA might be easier than factoring in general (e.g., + chosen- and known-plaintext may provide clues) + - "Will encryption be outlawed? What will happen?" + + "Is David Sternlight an NSA agent?" + - Seriously, David S. is probably what he claims: a retired + economist who was once very senior in government and + corporate policy circles. I have no reason to doubt him. + - He has views at odds with most of us, and a baiting style + of expressing his views, but this does not mean he is a + government agent as so many people claim. + - Not in the same class as Detweiler. + +3. Cypherpunks -- History, Organization, Agenda + +3.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +3.2. SUMMARY: Cypherpunks -- History, Organization, Agenda + 3.2.1. Main Points + - Cypherpunks formed in September, 1992 + - formed at an opportune time, with PGP 2.0, Clipper, etc. + hitting + - early successes: Cypherpunks remailers, publicity + 3.2.2. Connections to Other Sections + 3.2.3. Where to Find Additional Information + - "Wired," issue 1.2, had a cover story on Cypherpunks. + - "Whole Earth Review," Summer 1993, had a long article on + crypto and Cypherpunks (included in the book "Out of + Control," by Kevin Kelly. + - "Village Voice," August 6th (?). 1993, had cover story on + "Crypto Rebels" (also reprinted in local weeklies) + - and numerous articles in various magazines + 3.2.4. Miscellaneous Comments + - the best way to get a feel for the List is to simply read + it for a while; a few months should do. + +3.3. The Cypherpunks Group and List + 3.3.1. What is it? + + Formal Rules, Charter, etc.? + - no formal rules or charter + - no agreed-upon mission + 3.3.2. "Who are the Cypherpunks?" + - A mix of about 500-700 + + Can find out who by sending message to majordomo@toad.com + with the message body text "who cypherpunks" (no quotes, of + course). + - Is this a privacy flaw? Maybe. + - Lots of students (they have the time, the Internet + accounts). Lots of computer science/programming folks. Lots + of libertarians. + - quote from Wired article, and from "Whole Earth Review" + 3.3.3. "How did the Cypherpunks group get started?" + + History? + - Discussions between Eric Hughes and me, led to Eric's + decision to host a gathering + + First meeting was, by coincidence, the same week that PGP + 2.0 was released...we all got copies that day + - morning session on basics + - sitting on the floor + + afternoon we played the "Crypto Game" + - remailers, digital money, information for sale, etc. + - John Gilmore offered his site to host a mailing list, and + his company's offices to hold monthly meetings + - The mailing list began almost immediately + - The Name "Cypherpunks"? + 3.3.4. "Should I join the Cypherpunks mailing list?" + - If you are reading this, of course, you are most likely on + the Cypherpunks list already and this point is moot--you + may instead be asking if you should_leave_ the List! + - Only if you are prepared to handle 30-60 messages a day, + with volumes fluctuating wildly + 3.3.5. "How can I join the Cypherpunk mailing list?" + - send message to "majordomo@toad.com" with a _body_ text of + "subscribe cypherpunks" (no quote marks in either, of + course). + 3.3.6. "Membership?" + - about 500-700 at any given time + - many folks join, are overwhelmed, and quit + - other groups: Austin, Colorado, Boston, U.K. + 3.3.7. "Why are there so many libertarians on the Cypherpunks list?" + + The same question is often asked about the Net in general. + Lots of suggested reasons: + - A list like Cypherpunks is going to have privacy and + freedom advocates. Not all privacy advocates are + libertarians (e.g., they may want laws restricting data + collection), but many are. And libertarians naturally + gravitate to causes like ours. + - Net grew anarchically, with little control. This appeals + to free-wheeling types, used to making their own choices + and building their own worlds. + - Libertarians are skeptical of central control structures, + as are most computer programming types. They are + skeptical that a centrally-run control system can + coordinate the needs and desires of people. (They are of + course more than just "skeptical" about this.) + - In any case, there's not much of a coherent "opposition + camp" to the anarcho-capitalist, libertarian ideology. + Forgive me for saying this, my non-libertarian friends on + the list, but most non-libertarian ideologies I've seen + expressed on the list have been fragmentary, isolated, and + not coherent...comments about "how do we take care of the + poor?" and Christian fundamentalism, for example. If there + is a coherent alternative to a basically libertarian + viewpoint, we haven't seen it on the list. + - (Of course, some might say that the libertarians outshout + the alternatives...I don't think this is really so.) + 3.3.8. "How did the mailing list get started?" + - Hugh Daniel, Eric Hughes, and I discussed this the day + after the first meeting + - mailing list brought together diverse interests + - How to hoin? + 3.3.9. "How did Cypherpunks get so much early publicity?" + - started at the right time, just as PGP was gaining + popularity, as plans for key escrow were being laid (I + sounded an alarm in October, 1992, six months before the + Clipper announcement), and just as "Wired" was preparing + its first issue + - Kevin Kelly and Steven Levy attended some of our early + meetings, setting the stage for very favorable major + stories in "Wired" (issue 1.2, the cover story), and "Whole + Earth Review" (Summer, 1993) + - a niche for a "renegade" and "monkey-wrenching" group, with + less of a Washington focus + - publicity in "Wired," "The Whole Earth Review," "The + Village Voice" + + Clipper bombshell occupied much of our time, with some + effect on policy + - climate of repudiation + - links to EFF, CPSR, etc. +3.3.10. "Why the name?" + - Jude Milhon nicknames us + - cypherpunkts? (by analogy with Mikropunkts, microdots) +3.3.11. "What were the early meetings like?" + - cypherspiel, Crypto Anarchy Game +3.3.12. "Where are places that I can meet other Cypherpunks?" + - physical meetings + - start your own...pizza place, classroom + + other organizations + - + + "These kind of meetings (DC 2600 meeting at Pentagon City + Mall, 1st Fri. of + - every month in the food court, about 5-7pm or so) might + be good places for + - local cypherpunks gatherings as well. I'm sure there + are a lot of other + - such meetings, but the DC and Baltimore ones are the + ones I know of. + - (note that the DC area already meets...) + - Hackers, raves + - regional meetings +3.3.13. "Is the Cypherpunks list monitored? Has it been infiltrated?" + - Unknown. It wouldn't be hard for anyone to be monitoring + the list. + - As to infiltration, no evidence for this. No suspicious + folks showing up at the physical meetings, at least so far + as I can see. (Not a very reliable indication.) +3.3.14. "Why isn't there a recruiting program to increase the number + of Cypherpunks?" + - Good question. The mailing list reached about 500 + subscribers a year or so ago and has remained relatively + constant since then; many subscribers learned of the list + and its address in the various articles that appeared. + - Informal organizations often level out in membership + because no staff exists to publicize, recruit, etc. And + size is limited because a larger group loses focus. So, + some stasis is achieved. For us, it may be at the 400-700 + level. It seems unlikely that list membership would ever + get into the tens of thousands. +3.3.15. "Why have there been few real achievements in crypto + recently?" + + Despite the crush of crypto releases--the WinPGPs, + SecureDrives, and dozen other such programs--the fact is + that most of these are straightforward variants on what I + think have been the two major product classes to be + introduced in the last several years" + - PGP, and variants. + - Remailers, and variants. + - These two main classes account for about 98% of all product- + or version-oriented debate on the Net, epitomized by the + zillions of "Where can I find PGP2.6ui for the Amiga?" + sorts of posts. + + Why is this so? Why have these dominated? What else is + needed? + + First, PGP gave an incredible impetus to the whole issue + of public use of crypto. It brought crypto to the masses, + or at least to the Net-aware masses. Second, the nearly + simultaneous appearance of remailers (the Kleinpaste/Julf- + style and the Cypherpunks "mix"-style) fit in well with + the sudden awareness about PGP and crypto issues. And + other simultaneous factors appeared: + - the appearance of "Wired" and its spectacular success, + in early 1993 + - the Clipper chip firestorm, beginning in April 1993 + - the Cypherpunks group got rolling in late 1992, + reaching public visibility in several articles in 1993. + (By the end of '93, we seemed to be a noun, as Bucky + might've said.) + + But why so little progress in other important areas? + - digital money, despite at least a dozen reported + projects, programs (only a few of which are really + anything like Chaum's "digital cash") + - data havens, information markets, etc. + - money-laundering schemes, etc. + + What could change this? + - Mosaic, WWW, Web + - A successful digital cash effort + +3.4. Beliefs, Goals, Agenda + 3.4.1. "Is there a set of beliefs that most Cypherpunks support?" + + There is nothing official (not much is), but there is an + emergent, coherent set of beliefs which most list members + seem to hold: + * that the government should not be able to snoop into our + affairs + * that protection of conversations and exchanges is a basic + right + * that these rights may need to be secured through + _technology_ rather than through law + * that the power of technology often creates new political + realities (hence the list mantra: "Cypherpunks write + code") + + Range of Beliefs + - Many are libertarian, most support rights of privacy, + some are more radical in apppoach + 3.4.2. "What are Cypherpunks interested in?" + - privacy + - technology + - encryition + - politics + - crypto anarchy + - digital money + - protocols + 3.4.3. Personal Privacy and Collapse of Governments + - There seem to be two main reasons people are drawn to + Cypherpunks, besides the general attractiveness of a "cool" + group such as ours. The first reason is _personal privacy_. + That is, tools for ensuring privacy, protection from a + surveillance society, and individual choice. This reason is + widely popular, but is not always compelling (after all, + why worry about personal privacy and then join a list that + has been identified as a "subversive" group by the Feds? + Something to think about.) + - The second major is personal liberty through reducing the + power of governments to coerce and tax. Sort of a digital + Galt's Gulch, as it were. Libertarians and + anarchocapitalists are especially drawn to this vision, a + vision which may bother conventional liberals (when they + realize strong crypto means things counter to welfare, + AFDC, antidiscrimination laws....). + - This second view is more controversial, but is, in my + opinion, what really powers the list. While others may + phrase it differently, most of us realize we are on to + something that will change--and already is changing--the + nature of the balance of power between individuals and + larger entities. + 3.4.4. Why is Cypherpunks called an "anarchy"? + - Anarchy means "without a leader" (head). Much more common + than people may think. + - The association with bomb-throwing "anarchists" is + misleading. + 3.4.5. Why is there no formal agenda, organization, etc.? + - no voting, no organization to administer such things + - "if it ain't broke, don't fix it" + - and it's how it all got started and evolved + - also, nobody to arrest and hassle, no nonsense about + filling out forms and getting tax exemptions, no laws about + campaign law violations (if we were a formal group and + lobbied against Senator Foo, could be hit with the law + limiting "special interests," conceivably) + 3.4.6. How are projects proposed and completed? + - If an anarchy, how do things get done? + - The way most things get done: individual actions and market + decisions. + 3.4.7. Future Needs for Cyberspace + + Mark Pesci's ideas for VR and simulations + - distributed, high bandwidth + - a billion users + - spatial ideas....coordinates...servers...holographic + models + - WWW plus rendering engine = spatial VR (Library of + Congress) + - "The Labyrinth" + + says to avoid head-mounted displays and gloves (bad for + you) + + instead, "perceptual cybernetics". + - phi--fecks--psi (phi is external world,Fx = fects are + effectuators and sensors, psi is your internal state) + 3.4.8. Privacy, Credentials without identity + 3.4.9. "Cypherpunks write code" + - "Cypherpunks break the laws they don't like" + - "Don't get mad, get even. Write code." +3.4.10. Digital Free Markets + + strong crypto changes the nature and visibility of many + economic transactionst, making it very difficult for + governments to interfere or even to enforce laws, + contracts, etc. + - thus, changes in the nature of contract enforcement + + (Evidence that this is not hopeless can be found in + several places: + - criminal markets, where governments obviously cannot be + used + - international markets, a la "Law Merchant" + - "uttering a check" + - shopping malls in cyberspace...no identifiable national or + regional jurisdiction...overlapping many borders... + + caveat emptor (though rating agencies, and other filter + agents, may be used by wary customers....ironically, + reputation will matter even more than it now does) + - no ability to repudiate a sale, to be an Indian giver + - in all kinds of information.... +3.4.11. The Role of Money + - in monetarizing transactions, access, remailers---digital + postage +3.4.12. Reductions on taxation + - offshore entities already exempt + - tax havens + - cyberspace localization is problematic +3.4.13. Transnationalism + - rules of nations are ignored +3.4.14. Data Havens + - credit, medical, legal, renter, etc. +3.4.15. MOOs, MUDs, SVRs, Habitat cyberspaces + - "True Names" and "Snow Crash" + - What are + + Habitat....Chip and Randy + - Lucasfilm, Fujitsu + - started as game environment... + - many-user environments + - communications bandwidth is a scarce resource + - object-oriented data representation + + implementation platform unimportant...range of + capabilities + - pure text to Real ity Engines + - never got as far as fully populating the reality + - "detailed central planning is impossible; don't even try" + - 2-D grammar for layouts + + "can't trust anyone" + - someone disassembled the code and found a way to make + themselves invisible + - ways to break the system (extra money) + + future improvements + - multimedia objects, customizable objects, local turfs, + mulitple interfaces + - "Global Cyberspace Infrastructure" (Fujitsu, FINE) + + more bandwidth means more things can be done + - B-ISDN will allow video on demand, VR, etc. + - protocol specs, Joule (secure concurrent operating + system) + - intereaction spaces, topological (not spatial) + + Xerox, Pavel Curtis + + LambdaMOO + - 1200 different users per day, 200 at a time, 5000 total + users + - "social virtual realities"--virtual communities + - how emergent properties emerge + - pseudo-spatial + - rooms, audio, video, multiple screens + - policing, wizards, mediation + - effective telecommuting + - need the richness of real world markets...people can sell + to others + + Is there a set of rules or basic ideas which can form the + basis of a powerfully replicable system? + - this would allow franchises to be disctrubed around the + world + - networks of servers? distinction between server and + client fades... + - money, commercialization? + - Joule language +3.4.16. "Is personal privacy the main interest of Cypherpunks?" + - Ensuring the _right_ and the _technological feasibility_ is + more of the focus. This often comes up in two contexts: + - 1. Charges of hypocrisy because people either use + pseudonyms or, paradoxically, that they _don't_ use + pseudonyms, digital signatures +3.4.17. "Shouldn't crypto be regulated?" + - Many people make comparisons to the regulation of + automobiles, of the radio spectrum, and even of guns. The + comparison of crypto to guns is especially easy to make, + and especially dangerous. + - + + A better comparison is "use of crypto = right to speak as + you wish." + - That is, we cannot demand that people speak in a language + or form that is easily understandable by eavesdroppers, + wiretappers, and spies. + + If I choose to speak to my friends in Latvian, or in + Elihiuish, or in + - triple DES, that's my business. (Times of true war, as + in World War + - II, may be slightly different. As a libertarian, I'm + not advocating + - that, but I understand the idea that in times of war + speaking in code + + is suspect. We are not in a time of war, and haven't + been.) + - + - Should we have "speech permits"? After all, isn't the + regulation of + + speech consistent with the regulation of automobiles? + - + - I did a satirical essay along these lines a while back. + I won't + - included it here, though. (My speech permit for satire + expired and I + + haven't had time to get it renewed.) + - + - In closing, the whole comparison of cryptography to + armaments is + - misleading. Speaking or writing in forms not readily + understandable to + - your enemies, your neighbors, your spouse, the cops, or + your local + - eavesdropper is as old as humanity. +3.4.18. Emphasize the "voluntary" nature of crypto + + those that don't want privacy, can choose not to use crypto + - just as they can take the locks of their doors, install + wiretaps on their phones, remove their curtains so as not + to interfere with peeping toms and police surveillance + teams, etc. + - as PRZ puts it, they can write all their letters on + postcards, because they have "nothing to hide" + - what we want to make sure doesn't happen is _others_ + insisting that we cannot use crypto to maintain our own + privacy + + "But what if criminals have access to crypto and can keep + secrets?" + - this comes up over and over again + - does this mean locks should not exist, or.....? +3.4.19. "Are most Cypherpunks anarchists?" + - Many are, but probably not most. The term "anarchy" is + often misunderstood. + - As Perry Metzger puts it "Now, it happpens that I am an + anarchist, but that isn't what most people associated with + the term "cypherpunk" believe in, and it isn't fair to + paint them that way -- hell, many people on this mailing + list are overtly hostile to anarchism." [P.M., 1994-07-01] + - comments of Sherry Mayo, others + - But the libertarian streak is undeniably strong. And + libertarians who think about the failure of politics and + the implications of cryptgraphy generally come to the + anarcho-capitalist or crypto-anarchist point of view. + - In any case, the "other side" has not been very vocal in + espousing a consistent ideology that combines strong crypto + and things like welfare, entitlements, and high tax rates. + (I am not condemning them. Most of my leftist friends turn + out to believe in roughly the same things I believe + in...they just attach different labels and have negative + reactions to words like "capitalist.") +3.4.20. "Why is there so much ranting on the list?" + - Arguments go on and on, points get made dozens of times, + flaming escalates. This has gotten to be more of a problem + in recent months. (Not counting the spikes when Detweiler + was around.) + + Several reasons: + + the arguments are often matters of opinion, not fact, and + hence people just keep repeating their arguments + - made worse by the fact that many people are too lazy to + do off-line reading, to learn about what they are + expressing an opinion on + - since nothing ever gets resolved, decided, vote upon, + etc., the debates continue + - since anyone is free to speak up at any time, some people + will keep making the same points over and over again, + hoping to win through repetition (I guess) + + since people usually don't personally know the other + members of the list, this promotes ranting (I've noticed + that the people who know each other, such as the Bay Area + folks, tend not to be as rude to each other...any + sociologist or psychologist would know why this is so + immediately). + + the worst ranters tend to be the people who are most + isolated from the other members of the list community; + this is generally a well-known phenomenon of the Net + - and is yet more reason for regional Cypherpunks + groups to occasionally meet, to at least make some + social and conversational connections with folks in + their region. + - on the other hand, rudeness is often warranted; people + who assault me and otherwise plan to deprive me of my + property of deserving of death, not just insults [Don't + be worried, there are only a handful of people on this + list I would be happy to see dead, and on none of them + would I expend the $5000 it might take to buy a contract. + Of course, rates could drop.] +3.4.21. The "rejectionist" stance so many Cypherpunks have + - that compromise rarely helps when very basic issues are + involved + - the experience with the NRA trying compromise, only to find + ever-more-repressive laws passed + - the debacle with the EFF and their "EFF Digital Telephony + Bill" ("We couldn't have put this bill together without + your help") shows the corruption of power; I'm ashamed to + have ever been a member of the EFF, and will of course not + be renewing my membership. + - I have jokingly suggested we need a "Popular Front for the + Liberation of Crypto," by analogy with the PFLP. +3.4.22. "Is the Cypherpunks group an illegal or seditious + organization?" + - Well, there are those "Cypherpunk Criminal" t-shirts a lot + of us have... + - Depends on what country you're in. + - Probably in a couple of dozen countries, membership would + be frowned on + - the material may be illegal in other countries + - and many of us advocate things like using strong crypto to + avoid and evade tzxes, to bypass laws we dislike, etc. + +3.5. Self-organizing Nature of Cypherpunks + 3.5.1. Contrary to what people sometimes claim, there is no ruling + clique of Cypherpunks. Anybody is free to do nearly anything, + just not free to commit others to course of action, or + control the machine resources the list now runs on, or claim + to speak for the "Cypherpunks" as a group (and this last + point is unenforceable except through reptutation and social + repercussions). + 3.5.2. Another reason to be glad there is no formal Cypherpunks + structure, ruling body, etc., is that there is then no direct + target for lawsuits, ITAR vioalation charges, defamation or + copyright infringement claims, etc. + +3.6. Mechanics of the List + 3.6.1. Archives of the Cyperpunks List + - Karl Barrus has a selection of posts at the site + chaos.bsu.edu, available via + gopher. Look in the "Cypherpunks gopher site" directory. + 3.6.2. "Why isn't the list sent out in encrypted form?" + - Too much hassle, no additional security, would only make + people jump through extra hoops (which might be useful, but + probably not worth the extra hassle and ill feelings). + - "We did this about 8 years ago at E&S using DEC VMS NOTES. + We used a plain vanilla secret key algorithm and a key + shared by all legitimate members of the group. We could do + it today -- but why bother? If you have a key that + widespread, it's effectively certain that a "wrong person" + (however you define him/her) will have a copy of the key." + [Carl Ellison, Encrypted BBS?, 1993-08-02] + 3.6.3. "Why isn't the list moderated?" + - This usually comes up during severe flaming episodes, + notably when Detweiler is on the list in one of his various + personnas. Recently, it has not come up, as things have + been relatively quiet. + + Moderation will *not* happen + - nobody has the time it takes + - nobody wants the onus + + hardly consistent with many of our anarchist leanings, is + it? + - (Technically, moderation can be viewed as "my house, my + rules, and hence OK, but I think you get my point.) + - "No, please let's not become a 'moderated' newsgroup. This + would be the end of freedom! This is similar to giving the + police more powers because crime is up. While it is a + tactic to fight off the invaders, a better tactic is + knowledge." [RWGreene@vnet.net, alt.gathering.rainbow, 1994- + 07-06]" + 3.6.4. "Why isn't the list split into smaller lists?" + - What do you call the list outages? + + Seriously, several proposals to split the list into pieces + have resulted in not much + - a hardware group...never seen again, that I know of + - a "moderated cryptography" group, ditto + - a DC-Net group...ditto + - several regional groups and meeting planning groups, + which are apparently moribund + - a "Dig Lib" group...ditto + - use Rishab's comment: + + Reasons are clear: one large group is more successful in + traffic than smaller, low-volume groups...out of sight, + out of mind + - and topics change anyway, so the need for a + "steganography" mailing list (argued vehemently for by + one person, not Romana M., by the way) fades away when + the debate shifts. And so on. + 3.6.5. Critical Addresses, Numbers, etc. + + Cypherpunks archives sites + - soda + - mirror sites + - ftp sites + - PGP locations + - Infobot at Wired + - majordomo@toad.com; "help" as message body + 3.6.6. "How did the Cypherpunk remailers appear so quickly?" + - remailers were the first big win...a weekend of Perl + hacking + +3.7. Publicity + 3.7.1. "What kind of press coverage have the Cypherpunks gotten?" + - " I concur with those who suggest that the solution to the + ignorance manifested in many of the articles concerning the + Net is education. The coverage of the Cypherpunks of late + (at least in the Times) shows me that reasonable accuracy + is possible." [Chris Walsh, news.admin.policy, 1994-07-04] + +3.8. Loose Ends + 3.8.1. On extending the scope of Cypherpunks to other countres + - a kind of crypto underground, to spread crypto tools, to + help sow discord, to undermine corrupt governments (to my + mind, all governments now on the planet are intrinsically + corrupt and need to be undermined) + - links to the criminal underworlds of these countries is one + gutsy thing to consider....fraught with dangers, but + ultimately destabilizing of governments + +4. Goals and Ideology -- Privacy, Freedom, New Approaches + +4.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +4.2. SUMMARY: Goals and Ideology -- Privacy, Freedom, New Approaches + 4.2.1. Main Points + 4.2.2. Connections to Other Sections + - Crypto Anarchy is the logical outgrowth of strong crypto. + 4.2.3. Where to Find Additional Information + - Vernor Vinge's "True Names" + - David Friedman's "Machinery of Freedom" + 4.2.4. Miscellaneous Comments + - Most of the list members are libertarians, or leaning in + that direction, so the bias toward this is apparent. + - (If there's a coherent _non_-libertarian ideology, that's + also consistent with supporting strong crypto, I'm not sure + it's been presented.) + +4.3. Why a Statement of Ideology? + 4.3.1. This is perhaps a controversial area. So why include it? The + main reason is to provide some grounding for the later + comments on many issues. + 4.3.2. People should not expect a uniform ideology on this list. + Some of us are anarcho-capitalist radicals (or "crypto + anarchists"), others of us are staid Republicans, and still + others are Wobblies and other assored leftists. + +4.4. "Welcome to Cypherpunks" + 4.4.1. This is the message each new subscriber to the Cypherpunks + lists gets, by Eric Hughes: + 4.4.2. "Cypherpunks assume privacy is a good thing and wish there + were more of it. Cypherpunks acknowledge that those who want + privacy must create it for themselves and not expect + governments, corporations, or other large, faceless + organizations to grant them privacy out of beneficence. + Cypherpunks know that people have been creating their own + privacy for centuries with whispers, envelopes, closed doors, + and couriers. Cypherpunks do not seek to prevent other + people from speaking about their experiences or their + opinions. + + "The most important means to the defense of privacy is + encryption. To encrypt is to indicate the desire for privacy. + But to encrypt with weak cryptography is to indicate not too + much desire for privacy. Cypherpunks hope that all people + desiring privacy will learn how best to defend it. + + "Cypherpunks are therefore devoted to cryptography. + Cypherpunks wish to learn about it, to teach it, to implement + it, and to make more of it. Cypherpunks know that + cryptographic protocols make social structures. Cypherpunks + know how to attack a system and how to defend it. + Cypherpunks know just how hard it is to make good + cryptosystems. + + "Cypherpunks love to practice. They love to play with public + key cryptography. They love to play with anonymous and + pseudonymous mail forwarding and delivery. They love to play + with DC-nets. They love to play with secure communications + of all kinds. + + "Cypherpunks write code. They know that someone has to write + code to defend privacy, and since it's their privacy, they're + going to write it. Cypherpunks publish their code so that + their fellow cypherpunks may practice and play with it. + Cypherpunks realize that security is not built in a day and + are patient with incremental progress. + + "Cypherpunks don't care if you don't like the software they + write. Cypherpunks know that software can't be destroyed. + Cypherpunks know that a widely dispersed system can't be shut + down. + + "Cypherpunks will make the networks safe for privacy." [Eric + Hughes, 1993-07-21 version] + +4.5. "Cypherpunks Write Code" + 4.5.1. "Cypherpunks write code" is almost our mantra. + 4.5.2. This has come to be a defining statement. Eric Hughes used it + to mean that Cypherpunks place more importance in actually + changing things, in actually getting working code out, than + in merely talking about how things "ought" to be. + - Eric Hughes statement needed here: + - Karl Kleinpaste, author of one of the early anonymous + posting services (Charcoal) said this about some proposal + made: "If you've got serious plans for how to implement + such a thing, please implement it at least skeletally and + deploy it. Proof by example, watching such a system in + action, is far better than pontification about it." + [Karl_Kleinpaste@cs.cmu.edu, news.admin.policy, 1994-06-30] + 4.5.3. "The admonition, "Cypherpunks write code," should be taken + metaphorically. I think "to write code" means to take + unilateral effective action as an individual. That may mean + writing actual code, but it could also mean dumpster diving + at Mycrotronx and anonymously releasing the recovered + information. It could also mean creating an offshore digital + bank. Don't get too literal on us here. What is important + is that Cypherpunks take personal responsibility for + empowering themselves against threats to privacy." [Sandy + Sandfort, 1994-07-08] + 4.5.4. A Cypherpunks outlook: taking the abstractions of academic + conferences and making them concrete + - One thing Eric Hughes and I discussed at length (for 3 days + of nearly nonstop talk, in May, 1992) was the glacial rate + of progress in converting the cryptographic primitive + operations of the academic crypto conferences into actual, + workable code. The basic RSA algorithm was by then barely + available, more than 15 years after invention. (This was + before PGP 2.0, and PGP 1.0 was barely available and was + disappointing, with RSA Data Security's various products in + limited niches.) All the neat stuff on digital cash, DC- + Nets, bit commitment, olivioius transfer, digital mixes, + and so on, was completely absent, in terms of avialable + code or "crypto ICs" (to borrow Brad Cox's phrase). If it + took 10-15 years for RSA to really appear in the real + world, how long would it take some of the exciting stuff to + get out? + - We thought it would be a neat idea to find ways to reify + these things, to get actual running code. As it happened, + PGP 2.0 appeared the week of our very first meeting, and + both the Kleinpaste/Julf and Cypherpunks remailers were + quick, if incomplete, implementations of David Chaum's 1981 + "digital mixes." (Right on schedule, 11 years later.) + - Sadly, most of the abstractions of cryptology remain + residents of academic space, with no (available) + implementations in the real world. (To be sure, I suspect + many people have cobbled-together versions of many of these + things, in C code, whatever. But their work is more like + building sand castles, to be lost when they graduate or + move on to other projects. This is of course not a problem + unique to cryptology.) + - Today, various toolkits and libraries are under + development. Henry Strickland (Strick) is working on a + toolkit based on John Ousterhout's "TCL" system (for Unix), + and of course RSADSI provides RSAREF. Pr0duct Cypher has + "PGP Tools." Other projects are underway. (My own longterm + interest here is in building objects which act as the + cryptography papers would have them act...building block + objects. For this, I'm looking at Smalltalk of some + flavor.) + - It is still the case that most of the modern crypto papers + discuss theoretical abstractions that are _not even close_ + to being implemented as reusable, robust objects or + routines. Closing the gap between theoretical papers and + practical realization is a major Cypherpunk emphasis. + 4.5.5. Prototypes, even if fatally flawed, allow for evolutionary + learning and improvement. Think of it as engineering in + action. + +4.6. Technological empowerment + 4.6.1. (more needed here....) + 4.6.2. As Sandy Sandfort notes, "The real point of Cypherpunks is + that it's better to use strong crypto than weak crypto or no + crypto at all. Our use of crypto doesn't have to be totally + bullet proof to be of value. Let *them* worry about the + technicalities while we make sure they have to work harder + and pay more for our encrypted info than they would if it + were in plaintext." [S.S. 1994-07-01] + +4.7. Free Speech Issues + 4.7.1. Speech + - "Public speech is not a series of public speeches, but + rather one's own + words spoken openly and without shame....I desire a society + where all may speak freely about whatever topic they will. + I desire that all people might be able to choose to whom + they wish to speak and to whom they do not wish to speak. + I desire a society where all people may have an assurance + that their words are directed only at those to whom they + wish. Therefore I oppose all efforts by governments to + eavesdrop and to become unwanted listeners." [Eric Hughes, + 1994-02-22] + - "The government has no right to restrict my use of + cryptography in any way. They may not forbid me to use + whatever ciphers I may like, nor may they require me to use + any that I do not like." [Eric Hughes, 1993-06-01] + 4.7.2. "Should there be _any_ limits whatsoever on a person's use of + cryptography?" + - No. Using the mathematics of cryptography is merely the + manipulation of symbols. No crime is involved, ipso facto. + - Also, as Eric Hughes has pointed out, this is another of + those questions where the normative "should" or "shouldn't" + invokes "the policeman inside." A better way to look at is + to see what steps people can take to make any question of + "should" this be allowed just moot. + - The "crimes" are actual physical acts like murder and + kidnapping. The fact that crypto may be used by plotters + and planners, thus making detection more difficult, is in + no way different from the possibility that plotters may + speak in an unusual language to each other (ciphers), or + meet in a private home (security), or speak in a soft voice + when in public (steganography). None of these things should + be illegal, and *none of them would be enforceable* except + in the most rigid of police states (and probably not even + there). + - "Crypto is thoughtcrime" is the effect of restricting + cryptography use. + 4.7.3. Democracy and censorship + - Does a community have the right to decide what newsgroups + or magazines it allows in its community? Does a nation have + the right to do the same? (Tennessee, Iraq, Iran, France. + Utah?) + - This is what bypasses with crypto are all about: taking + these majoritarian morality decisions out of the hands of + the bluenoses. Direct action to secure freedoms. + +4.8. Privacy Issues + 4.8.1. "Is there an agenda here beyond just ensuring privacy?" + - Definitely! I think I can safely say that for nearly all + political persuasions on the Cypherpunks list. Left, right, + libertarian, or anarchist, there's much more to to strong + crypto than simple privacy. Privacy qua privacy is fairly + uninteresting. If all one wants is privacy, one can simply + keep to one's self, stay off high-visibility lists like + this, and generally stay out of trouble. + - Many of us see strong crypto as the key enabling technology + for a new economic and social system, a system which will + develop as cyberspace becomes more important. A system + which dispenses with national boundaries, which is based on + voluntary (even if anonymous) free trade. At issue is the + end of governments as we know them today. (Look at + interactions on the Net--on this list, for example--and + you'll see many so-called nationalities, voluntary + interaction, and the almost complete absence of any "laws." + Aside from their being almost no rules per se for the + Cypherpunks list, there are essentially no national laws + that are invokable in any way. This is a fast-growing + trend.) + + Motivations for Cypherpunks + - Privacy. If maintaining privacy is the main goal, there's + not much more to say. Keep a low profile, protect data, + avoid giving out personal information, limit the number + of bank loans and credit applications, pay cash often, + etc. + - Privacy in activism. + + New Structures. Using cryptographic constructs to build + new political, economic, and even social structures. + - Political: Voting, polling, information access, + whistleblowing + - Economic: Free markets, information markets, increased + liquidity, black markets + - Social: Cyberspatial communities, True Names + - Publically inspectable algorithms always win out over + private, secret algorithms + 4.8.2. "What is the American attitude toward privacy and + encryption?" + + There are two distinct (and perhaps simultaneously held) + views that have long been found in the American psyche: + - "A man's home is his castle." "Mind your own business." + The frontier and Calvinist sprit of keeping one's + business to one's self. + - "What have you got to hide?" The nosiness of busybodies, + gossiping about what others are doing, and being + suspicious of those who try too hard to hide what they + are doing. + + The American attitude currently seems to favor privacy over + police powers, as evidenced by a Time-CNN poll: + - "In a Time/CNN poll of 1,000 Americans conducted last + week by Yankelovich Partners, two-thirds said it was more + important to protect the privacy of phone calls than to + preserve the ability of police to conduct wiretaps. When + informed about the Clipper Chip, 80% said they opposed + it." [Philip Elmer-Dewitt, "Who Should Keep the Keys," + _TIME_, 1994-03-04.] + - The answer given is clearly a function of how the question + is phrased. Ask folks if they favor "unbreakable + encryption" or "fortress capabilities" for terrorists, + pedophiles, and other malefactors, and they'll likely give + a quite different answer. It is this tack now being taken + by the Clipper folks. Watch out for this! + - Me, I have no doubts. + - As Perry Metzger puts it, "I find the recent disclosures + concerning U.S. Government testing of the effects of + radiation on unknowing human subjects to be yet more + evidence that you simply cannot trust the government with + your own personal safety. Some people, given positions of + power, will naturally abuse those positions, often even if + such abuse could cause severe injury or death. I see little + reason, therefore, to simply "trust" the U.S. government -- + and given that the U.S. government is about as good as they + get, its obvious that NO government deserves the blind + trust of its citizens. "Trust us, we will protect you" + rings quite hollow in the face of historical evidence. + Citizens must protect and preserve their own privacy -- the + government and its centralized cryptographic schemes + emphatically cannot be trusted." [P.M., 1994-01-01] + 4.8.3. "How is 1994 like 1984?" + - The television ad for Clipper: "Clipper--why 1994 _will_ be + like 1984" + + As Mike Ingle puts it: + - 1994: Wiretapping is privacy + Secrecy is openness + Obscurity is security + 4.8.4. "We anticipate that computer networks will play a more and + more important role in many parts of our lives. But this + increased computerization brings tremendous dangers for + infringing privacy. Cypherpunks seek to put into place + structures which will allow people to preserve their privacy + if they choose. No one will be forced to use pseudonyms or + post anonymously. But it should be a matter of choice how + much information a person chooses to reveal about himself + when he communicates. Right now, the nets don't give you + that much choice. We are trying to give this power to + people." [Hal Finney, 1993-02-23] + 4.8.5. "If cypherpunks contribute nothing else we can create a real + privacy advocacy group, advocating means of real self- + empowerment, from crypto to nom de guerre credit cards, + instead of advocating further invasions of our privacy as the + so-called privacy advocates are now doing!" [Jim Hart, 1994- + 09-08] + +4.9. Education Issues + 4.9.1. "How can we get more people to use crypto?" + - telling them about the themes of Cypherpunks + - surveillance, wiretapping, Digital Telephony, Clipper, NSA, + FinCEN, etc....these things tend to scare a lot of folks + - making PGP easier to use, better integration with mailers, + etc. + - (To be frank, convincing others to protect themselves is + not one of my highest priorities. Then why have I written + this megabyte-plus FAQ? Good question. Getting more users + is a general win, for obvious reasons.) + 4.9.2. "Who needs to encrypt?" + + Corporations + - competitors...fax transmissions + + foreign governments + - Chobetsu, GCHQ, SDECE, Mossad, KGB + + their own government + - NSA intercepts of plans, investments + + Activist Groups + - Aryan Nation needs to encrypt, as FBI has announced their + intent to infiltrate and subvert this group + - RU-486 networks + - Amnesty International + + Terrorists and Drug Dealers + - clearly are clueless at times (Pablo Escobar using a + cellphone!) + - Triads, Russian Mafia, many are becoming crypto-literate + - (I've been appoached-'nuff said) + + Doctors, lawyers, psychiatrists, etc. + - to preserve records against theft, snooping, casual + examination, etc. + - in many cases, a legal obligation has been attached to + this (notably, medical records) + - the curious situation that many people are essentially + _required_ to encrypt (no other way to ensure standards + are met) and yet various laws exists to limit + encryption...ITAR, Clipper, EES + - (Clipper is a partial answer, if unsatisfactory) + 4.9.3. "When should crypto be used?" + - It's an economic matter. Each person has to decide when to + use it, and how. Me, I dislike having to download messages + to my home machine before I can read them. Others use it + routinely. + +4.10. Libertarian Issues +4.10.1. A technological approach to freedom and privacy: + - "Freedom is, practically, given as much (or more) by the + tools we can build to protect it, as it is by our ability + to convince others who violently disagree with us not to + attack us. On the Internet we have tools like anon + remailers and PGP that give us a great deal of freedom + from coercion even in the midst of censors. Thus, these + tools piss off fans of centralized information control, the + defenders of the status quo, like nothing else on the + Internet." [ (Nobody), libtech- + l@netcom.com, 1994-06-08] + + Duncan Frissell, as usual, put it cogently: + - "If I withhold my capital from some country or enterprise + I am not threatening to kill anyone. When a "Democratic + State" decides to do something, it does so with armed + men. If you don't obey, they tend to shoot....[I]f + technological change enhances the powers of individuals, + their power is enhanced no matter what the government + does. + + "If the collective is weakened and the individual + strengthened by the fact that I have the power of cheap + guns, cars, computers, telecoms, and crypto then the + collective has been weakened and we should ease the + transition to a society based on voluntary rather than + coerced interaction. + + "Unless you can figure out a new, improved way of + controlling others; you have no choice." [D.F., Decline + and Fall, 1994-06-19] +4.10.2. "They that can give up essential liberty to obtain a little + temporary safety deserve neither liberty nor safety." + [Benjamin Franklin] +4.10.3. a typical view of government + - "As I see it, it's always a home for bullies masquerading + as a collective defense. Sometimes it actually it actually + has to perform its advertised defense function. Like naked + quarks, + purely defensive governments cannot exist. They are + bipolar by nature, with some poles (i.e., the bullying + part) being "more equal than others." [Sandy Sandfort, 1994- + 09-06] +4.10.4. Sadly, several of our speculative scenarios for various laws + have come to pass. Even several of my own, such as: + - "(Yet Another May Prediction Realized)...The text of a + "digital stalking bill" was just sent to Cyberia-l." [L. + Todd Masco, 1994-08-31] (This was a joking prediction I + made that "digital stalking" would soon be a crime; there + had been news articles about the horrors of such + cyberspatial stalkings, regardless of there being no real + physical threats, so this move is not all that surprising. + Not surprising in an age when free speech gets outlawed as + "assault speech.") +4.10.5. "Don't tread on me." +4.10.6. However, it's easy to get too negative on the situation, to + assume that a socialist state is right around the corner. Or + that a new Hitler will come to power. These are unlikely + developments, and not only because of strong crypto. + Financial markets are putting constraints on how fascist a + government can get...the international bond markets, for + example, will quickly react to signs like this. (This is the + theory, at least.) +4.10.7. Locality of reference, cash, TANSTAAFL, privacy + - closure, local computation, local benefits + - no accounting system needed + - markets clear + - market distortions like rationing, coupons, quotas, all + require centralized record-keeping + - anything that ties economic transactions to identity + (rationing, entitlements, insurance) implies identity- + tracking, credentials, etc. + + Nonlocality also dramatically increases the opportunities + for fraud, for scams and con jobs + - because something is being promised for future delivery + (the essence of many scams) and is not verifiable locally + - because "trust" is invoked + - Locality also fixes the "policeman inside" problem: the + costs of decisions are borne by the decider, not by others. + +4.11. Crypto Anarchy +4.11.1. The Crypto Anarchy Principle: Strong crypto permits + unbreakable encrypion, unforgeable signatures, untraceable + electronic messages, and unlinkable pseudonomous identities. + This ensures that some transactions and communications can be + entered into only voluntarily. External force, law, and + regulation cannot be applied. This is "anarchy," in the sense + of no outside rulers and laws. Voluntary arrangements, back- + stopped by voluntarily-arranged institutions like escrow + services, will be the only form of rule. This is "crypto + anarchy." +4.11.2. crypto allows a return to contracts that governments cannot + breach + - based on reputation, repeat business + - example: ordering illegal material untraceably and + anonymously,,,governments are powerless to do anything + - private spaces, with the privacy enforced via cryptographic + permissions (access credentials) + - escrows (bonds) +4.11.3. Technological solutions over legalistic regulations + + Marc Ringuette summarized things nicely: + - "What we're after is some "community standards" for + cyberspace, and what I'm suggesting is the fairly + libertarian standard that goes like this: + + " Prefer technological solutions and self-protection + solutions + over rule-making, where they are feasible. + + "This is based on the notion that the more rules there + are, the more people will call for the "net police" to + enforce them. If we can encourage community standards + which emphasize a prudent level of self-protection, then + we'll be able to make do with fewer rules and a less + intrusive level of policing."[Marc Ringuette, 1993-03-14] + + Hal Finney has made cogent arguments as to why we should + not become too complacent about the role of technology vis- + a-vis politics. He warns us not to grow to confident: + - "Fundamentally, I believe we will have the kind of + society that most people want. If we want freedom and + privacy, we must persuade others that these are worth + having. There are no shortcuts. Withdrawing into + technology is like pulling the blankets over your head. + It feels good for a while, until reality catches up. The + next Clipper or Digital Telephony proposal will provide a + rude awakening." [Hal Finney, POLI: Politics vs + Technology, 1994-01-02] + - "The idea here is that the ultimate solution to the low + signal-to-noise ratio on the nets is not a matter of + forcing people to "stand behind their words". People can + stand behind all kinds of idiotic ideas. Rather, there + will need to be developed better systems for filtering news + and mail, for developing "digital reputations" which can be + stamped on one's postings to pass through these smart + filters, and even applying these reputations to pseudonyms. + In such a system, the fact that someone is posting or + mailing pseudonymously is not a problem, since nuisance + posters won't be able to get through." [Hal Finney, 1993- + 02-23] +4.11.4. Reputations +4.11.5. I have a moral outlook that many will find unacceptable or + repugnant. To cut to the chase: I support the killing of + those who break contracts, who steal in serious enough ways, + and who otherwise commit what I think of as crimes. + + I don't mean this abstractly. Here's an example: + - Someone is carrying drugs. He knows what he's involved + in. He knows that theft is punishable by death. And yet + he steals some of the merchandise. + - Dealers understand that they cannot tolerate this, that + an example must be made, else all of their employees will + steal. + - Understand that I'm not talking about the state doing the + killing, nor would I do the killing. I'm just saying such + things are the natural enforcement mechanism for such + markets. Realpolitik. + - (A meta point: the drug laws makes things this way. + Legalize all drugs and the businesses would be more like + "ordinary" businesses.) + - In my highly personal opinion, many people, including most + Congressrodents, have committed crimes that earn them the + death penalty; I will not be sorry to see anonymous + assassination markets used to deal with them. +4.11.6. Increased espionage will help to destroy nation-state-empires + like the U.S., which has gotten far too bloated and far too + dependent on throwing its weight around; nuclear "terrorism" + may knock out a few cities, but this may be a small price to + pay to undermine totally the socialist welfare states that + have launched so many wars this century. + +4.12. Loose Ends +4.12.1. "Why take a "no compromise" stance?" + - Compromise often ends up in the death of a thousand cuts. + Better to just take a rejectionist stance. + - The National Rifle Association (NRA) learned this lesson + the hard way. EFF may eventually learn it; right now they + appear to be in the "coopted by the power center" mode, + luxuriating in their inside-the-Beltway access to the Veep, + their flights on Air Force One, and their general + schmoozing with the movers and shakers...getting along by + going along. + - Let's not compromise on basic issues. Treat censorship as a + problem to be routed around (as John Gilmore suggests), not + as something that needs to be compromised on. (This is + directed at rumblings about how the Net needs to "police + itself," by the "reasonable" censorship of offensive posts, + by the "moderation" of newsgroups, etc. What should concern + us is the accomodation of this view by well-meaning civil + liberties groups, which are apparently willing to play a + role in this "self-policing" system. No thanks.) + - (And since people often misunderstand this point, I'm not + saying private companies can't set whatever policies they + wish, that moderated newsgroups can't be formed, etc. + Private arrangements are just that. The issue is when + censorship is forced on those who have no other + obligations. Government usually does this, often aided and + abetted by corporations and lobbying groups. This is what + we need to fight. Fight by routing around, via technology.) +4.12.2. The inherent evils of democracy + - To be blunt about it, I've come to despise the modern + version of democracy we have. Every issue is framed in + terms of popular sentiment, in terms of how the public + would vote. Mob rule at its worst. + - Should people be allowed to wear blue jeans? Put it to a + vote. Can employers have a policy on blue jeans? Pass a + law. Should health care be provided to all? Put it to a + vote. And so on, whittling away basic freedoms and rights. + A travesty. The tyranny of the majority. + - De Toqueville warned of this when he said that the American + experiment in democracy would last only until citizens + discovered they could pick the pockets of their neighbors + at the ballot box. + - But maybe we can stop this nonsense. I support strong + crypto (and its eventual form, crypto anarchy) because it + undermines this form of democracy. It takes some (and + perhaps many) transactions out of the realm of popularity + contests, beyond the reach of will of the herd. (No, I am + not arguing there will be a complete phase change. As the + saying goes, "You can't eat cyberspace." But a lot of + consulting, technical work, programming, etc., can in fact + be done with crypto anarchic methods, with the money gained + transferred in a variety of ways into the "real world." + More on this elsewhere.) + + Crypto anarchy effectively allows people to pick and choose + which laws they support, at least in cyberspatial contexts. + It empowers people to break the local bonds of their + majoritarian normative systems and decide for themselves + which laws are moral and which are bullshit. + - I happen to have faith that most people will settle on a + relatively small number of laws that they'll (mostly) + support, a kind of Schelling point in legal space. +4.12.3. "Is the Cypherpunks agenda _too extreme_?" + - Bear in mind that most of the "Cypherpunks agenda," to the + extent we can identify it, is likely to provoke ordinary + citizens into _outrage_. Talk of anonymous mail, digital + money, money laundering, information markets, data havens, + undermining authority, transnationalism, and all the rest + (insert your favorite idea) is not exactly mainstream. +4.12.4. "Crypto Anarchy sounds too wild for me." + - I accept that many people will find the implications of + crypto anarchy (which follows in turn from the existence of + strong cryptography, via the Crypto Anarchy Principle) to + be more than they can accept. + - This is OK (not that you need my OK!). The house of + Cypherpunks has many rooms. + +5. Cryptology + +5.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +5.2. SUMMARY: Cryptology + 5.2.1. Main Points + - gaps still exist here...I treated this as fairly low + priority, given the wealth of material on cryptography + 5.2.2. Connections to Other Sections + - detailed crypto knowledge is not needed to understand many + of the implications, but it helps to know the basics (it + heads off many of the most wrong-headed interpretations) + - in particular, everyone should learn enough to at least + vaguely understand how "blinding" works + 5.2.3. Where to Find Additional Information + + a dozen or so major books + - Schneier, "Applied Cryptography"--is practically + "required reading" + - Denning + - Brassard + - Simmons + - Welsh, Dominic + - Salomaa + - "CRYPTO" Proceedings + - Other books I can take or leave + - many ftp sites, detailed in various places in this doc + - sci.crypt, alt.privacy.pgp, etc. + - sci.crypt.research is a new group, and is moderated, so it + should have some high-quality, technical posts + - FAQs on sci.crypt, from RSA, etc. + - Dave Banisar of EPIC (Electronic Privacy Information + Center) reports: "...we have several hundred files on + encryption available via ftp/wais/gopher/WWW from cpsr.org + /cpsr/privacy/crypto." [D.B., sci.crypt, 1994-06-30] + 5.2.4. Miscellaneous Comments + - details of algorithms would fill several books...and do + - hence, will not cover crypto in depth here (the main focus + of this doc is the implications of crypto, the + Cypherpunkian aspects, the things not covered in crypto + textbooks) + - beware of getting lost in the minutiae, in the details of + specific algorithms...try to keep in the mind the + _important_ aspects of any system + +5.3. What this FAQ Section Will Not Cover + 5.3.1. Why a section on crypto when so many other sources exist? + - A good question. I'll be keeping this section brief, as + many textbooks can afford to do a much better job here than + I can. + - not just for those who read number theory books with one + hand + 5.3.2. NOTE: This section may remain disorganized, at least as + compared to some of the later sections. Many excellent + sources on crypto exist, including readily available FAQs + (sci.crypt, RSADSI FAQ) and books. Schneier's books is + especially recommended, and should be on _every_ Cypherpunk's + bookshelf. + +5.4. Crypto Basics + 5.4.1. "What is cryptology?" + - we see crypto all around us...the keys in our pockets, the + signatures on our driver's licenses and other cards, the + photo IDs, the credit cards + + cryptography or cryptology, the science of secret + writing...but it's a lot more...consider I.D. cards, locks + on doors, combinations to safes, private + information...secrecy is all around us + - some say this is bad--the tension between "what have you + got to hide?" and "none of your business" + - some exotic stuff: digital money, voting systems, advanced + software protocols + - of importance to protecting privacy in a world of + localizers (a la Bob and Cherie), credit cards, tags on + cars, etc....the dossier society + + general comments on cryptography + - chain is only as strong as its weakest link + - assume opponnent knows everything except the secret key + - + - Crypto is about economics + + Codes and Ciphers + + Simple Codes + - Code Books + + Simple Ciphers + + Substitution Ciphers (A=C, B=D, etc.) + - Caesar Shift (blocks) + + Keyword Ciphers + + Vigenre (with Caesar) + + Rotor Machines + - Hagelin + - Enigma + - Early Computers (Turing, Colossus) + + Modern Ciphers + + 20th Century + + Private Key + + One-Time Pads (long strings of random numbers, + shared by both parties) + + not breakable even in principle, e.g., a one-time + pad with random characters selected by a truly + random process (die tosses, radioactive decay, + certain types of noise, etc.) + - and ignoring the "breakable by break-ins" + approach of stealing the one-time pad, etc. + ("Black bag cryptography") + - Computer Media (Floppies) + + CD-ROMs and DATs + - "CD ROM is a terrible medium for the OTP key + stream. First, you want exactly two copies of + the random stream. CD ROM has an economic + advantage only for large runs. Second, you want + to destroy the part of the stream already used. + CD ROM has no erase facilities, outside of + physical destruction of the entire disk." + [Bryan G. Olson, sci.crypt, 1994-08-31] + + DES--Data Encryption Standard + - Developed from IBM's Lucifer, supported by NSA + - a standard since 1970s + + But is it "Weak"? + + DES-busting hardware and software studied + + By 1990, still cracked + - But NSA/NIST has ordered a change + + Key Distribution Problem + + Communicating with 100 other people means + distributing and securing 100 keys + - and each of those 100 must keep their 100 keys + secure + - no possibility of widespread use + + Public Key + + 1970s: Diffie, Hellman, Merkle + + Two Keys: Private Key and Public Key + + Anybody can encrypt a message to Receiver with + Receiver's PUBLIC key, but only the Receiver's + PRIVATE key can decrypt the message + + Directories of public keys can be published + (solves the key distribution problem) + + Approaches + + One-Way Functions + - Knapsack (Merkle, Hellman) + + RSA (Rivest, Shamir, Adleman) + - relies on difficulty of factoring + large numbers (200 decimal digits) + - believed to be "NP-hard" + + patented and licensed to "carefully + selected" customers + - RSA, Fiat-Shamir, and other + algorithms are not freely usable + - search for alternatives continues + 5.4.2. "Why does anybody need crypto?" + + Why the Need + - electronic communications...cellular phones, fax + machines, ordinary phone calls are all easily + intercepted...by foreign governments, by the NSA, by + rival drug dealers, by casual amateurs + + transactions being traced....credit card receipts, + personal checks, I.D. cards presented at time of + purchase...allows cross-referencing, direct mail data + bases, even government raids on people who buy greenhouse + supplies! + - in a sense, encryption and digital money allows a + return to cash + - Why do honest people need encryption? Because not + everyone is honest, and this applies to governments as + well. Besides, some things are no one else's business. + - Why does anybody need locks on doors? Why aren't all + diaries available for public reading? + + Whit Diffie, one of the inventors of public key + cryptography (and a Cypherpunk) points out that human + interaction has largely been predicated on two important + aspects: + - that you are who you say you are + - expectation of privacy in private communications + - Privacy exists in various forms in various cultures. But + even in police states, certain concepts of privacy are + important. + - Trust is not enough...one may have opponents who will + violate trust if it seems justified + + The current importance of crypto is even more striking + + needed to protect privacy in cyberspace, networks, etc. + - many more paths, links, interconnects + - read Vinge's "True Names" for a vision + + digital money...in a world of agents, knowbots, high + connectivity + - (can't be giving out your VISA number for all these + things) + + developing battle between: + - privacy advocates...those who want privacy + - government agencies...FBI, DOJ, DEA, FINCEN, NSA + + being fought with: + - attempts to restrict encryption (S.266, never passed) + - Digital Telephony Bill, $10K a day fine + - trial balloons to require key registration + - future actions + + honest people need crypto because there are dishonest + people + - and there may be other needs for privacy + - Phil Zimmerman's point about sending all mail, all letters, + on postcards--"What have you got to hide?" indeed! + - the expectation of privacy in out homes and in phone + conversations + + Whit Diffie's main points: + + proving who you say you are...signatures, authentications + - like "seals" of the past + - protecting privacy + - locks and keys on property and whatnot + + the three elements that are central to our modern view of + liberty and privacy (a la Diffie) + - protecting things against theft + - proving who we say we are + - expecting privacy in our conversations and writings + 5.4.3. What's the history of cryptology? + 5.4.4. Major Classes of Crypto + - (these sections will introduce the terms in context, though + complete definitions will not be given) + + Encryption + - privacy of messages + - using ciphers and codes to protect the secrecy of + messages + - DES is the most common symmetric cipher (same key for + encryption and decryption) + - RSA is the most common asymmetric cipher (different keys + for encryption and decryption) + + Signatures and Authentication + - proving who you are + - proving you signed a document (and not someone else) + + Authentication + + Seals + + Signatures (written) + + Digital Signatures (computer) + - Example: Numerical codes on lottery tickets + + Using Public Key Methods (see below) + - Digital Credentials (Super Smartcards) + - Tamper-responding Systems + + Credentials + - ID Cards, Passports, etc. + + Biometric Security + - Fingerprints, Retinal Scans, DNA, etc. + + Untraceable Mail + - untraceable sending and receiving of mail and messages + - focus: defeating eavesdroppers and traffic analysis + - DC protocol (dining cryptographers) + + Cryptographic Voting + - focus: ballot box anonymity + - credentials for voting + - issues of double voting, security, robustness, efficiency + + Digital Cash + - focus: privacy in transactions, purchases + - unlinkable credentials + - blinded notes + - "digital coins" may not be possible + + Crypto Anarchy + - using the above to evade gov't., to bypass tax + collection, etc. + - a technological solution to the problem of too much + government + + Security + + Locks + - Key Locks + + Combination Locks + - Cardkey Locks + + Tamper-responding Systems (Seals) + + Also known as "tamper-proof" (misleading) + - Food and Medicine Containers + - Vaults, Safes (Alarms) + + Weapons, Permissive Action Links + - Nuclear Weapons + - Arms Control + - Smartcards + - Currency, Checks + + Cryptographic Checksums on Software + - But where is it stored? (Can spoof the system by + replacing the whole package) + + Copy Protection + - Passwords + - Hardware Keys ("dongles") + - Call-in at run-time + + Access Control + - Passwords, Passphrases + - Biometric Security, Handwritten Signatures + - For: Computer Accounts, ATMs, Smartcards + 5.4.5. Hardware vs. Software + - NSA says only hardware implementations can really be + considered secure, and yet most Cypherpunks and ordinary + crypto users favor the sofware approach + - Hardware is less easily spoofable (replacement of modules) + - Software can be changed more rapidly, to make use of newer + features, faster modules, etc. + - Different cultures, with ordinary users (many millions) + knowing they are less likely to have their systems black- + bag spoofed (midnight engineering) than are the relatively + fewer and much more sensitive military sites. + 5.4.6. "What are 'tamper-resistant modules' and why are they + important?" + - These are the "tamper-proof boxes" of yore: display cases, + vaults, museum cases + - that give evidence of having been opened, tampered with, + etc. + + modern versions: + - display cases + - smart cards + + chips + - layers of epoxy, abrasive materials, fusible links, + etc. + - (goal is to make reverse engineering much more + expensive) + - nuclear weapon "permissive action links" (PALs) + 5.4.7. "What are "one way functions"?" + - functions with no inverses + - crypto needs functions that are seemingly one-way, but + which actually have an inverse (though very hard to find, + for example) + - one-way function, like "bobbles" (Vinge's "Marooned in + Realtime") + 5.4.8. When did modern cryptology start? + + "What are some of the modern applications of cryptology?" + + "Zero Knowledge Interactive Proof Systems" (ZKIPS) + - since around 1985 + - "minimum disclosure proofs" + + proving that you know something without actually + revealing that something + + practical example: password + + can prove you have the password without actually + typing it in to computer + - hence, eavesdroppers can't learn your password + - like "20 questions" but more sophisticated + - abstract example: Hamiltonian circuit of a graph + + Digital Money + + David Chaum: "RSA numbers ARE money" + - checks, cashiers checks, etc. + - can even know if attempt is made to cash same check + twice + + so far, no direct equivalent of paper currency or + coins + - but when combined with "reputation-based systems," + there may be + + Credentials + + Proofs of some property that do not reveal more than + just that property + - age, license to drive, voting rights, etc. + - "digital envelopes" + + Fiat-Shamir + - passports + + Anonymous Voting + - protection of privacy with electronic voting + - politics, corporations, clubs, etc. + - peer review of electronic journals + - consumer opinions, polls + + Digital Pseudonyms and Untraceable E-Mail + + ability to adopt a digital pseudonym that is: + - unforgeable + - authenticatable + - untraceable + - Vinge's "True Names" and Card's "Ender's Game" + + Bulletin Boards, Samizdats, and Free Speech + + banned speech, technologies + - e.g., formula for RU-486 pill + - bootleg software, legally protected material + + floating opinions without fears for professional + position + - can even later "prove" the opinions were yours + + "The Labyrinth" + - store-and-forward switching nodes + + each with tamper-responding modules that decrypt + incoming messages + + accumulate some number (latency) + + retransmit to next address + - and so on.... + + relies on hardware and/or reputations + + Chaum claims it can be done solely in software + - "Dining Cryptographers" + 5.4.9. What is public key cryptography? +5.4.10. Why is public key cryptography so important? + + The chief advantage of public keys cryptosystems over + conventional symmetric key (one key does both encryption + and decryption) is one _connectivity_ to recipients: one + can communicate securely with people without exchanging key + material. + - by looking up their public key in a directory + - by setting up a channel using Diffie-Hellman key exchange + (for example) +5.4.11. "Does possession of a key mean possession of *identity*?" + - If I get your key, am I you? + - Certainly not outside the context of the cryptographic + transaction. But within the context of a transaction, yes. + Additional safeguards/speedbumps can be inserted (such as + biometric credentials, additional passphrases, etc.), but + these are essentially part of the "key," so the basic + answer remains "yes." (There are periodically concerns + raised about this, citing the dangers of having all + identity tied to a single credential, or number, or key. + Well, there are ways to handle this, such as by adopting + protocols that limit one's exposure, that limits the amount + of money that can be withdrawn, etc. Or people can adopt + protocols that require additional security, time delays, + countersigning, etc.) + + This may be tested in court soon enough, but the answer for + many contracts and crypto transactions will be that + possession of key = possession of identity. Even a court + test may mean little, for the types of transactions I + expect to see. + - That is, in anonymous systems, "who ya gonna sue?" + - So, guard your key. +5.4.12. What are digital signatures? + + Uses of Digital Signatures + - Electronic Contracts + - Voting + - Checks and other financial instruments (similar to + contracts) + - Date-stamped Transactions (augmenting Notary Publics) +5.4.13. Identity, Passports, Fiat-Shamir + - Murdoch, is-a-person, national ID cards, surveillance + society + + "Chess Grandmaster Problem" and other Frauds and Spoofs + - of central importance to proofs of identity (a la Fiat- + Shamir) + - "terrorist" and "Mafia spoof" problems +5.4.14. Where else should I look? +5.4.15. Crypto, Technical + + Ciphers + - traditional + - one-time pads, Vernams ciphers, information-theoretically + secure + + "I Have a New Idea for a Cipher---Should I Discuss it + Here?" + - Please don't. Ciphers require careful analysis, and + should be in paper form (that is, presented in a + detailed paper, with the necessary references to show + that due diligence was done, the equations, tables, + etc. The Net is a poor substitute. + - Also, breaking a randomly presented cipher is by no + means trivial, even if the cipher is eventually shown + to be weak. Most people don't have the inclination to + try to break a cipher unless there's some incentive, + such as fame or money involved. + - And new ciphers are notoriously hard to design. Experts + are the best folks to do this. With all the stuff + waiting to be done (described here), working on a new + cipher is probably the least effective thing an amateur + can do. (If you are not an amateur, and have broken + other people's ciphers before, then you know who you + are, and these comments don't apply. But I'll guess + that fewer than a handful of folks on this list have + the necessary background to do cipher design.) + - There are a vast number of ciphers and systems, nearly + all of no lasting significance. Untested, undocumented, + unused--and probably unworthy of any real attention. + Don't add to the noise. + - What is DES and can it be broken? + + ciphers + - RC4, stream cipher + + DolphinEncrypt + - + + "Last time Dolphin Encrypt reared its insecure head + in this forum, + - these same issues came up. The cipher that DE uses + is not public and + - was not designed by a person of known + cryptographicc competence. It + - should therefore be considered extremely weak. + + + RSA + - What is RSA? + - Who owns or controls the RSA patents? + - Can RSA be broken? + - What alternatives to RSA exist? + + One-Way Functions + - like diodes, one-way streets + - multiplying two large numbers together is + easy....factoring the product is often very hard + - (this is not enough for a usable cipher, as the recipient + must be able to perform the reverse operation..it turns + out that "trapdoors" can be found) + - Digital Signatures + + Digital Cash + - What is digital cash? + - How does digital cash differ from VISA and similar + electronic systems? + - Clearing vs. Doublespending Detection + - Zero Knowledge + - Mixes and Remailers + - Dining Cryptographers + + Steganography + - invisible ink + - microdots + - images + - sound files + + Random Number Generators + + von Neumann quote about living in a state of sin + - also paraphrased (I've heard) to include _analog_ + methods, presumably because the nonrepeating (form an + initial seed/start) nature makes repeating experiments + impossible + + Blum-Blum-Shub + + How it Works + - "The Blum-Blum-Shub PRNG is really very simple. + There is source floating around on the crypto ftp + sites, but it is a set of scripts for the Unix bignum + calculator "bc", plus some shell scripts, so it is + not very portable. + + "To create a BBS RNG, choose two random primes p and + q which are congruent to 3 mod 4. Then the RNG is + based on the iteration x = x*x mod n. x is + initialized as a random seed. (x should be a + quadratic residue, meaning that it is the square of + some number mod n, but that can be arranged by + iterating the RNG once before using its output.)" + [Hal Finney, 1994-05-14] + - Look for blum-blum-shub-strong-randgen.shar and related + files in pub/crypt/other at ripem.msu.edu. (This site + is chock-full of good stuff. Of course, only Americans + are allowed to use these random number generators, and + even they face fines of $500,000 and imprisonment for + up to 5 years for inappopriate use of random numbers.) + - source code at ripem ftp site + - "If you don't need high-bandwidth randomness, there are + several good PRNG, but none of them run fast. See the + chapter on PRNG's in "Cryptology and Computational + Number Theory"." [Eric Hughes, 1994-04-14] + + "What about hardware random number generators?" + + Chips are available + - + + "Hughes Aircraft also offers a true non-deterministic + chip (16 pin DIP). + - For more info contact me at kephart@sirena.hac.com" + <7 April 94, sci.crypt> + + "Should RNG hardware be a Cypherpunks project?" + - Probably not, but go right ahead. Half a dozen folks + have gotten all fired up about this, proposed a project- + -then let it drop. + - can use repeated applications of a cryptographic has + function to generate pretty damn good PRNs (the RSAREF + library has hooks for this) + + "I need a pretty good random number generator--what + should I use?" + - "While Blum-Blum-Shub is probably the cool way to go, + RSAREF uses repeated iterations of MD5 to generate its + pseudo-randoms, which can be reasonably secure and use + code you've probably already got hooks from perl + for.[BillStewart,1994-04-15] + + Libraries + - Scheme code: ftp://ftp.cs.indiana.edu/pub/scheme- + repository/scm/rand.scm + + P and NP and all that jazz + - complexity, factoring, + + can quantum mechanics help? + - probably not + + Certification Authorities + - heierarchy vs. distributed web of trust + - in heierarchy, individual businesses may set themselves + up as CAs, as CommerceNet is talking about doing + + Or, scarily, the governments of the world may insist that + they be "in the loop" + - several ways to do this: legal system invocation, tax + laws, national security....I expect the legal system to + impinge on CAs and hence be the main way that CAs are + partnered with the government + - I mention this to give people some chance to plan + alternatives, end-runs + - This is one of the strongest reasons to support the + decoupling of software from use (that is, to reject the + particular model RSADSI is now using) +5.4.16. Randomness + - A confusing subject to many, but also a glorious subject + (ripe with algorithms, with deep theory, and readily + understandable results). + + Bill Stewart had a funny comment in sci.crypt which also + shows how hard it is to know if something's really random + or not: "I can take a simple generator X[i] = DES( X[i-1], + K ), which will produce nice random white noise, but you + won't be able to see that it's non-random unless you rent + time on NSA's DES-cracker." [B.S. 1994-09-06] + - In fact, many seemingly random strings are actually + "cryptoregular": they are regular, or nonrandom, as soon + as one uses the right key. Obviously, most strings used + in crypto are cryptoregular in that they _appear_ to be + random, and pass various randomness measures, but are + not. + + "How can the randomness of a bit string be measured?" + - It can roughly be estimated by entropy measures, how + compressible it is (by various compression programs), + etc. + - It's important to realize that measures of randomness + are, in a sense, "in the eye of the beholder"--there just + is no proof that a string is random...there's always room + for cleverness, if you will + + Chaitin-Kolmogoroff complexity theory makes this clearer. + To use someone else's words: + - "Actually, it can't be done. The consistent measure of + entropy for finite objects like a string or a (finite) + series of random numbers is the so-called ``program + length complexity''. This is defined as the length of + the shortest program for some given universal Turing + machine + which computes the string. It's consistent in the + sense that it has the familiar properties of + ``ordinary'' (Shannon) entropy. Unfortunately, it's + uncomputable: there's no algorithm which, given an + arbitrary finite string S, computes the program-length + complexity of S. + + Program-length complexity is well-studied in the + literature. A good introductory paper is ``A Theory of + Program Size Formally Identical to Information Theory'' + by G. J. Chaitin, _Journal of the ACM_, 22 (1975) + reprinted in Chaitin's book _Information Randomness & + Incompleteness_, World Scientific Publishing Co., + 1990." [John E. Kreznar, 1993-12-02] + + "How can I generate reasonably random numbers?" + - I say "reasonably" becuae of the point above: no number + or sequence is provably "random." About the best that can + be said is that a number of string is the reuslt of a + process we call "random." If done algorithimically, and + deterministically, we call this process "pseudo-random." + (And pseudorandom is usually more valuable than "really + random" because we want to be able to generate the same + sequence repeatedly, to repeat experiments, etc.) +5.4.17. Other crypto and hash programs + + MDC, a stream cipher + - Peter Gutman, based on NIST Secure Hash Algorithm + - uses longer keys than IDEA, DES + - MD5 + - Blowfish + - DolphinEncrypt +5.4.18. RSA strength + - casual grade, 384 bits, 100 MIPS-years (Paul Leyland, 3-31- + 94) + - RSA-129, 425 bits, 4000 MIPS-years + - 512 bits...20,000 MIPS-years + - 1024 bits... +5.4.19. Triple DES + - "It involves three DES cycles, in encrypt-decrypt-encrypt + order. THe keys used may be either K1/K2/K3 or K1/K2/K1. + The latter is sometimes caled "double-DES". Combining + two DES operations like this requires twice as much work to + break as one DES, and a lot more storage. If you have the + storage, it just adds one bit to the effective key size. " + [Colin Plumb, colin@nyx10.cs.du.edu, sci.crypt, 4-13-94] +5.4.20. Tamper-resistant modules (TRMs) (or tamper-responding) + + usually "tamper-indicating", a la seals + - very tough to stop tampering, but relatively easy to see + if seal has been breached (and then not restored + faithfully) + - possession of the "seal" is controlled...this is the + historical equivalent to the "private key" in a digital + signature system, with the technological difficulty of + forging the seal being the protection + + usually for crypto. keys and crypto. processing + - nuclear test monitoring + - smart cards + - ATMs + + one or more sensors to detect intrusion + - vibration (carborundum particles) + - pressure changes (a la museum display cases) + - electrical + - stressed-glass (Corning, Sandia) + + test ban treaty verification requires this + - fiber optic lines sealing a missile... + - scratch patterns... + - decals.... + + Epoxy resins + - a la Intel in 1970s (8086) + + Lawrence Livermore: "Connoisseur Project" + - gov't agencies using this to protect against reverse + engineering, acquisition of keys, etc. + + can't stop a determined effort, though + - etches, solvents, plasma ashing, etc. + - but can cause cost to be very high (esp. if resin + formula is varied frequently, so that "recipe" can't be + logged) + + can use clear epoxy with "sparkles" in the epoxy and + careful 2-position photography used to record pattern + - perhaps with a transparent lid? + + fiber optic seal (bundle of fibers, cut) + - bundle of fibers is looped around device, then sealed and + cut so that about half the fibers are cut; the pattern of + lit and + unlit fibers is a signature, and is extremely difficult + to reproduce + - nanotechnology may be used (someday) +5.4.21. "What are smart cards?" + - Useful for computer security, bank transfers (like ATM + cards), etc. + - may have local intelligence (this is the usual sense) + - microprocessors, observor protocol (Chaum) + + Smart cards and electronic funds transfer + - Tamper-resistant modules + + Security of manufacturing + - some variant of "cut-and-choose" inspection of + premises + + Uses of smart cards + - conventional credit card uses + - bill payment + - postage + - bridge and road tolls + - payments for items received electronically (not + necessarily anonymously) + +5.5. Cryptology-Technical, Mathematical + 5.5.1. Historical Cryptography + + Enigma machines + - cracked by English at Bletchley Park + - a secret until mid-1970s + + U.K. sold hundreds of seized E. machines to embassies, + governments, even corporations, in late 1940s, early + 1950s + - could then crack what was being said by allies + + Hagelin, Boris (?) + - U.S. paid him to install trapdoors, says Kahn + + his company, Crypto A.G., was probably an NSA front + company + - Sweden, then U.S., then Sweden, then Zug + - rotor systems cracked + 5.5.2. Public-key Systems--HISTORY + + Inman has admitted that NSA had a P-K concept in 1966 + - fits with Dominik's point about sealed cryptosystem boxes + with no way to load new keys + - and consistent with NSA having essentially sole access to + nation's top mathematicians (until Diffies and Hellmans + foreswore government funding, as a result of the anti- + Pentagon feelings of the 70s) + - Merkle's "puzzle" ideas, circa mid-70s + - Diffie and Hellman + - Rivest, Shamir, and Adleman + 5.5.3. RSA and Alternatives to RSA + + RSA and other P-K patents are strangling development and + dissemination of crypto systems + - perhaps out of marketing stupidity, perhaps with the help + of the government (which has an interest in keeping a + monopoly on secure encryption) + + One-way functions and "deposit-only envelopes" + - one-way functions + - deposit-only envelopes: allow additions to envelopes and + only addressee can open + - hash functions are easy to implement one-way functions + (with no need for an inverse) + 5.5.4. Digital Signatures + + Uses of Digital Signatures + - Electronic Contracts + - Voting + - Checks and other financial instruments (similar to + contracts) + - Date-stamped Transactions (augmenting Notary Publics) + - Undeniable digital signatures + + Unforgeable signatures, even with unlimited computational + power, can be achieved if the population is limited (a + finite set of agents) + - using an untraceable sending protocol, such as "the + Dining Cryptographers Problem" of Chaum + 5.5.5. Randomness and incompressibility + + best definition we have is due to Chaitin and Kolmogoroff: + a string or any structure is "random" if it has no shorter + description of itself than itself. + - (Now even specific instances of "randomly generated + strings" sometimes will be compressible--but not very + often. Cf. the works of Chaitin and others for more on + these sorts of points.) + 5.5.6. Steganography: Methods for Hiding the Mere Existence of + Encrypted Data + + in contrast to the oft-cited point (made by crypto purists) + that one must assume the opponent has full access to the + cryptotext, some fragments of decrypted plaintext, and to + the algorithm itself, i.e., assume the worst + - a condition I think is practically absurd and unrealistic + - assumes infinite intercept power (same assumption of + infinite computer power would make all systems besides + one-time pads breakable) + - in reality, hiding the existence and form of an encrypted + message is important + + this will be all the more so as legal challenges to + crypto are mounted...the proposed ban on encrypted + telecom (with $10K per day fine), various governmental + regulations, etc. + - RICO and other broad brush ploys may make people very + careful about revealing that they are even using + encryption (regardless of how secure the keys are) + + steganography, the science of hiding the existence of + encrypted information + - secret inks + - microdots + - thwarting traffic analysis + - LSB method + + Packing data into audio tapes (LSB of DAT) + + LSB of DAT: a 2GB audio DAT will allow more than 100 + megabytes in the LSBs + - less if algorithms are used to shape the spectrum to + make it look even more like noise + - but can also use the higher bits, too (since a real- + world recording will have noise reaching up to perhaps + the 3rd or 4th bit) + + will manufacturers investigate "dithering" circuits? + (a la fat zero?) + - but the race will still be on + + Digital video will offer even more storage space (larger + tapes) + - DVI, etc. + - HDTV by late 1990s + + Messages can be put into GIFF, TIFF image files (or even + noisy faxes) + - using the LSB method, with a 1024 x 1024 grey scale image + holding 64KB in the LSB plane alone + - with error correction, noise shaping, etc., still at + least 50KB + - scenario: already being used to transmit message through + international fax and image transmissions + + The Old "Two Plaintexts" Ploy + - one decoding produces "Having a nice time. Wish you were + here." + - other decoding, of the same raw bits, produces "The last + submarine left this morning." + - any legal order to produce the key generates the first + message + + authorities can never prove-save for torture or an + informant-that another message exists + - unless there are somehow signs that the encrypted + message is somehow "inefficiently encrypted, suggesting + the use of a dual plaintext pair method" (or somesuch + spookspeak) + - again, certain purist argue that such issues (which are + related to the old "How do you know when to stop?" + question) are misleading, that one must assume the + opponent has nearly complete access to everything except + the actual key, that any scheme to combine multiple + systems is no better than what is gotten as a result of + the combination itself + - and just the overall bandwidth of data... + + Several programs exist: + - Stego + - etc. (described elsewhere) + 5.5.7. The Essential Impossibility of Breaking Modern Ciphers and + Codes + - this is an important change from the past (and from various + thriller novels that have big computers cracking codes) + - granted, "unbreakable" is a misleading term + + recall the comment that NSA has not really broken any + Soviet systems in many years + - except for the cases, a la the Walker case, where + plaintext versions are gotten, i.e., where human screwups + occurred + - the image in so many novels of massive computers breaking + codes is absurd: modern ciphers will not be broken (but the + primitive ciphers used by so many Third World nations and + their embassies will continue to be child's play, even for + high school science fair projects...could be a good idea + for a small scene, about a BCC student who has his project + pulled) + + But could novel computational methods crack these public + key ciphers? + + some speculative candidates + + holographic computers, where large numbers are + factored-or at least the possibilities are somehown + narrowed-by using arrays that (somehow) represent the + numbers to be factored + - perhaps with diffraction, channeling, etc. + - neural networks and evolutionary systems (genetic + algorithms) + - the idea is that somehow the massive computations can be + converted into something that is inherently parallel + (like a crystal) + + hyperspeculatively: finding the oracle for these problems + using nonconventional methods such as ESP and lucid + dreaming + - some groups feel this is worthwhile + 5.5.8. Anonymous Transfers + - Chaum's digital mixes + - "Dining Cryptographers" + + can do it with exchanged diskettes, at a simple level + - wherein each person can add new material + + Alice to Bob to Carol....Alice and Carol can conspire to + determine what Bob had added, but a sufficient "mixing" + of bits and pieces is possible such that only if + everybody conspires can one of the participants be caught + - perhaps the card-shuffling results? + + may become common inside compute systems... + - by this vague idea I mean that various new OS protocols + may call for various new mechanisms for exchanging + information + 5.5.9. Miscellaneous Abstract Ideas + - can first order logic predicates be proven in zero + knowledge? + - Riemannn hypothesis + + P = NP? + - would the universe change? + - Smale has shown that if the squares have real numbers in + them, as opposed to natural numbers (integers), then P = + NP; perhaps this isn't surprising, as a real implies sort + of a recursive descent, with each square having unlimited + computer power + + oracles + - speculatively, a character asks if Tarot cards, etc., + could be used (in addition to the normal idea that such + devices help psychologically) + - "a cascade of changes coming in from hundreds of + decimal places out" + + Quantum cryptography + - bits can be exchanged-albeit at fairly low + efficiencies-over a channel + - with detection of taps, via the change of polarizations + + Stephen Wiesner wrote a 1970 paper, half a decade before + the P-K work, which outlined this-not published until + much later + - speculate that the NSA knew about this and quashed the + publication + + But could novel computational methods crack these public + key ciphers? + + some speculative candidates + + holographic computers, where large numbers are + factored-or at least the possibilities are somehown + narrowed-by using arrays that (somehow) represent the + numbers to be factored + - perhaps with diffraction, channeling, etc. + - neural networks and evolutionary systems (genetic + algorithms) + - the idea is that somehow the massive computations can be + converted into something that is inherently parallel + (like a crystal) + + hyperspeculatively: finding the oracle for these problems + using nonconventional methods such as ESP and lucid + dreaming + - some groups feel this is worthwhile + - links to knot theory + - "cut and choose" protocols (= zero knowledge) + + can a "digital coin" be made? + - this is formally similar to the idea of an active agent + that is unforgeable, in the sense that the agent or coin + is "standalone" + + bits can always be duplicated (unless tied to hardware, + as with TRMs), so must look elsewhere + + could tie the bits to a specific location, so that + duplication would be obvious or useless + - the idea is vaguely that an agent could be placed in + some location...duplications would be both detectable + and irrelevant (same bits, same behavior, + unmodifiable because of digital signature) + + coding theory and cryptography at the "Discrete + Mathematics" + - http://www.win.tue.nl/win/math/dw/index.html +5.5.10. Tamper-resistant modules (TRMs) (or tamper-responding) + + usually "tamper-indicating", a la seals + - very tough to stop tampering, but relatively easy to see + if seal has been breached (and then not restored + faithfully) + - possession of the "seal" is controlled...this is the + historical equivalent to the "private key" in a digital + signature system, with the technological difficulty of + forging the seal being the protection + + usually for crypto. keys and crypto. processing + - nuclear test monitoring + - smart cards + - ATMs + + one or more sensors to detect intrusion + - vibration (carborundum particles) + - pressure changes (a la museum display cases) + - electrical + - stressed-glass (Corning, Sandia) + + test ban treaty verification requires this + - fiber optic lines sealing a missile... + - scratch patterns... + - decals.... + + Epoxy resins + - a la Intel in 1970s (8086) + + Lawrence Livermore: "Connoisseur Project" + - gov't agencies using this to protect against reverse + engineering, acquisition of keys, etc. + + can't stop a determined effort, though + - etches, solvents, plasma ashing, etc. + - but can cause cost to be very high (esp. if resin + formula is varied frequently, so that "recipe" can't be + logged) + + can use clear epoxy with "sparkles" in the epoxy and + careful 2-position photography used to record pattern + - perhaps with a transparent lid? + + fiber optic seal (bundle of fibers, cut) + - bundle of fibers is looped around device, then sealed and + cut so that about half the fibers are cut; the pattern of + lit and + unlit fibers is a signature, and is extremely difficult + to reproduce + - nanotechnology may be used (someday) + +5.6. Crypto Programs and Products + 5.6.1. PGP, of course + - it's own section, needless to say + 5.6.2. "What about hardware chips for encryption?" + - Speed can be gotten, for sure, but at the expense of + limiting the market dramatically. Good for military uses, + not so good for civilian uses (especially as most civilians + don't have a need for high speeds, all other things being + equal). + 5.6.3. Carl Ellison's "tran" and mixing various ciphers in chains + - "tran.shar is available at ftp.std.com:/pub/cme + - des | tran | des | tran | des + - to make the job of the attacker much harder, and to make + differential cryptanalyis harder + - "it's in response to Eli's paper that I advocated prngxor, + as in: + des | prngxor | tran | des | tran | des + with the DES instances in ECB mode (in acknowledgement of + Eli's attack). The prngxor destroys any patterns from the + input, which was the purpose of CBC, without using the + feedback path which Eli exploited."[ Carl Ellison, 1994-07- + 15] + 5.6.4. The Blum-Blum-Shub RNG + - about the strongest algorithmic RNG we know of, albeit slow + (if they can predict the next bit of BBS, they can break + RSA, so.... + - ripem.msu.edu:/pub/crypt/other/blum-blum-shub-strong- + randgen.shar + 5.6.5. the Blowfish cipher + + BLOWFISH.ZIP, written by Bruce Schneier,1994. subject of an + article in Dr. Dobb's Journal: + - ftp.dsi.unimi.it:/pub/security/crypt/code/schneier- + blowfish.c.gz + +5.7. Related Ideas + 5.7.1. "What is "blinding"?" + + This is a basic primitive operation of most digital cash + systems. Any good textbook on crypto should explain it, and + cover the math needed to unerstand it in detail. Several + people have explained it (many times) on the list; here's a + short explanation by Karl Barrus: + - "Conceptually, when you blind a message, nobody else can + read it. A property about blinding is that under the + right circumstances if another party digitally signs a + blinded message, the unblinded message will contain a + valid digital signature. + + "So if Alice blinds the message "I owe Alice $1000" so + that it reads (say) "a;dfafq)(*&" or whatever, and Bob + agrees to sign this message, later Alice can unblind the + message Bob signed to retrieve the original. And Bob's + digital signature will appear on the original, although + he didn't sign the original directly. + + "Mathematically, blinding a message means multiplying it + by a number (think of the message as being a number). + Unblinding is simply dividing the original blinding + factor out." [Karl Barrus, 1993-08-24] + + And another explanation by Hal Finney, which came up in the + context of how to delink pharmacy prescriptions from + personal identity (fears of medial dossiers(: + - "Chaum's "blinded credential" system is intended to solve + exactly this kind of problem, but it requires an + extensive infrastructure. There has to be an agency + where you physically identify yourself. It doesn't have + to know anything about you other than some physical ID + like fingerprints. You and it cooperate to create + pseudonyms of various classes, for example, a "go to the + doctor" pseudonym, and a "go to the pharmacy" pseudonym. + These pseudonyms have a certain mathematical relationship + which allows you to re-blind credentials written to one + pseudonym to apply to any other. But the agency uses + your physical ID to make sure you only get one pseudonym + of each kind....So, when the doctor gives you a + prescription, that is a credential applied to your "go to + the doctor" pseudonym. (You can of course also reveal + your real name to the doctor if you want.) Then you show + it at the pharmacy using your "go to the pharmacy" + pseudonym. The credential can only be shown on this one + pseudonym at the pharamacy, but it is unlinkable to the + one you got at the doctor's. " [Hal Finney, 1994-09-07] + 5.7.2. "Crypto protocols are often confusing. Is there a coherent + theory of these things?" + - Yes, crypto protocols are often expressed as scenarios, as + word problems, as "Alice and Bob and Eve" sorts of + complicated interaction protocols. Not exactly game theory, + not exactly logic, and not exactly anything else in + particular...its own area. + - Expert systems, proof-of-correctness calculi, etc. + - spoofing, eavesdropping, motivations, reputations, trust + models + + In my opinion, much more work is needed here. + - Graphs, agents, objects, capabilities, goals, intentions, + logic + - evolutionary game theory, cooperation, defection, tit-for- + tat, ecologies, economies + - mostly ignored, to date, by crypto community + 5.7.3. The holder of a key *is* the person, basically + - that's the bottom line + - those that worry about this are free to adopt stronger, + more elaborate systems (multi-part, passphrases, biometric + security, limits on account access, etc.) + - whoever has a house key is essentially able to gain access + (not saying this is the legal situation, but the practical + one) + 5.7.4. Strong crypto is helped by huge increases in processor power, + networks + + Encryption *always wins out* over cryptanalysis...gap grows + greater with time + - "the bits win" + + Networks can hide more bits...gigabits flowing across + borders, stego, etc. + - faster networks mean more "degrees of freedom," more + avenues to hide bits in, exponentially increasing efforts + to eavesdrop and track + - (However, these additional degrees of freedome can mean + greater chances for slipping up and leaving clues that + allow correlation. Complexity can be a problem.) + + "pulling the plug" hurts too much...shuts down world + economy to stop illegal bits ("naughty bits"?) + - one of the main goals is to reach the "point of no + return," beyond which pulling the plug hurts too much + - this is not to say they won't still pull the plug, damage + be damned + 5.7.5. "What is the "Diffie-Hellman" protocol and why is it + important?" + + What it is + - Diffie-Hellman, first described in 1976, allows key + exchange over insecure channels. + + Steve Bellovin was one of several people to explaine D-H + to the list (every few months someone does!). I'm + including his explanation, despite its length, to help + readers who are not cryptologists get some flavor of the + type of math involved. The thing to notice is the use of + *exponentiations* and *modular arithmetic* (the "clock + arithmetic" of our "new math" childhoods, except with + really, really big numbers!). The difficulty of inverting + the exponention (the discrete log problem) is what makes + this a cryptographically interesting approach. + - "The basic idea is simple. Pick a large number p + (probably a prime), and a base b that is a generator of + the group of integers modulo p. Now, it turns out that + given a known p, b, and (b^x) mod p, it's extremely + hard to find out x. That's known as the discrete log + problem. + + "Here's how to use it. Let two parties, X and Y, pick + random numbers x and y, 1 < x,y < p. They each + calculate + + (b^x) mod p + + and + + (b^y) mod p + + and transmit them to each other. Now, X knows x and + (b^y) mod p, so s/he can calculate (b^y)^x mod p = + (b^(xy)) mod p. Y can do the same calculation. Now + they both know (b^(xy)) mod p. But eavesdroppers know + only (b^x) mod p and (b^y) mod p, and can't use those + quantities to recover the shared secret. Typically, of + course, X and Y will use that shared secret as a key to + a conventional cryptosystem. + + "The biggest problem with the algorithm, as outlined + above, is that there is no authentication. An attacker + can sit in the middle and speak that protocol to each + legitimate party. + + "One last point -- you can treat x as a secret key, and + publish + (b^X) mod p as a public key. Proof is left as an + exercise for + the reader." [Steve Bellovin, 1993-07-17] + - Why it's important + + Using it + + Matt Ghio has made available Phil Karn's program for + generating numbers useful for D-H: + - ftp cs.cmu.edu: + /afs/andrew.cmu.edu/usr12/mg5n/public/Karn.DH.generator + + Variants and Comments + + Station to Station protocol + - "The STS protocol is a regular D-H followed by a + (delicately designed) exchange of signatures on the key + exchange parameters. The signatures in the second + exchange that they can't be separated from the original + parameters.....STS is a well-thought out protocol, with + many subtleties already arranged for. For the issue at + hand, though, which is Ethernet sniffing, it's + authentication aspects are not required now, even + though they certainly will be in the near future." + [Eric Hughes, 1994-02-06] + 5.7.6. groups, multiple encryption, IDEA, DES, difficulties in + analyzing + 5.7.7. "Why and how is "randomness" tested?" + - Randomness is a core concept in cryptography. Ciphers often + fail when things are not as random as designers thought + they would be. + - Entropy, randomness, predictablility. Can never actually + _prove_ a data set is random, though one can be fairly + confident (cf. Kolmogorov-Chaitin complexity theory). + - Still, tricks can make a random-looking text block look + regular....this is what decryption does; such files are + said to be cryptoregular. + + As to how much testing is needed, this depends on the use, + and on the degree of confidence needed. It may take + millions of test samples, or even more, to establish + randomness in set of data. For example: + - "The standard tests for 'randomness' utilized in govt + systems requires 1X10^6 samples. Most of the tests are + standard probability stuff and some are classified. " + [Wray Kephart, sci.crypt, 1994-08-07] + - never assume something is really random just becuase it + _looks_ random! (Dynamic Markov compressors can find + nonrandomness quickly.) + 5.7.8. "Is it possible to tell if a file is encrypted?" + - Not in general. Undecideability and all that. (Can't tell + in general if a virus exists in code, Adleman showed, and + can't tell in general if a file is encrypted, compressed, + etc. Goes to issues of what we mean by encrypted or + compressed.) + + Sometimes we can have some pretty clear signals: + - headers are attached + - other characteristic signs + - entropy per character + + But files encrypted with strong methods typically look + random; in fact, randomness is closely related to + encyption. + + regularity: all symbols represented equally, in all bases + (that is, in doubles, triples, and all n-tuples) + - "cryptoregular" is the term: file looks random + (regular) until proper key is applied, then the + randomness vaDCharles Bennett, "Physics of Computation + Workshop," 1993] + - "entropy" near the maximum (e.g., near 6 or 7 bits per + character, whereas ordinary English has roughly 1.5-2 + bits per character of entropy) + 5.7.9. "Why not use CD-ROMs for one-time pads?" + - The key distribution problem, and general headaches. Theft + or compromise of the keying material is of course the + greatest threat. + - And one-time pads, being symmetric ciphers, give up the + incredible advantages of public key methods. + - "CD ROM is a terrible medium for the OTP key stream. + First, you want exactly two copies of the random stream. + CD ROM has an economic advantage only for large runs. + Second, you want to destroy the part of the stream already + used. CD ROM has no erase facilities, outside of physical + destruction of the entire disk." [Bryan G. Olson, + sci.crypt, 1994-08-31] + - If you have to have a one-time pad, a DAT makes more sense; + cheap, can erase the bits already used, doesn't require + pressing of a CD, etc. (One company claims to be selling CD- + ROMs as one-time pads to customers...the security problems + here should be obvious to all.) + +5.8. The Nature of Cryptology + 5.8.1. "What are the truly basic, core, primitive ideas of + cryptology, crypto protocols, crypto anarchy, digital cash, + and the things we deal with here?" + - I don't just mean things like the mechanics of encryption, + but more basic conceptual ideas. + 5.8.2. Crypto is about the creation and linking of private spaces... + 5.8.3. The "Core" Ideas of Cryptology and What we Deal With + - Physics has mass, energy, force, momentum, angular + momentum, gravitation, friction, the Uncertainty Principle, + Complementarity, Least Action, and a hundred other such + concepts and prinicples, some more basic than others. Ditto + for any other field. + + It seems to many of us that crypto is part of a larger + study of core ideas involving: identity, proof, complexity, + randomness, reputations, cut-and-choose protocols, zero + knowledge, etc. In other words, the buzzwords. + - But which of these are "core" concepts, from which others + are derived? + - Why, for example, do the "cut-and-choose" protocols work + so well, so fairly? (That they do has been evident for a + long time, and they literally are instances of Solomonic + wisdom. Game theory has explanations in terms of payoff + matrices, Nash equilibria, etc. It seems likely to me + that the concepts of crypto will be recast in terms of a + smaller set of basic ideas taken from these disparate + fields of economics, game theory, formal systems, and + ecology. Just my hunch.) + + statements, assertions, belief, proof + - "I am Tim" + + possession of a key to a lock is usually treated as proof + of... + - not always, but that's the default assumption, that + someone who unlocks a door is one of the proper + people..access privileges, etc. + 5.8.4. We don't seem to know the "deep theory" about why certain + protocols "work." For example, why is "cut-and-choose," where + Alice cuts and Bob chooses (as in fairly dividing a pie), + such a fair system? Game theory has a lot to do with it. + Payoff matrices, etc. + - But many protocols have not been fully studied. We know + they work, but I think we don't know fully why they work. + (Maybe I'm wrong here, but I've seen few papers looking at + these issues in detail.) + - Economics is certainly crucial, and tends to get overlooked + in analysis of crypto protocols....the various "Crypto + Conference Proceedings" papers typically ignore economic + factors (except in the area of measuring the strength of a + system in terms of computational cost to break). + - "All crypto is economics." + - We learn what works, and what doesn't. My hunch is that + complex crypto systems will have emergent behaviors that + are discovered only after deployment, or good simulation + (hence my interest in "protocol ecologies"). + 5.8.5. "Is it possible to create ciphers that are unbreakable in any + amount of time with any amount of computer power?" + + Information-theoretically secure vs. computationally-secure + + not breakable even in principle, e.g., a one-time pad + with random characters selected by a truly random process + (die tosses, radioactive decay, certain types of noise, + etc.) + - and ignoring the "breakable by break-ins" approach of + stealing the one-time pad, etc. ("Black bag + cryptography") + - not breakable in "reasonable" amounts of time with + computers + - Of course, a one-time pad (Vernam cipher) is theoretically + unbreakable without the key. It is "information- + theoretically secure." + - RSA and similar public key algorithms are said to be only + "computationally-secure," to some level of security + dependent on modulus lenght, computer resources and time + available, etc. Thus, given enough time and enough computer + power, these ciphers are breakable. + - However, they may be practically impossible to break, given + the amount of energy in the universe.Not to split universes + here, but it is interesting to consider that some ciphers + may not be breakable in _our_ universe, in any amount of + time. Our universe presumably has some finite number of + particles (currently estimated to be 10^73 particles). This + leads to the "even if every particle were a Cray Y-MP it + would take..." sorts of thought experiments. + + But I am considering _energy_ here. Ignoring reversible + computation for the moment, computations dissipate energy + (some disagree with this point). There is some uppper limit + on how many basic computations could ever be done with the + amount of free energy in the universe. (A rough calculation + could be done by calculating the energy output of stars, + stuff falling into black holes, etc., and then assuming + about kT per logical operation. This should be accurate to + within a few orders of magnitude.) I haven't done this + calculation, and won't today, but the result would likely + be something along the lines of X joules of energy that + could be harnessed for computation, resulting in Y basic + primitive computational steps. + + I can then find a modulus of 3000 digits or 5000 digits, or + whatever,that takes more than this number of steps to + factor. + + Caveats: + + 1. Maybe there are really shortcuts to factoring. Certainly + improvements in factoring methods will continue. (But of + course these improvements are not things that convert + factoring into a less than exponential-in-length + problem...that is, factoring appears to remain "hard.") + + 2. Maybe reversible computations (a la Landauer, Bennett, + et. al.) actually work. Maybe this means a "factoring + machine" can be built which takes a fixed, or very slowly + growing, amount of energy. + + 3. Maybe the quantum-mechanical idea of Shore is possible. + (I doubt it, for various reasons.) + + I continue to find it useful to think of very large numbers + as creating "force fields" or "bobbles" (a la Vinge) around + data. A 5000-decimal-digit modulus is as close to being + unbreakable as anything we'll see in this universe. + +5.9. Practical Crypto + 5.9.1. again, this stuff is covered in many of the FAQs on PGP and + on security that are floating around... + 5.9.2. "How long should crypto be valid for?" + + That is, how long should a file remain uncrackable, or a + digital signature remain unforgeable? + - probabalistic, of course, with varying confidence levels + - depends on breakthroughs, in math and in computer power + + Some messages may only need to be valid for a few days or + weeks. Others, for decades. Certain contracts may need to + be unforgeable for many decades. And given advances in + computer power, what appears to be a strong key today may + fail utterly by 2020 or 2040. (I'm of course not + suggesting that a 300- or 500-digit RSA modulus will be + practical by then.) + + many people only need security for a matter of months or + so, while others may need it (or think they need it) for + decades or even for generations + - they may fear retaliation against their heirs, for + example, if certain communications were ever made + public + - "If you are signing the contract digitally, for instance, + you would want to be sure that no one could forge your + signature to change the terms after the fact -- a few + months isn't enough for such purposes, only something that + will last for fifteen or twenty years is okay." [Perry + Metzger, 1994-07-06] + 5.9.3. "What about commercial encryption programs for protecting + files?" + - ViaCrypt, PGP 2.7 + - Various commercial programs have existed for years (I got + "Sentinel" back in 1987-8...long since discontinued). Check + reviews in the leading magazines. + + Kent Marsh, FolderBolt for Macs and Windows + - "The best Mac security program....is CryptoMactic by Kent + Marsh Ltd. It uses triple-DES in CBC mode, hashes an + arbitrary-length password into a key, and has a whole lot + of Mac-interface features. (The Windows equivalent is + FolderBolt for Windows, by the way.)" [Bruce Schneier, + sci.crypt, 1994-07-19] + 5.9.4. "What are some practical steps to take to improve security?" + - Do you, like most of us, leave backup diskettes laying + around? + - Do you use multiple-pass erasures of disks? If not, the + bits may be recovered. + - (Either of these can compromise all encrypted material you + have, all with nothing more than a search warrant of your + premises.) + 5.9.5. Picking (and remembering) passwords + - Many of the issues here also apply to choosing remailers, + etc. Things are often trickier than they seem. The + "structure" of these spaces is tricky. For example, it may + seem really sneaky (and "high entropy" to permute some + words in a popular song and use that as a pass + phrase....but this is obviously worth only a few bits of + extra entropy. Specifically, the attacker will like take + the thousand or so most popular songs, thousand or so most + popular names, slogans, speeches, etc., and then run many + permutations on each of them. + - bits of entropy + - lots of flaws, weaknesses, hidden factors + - avoid simple words, etc. + - hard to get 100 or more bits of real entropy + - As Eli Brandt puts it, "Obscurity is no substitute for + strong random numbers." [E.B., 1994-07-03] + - Cryptanalysis is a matter of deduction, of forming and + refining hypotheses. For example, the site + "bitbucket@ee.und.ac.za" is advertised on the Net as a + place to send "NSA food" to...mail sent to it gets + discarded. So , a great place to send cover traffic to, no? + No, as the NSA will mark this site for what it is and its + usefulness is blown. (Unless its usefulness is actually + something else, in which case the recursive descent has + begun.) + - Bohdan Tashchuk suggests [1994-07-04] using telephone-like + numbers, mixed in with words, to better fit with human + memorization habits; he notes that 30 or more bits of + entropy are routinely memorized this way. + 5.9.6. "How can I remember long passwords or passphrases?" + - Lots of security articles have tips on picking hard-to- + guess (high entropy) passwords and passphrases. + + Just do it. + - People can learn to memorize long sequences. I'm not good + at this, but others apparently are. Still, it seems + dangerous, in terms of forgetting. (And writing down a + passphrase may be vastly more risky than a shorter but + more easily memorized passphrase is. I think theft + of keys and keystroke capturing on compromised machines + are much + more important practical weaknesses.) + + The first letters of long phrases that have meaning only to + the owner. + - e.g., "When I was ten I ate the whole thing."---> + "wiwtiatwt" (Purists will quibble that prepositional + phrases like "when i was" have lower entropy. True, but + better than "Joshua.") + + Visual systems + - Another approach to getting enough entropy in + passwords/phrases is a "visual key" where one mouses from + position to position in a visual environment. That is, + one is presented with a scene containg some number of + nodes, perhaps representing familiar objects from one's + own home, and a path is chosen. The advantage is that + most people can remember fairly complicated + (read: high entropy) "stories." Each object triggers a + memory of the next object to visit. (Example: door to + kitchen to blender to refrigerator to ..... ) This is the + visual memory system said to be favored by Greek epic + poets. This also gets around the keyboard-monitoring + trick (but not necessarily the CRT-reading trick, of + course). + + It might be an interesting hack to offer this as a front + end for PGP. Even a simple grid of characters which could + be moused on could be an assist in using long + passphrases. + +5.10. DES +5.10.1. on the design of DES + - Biham and Shamir showed how "differential cryptanalyis" + could make the attack easier than brute-force search of the + 2^56 keyspace. Wiener did a thought experiment design of a + "DES buster" machine (who ya gonna call?) that could break + a DES key in a matter of days. (Similar to the Diffie and + Hellman analysis of the mid-70s, updated to current + technology.) + + The IBM designers knew about differential cryptanalyis, it + is now clear, and took steps to optimize DES. After Shamir + and Biham published, Don Coppersmith acknowledged this. + He's written a review paper: + - Coppersmith, D., "The Data Encryption Standard (DES) and + its strength against attacks." IBM Journal of Research + and Development. 38(3): 243-250. (May 1994) + +5.11. Breaking Ciphers +5.11.1. This is not a main Cypherpunks concern, for a variety of + reasons (lots of work, special expertise, big machines, not a + core area, ciphers always win in the long run). Breaking + ciphers is something to consider, hence this brief section. +5.11.2. "What are the possible consequences of weaknesses in crypto + systems?" + - maybe reading messages + - maybe forging messages + - maybe faking timestamped documents + - maybe draining a bank account in seconds + - maybe winning in a crypto gambling system + - maybe matters of life and death +5.11.3. "What are the weakest places in ciphers, practically + speaking?" + - Key management, without a doubt. People leave their keys + lying around , write down their passphrases. etc. +5.11.4. Birthday attacks +5.11.5. For example, at Crypto '94 it was reported in a rump session + (by Michael Wiener with Paul van Oorschot) that a machine to + break the MD5 ciphers could be built for about $10 M (in 1994 + dollars, of course) and could break MD5 in about 20 days. + (This follows the 1993 paper on a similar machine to break + DES.) + - Hal Finney did some calculations and reported to us: + - "I mentioned a few days ago that one of the "rump session" + papers at the crypto conference claimed that a machine + could be built which would find MD5 collisions for $10M in + about 20 days.....The net result is that we have taken + virtually no more time (the 2^64 creations of MD5 will + dominate) and virtually no space (compared to 2^64 stored + values) and we get the effect of a birthday attack. This + is another cautionary data point about the risks of relying + on space costs for security rather than time costs." [Hal + Finney, 1994-09-09] +5.11.6. pkzip reported broken + - "I finally found time to take a closer look at the + encryption algorithm by Roger Schlafly that is used in + PKZIP and have developed a practical known plaintext attack + that can find the entire 96-bit internal state." [Paul Carl + Kocher, comp.risks, 1994-09-04] +5.11.7. Gaming attacks, where loopholes in a system are exploited + - contests that are defeated by automated attacks + - the entire legal system can be viewed this way, with + competing teams of lawyers looking for legal attacks (and + the more complex the legal code, the more attacks can be + mounted) + - ecologies, where weaknesses are exploited ruthlessly, + forcing most species into extinction + - economies, ditto, except must faster + - the hazards for crypto schemes are clear + + And there are important links to the issue of overly formal + systems, or systems in which ordinary "discretion" and + "choice" is overridden by rules from outside + - as with rules telling employers in great detail when and + how they can discharge employees (cf. the discussion of + "reasonable rules made mandatory," elsewhere) + - such rules get exploited by employees, who follow the + "letter of the law" but are performing in a way + unacceptable to the employer + - related to "locality of reference" points, in that + problem should be resolved locally, not with intervention + from afar. + - things will never be perfect, from the perspetive of all + parties, but meddling from outside makes things into a + game, the whole point of this section + + Implications for digital money: overly complex legal + systems, without the local advantages of true cash (settled + locally) + + may need to inject some supra-legal enforcement + mechanisms into the system, to make it converge + - offshore credit databases, beyond reach of U.S. and + other laws + + physical violence (one reason people don't "play games" + with Mafia, Triads, etc., is that they know the + implications) + - it's not unethical, as I see it, for contracts in + which the parties understand that a possible or even + likely consequence of their failure to perform is + death +5.11.8. Diffie-Hellman key exchange vulnerabilities + - "man-in-the-midle" attack + + phone systems use voice readback of LCD indicated number + - as computer power increases, even _this_ may be + insufficient +5.11.9. Reverse engineering of ciphers + - A5 code used in GSM phones was reverse engineered from a + hardware description + - Graham Toal reports (1994-07-12) that GCHQ blocked a public + lectures on this + +5.12. Loose Ends +5.12.1. "Chess Grandmaster Problem" and other Frauds and Spoofs + - of central importance to proofs of identity (a la Fiat- + Shamir) + - "terrorist" and "Mafia spoof" problems + +6. The Need For Strong Crypto + +6.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +6.2. SUMMARY: The Need For Strong Crypto + 6.2.1. Main Points + - Strong crypto reclaims the power to decide for one's self, + to deny the "Censor" the power to choose what one reads, + watches, or listens to. + 6.2.2. Connections to Other Sections + 6.2.3. Where to Find Additional Information + 6.2.4. Miscellaneous Comments + - this section is short, but is less focussed than other + sections; it is essentially a "transition" chapter. + +6.3. General Uses of and Reasons for Crypto + 6.3.1. (see also the extensive listing of "Reasons for Anonymity," + which makes many points about the need and uses for strong + crypto) + 6.3.2. "Where is public key crypto really needed?" + - "It is the case that there is relatively little need for + asymmetric key cryptography in small closed populations. + For example, the banks get along quite well without. The + advantage of public key is that it permits private + communication in a large and open population and with a + minimum of prearrangement." [WHMurray, sci.crypt, 1994-08- + 25] + - That is, symmetric key systems (such as conventional + ciphers, one time pads, etc.) work reasonably well by + prearrangement between parties. And of course one time pads + have the additional advantage of being information- + theoretically secure. But asymmetric or public key methods + are incredibly useful when: the parties have not met + before, when key material has not been exchanged, and when + concerns exist about storing the key material. The so- + called "key management problem" when N people want to + communicate pairwise with each other is well-founded. + - And of course public key crypto makes possible all the + other useful stuff like digital money, DC-Nets, zero + knowledge proofs, secret sharing, etc. + 6.3.3. "What are the main reasons to use cryptography?" + - people encrypt for the same reason they close and lock + their doors + + Privacy in its most basic forms + - text -- records, diaries, letters, e-mail + - sound -- phone conversations + - other --video + + phones, intercepts, cellular, wireless, car phones, + scanners + + making listening illegal is useless (and wrong-headed) + - and authorites are exempt from such laws + - people need to protect, end to end + + "How should I protect my personal files, and my phone + calls?" + - Personally, I don't worry too much. But many people do. + Encryption tools are widely available. + - Cellular telephones are notoriously insecure, as are + cordless phones (even less secure). There are laws + about monitoring, small comfort as that may be. (And + I'm largely opposed to such laws, for libertarian + reasons and because it creates a false sense of + security.) + - Laptops are probably less vulnerable to Van Eck types + of RF monitoring than are CRTs. The trend to lower + power, LCDs, etc., all works toward decreasing + vulnerability. (However, computer power for extracting + weak signals out of noise is increasing faster than RF + are decreasing....tradeoffs are unclear.) + + encrypting messages because mail delivery is so flaky + - that is, mail is misdelivered,via hosts incorrectly + processing the addresses + - encryption obviously prevents misunderstandings (though + it does little to get the mail delivered correctly) + + Encryption to Protect Information + - the standard reason + + encryption of e-mail is increasing + - the various court cases about employers reading + ostensibly private e-mail will sharpen this debate (and + raise the issue of employers forbidding encryption; + resonances with the mostly-settled issue of reasonable + use of company phones for private calls-more efficient + to let some personal calls be made than to lose the + time of employees going to public phones) + + encryption of faxes will increase, too, especially as + technology advances and as the dangers of interception + become more apparent + - also, tighter links between sender and receive, as + opposed to the current "dial the number and hope it's + the right one" approach, will encourage the additional + use of encryption + - "electronic vaulting" of large amounts of information, + sent over T1 and T3 data networks, e.g., backup material + for banks and large corporations + + the miles and miles of network wiring within a + corporation-LANs, WANs, Novell, Ethernet, TCP-IP, Banyan, + and so on-cannot all be checked for taps...who would even + have the records to know if some particular wire is going + where it should? (so many undocumented hookups, lost + records, ad hoc connections, etc.) + - the solution is to have point-to-point encryption, even + withing corporations (for important items, at least) + - wireless LANs + + corporations are becoming increasingly concerned about + interception of important information-or even seemingly + minor information-and about hackers and other intruders + - calls for network security enhancement + - they are hiring "tiger teams" to beef up security + + cellular phones + - interceptions are common (and this is becoming + publicized) + - modifications to commercial scanners are describe in + newsletters + - something like Lotus Notes may be a main substrate for + the effective introduction of crypto methods (ditto for + hypertext) + - encryption provides "solidity" to cyberspace, in the + sense of creating walls, doors, permanent structures + - there may even be legal requirements for better security + over documents, patient files, employee records, etc. + + Encryption of Video Signals and Encryption to Control + Piracy + - this is of course a whole technology and industry + - Videocypher II has been cracked by many video hackers + - a whole cottage industry in cracking such cyphers + - note that outlawing encryption would open up many + industries to destruction by piracy, which is yet + another reason a wholesale ban on encryption is doomed + to failure + - Protecting home videos--several cases of home burglaries + where private x-rated tapes of stars were taken, then + sold (Leslile Visser, CBS Sports) + - these general reasons will make encryption more common, + more socially and legally acceptable, and will hence make + eventual attempts to limit the use of crypto anarchy + methods moot + + Digital Signatures and Authentication + + for electronic forms of contracts and digital + timestamping + - not yet tested in the courts, though this should come + soon (perhaps by 1996) + + could be very useful for proving that transactions + happened at a certain time (Tom Clancy has a situation + in "Debt of Honor" in which all Wall Street central + records of stock trades are wiped out in a software + scheme: only the records of traders are useful, and + they are worried about these being fudged to turn + profits...timestamping would help immensely) + - though certain spoofs, a la the brilliant penny scam, + are still possible (register multiple trades, only + reveal the profitable ones) + - negotiations + - AMIX, Xanadu, etc. + + is the real protection against viruses (since all other + scanning methods will increasingly fail) + - software authors and distributors "sign" their + work...no virus writer can possibly forge the digital + signature + + Proofs of identity, passwords, and operating system use + - ZKIPS especially in networks, where the chances of seeing + a password being transmitted are much greater (an obvious + point that is not much discussed) + + operating systems and databases will need more secure + procedures for access, for agents and the like to pay for + services, etc. + - unforgeable tokens + + Cyberspace will need better protection + - to ensure spoofing and counterfeiting is reduced + (recall Habitat's problems with people figuring out the + loopholes) + + if OH is also working on "world- building" at Los + Alamos, he may be using evolutionary systems and + abstract math to help build better and more "coherent" + worlds + - agents, demons, structures, persistent objects + - encryption to protect these structures + + the abstract math part of cyberspace: abstract + measure spaces, topologies, distance metrics + - may figure in to the balance between user + malleabilty and rigidity of the space + - Chaitin's AIT...he has obtained measures for these + + Digital Contracts + - e-mail too easily forged, faked (and lost, misplaced) + + Anonymity + - remailing + - law avoidance + - samizdats, + - Smart cards, ATMs, etc. + - Digital Money + - Voting + + Information Markets + - data havens, espionage + + Privacy of Purchases + - for general principles, to prevent a surveillance society + + specialized mailing lists + - vendors pay to get names (Crest labels) + - Smalltalk job offers + - in electronic age, will be much easier to "troll" for + specialized names + - people will want to "selectively disclose" their + interests (actually, some will, some won't) + 6.3.4. "What may limit the use of crypto?" + + "It's too hard to use" + - multiple protocols (just consider how hard it is to + actually send encrypted messages between people today) + - the need to remember a password or passphrase + + "It's too much trouble" + - the argument being that people will not bother to use + passwords + - partly because they don't think anything will happen to + them + + "What have you got to hide?" + - e.g.,, imagine some comments I'd have gotten at Intel had + I encrypted everything + - and governments tend to view encryption as ipso facto + proof that illegalities are being committed: drugs, money + laundering, tax evasion + - recall the "forfeiture" controversy + + Government is taking various steps to limit the use of + encryption and secure communication + - some attempts have failed (S.266), some have been + shelved, and almost none have yet been tested in the + courts + - see the other sections... + + Courts Are Falling Behind, Are Overcrowded, and Can't Deal + Adequately with New Issues-Such as Encryption and Cryonics + - which raises the issue of the "Science Court" again + - and migration to private adjudication (regulatory + arbitrage) + - BTW, anonymous systems are essentially the ultimate merit + system (in the obvious sense) and so fly in the face of the + "hiring by the numbers" de facto quota systems now + creeeping in to so many areas of life....there may be rules + requiring all business dealings to keep track of the sex, + race, and "ability group" (I'm kidding, I hope) of their + employees and their consultants + 6.3.5. "What are some likely future uses of crypto?" + - Video conferencing: without crypto, or with government + access, corporate meetings become public...as if a + government agent was sitting in a meeting, taking notes. + (There may be some who think this is a good idea, a check + on corporate shenanigans. I don't. Much too high a price to + pay for marginal or illusory improvements.) + - presenting unpopular views + + getting and giving medical treatments + - with or without licenses from the medical union (AMA) + - unapproved treatments + - bootleg medical treatments + - information markets + + sanctuary movements, underground railroads + - for battered wives + - and for fathers taking back their children + - (I'm not taking sides) + - smuggling + - tax evasion + - data havens + - bookies, betting, numbers games + - remailers, anonymity + - religious networks (digital confessionals) + - digital cash, for privacy and for tax evasion + - digital hits + - newsgroup participation -- archiving of Netnews is + commonplace, and increases in storage density make it + likely that in future years one will be able to purchase + disks with "Usenet, 1985-1995" and so forth (or access, + search, etc. online sites) + 6.3.6. "Are there illegal uses of crypto?" + - Currently, there are no blanket laws in the U.S. about + encryption. + + There are specific situations in which encryption cannot be + freely used (or the use is spelled out) + - over the amateur radio airwave...keys must be provided + + Carl Elllison has noted many times that cryptography has + been in use for many centuries; the notion that it is a + "military" technology that civilians have some how gotten + ahold of is just plain false. + - and even public key crypto was developed in a university + (Stanford, then MIT) + +6.4. Protection of Corporate and Financial Privacy + 6.4.1. corporations are becoming increasingly concerned about + interception of important information-or even seemingly minor + information-and about hackers and other intruders + - calls for network security enhancement + - they are hiring "tiger teams" to beef up security + + cellular phones + - interceptions are common (and this is becoming + publicized) + - modifications to commercial scanners are describe in + newsletters + - something like Lotus Notes may be a main substrate for the + effective introduction of crypto methods (ditto for + hypertext) + 6.4.2. Corporate Espionage (or "Business Research") + + Xeroxing of documents + - recall the way Murrray Woods inspected files of Fred + Buch, suspecting he had removed the staples and Xeroxed + the documents for Zilog (circa late 1977) + - a precedent: shapes of staples + + colors of the paper and ink...blues, for example + - but these low-tech schemes are easy to circumvent + + Will corporations crack down on use of modems? + + after all, the specs of a chip or product could be mailed + out of the company using the companies own networks! + - applies to outgoing letters as well (and I've never + heard of any company inspecting to this detail, though + it may happen at defense contractors) + + and messages can still be hidden (covert channels) + - albeit at much lower bandwidths and with more effort + required (it'll stop the casual leakage of information) + - the LSB method (though this still involves a digital + storage means, e.g., a diskette, which might be + restricted) + - various other schemes: buried in word processing format + (at low bandwidth) + - subtleties such as covert channels are not even + considered by corporations-too many leakage paths! + + it seems likely that government workers with security + clearances will face restrictions on their access to AMIX- + like systems, or even to "private" use of conventional + databases + - at least when they use UseNet, the argument will go, + they can be overseen to some extent + + Offsite storage and access of stolen material + + instead of storing stolen blueprints and schematics on + company premises, they may be stored at a remote location + - possiby unknown to the company, via cryptoanarchy + techniques + + "Business research" is the euphemism for corporate + espionage + - often hiring ex-DIA and CIA agents + + American companies may step up their economic espionage + once it is revealed just how extensive the spying by + European and Japanese companies has been + - Chobetsu reports to MITI + - Mossad aids Israeli companies, e.g., Elscint. Elbit + + Bidzos calls this "a digital Pearl Harbor" (attacks on + network security) + - would be ironic if weaknesses put into encryption gear + came back to haunt us + + corporations will want an arms length relationship with + corporate spies, to protect themselves against lawsuits, + criminal charges, etc. + - third party research agencies will be used + 6.4.3. Encryption to Protect Information + - the standard reason + + encryption of e-mail is increasing + - the various court cases about employers reading + ostensibly private e-mail will sharpen this debate (and + raise the issue of employers forbidding encryption; + resonances with the mostly-settled issue of reasonable + use of company phones for private calls-more efficient to + let some personal calls be made than to lose the time of + employees going to public phones) + + encryption of faxes will increase, too, especially as + technology advances and as the dangers of interception + become more apparent + - also, tighter links between sender and receive, as + opposed to the current "dial the number and hope it's the + right one" approach, will encourage the additional use of + encryption + - "electronic vaulting" of large amounts of information, sent + over T1 and T3 data networks, e.g., backup material for + banks and large corporations + + the miles and miles of network wiring within a + corporation-LANs, WANs, Novell, Ethernet, TCP-IP, Banyan, + and so on-cannot all be checked for taps...who would even + have the records to know if some particular wire is going + where it should? (so many undocumented hookups, lost + records, ad hoc connections, etc.) + - the solution is to have point-to-point encryption, even + withing corporations (for important items, at least) + - wireless LANs + - encryption provides "solidity" to cyberspace, in the sense + of creating walls, doors, permanent structures + - there may even be legal requirements for better security + over documents, patient files, employee records, etc. + 6.4.4. U.S. willing to seize assets as they pass through U.S. + (Haiti, Iraq) + 6.4.5. Privacy of research + - attacks on tobacco companies, demanding their private + research documents be turned over to the FDA (because + tobacco is 'fair game" for all such attacks, ...) + 6.4.6. Using crypto-mediated business to bypass "deep pockets" + liability suits, abuse of regulations, of the court system, + etc. + + Abuses of Lawsuits: the trend of massive + judgments...several million for a woman burned when she + spilled hot coffee at a MacDonald's ($160K for damages, the + rest for "punitive damages") + - billions of dollars for various jury decisions + - "deep pockets" lawsuits are a new form of populism, of de + Tocqueville's pocket-picking + + For example, a shareware author might collect digital cash + without being traceable by those who feel wronged + - Is this "right"? Well , what does the contract say? If + the customer bought or used the product knowing that the + author/seller was untraceable, and that no additional + warranties or guarantees were given, what fraud was + committed? + + crypto can, with some costs, take interactions out of the + reach of courts + - replacing the courts with PPL-style private-produced + justice + 6.4.7. on anonymous communication and corporations + - Most corporations will avoid anonymous communications, + fearing the repercussions, the illegality (vis-a-vis + antitrust law), and the "unwholesomeness" of it + + Some may use it to access competitor intelligence, offshore + data havens, etc. + - Even here, probably through "arm's length" relationships + with outside consultants, analogous to the cutouts used + by the CIA and whatnot to insulate themselves from + charges + - Boldest of all will be the "crypto-zaibatsu" that use + strong crypto of the crypto anarchy flavor to arrange + collusive deals, to remove competitors via force, and to + generally pursue the "darker side of the force," to coin a + phrase. + +6.5. Digital Signatures + 6.5.1. for electronic forms of contracts + - not yet tested in the courts, though this should come soon + (perhaps by 1996) + 6.5.2. negotiations + 6.5.3. AMIX, Xanadu, etc. + 6.5.4. is the real protection against viruses (since all other + scanning methods will increasingly fail) + - software authors and distributors "sign" their work...no + virus writer can possibly forge the digital signature + +6.6. Political Uses of Crypto + 6.6.1. Dissidents, Amnesty International + - Most governments want to know what their subjects are + saying... + - Strong crypto (including steganography to hide the + existence of the communications) is needed + - Myanmar (Burma) dissidents are known to be using PGP + 6.6.2. reports that rebels in Chiapas (Mexico, Zapatistas) are on + the Net, presumably using PGP + - (if NSA can really crack PGP, this is probably a prime + target for sharing with the Mexican government) + 6.6.3. Free speech has declined in America--crypto provides an + antidote + - people are sued for expressing opinions, books are banned + ("Loompanics Press" facing investigations, because some + children ordered some books) + + SLAPP suits (Strategic Lawsuiits Against Public + Participation), designed to scare off differing opinions by + threatening legal ruination in the courts + - some judges have found for the defendants and ordered the + SLAPPers to pay damages themselves, but this is still a + speech-chilling trend + - crypto untraceability is good immunity to this trend, and + is thus *real* free speech + +6.7. Beyond Good and Evil, or, Why Crypto is Needed + 6.7.1. "Why is cryptography good? Why is anonymity good?" + - These moral questions pop up on the List once in a while, + often asked by someone preparing to write a paper for a + class on ethics or whatnot. Most of us on the list probably + think the answers are clearly "yes," but many in the public + may not think so. The old dichotomy between "None of your + damned business" and "What have you got to hide?" + - "Is it good that people can write diaried unread by + others?" "Is it good that people can talk to each other + without law enforcement knowing what they're saying?" "Is + it good that people can lock their doors and hide from + outsiders?" These are all essentially equivalent to the + questions above. + - Anonymity may not be either good or not good, but the + _outlawing_ of anonymity would require a police state to + enforce, would impinge on basic ideas about private + transactions, and would foreclose many options that some + degree of anonymity makes possible. + - "People should not be anonymous" is a normative statement + that is impractical to enforce. + 6.7.2. Speaking of the isolation from physical threats and pressures + that cyberspace provides, Eric Hughes writes: "One of the + whole points of anonymity and pseudonymity is to create + immunity from these threats, which are all based upon the + human body and its physical surroundings. What is the point + of a system of anonymity which can be pierced when something + "bad" happens? These systems do not reject the regime of + violence; rather, they merely mitigate it slightly further + and make their morality a bit more explicit.....I desire + systems which do not require violence for their existence and + stability. I desire anonymity as an ally to break the hold + of morality over culture." [Eric Hughes, 1994-08-31] + 6.7.3. Crypto anarchy means prosperity for those who can grab it, + those competent enough to have something of value to offer + for sale; the clueless 95% will suffer, but that is only + just. With crypto anarchy we can painlessly, without + initiation of aggression, dispose of the nonproductive, the + halt and the lame. (Charity is always possible, but I suspect + even the liberal do-gooders will throw up their hands at the + prospect of a nation of mostly unskilled and essentially + illiterate and innumerate workers being unable to get + meaninful, well-paying jobs.) + 6.7.4. Crypto gets more important as communication increases and as + computing gets distributed + + with bits and pieces of one's environment scattered around + - have to worry about security + - others have to also protect their own products, and yet + still provide/sell access + - private spaces needed in disparate + locations...multinationals, teleconferencing, video + +6.8. Crypo Needed for Operating Systems and Networks + 6.8.1. Restrictions on cryptography--difficult as they may be to + enforce--may also impose severe hardships on secure operating + system design, Norm Hardy has made this point several times. + - Agents and objects inside computer systems will likely need + security, credentials, robustness, and even digital money + for transactions. + 6.8.2. Proofs of identity, passwords, and operating system use + - ZKIPS especially in networks, where the chances of seeing a + password being transmitted are much greater (an obvious + point that is not much discussed) + + operating systems and databases will need more secure + procedures for access, for agents and the like to pay for + services, etc. + - unforgeable tokens + 6.8.3. An often unmentioned reason why encyption is needed is for + the creation of private, or virtual, networks + - so that channels are independent of the "common carrier" + + to make this clear: prospects are dangerously high for a + consolidation under government control of networks + - in parallel with roads + + and like roads, may insist on equivalent of licenses + - is-a-person + - bans on encryption + - The Nightmare Scenario: "We own the networks, we won't + let anyone install new networks without our approval, and + we will make the laws about what gets carried, what + encryption can be used, and how taxes will be collected." + - Fortunately, I doubt this is enforceable...too many ways + to create virtual networks...satellites like Iridium, + fiber optics, ways to hide crypto or bury it in other + traffic + + cyberspace walls... + + more than just crypto: physical security is needed (and + for much the same reason no "digital coin" exists) + - processes running on controlled-accesss machines (as + with remailers) + - access by crypto + + a web of mutually suspicious machines may be sufficient + - robust cyberspaces built with DC-Net ("dining + cryptographers") methods? + +6.9. Ominous Trends + 6.9.1. Ever-increasing numbers of laws, complexities of tax codes, + etc. + - individuals no longer can navigate + 6.9.2. National ID cards + - work permits, immigration concerns, welfare fraud, stopping + terrorists, collecting taxes + - USPS and other proposals + 6.9.3. Key Escrow + 6.9.4. Extension of U.S. law around the world + - Now that the U.S. has vanquished the U.S.S.R., a free field + ahead of it for spreading the New World Order, led of + course by the U.S.A. and its politicians. + - treaties, international agreements + - economic hegemony + - U.N. mandates, forces, "blue helmets" + 6.9.5. AA BBS case means cyberspace is not what we though it was + +6.10. Loose Ends +6.10.1. "Why don't most people pay more attention to security + issues?" + - Fact is, most people never think about real security. + - Safe manufacturers have said that improvements in safes + (the metal kind) were driven by insurance rates. A direct + incentive to spend more + money to improve security (cost of better safe < cost of + higher insurance rate). + - Right now there is almost no economic incentive for people + to worry + about PIN security, about protecting their files, etc. + (Banks eat the + costs and pass them on...any bank which tried to save a few + bucks in + losses by requiring 10-digit PINs--which people would + *write down* + anyway!--would lose customers. Holograms and pictures on + bank cards + are happening because the costs have dropped enough.) + - Crypto is economics. People will begin to really care when + it costs them. + +6.10.2. What motivates an attackers is not the intrinsic value of the + data but his perception of the value of the data. +6.10.3. Crypto allows more refinement of permissions...access to + groups, lists + - beyond such crude methods as banning domain names or "edu" + sorts of accounts +6.10.4. these general reasons will make encryption more common, more + socially and legally acceptable, and will hence make eventual + attempts to limit the use of crypto anarchy methods moot +6.10.5. protecting reading habits.. + - (Imagine using your MicroSoftCashCard for library + checkouts...) +6.10.6. Downsides + - loss of trust + - markets in unsavory things + - espionage + + expect to see new kinds of con jobs + - confidence games + - "Make Digital Money Fast" +6.10.7. Encryption of Video Signals and Encryption to Control Piracy + - this is of course a whole technology and industry + - Videocypher II has been cracked by many video hackers + - a whole cottage industry in cracking such cyphers + - note that outlawing encryption would open up many + industries to destruction by piracy, which is yet another + reason a wholesale ban on encryption is doomed to failure + +7. PGP -- Pretty Good Privacy + +7.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +7.2. SUMMARY: PGP -- Pretty Good Privacy + 7.2.1. Main Points + - PGP is the most important crypto tool there is, having + single-handedly spread public key methods around the world + - many other tools are being built on top of it + 7.2.2. Connections to Other Sections + - ironically, almost no understanding of how PGP works in + detail is needed; there are plenty of experts who + specialize in that + 7.2.3. Where to Find Additional Information + - newsgroups carry up to date comments; just read them for a + few weeks and many things will float by + - various FAQs on PGP + + even an entire book, by Simpson Garfinkel: + - PGP: Pretty Good Privacy + by Simson Garfinkel + 1st Edition November 1994 (est.) + 250 pages (est),ISBN: 1-56592-098-8, $17.95 (est) + 7.2.4. Miscellaneous Comments + - a vast number of ftp sites, URLs, etc., and these change + - this document can't possibly stay current on these--see the + pointers in the newsgroups for the most current sites + +7.3. Introduction + 7.3.1. Why does PGP rate its own section? + - Like Clipper, PGP is too big a set of issues not to have + its own section + 7.3.2. "What's the fascination in Cypherpunks with PGP?" + - Ironically, our first meeting, in September 1992, coincided + within a few days of the release of PGP 2.0. Arthur Abraham + provided diskettes of 2.0, complete with laser-printed + labels. Version 2.0 was the first truly useful version of + PGP (so I hear....I never tried Version 1.0, which had + limited distribution). So PGP and Cypherpunks shared a + history--and Phil Zimmermann has been to some physical + meetings. + - A practical, usable, understandable tool. Fairly easy to + use. In contrast, many other developments are more abstract + and do not lend themselves to use by hobbyists and + amateurs. This alone ensures PGP an honored place (and + might be an object lesson for developers of other tools). + 7.3.3. The points here focus on PGP, but may apply as well to + similar crypto programs, such as commercial RSA packages + (integrated into mailers, commercial programs, etc.). + +7.4. What is PGP? + 7.4.1. "What is PGP?" + 7.4.2. "Why was PGP developed?" + 7.4.3. Who developed PGP? + +7.5. Importance of PGP + 7.5.1. PGP 2.0 arrived at an important time + - in September 1992, the very same week the Cypherpunks had + their first meeting, in Oakland, CA. (Arthur Abraham + printed up professional-looking diskette labels for the PGO + 2.0 diskettes distributed. A general feeling that we were + forming at the "right time.") + - just 6 months before the Clipper announcement caused a + firestorm of interest in public key cryptography + 7.5.2. PGP has been the catalyst for major shifts in opinion + - has educated tens of thousands of users in the nature of + strong crypto + - has led to other tools, including encrypted remailers, + experiments in digital money, etc. + 7.5.3. "If this stuff is so important, how come not everyone is + digitally signing their messages?" + - (Me, for example. I never sign my messages, and this FAQ is + not signed. Maybe I will, later.) + - convenience, ease of use, "all crypto is economics" + - insecurity of host Unix machines (illusory) + - better integration with mailers needed + 7.5.4. Ripem appears to be dead; traffic in alt.security.ripem is + almost zero. PGP has obviously won the hearts and minds of + the user community; and now that it's "legal"... + +7.6. PGP Versions + 7.6.1. PGP Versions and Implementations + - 2.6ui is the version compatible with 2.3 + + What is the difference between versions 2.6 and 2.6ui? + - "PGP 2.6 is distributed from MIT and is legally available + to US and Canadian residents. It uses the RSAREF library. + It has code that will prevent interoperation with earlier + versions of PGP. + "PGP 2.6ui is a modified version of PGP 2.3a which + functions almost identically to MIT PGP 2.6, without the + "cripple code" of MIT PGP 2.6. It is legally available + outside the US and Canada only." [Rat + , alt.security.pgp, 1994-07-03] + + DOS + - Versions + + Pretty Good Shell + - "When your Microsoft Mail supports an external Editor, + you might want to try PGS (Pretty Good Shell), + available as PGS099B.ZIP at several ftp sites. It + enables you to run PGP from a shell, with a easy way to + edit/encrypt files." [HHM LIMPENS, 1994-07-01] + - Windows + + Sun + - "I guess that you should be able to use PGPsendmail, + available at ftp.atnf.csiro.au:/pub/people/rgooch' + [eric@terra.hacktic.nl (Eric Veldhuyzen), PGP support for + Sun's Mailtool?, alt.security.pgp, 1994-06-29] + + Mark Grant has been working on a tool + to replace Sun's mailtool. "Privtool ("Privacy Tool") is + intended to be a PGP-aware replacement for the standard + Sun Workstation mailtool program, with a similar user + interface and automagick support for PGP-signing and PGP- + encryption." [MG, 1994-07-03] + - "At the moment, the Beta release is available from + ftp.c2.org in /pub/privtool as privtool-0.80.tar.Z, and + I've attached the README.1ST file so that you can check + out the features and bugs before you download it. .... + Currently the program requires the Xview toolkit to + build, and has only been compiled on SunOS 4.1 and + Solaris 2.1." + + MacPGP + - 2.6ui: reports of problems, bombs (remove Preferencs set + by previous versions from System folder) + - "MacPGP 2.6ui is fully compatible with MIT's MacPGP 2.6, + but offers several advantages, a chief one being that + MacPGP 2.6ui is controllable via AppleScript. This is a + very powerful feature, and pre-written AppleScripts are + already available. A set of AppleScripts called the + Interim Macintosh PGP Interface (IMPI) support + encryption, decryption, and signing of files via drag-n- + drop, finder selection, the clipboard, all accessible + from a system-wide menu. Eudora AppleScripts also exist + to interface MacPGP with the mail program Eudora. + + "MacPGP 2.6ui v1.2 is available via anonymous ftp from: + + FTP SITE DIRECTORY + CONTENTS + -------- --------- + -------- + ftp.darmstadt.gmd.de pub/crypto/macintosh/MacPGP + MacPGP 2.6ui, source + + AppleScripts for 2.6ui are available for U.S. and + Canadian citizens ONLY + via anonymous ftp from: + + FTP SITE DIRECTORY + CONTENTS + -------- --------- + -------- + ftp.csn.net mpj + IMPI & Eudora scripts + + MacPGP 2.6ui, source + [phinely@uhunix.uhcc.Hawaii.Edu (Peter Hinely), + alt.security.pgp, 1994-06-28] + - Amiga + + VMS + - 2.6ui is said to compile and run under VMS. + + German version + - MaaPGP0,1T1,1 + - dtp8//dtp,dapmqtadt,gmd,de/ilaomilg/MaaP + - Ahpiqtoph_Pagalies@hh2.maus. + - (source: andreas.elbert@gmd.de (A.Elbert). by way of + qwerty@netcom.com (-=Xenon=-), 3-31-94 + 7.6.2. What versions of PGP exist? + - PGP 2.7 is ViaCrypt's commercial version of PGP 2.6 + 7.6.3. PGP 2.6 issues + - There has been much confusion, in the press and in + discussion groups, about the issues surrounding 2.5, 2.6, + 2.6ui, and various versions of these. Motivations, + conspiracies, etc., have all been discussed. I'm not + involved as others on our list are, so I'm often confused + too. + + Here are some comments by Phil Zimmermann, in response to a + misleading press report: + - "PGP 2.6 will always be able to read messages, + signatures, and keys from olderversions, even after + September 1st. The older versions will not be able to + read messages, signatures and keys produced by PGP 2.6 + after September 1st. This is an entirely different + situation. There is every reason for people to switch to + PGP 2.6, because it will be able to handle both data + formats, while the older versions will not. Until + September, the new PGP will continue to produce the old + format that can be read by older versions, but will start + producing the new format after that date. This delay + allows time for everyone to obtain the new version of + PGP, so that they will not be affected by the change. + Key servers will still be able to carry the keys made in + the old format, because PGP 2.6 will still read them with + no problems. " [Phil Zimmermann, 1994-07-07, also posted + to Usenet groups] [all dates here refer to 1994] + - "I developed PGP 2.6 to be released by MIT, and I think + this new + arrangement is a breakthrough in the legal status of PGP, + of benefit to + all PGP users. I urge all PGP users to switch to PGP + 2.6, and abandon + earlier versions. The widespread replacement of the old + versions with + this new version of PGP fits in with future plans for the + creation of a + PGP standard." [Phil Zimmermann, 1994-07-07, also posted + to Usenet groups] + 7.6.4. PGP version 2.6.1 + - "MIT will be releasing Pretty Good Privacy (PGP) version + 2.6.1 real soon now. By tomorrow, I think. The MSDOS + release filename will be pgp261.zip, and the source code + will be in pgp261s.zip. The MIT FTP site is net- + dist@mit.edu, in the pub/PGP directory." [corrected by + Derek Atkins to be: net-dist.mit.edu, not net- + dist@mit.edu.] + + "This new version has a lot of bug fixes over version 2.6. + I hope this is the final release of this family of PGP + source code. We've been working on an entirely new version + of PGP, rewritten from scratch, which is much cleaner and + faster, and better suited for the future enhancements we + have planned. All PGP development efforts will be + redirected toward this new code base, after this 2.6.1 + release." [Phil Zimmermann, Cypherpunks list, 1994-09-02] + +7.7. Where to Get PGP? + 7.7.1. "Where can I get PGP on CompuServe?" + - Note: I can't keep track of the major ftp sites for the + various crypto packages, let alone info on services like + this. But, here it is; + - "Current as of 5-Jul-1994:" + GO EURFORUM / Utilities PGP26UI.ZIP PGP 2.6ui + GO PWOFORUM / New uploads PGP26.ZIP PGP 2.6 + PWOFORUM also has the source code and documentation, plus + a number of shell utilities for PGP. Version 2.3a is also + still around." [cannon@panix.com, Kevin Martin, PGP on + Compuserve??, alt.security.pgp, 1994-07-08] + 7.7.2. Off line PGP + + ftp.informatik.uni- + hamburg.de:/pub/virus/crypt/pgp/tools/pgp-elm.zip + - another place: Crosspoint: ftp.uni- + kl.de:/pub3/pc/dos/terminal/xpoint XP302*.EXE + + "I highly recommend Offline AutoPGP v2.10. It works + seamlessly with virtually any offline mail reader that + supports .QWK packets. Shareware registration is $10.00 + US. The author is Staale Schumacher, a student at the + University of Oslo, is reachable at staale@ifi.uio.no . + The program should be pretty widely available on US bbs's + by now. I use the program constantly for bbs mail. It's + really quite a slick piece of work. If you have any + trouble finding it, drop me a note." + [bhowatt@eis.calstate.edu Brent H. Howatt, PGP in an + offline reader?, alt.security.pgp, 1994-07-05] + - oak.oakland.edu in /pub/msdos/offline, version 2.11 + - ftp.informatik.uni- + hamburg.de:/pub/virus/crypt/pgp/tools/apgp211.zip + 7.7.3. "Should I worry about obtaining and compiling the PGP + sources?" + - Well, unless you're an expert on the internals of PGP, why + bother? And a subtle bug in the random number generator + eluded even Colin Plumb for a while. + - The value of the source being available is that others can, + if they wish, make the confirmation that the executable + correspond to the source. That this _can_ be done is enough + for me. (Strategy: Hold on to the code for a while, wait + for reports of flaws or holes, then use with confidence.) + - Signatures can be checked. Maybe timestamped versions, + someday. + - Frankly, the odds are much higher that one's messages or + pseudonymous identity will be exposed in others ways than + that PGP has been compromised. Slip-ups in sending messages + sometimes reveal identities, as do inadvertent comments and + stylistic cues. + +7.8. How to Use PGP + 7.8.1. How does PGP work? + 7.8.2. "How should I store the secret part of my key? Can I memorize + it?" + - Modern ciphers use keys that are far beyond memorization + (or even typing in!). The key is usually stored on one's + home machine, or a machine that is reasonably secure, or on + diskette. The passphrase should always be memorized or + written down (ugh) in one's wallet or other such place. + Secure "dongles" worn around the neck, or a ring or watch, + may eventually be used. Smartcards and PDAs are a more + likely intermediate solution (many PCs now have PCMCIA card + slots). + 7.8.3. "How do I sign messages?" + - cf. the PGP docs + + however, this has come up on the List, and: + - + + pgp -sta +clearsig=on message.txt + - + - That's from pgpdoc2.txt. Hope it helps. You might + wish to set up your mail + - user agent to invoke this command upon exiting your + default message editor, + - with "message.txt" set to whatever your editor calls + the temporary message + - file. + 7.8.4. Why isn't PGP easier to use? + - Compared to other possible crypto applications (like + digital money or voting systems), it is actually _very_ + easy to use + - semantic gap...learning + 7.8.5. How should I learn PGP? + 7.8.6. "What's the status of PGP integration with other programs?" + + Editors + + emacs + + emacs supports pgp, probably in various flavors (I've + seen several reports of different packages)..the built- + in language certainly helps + - Rick Busdiecker has an emacs front + end to PGP available + - Jin S. Choi once described a + package he wrote in elisp which supported GNU emacs: + "mailcrypt" + - there are probably many more + + Mailers + - That is, are there any mailers that have a good link to + PGP? Hooks into existing mailers are needed + + emacs + + emacs supports pgp, probably in various flavors (I've + seen several reports of different packages)..the built- + in language certainly helps + - Rick Busdiecker has an emacs front + end to PGP available + - Jin S. Choi once described a + package he wrote in elisp which supported GNU emacs: + "mailcrypt" + - there are probably many more + - elm + - Eudora + + PGP sendmail, etc. + - "Get the PGPsendmail Suite, announced here a few days + ago. It's available for anonymous ftp from: + ftp.atnf.csiro.au: pub/people/rgooch (Australia) + ftp.dhp.com: pub/crypto/pgp/PGPsendmail(U.S.A.) + ftp.ox.ac.uk: src/security (U.K.)... It works by + wrapping around the regular sendmail programme, so + you get automatic encryption for all mailers, not just + Rmail. " [Richard Gooch, alt.security.pgp, 1994-07-10] + + MIME + - MIME and PGP + - [the following material taken from an announcement + forwarded to the Cypherpunks list by + remijn@athena.research.ptt.nl, 1994-07-05] + - "MIME [RFC-1341, RFC-1521] defines a format and + general framework for the representation of a wide + variety of data types in Internet mail. This document + defines one particular type of MIME data, the + application/pgp type, for "pretty good" privacy, + authentication, and encryption in Internet mail. The + application/pgp MIME type is intended to facilitate the + wider interoperation of private mail across a wide + variety of hardware and software platforms. + + Newsreaders + - useful for automatic signing/verification, and e-mail + from withing newsreader + - yarn + - tin + - The "yarn" newsreader reportedly has PGP built in. + 7.8.7. "How often should I change my key or keys?" + - Hal Finney points out that many people seem to think PGP + keys are quasi-permanent. In fact, never changing one's key + is an invitation to disaster, as keys may be compromised in + various ways (keystroke capture programs, diskettes left + lying around, even rf monitoring) and may conceivably be + cracked. + - " + + "What is a good interval for key changes? I would suggest + every year or so + - makes sense, especially if infrastructure can be + developed to make it easier + - to propagate key changes. Keys should be overlapped in + time, so that you make + - a new key and start using it, while continuing to support + the old key for a + - time. + - Hal also recommends that remailer sites change their keys + even more frequently, perhaps monthly. + +7.9. Keys, Key Signings, and Key Servers + 7.9.1. Web of trust vs. heierarchical key management + - A key innovations of Phil Zimmermann was the use of a "web + of trust" model for distributed trust in keys. + - locality, users bear costs + - by contrast, government estimates $1-2 B a year to run key + certification agencies for a large fraction of the + population + - "PGP is about choice and constructing a web of trust that + suits your needs. PGP supports a completely decentralized, + personalized web of trust and also the most highly + structured bureaucratic centralized scheme you could + imagine. One problem with relying solely on a personalized + web of trust is that it limitsyour universe of + correspondents. We can't expect Phil Zimmermann and a few + well-known others to sign everyone's key, and I would not + want to limit my private correspondence to just those + people I know and trust plus those people whose keys have + been signed by someone I know and trust." [William + Stallings, SLED key verification, alt.security.pgp, 1994-09- + 01] + 7.9.2. Practical approaches to signing the keys of others + + sign keys of folks you know and wish to communicate with + - face-to-face encounters ("Here is my key.") + + trust--to varying extents--the keys signed by others you + know + - web-of-trust + - trust--to a lesser extent--the keys of people in key + registries + 7.9.3. Key Servers + + There are several major sites which appear to be stable + + MIT PGP Public Key Server + - via www.eff.org + + Vesselin Bontchev at University of Hamburg operates a + very stable one: + - Ftp: ftp.informatik.uni-hamburg.de + IP: 134.100.4.42 + Dir: /pub/virus/crypt/pgp/ + File: pubkring.pgp + E-Mail: pgp-public-keys@fbihh.informatik.uni-hamburg.de + - pgpkeys.io.com + + http://martigny.ai.mit.edu/~bal/pks-commands.html + - This is a PGP keyserver in Zurich. + - + 7.9.4. Use of PGP key fingerprints + - "One of the better uses for key fingerprints is for + inclusion in signature files and other places that a key + itself is too bulky. By widespread dissemination of the + fingerprint, the chances of a bogus key being undetected + are decreased, since there are more channels for the + fingerprint to get to recipients, and more channels for the + owner of a key to see any bogus fingerprints out on the + net. [Bill Stewart, 1994-08-31] + 7.9.5. "How should address changes be handled? Do old keys have to + be revoked?" + - Future versions of PGP may handle better + - One way is to issue .... "User-id revocation certificates + are a *good* idea and the PGP key format allows for them - + maybe one day PGP will do something about it." [Paul Allen, + alt.security.pgp, 1994-07-01] + - Persistent e-mail addresses is one approach. Some people + are using organization like the ACM to provide this (e.g., + Phil Zimmermann is prz@acm.org). Others are using remapping + services. For example, "I signed up with the SLED (Stable + Large E-mail Database), which is a cross-referencing + database for linking old, obsolete E-mail addresses with + current ones over the course of time.... Anyone using this + key will always be able to find me on the SLED by + conducting a search with "blbrooks..." as the keyword. Thus + my key and associated sigs always remain good.... If you + are interested in the SLED, its address is + sled@drebes.com." [Robert Brooks, alt.security.pgp, 1994-07- + 01] + 7.9.6. "How can I ensure that my keys have not been tampered with?" + + Keep your private key secure + + if on an unsecured machine, take steps to protect it + - offlline storage (Perry Metzger loads his key(s) every + morning, and removes it when he leaves the machine) + + memorize your PGP passphrase and don't write it down, at + least not anywhere near where the private key is + available + - sealed envelopes with a lawyer, safe deposit boxes, + etc., are possibilities + - given the near-impossibility of recovering one's files + if the passphrase is lost permanently, I recommend + storing it _someplace_, despite the slight loss in + security (this is a topic of debate...I personally feel + a lot more comfortable knowing my memory is backed up + somewhere) + - Colin Plumb has noted that if someone has accesss to your + personal keyring, they also probably have access to your + PGP program and could make modifications to it *directly*. + - Derek Atkins answered a similar question on sci.crypt: + "Sure. You can use PGP to verify your keyring, and using + the web-of-trust, you can then have it verify your + signatures all the keys that you signed, and recurse + through your circle-of-friends. To verify that your own + key was not munged, you can sign something with your secret + key and then try to verify it. This will ensure that your + public key wasn't munged." [Derek Atkins, sci.crypt, 1994- + 07-06] + 7.9.7. "Why are key revocations needed?" + - Key revocation is the "ebb-of-trust" + - "There are a number of real reasons. Maybe you got coerced + into signing the key, or you think that maybe the key was + signed incorrectly, or maybe that person no longer uses + that email address, because they lost the account, or that + maybe you don't believe that the binding of key to userID + is valid for any number of reasons." [Derek Atkins, 4-28- + 94] + 7.9.8. "Is-a-person" registries + + There have been proposals that governments could and should + create registries of "legal persons." This is known in the + crypto community as "is-a-person" credentialling, and + various papers (notably Fiat-Shamir) have dealt with issues + - of spoofing by malicious governments + - of the dangers of person-tracking + + We need to be very careful here! + - this could limit the spread of 'ad hoc crypto' (by which + I mean the use of locally-generated keys for reasons + other than personal use...digital cash, pseudonyms etc.) + - any system which "issues" permission slips to allow keys + to be generated is dangerous! + + Could be an area that governments want to get into. + - a la Fiat-Shamir "passport" issues (Murdoch, Libyan + example) + - I favor free markets--no limitations on which registries I + can use + 7.9.9. Keyservers (this list is constantly changing, but most share + keys, so all one needs is one). Send "help" message. For + current information, follow alt.security.pgp. + - about 6000 keys on the main keyservers, as of 1994-08. + - pgp-public-keys@martigny.ai.mit.edu + - pgp-public-keys@dsi.unimi.it + - pgp-public-keys@kub.nl + - pgp-public-keys@sw.oz.au + - pgp-public-keys@kiae.su + - pgp-public-keys@fbihh.informatick.uni-hamburg.de + - and wasabi.io.com offers public keys by finger (I couldn't + get it to work) +7.9.10. "What are key fingerprints and why are they used?" + - "Distributing the key fingerprint allows J. Random Human to + correlate a key supplied via one method with that supplied + via another. For example, now that I have the fingerprint + for the Betsi key, I can verify whether any other alleged + Betsi key I see is real or not.....It's a lot easier to + read off & cross-check 32-character fingerprints than the + entire key block, especially as signatures are added and + the key block grows in size." [Paul Robichaux, 1994-08-29] +7.9.11. Betsi + - Bellcore + - key signing +7.9.12. on attacks on keyservers... + + flooding attacks on the keyservers have started; this may + be an attempt to have the keyservers shut down by using + obscene, racist, sexist phrases as key names (Cypherpunks + would not support shutting down a site for something so + trivial as abusive, offensive language, but many others + would.) + - "It appears that some childish jerk has had a great time + generating bogus PGP keys and uploading them to the + public keyservers. Here are some of the keys I found on a + keyserver:...[keys elided]..." [staalesc@ifi.uio.no, + alt.security.pgp, 1994-09-05] + +7.10. PGP Front Ends, Shells, and Tools +7.10.1. Many can be found at this ftp site: + + ftp.informatik.uni-hamburg.de:/pub/virus/crypt/pgp/shells/ + - for various shells and front-ends for PGP +7.10.2. William Stallings had this to say in a Usenet post: + - "PGPShell: runs directly on the DOS version, doesn't need + Windows. Nice, simple interface. freeware + + "PGP Winfront: freeware windows front end. Uses a "control + panel" style, with many options displayed in a compact + fashion. + + "WinPGP: shareware ($45). Uses a drop-down menu style, + common to many Windows applications." [William Stallings, + Looking for PGP front end, alt.security, 1994-08-31] +7.10.3. Rick Busdiecker has an emacs front end to + PGP available +7.10.4. Pr0duct Cypher's tools: + + ftp.informatik.uni- + hamburg.de:/pub/virus/crypt/pgp/tools/PGPTools.tar.gz + - Pr0duct Cypher's tools, and other tools in general + +7.11. Other Crypto Programs And Tools +7.11.1. Other Ciphers and Tools + - RIPEM + - PEM + - MD5 + + SFS (Secure FileSystem) 1.0 + - "SFS (Secure FileSystem) is a set of programs which + create and manage a number of encrypted disk volumes, and + runs under both DOS and Windows. Each volume appears as + a normal DOS drive, but all data stored on it is encryped + at the individual-sector level....SFS 1.1 is a + maintenance release which fixes a few minor problems in + 1.0, and adds a number of features suggested by users. + More details on changes are given in in the README file." + [Peter Gutmann, sci.crypt, 1994-08-25] + - not the same thing as CFS! + - 512-bit key using a MDC/SHS hash. (Fast) + - only works on a386 or better (says V. Bontchev) + - source code not available? + - implemented as a device driver (rather than a TSR, like + SecureDrive) + - "is vulnerable to a special form of attack, which was + mentioned once here in sci.crypt and is described in + detaills in the SFS documentation. Take a loot at the + section "Encryption Considerations"." [Vesselin Bontchev, + sci.crypt, 1994-07-01] + - Comparing SFS to SecureDrive: "Both packages are + approximately equal in terms of user interface, but SFS + seems to be quite a bit faster. And comments from + various people (previous message thread) seems to + indicate that it is more "secure" as well." [Bill Couture + , sci.crypt, 1994-0703] + + SecureDrive + - encrypts a disk (always be very careful!) + - SecureDrive 1.3D, 128-bit IDEA cypher is based on an MD5 + hash of the passphrase + - implemented as a TSR (rather than a device driver, like + CFS) + - source code available + + Some problems reported (your mileage may vary) + - "I have been having quite a bit of difficulty with my + encrypted drive mangling files. After getting secure + drive 1.3d installed on my hard drive, I find that + various files are being corrupted and many times after + accessing the drive a bunch of crosslinked files are + present." [Vaccinia@uncvx1.oit.unc.edu, 1994-07-01] + - Others report being happy with, under both DOS and + Windows + - no OS/2 or Mac versions reported; some say an OS/2 device + driver will have to be used (such as Stacker for OS/2 + uses) + + SecureDevice + - "If you can't find it elsewhere, I have it at + ftp://ftp.ee.und.ac.za/pub/crypto/secdev13.arj, but + that's at the end of a saturated 64kbps link." [Alan + Barrett, 1994-07-01] +7.11.2. MDC and SHS (same as SHA?) + - "The MDC cyphers are believed to be as strong as it is + difficult to invert the cryptographic hash function they + are using. SHS was designed by the NSA and is believed to + be secure. There might be other ways to attack the MDC + cyphers, but nobody who is allowed to speak knows such + methods." [Vesselin Bontchev, sci.crypt, 1994-07-01] + + Secure Hash Standard's algorithm is public, and hence can + be analyzed and tested for weaknesses (in strong contrast + with Skipjack). + - may replace MD5 in future versions of PGP (a rumor) + - Speed of MDC: "It's a speed tradeoff. MDC is a few times + faster than IDEA, so SFS is a few times faster than + SecureDrive. But MDC is less proven." [Colin Plumb, + sci.crypt, 1994-07-04] + + Rumors of problems with SHA + - "The other big news is a security problem with the Secure + Hash Algorithm (SHA), discussed in the Apr 94 DDJ. The + cryptographers at NSA have found a problem with the + algorithm. They won't tell anyone what it is, or even + how serious it is, but they promise a fix soon. Everyone + is waiting with baited breath." [Bruce Schneier, reprot + on Eurocrypt '94, 1994-07-01] +7.11.3. Stego programs + + DOS + - S-Tools (or Stools?). DOS? Encrypts in .gif and .wav + (SoundBlaster format) files. Can set to not indicate + encrypted files are inside. + - Windows + + Macintosh + - Stego + + sound programs + - marielsn@Hawaii.Edu (Nathan Mariels) has written a + program which "takes a file and encrypts it with IDEA + using a MD5 hash of the password typed in by the user. + It then stores the file in the lowest bit (or bits, + user selectable) of a sound file." +7.11.4. "What about "Pretty Good Voice Privacy" or "Voice PGP" and + Other Speech Programs?" + + Several groups, including one led by Phil Zimmermann, are + said to be working on something like this. Most are using + commercially- and widely-available sound input boards, a la + "SoundBlaster" boards. + - proprietary hardware or DSPs is often a lose, as people + won't be able to easily acquire the hardware; a software- + only solution (possibly relying on built-in hardware, or + readily-available add-in boards, like SoundBlasters) is + preferable. + + Many important reasons to do such a project: + - proliferate more crypto tools and systems + - get it out ahead of "Digital Telephony II" and Clipper- + type systems; make the tools so ubiquitous that outlawing + them is too difficult + - people understand voice communcations in a more natural + way than e-,mail, so people who don't use PGP may + nevertheless use a voice encryption system + + Eric Blossom has his own effort, and has demonstrated + hardware at Cypherpunks meetings: + - "At this moment our primary efforts are on developing a + family of extensible protocols for both encryption and + voice across point to point links. We indend to use + existing standards where ever possible. + + "We are currently planning on building on top of the RFCs + for PPP (see RFCs 1549, 1548, and 1334). The basic idea + is to add a new Link Control Protocol (or possibly a + Network Control Protocol) that will negotiate base and + modulus and perform DH key exchange. Some forms of + Authentication are already supported by RFCs. We're + looking at others." [Eric Blossom, 1994-04-14] + + Building on top of multimedia capabilities of Macintoshes + and Windows may be an easier approach + - nearly all Macs and Windows machines will be + multimedia/audiovisual-capable soon + - "I realize that it is quite possible to design a secure + phone + with a Vocoder, a modem and some cpu power to do the + encryption, but I think that an easier solution may be on + the horizon. ....I believe that Microsoft and many others + are exploring hooking phones to PCs so people can do + things like ship pictures of their weekend fun to + friends. When PC's can easily access phone + communications, then developing encrypted conversations + should be as easy as programming for Windows :-)." + [Peter Wayner, 1993--07-08] +7.11.5. Random Number Generators + - A huge area... + + Chaotic systems, pendula + - may be unexpected periodicities (phase space maps show + basins of attraction, even though behavior is seemingly + random) +7.11.6. "What's the situation on the dispute between NIST and RSADSI + over the DSS?" + - NIST claims it doesn't infringe patents + - RSADSI bought the Schnorr patent and claims DSS infringes + it + - NIST makes no guarantees, nor does it indemnify users + [Reginald Braithwaite-Lee, talk.politics.crypto, 1994-07- + 04] +7.11.7. "Are there any programs like telnet or "talk" that use pgp?" + - "Don't know about Telnet, but I'd like to see "talk" + secured like that... It exists. (PGP-ized ytalk, that is.) + Have a look at ftp.informatik.uni- + hamburg.de:/pub/virus/crypto/pgp/tools/pgptalk.2.0.tar.gz" + [Vesselin Bontchev, alt.security.pgp, 1994-07-4] +7.11.8. Digital Timestamping + + There are two flavors: + - toy or play versions + - real or comercial version(s) + + For a play version, send a message to + "timestamp@lorax.mv.com" and it will be timestamped and + returned. Clearly this is not proof of much, has not been + tested in court, and relies solely on the reputation of the + timestamper. (A fatal flaw: is trivial to reset system + clocks on computes and thereby alter dates.) + - "hearsay" equivalent: time stamps by servers that are + *not* using the "widely witnessed event" approach of + Haber and Stornetta + - The version of Haber and Stornetta is of course much more + impressive, as it relies on something more powerful than + mere trust that they have set the system clocks on their + computers correctly! + +7.12. Legal Issues with PGP +7.12.1. "What is RSA Data Security Inc.'s position on PGP?" + I. They were strongly opposed to early versions +II. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos +III. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos +IV. Talk of lawsuits, actions, etc. + V. The 2.6 MIT accomodation may have lessened the tension; + purely speculative +7.12.2. "Is PGP legal or illegal"? +7.12.3. "Is there still a conflict between RSADSI and PRZ?" + - Apparently not. The MIT 2.6 negotiations seem to have + buried all such rancor. At least officially. I hear there's + still animosity, but it's no longer at the surface. (And + RSADSI is now facing lawsuits and patent suits.) + +7.13. Problems with PGP, Flaws, Etc. +7.13.1. Speculations on possible attacks on PGP + + There are periodically reports of problems, most just + rumors. These are swatted-down by more knowledgeable + people, for the most part. True flaws may exist, of course, + as in any piece of software. + - Colin Plumb acknowledged a flaw in the random number + generation process in PGP 2.6, to be fixed in later + versions. + + spreading fear, uncertainty and doubt + - rumors about security of PGP versions + - selective prosecution of PGP users + - death threats (a la against Bidzos) + - sowing confusion in the user community + - fragmenting it (perhaps via multiple, noninteroperable + versions...such as we're beginning to see now?) +7.13.2. What does the NSA know about flaws in PGP? + - They're not saying. Ironically, this violates the part of + their charter that deals with making commercial security + stronger. Now that PGP is kosher, they should help to make + it stronger, and certainly should not keep mum about + weaknesses they know about. But for them to help strengthen + PGP is not really too likely. +7.13.3. The PGP timebomb + - (As I've said elsewhere, it all gets very confusing. Many + versions, many sites, many viewpoints, many tools, many + shells, many other things. Fortunately, most of it is + flotsam.) + - I take no point of view--for various reasons--on avoiding + the "timebomb" by using 2.6ui. Here's someone else's + comment: "I would like to take this time to encourage you + to upgrade to 2.6ui which will overcome mit's timebomb and + not exclude PGP 2.3a from decrypting messages.....DON'T USE + MIT's 2.6, use PGP 2.6ui available from soda.berkeley.edu + : /pub/cypherpunks/pgp" [Matrix at Cypherpunks, BLACK + THURSAY!, alt.security.pgp, 1994-09-01] + + can also be defeated with the "legal kludge": + - ftp.informatik.uni-hamburg.de : + /pub/virus/crypt/pgp/legal_kludge.txt +7.13.4. Spoofing + - "Suitable timing constraints, and in particular real-time + constraints, can be used to hinder, and perhaps defeat, + spoofing attacks. But with a store-and-forward e-mail + system (such as PGP is designed to work with) these + constraints cannot, in general, be set." [Ken Pizzini , + sci.crypt, 1994-07-05] +7.13.5. "How do we know that PGP doesn't have a back door or some + other major flaw? After all, not all of us are programmers or + cryptologists." + - Yes, but many of us are. Many folks have analyzed the + source code in PGP, have compiled the code themselves (a + fairly common way to get the executable), and have examined + the random number generators, the selection of primes, and + all of the other math. + + It would take only a single sharp-eyed person to blow the + whistle on a conspiracy to insert flaws or backdoors. This + has not been done. (Though Colin Plumb ackknowledged a + slight weakness in the RNG of 2.6...being fixed.) + - "While having source code available doesn't guarantee + that the program is secure, it helps a lot. Even though + many users are not programmers or cryptographers, others + are, and many of these will examine the code carefully + and publicly yell about weaknesses that they notice or + think they notice. For example, apparently there was a + big discussion here about the xorbytes() bug in PGP 2.6. + Contrast this with a commercial program, where such a bug + might go undetected for years." [Paul Rubin, + alt.security.pgp, 1994-09-06] +7.13.6. "Can I run PGP on a machine I don't control, e.g., the campus + computer system?" + - Sure, but the sysops and others may then have access to + your key and passphrase. Only machines the user directly + controls, and that are adequately firewalled from other + machines, offer reasonable amounts of security. Arguing + about whether 1024-bit keylengths are "enough" is rather + moot if the PGP program is being run on a corportate + computer, or a university network. The illusion of security + may be present, but no real security. Too many people are + kidding themselves that their messages are secure. That + their electronic identities cannot be spoofed. + - I'm not interested in the various elm and emacs PGP + packages (several such shells and wrappers exist). Any + sysop can not only obtain your secret key, stored on + hissystem, but he can also capture your passphrase as you + feed it to the PGP program (assuming you do...many people + automate this part as well). Since this sysop or one of his + cronies can then compromise your mail, sign messages and + contracts as "you," I consider this totally unacceptable. + Others apparently don't. + - What can be done? Many of us only run PGP on home machines, + or on machines we directly control. Some folks who use PGP + on such machines at least take steps to better secure + things....Perry Metzger, for example, once described the + multi-stage process he went through each day to reload his + key material in a way he felt was quasi-safe. + - Until the "Internet-in-a-box" or TIA-type products are more + widespread, many people will be connecting home or office + machines to other systems they don't control. (To put this + in sharper focus: do you want your electronic money being + run out of an account that your sysop and his friends can + monitor? Not hardly. "Electronic purses," which may be + smart cards, Newton-like PDAs, or dongle-like rings or + pendants, are clearly needed. Another entire discussion.) + +7.14. The Future of PGP +7.14.1. "Does PGP help or hurt public key methods in general and RSA + Data Security Inc. in particular?" + - The outcome is not final, but on balance I think the + position of RSADSI is helped by the publicity PGP has + generated. Users of PGP will "graduate" to fully-licensed + versions, in many cases. Corporations will then use + RSADSI's products. + + Interestingly, PGP could do the "radical" things that + RSADSI was not prepared to do. (Uses familiar to + Cypherpunks.) + - bypassing export restrictions is an example of this + - incorporation into experimental digital cash systems + - Parasitism often increases the rate of evolution. Certainly + PGP has helped to light a fire under RSADSI. +7.14.2. Stealth PGP + - Xenon, Nik, S-Tools, +7.14.3. "Should we work on a more advanced version, a *Really Good + Privacy*?" + - easier said than done...strong committment of time + - not clear what is needed... +7.14.4. "Can changes and improvements be made to PGP?" + - I consider it one of the supreme ironies of our age that + Phil Zimmermann has denounced Tom Rollins for making + various changes to a version of PGP he makes available. + + Issues: + - Phil's reputation, and that of PGP + - intellectual property + - GNU Public license + - the mere name of PGP + - Consider that RSA said much the same thing, that PGP + would degrade the reputation of public key (esp. as Phil + was an "amateur," the same exact phrasing PRZ uses to + criticize Tom Rollins!) + - I'm not taking a stand here....I don't know the details. + Just some irony. + +7.15. Loose Ends +7.15.1. Security measures on login, passwords, etc. + - Avoid entering passwords over the Net (such as in rlogins + or telnets). If someone or some agent asks for your + password, be paranoid. + - Can use encrypted telnet, or something like Kerberos, to + avoid sending passwords in the clear between machines. Lots + of approaches, almost none of them commonly used (at least + I never see them). + +8. Anonymity, Digital Mixes, and Remailers + +8.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +8.2. SUMMARY: Anonymity, Digital Mixes, and Remailers + 8.2.1. Main Points + - Remailers are essential for anonymous and pseudonymous + systems, because they defeat traffic analysis + - Cypherpunks remailers have been one of the major successes, + appearing at about the time of the Kleinpaste/Julf + remailer(s), but now expanding to many sites + - To see a list of sites: finger remailer- + list@kiwi.cs.berkeley.edu + ( or http://www.cs.berkeley.edu/~raph/remailer-list.html) + - Anonymity in general is a core idea + 8.2.2. Connections to Other Sections + - Remailers make the other technologies possible + 8.2.3. Where to Find Additional Information + - Very little has been written (formally, in books and + journals) about remailers + - David Chaum's papers are a start + 8.2.4. Miscellaneous Comments + - This remains one of the most jumbled and confusing + sections, in my opinion. It needs a lot more reworking and + reorganizing. + + Partly this is because of several factors + - a huge number of people have worked on remailers, + contributing ideas, problems, code, and whatnot + - there are many versions, many sites, and the sites change + from day to day + - lots of ideas for new features + - in a state of flux + - This is an area where actual experimentation with remailers + is both very easy and very instructive...the "theory" of + remailers is straighforward (compared to, say, digital + cash) and the learning experience is better than theory + anyway. + - There are a truly vast number of features, ideas, + proposals, discussion points, and other such stuff. No FAQ + could begin to cover the ground covered in the literally + thousands of posts on remailers. + +8.3. Anonymity and Digital Pseudonyms + 8.3.1. Why is anonymity so important? + - It allows escape from past, an often-essential element of + straighening out (an important function of the Western + frontier, the French Foreign Legion, etc., and something we + are losing as the dossiers travel with us wherever we go) + - It allows new and diverse types of opinions, as noted below + - More basically, anonymity is important because identity is + not as important as has been made out in our dossier + society. To wit, if Alice wishes to remain anonymous or + pseudonymous to Bob, Bob cannot "demand" that she provide + here "real" name. It's a matter of negotiation between + them. (Identity is not free...it is a credential like any + other and cannot be demanded, only negotiated.) + - Voting, reading habits, personal behavior...all are + examples where privacy (= anonymity, effectively) are + critical. The next section gives a long list of reasons for + anonymity. + 8.3.2. What's the difference between anonymity and pseudonymity? + + Not much, at one level...we often use the term "digital + pseudonym" in a strong sense, in which the actual identity + cannot be deduced easily + - this is "anonymity" in a certain sense + - But at another level, a pseudonym carries reputations, + credentials, etc., and is _not_ "anonymous" + - people use pseudonyms sometimes for whimsical reasons + (e.g., "From spaceman.spiff@calvin.hobbes.org Sep 6, 94 + 06:10:30"), sometimes to keep different mailing lists + separate (different personnas for different groups), etc. + 8.3.3. Downsides of anonymity + - libel and other similar dangers to reputations + + hit-and-runs actions (mostly on the Net) + + on the other hand, such rantings can be ignored (KILL + file) + - positive reputations + - accountability based on physical threats and tracking is + lost + + Practical issue. On the Cypherpunks list, I often take + "anonymous" messages less seriously. + - They're often more bizarre and inflammatory than ordinary + posts, perhaps for good reason, and they're certainly + harder to take seriously and respond to. This is to be + expected. (I should note that some pseudonyms, such as + Black Unicorn and Pr0duct Cypher, have established + reputable digital personnas and are well worth replying + to.) + - repudiation of debts and obligations + + infantile flames and run-amok postings + - racism, sexism, etc. + - like "Rumormonger" at Apple? + - but these are reasons for pseudonym to be used, where the + reputation of a pseudonym is important + + Crimes...murders, bribery, etc. + - These are dealt with in more detail in the section on + crypto anarchy, as this is a major concern (anonymous + markets for such services) + 8.3.4. "How will privacy and anonymity be attacked?" + - the downsides just listed are often cited as a reason we + can't have "anonymity" + - like so many other "computer hacker" items, as a tool for + the "Four Horsemen": drug-dealers, money-launderers, + terrorists, and pedophiles. + - as a haven for illegal practices, e.g., espionage, weapons + trading, illegal markets, etc. + + tax evasion ("We can't tax it if we can't see it.") + - same system that makes the IRS a "silent partner" in + business transactions and that gives the IRS access to-- + and requires--business records + + "discrimination" + - that it enables discrimination (this _used_ to be OK) + - exclusionary communities, old boy networks + 8.3.5. "How will random accusations and wild rumors be controlled in + anonymous forums?" + - First off, random accusations and hearsay statements are + the norm in modern life; gossip, tabloids, rumors, etc. We + don't worry obsessively about what to do to stop all such + hearsay and even false comments. (A disturbing trend has + been the tendency to sue, or threaten suits. And + increasingly the attitude is that one can express + _opinions_, but not make statements "unless they can be + proved." That's not what free speech is all about!) + - Second, reputations matter. We base our trust in statements + on a variety of things, including: past history, what + others say about veracity, external facts in our + possession, and motives. + 8.3.6. "What are the legal views on anonymity?" + + Reports that Supreme Court struck down a Southern law + requiring pamphlet distributors to identify themselves. 9I + don't have a cite on this.) + - However, Greg Broiles provided this quote, from _Talley + v. State of California_, 362 U.S. 60, 64-65, 80 S.Ct. + 536, 538-539 (1960) : "Anonymous pamphlets, leaflets, + brochures and even books have played an important role in + the progress of mankind. Persecuted groups and sects from + time to time throughout history have been able to + criticize oppressive practices and laws either + anonymously or not at all." + + Greg adds: "It later says "Even the Federalist Papers, + written in favor of the adoption of our Constitution, + were published under fictitious names. It is plain that + anonymity has sometimes been assumed for the most + constructive purposes." [Greg Broiles, 1994-04-12] + + + And certainly many writers, journalists, and others use + pseudonyms, and have faced no legal action. + - Provided they don't use it to evade taxes, evade legal + judgments, commit fraud, etc. + - I have heard (no cites) that "going masked for the purpose + of going masked" is illegal in many jurisdictions. Hard to + believe, as many other disguises are just as effective and + are presumably not outlawed (wigs, mustaches, makeup, + etc.). I assume the law has to do with people wearning ski + masks and such in "inappropriate" places. Bad law, if real. + 8.3.7. Some Other Uses for Anonymous Systems: + + Groupware and Anonymous Brainstorming and Voting + - systems based on Lotus Notes and designed to encourage + wild ideas, comments from the shy or overly polite, etc. + - these systems could initially start in meeting and then + be extended to remote sites, and eventually to nationwide + and international forums + - the NSA may have a heart attack over these trends... + + "Democracy Wall" for encrypted messages + - possibly using time-delayed keys (where even the public + key, for reading the plaintext, is not distributed for + some time) + - under the cover of an electronic newspaper, with all of + the constitutional protections that entails: letters to + the editor can be anonymous, ads need not be screened for + validity, advertising claims are not the responsibility + of the paper, etc. + + Anonymous reviews and hypertext (for new types of journals) + + the advantages + - honesty + - increased "temperature" of discourse + + disadvantages + - increased flames + - intentional misinformation + + Store-and-forward nodes + - used to facillitate the anonymous voting and anonymous + inquiry (or reading) systems + - Chaum's "mix" + + telephone forwarding systems, using digital money to pay + for the service + - and TRMs? + + Fiber optics + + hard to trace as millions of miles are laid, including + virtually untraceable lines inside private buildings + - suppose government suspects encrypted packets are going + in to the buildings of Apple...absent any direct + knowledge of crimes being aided and abetted, can the + government demand a mapping of messages from input to + output? + - That is, will the government demand full disclosure of + all routings? + - high bandwidth means many degrees of freedom for such + systems to be deployed + + Within systems, i.e., user logs on to a secure system and + is given access to his own processor + - in a 288-processor system like the NCR/ATT 3600 (or even + larger) + - under his cryptonym he can access certain files, generate + others, and deposit message untraceably in other mail + locations that other agents or users can later retrieve + and forward.... + - in a sense, he can use this access to launch his own + agent processes (anonymity is essential for many agent- + based systems, as is digital money) + + Economic incentives for others to carry mail to other + sites... + - further diffusion and hiding of the true functions + + Binary systems (two or more pieces needed to complete the + message) + - possibly using viruses and worms to handle the + complexities of distributing these messages + - agents may handle the transfers, with isolation between + the agents, so routing cannot be traced (think of scene + in "Double-Crossed" where bales of marijuana are passed + from plane to boat to chopper to trucks to cars) + - this protects against conspiracies + + Satellites + + physical security, in that the satellites would have to + be shot down to halt the broadcasting + + scenario: WARC (or whomever) grants broadcast rights in + 1996 to some country or consortium, which then accepts + any and all paying customers + - cold cash + - the BCCI of satellite operators + + VSATs, L-Band, Satellites, Low-Earth Orbit + - Very Small Aperture Terminals + - L-Band...what frequency? + + LEO, as with Motorola's Iridium, offers several + advantages + - lower-power receivers and smaller antennas + - low cost to launch, due to small size and lower need + for 10-year reliability + - avoidance of the "orbital slot" licensing morass + (though I presume some licensing is still involved) + - can combine with impulse or nonsinusoidal transmissions + 8.3.8. "True Names" + 8.3.9. Many ways to get pseudonyms: + - Telnet to "port 25" or use SLIP connections to alter domain + name; not very secure + - Remailers +8.3.10. "How is Pseudonymity Compromised?" + - slip-ups in style, headers, sig blocks, etc. + - inadvertent revealing, via the remailers + - traffic analysis of remailers (not very likely, at least + not for non-NSA adversaries) + - correlations, violations of the "indistinguishability + principle" +8.3.11. Miscellaneous Issues + - Even digital pseudonyms can get confusing...someone + recently mistook "Tommy the Tourist" for being such an + actual digital pseudonym (when of course that is just + attached to all posts going througha particular remailer). + +8.4. Reasons for Anonymity and Digital Pseudonyms (and Untraceable E- +Mail) + 8.4.1. (Thre are so many reasons, and this is asked so often, that + I've collected these various reasons here. More can be added, + of course.) + 8.4.2. Privacy in general + 8.4.3. Physical Threats + + "corporate terrrorism" is not a myth: drug dealers and + other "marginal" businessmen face this every day + - extortion, threats, kidnappings + + and many businesses of the future may well be less + "gentlemanly" than the conventional view has it + - witness the bad blood between Intel and AMD, and then + imagine it getting ten times worse + - and national rivalries, even in ostensibly legal + businesses (think of arms dealers), may cause more use of + violence + + Mafia and other organized crime groups may try to extort + payments or concessions from market participants, causing + them to seek the relative protection of anonymous systems + - with reputations + + Note that calls for the threatened to turn to the police + for protection has several problems + - the activities may be illegal or marginally illegal + (this is the reason the Mafia can often get involved + and why it may even sometimes have a positive effect, + acting as the cop for illegal activities) + - the police are often too busy to get involved, what + with so much physical crime clogging the courts + - extortion and kidnappings can be done using these very + techniques of cryptoanarchy, thus causing a kind of arms + race + + battered and abused women and families may need the + equivalent of a "witness protection program" + + because of the ease of tracing credit card purchases, + with the right bribes and/or court orders (or even + hacking), battered wives may seek credit cards under + pseudonyms + - and some card companies may oblige, as a kind of + politically correct social gesture + + or groups like NOW and Women Against Rape may even + offer their own cards + - perhaps backed up by some kind of escrow fund + - could be debit cards + + people who participate in cyberspace businesses may fear + retaliation or extortion in the real world + - threats by their governments (for all of the usual + reasons, plus kickbacks, threats to close them down, + etcl) + - ripoffs by those who covet their success... + 8.4.4. Voting + - We take it for granted in Western societies that voting + should be "anonymous"--untraceable, unlinkable + - we don't ask people "What have you got to hide?" or tell + them "If you're doing something anonymously, it must be + illegal." + - Same lesson ought to apply to a lot of things for which the + government is increasingly demanding proof of identity for + + Anonymous Voting in Clubs, Organizations, Churches, etc. + + a major avenue for spreading CA methods: "electronic + blackballing," weighted voting (as with number of shares) + + e.g., a corporation issues "voting tokens," which can + be used to vote anonymously + - or even sold to others (like selling shares, except + selling only the voting right for a specific election + is cheaper, and many people don't much care about + elections) + + a way to protect against deep pockets lawsuits in, say, + race discrimination cases + - wherein a director is sued for some action the + company takes-anonymity will give him some legal + protection, some "plausible deniability" + + is possible to set up systems (cf. Salomaa) in which + some "supervotes" have blackball power, but the use of + these vetos is indistinguishable from a standard + majority rules vote + - i.e., nobody, except the blackballer(s), will know + whether the blackball was used! + + will the government seek to limit this kind of + protocol? + - claiming discrimination potential or abuse of + voting rights? + + will Justice Department (or SEC) seek to overturn + anonymous voting? + - as part of the potential move to a "full disclosure" + society? + - related to antidiscrimination laws, accountability, + etc. + + Anonymous Voting in Reputation-Based Systems (Journals, + Markets) + + customers can vote on products, on quality of service, + on the various deals they've been involved in + - not clear how the voting rights would get distributed + - the idea is to avoid lawsuits, sanctions by vendors, + etc. (as with the Bose suit) + + Journals + - a canonical example, and one which I must include, as + it combines anonymous refereeing (already standard, + in primitive forms), hypertext (links to reviews), + and basic freedom of speech issues + - this will likely be an early area of use + - this whole area of consumer reviews may be a way to get + CA bandwidth up and running (lots of PK-encrypted + traffic sloshing around the various nets) + 8.4.5. Maintenance of free speech + - protection of speech + + avoiding retaliation for controversial speech + - this speech may be controversial, insulting, horrific, + politically incorrect, racist, sexist, speciesist, and + other horrible...but remailers and anonymity make it all + impossible to stop + - whistleblowing + + political speech + - KKK, Aryan Resistance League, Black National Front, + whatever + - cf. the "debate" between "Locke" and "Demosthenes" in + Orson Scott Card's novel, "Ender's Game." + - (Many of these reasons are also why 'data havens' will + eventually be set up...indeed, they already exist...homolka + trial, etc.) + 8.4.6. Adopt different personnas, pseudonyms + 8.4.7. Choice of reading material, viewing habits, etc. + - to prevent dossiers on this being formed, anonymous + purchases are needed (cash works for small items, not for + video rentals, etc.) + + video rentals + - (Note: There are "laws" making such releases illegal, + but...) + - cable t.v. viewing habits + + mail-order purchases + - yes, they need your address to ship to, but there may be + cutouts that delink (e.g., FedEx might feature such a + service, someday + 8.4.8. Anonymity in Requesting Information, Services, Goods + + a la the controversy over Caller ID and 900 numbers: people + don't want their telephone numbers (and hence identities) + fed into huge consumer-preference data banks + - of the things they buy, the videos they rent, the books + they read. etc. (various laws protect some of these + areas, like library books, video rentals) + - subscription lists are already a booming resale + market...this will get faster and more finely "tuned" + with electronic subscriptions: hence the desire to + subscribe anonymously + + some examples of "sensitive" services that anonymity may be + desired in (especially related to computers, modems, BBSes) + + reading unusual or sensitive groups: alt.sex.bondage, + etc. + - or posting to these groups! + - recent controversy over NAMBLA may make such + protections more desirable to some (and parallel calls + for restrictions!) + - posting to such groups, especially given that records are + perpetual and that government agencies read and file + postings (an utterly trivial thing to do) + - requesting help on personal issues (equivalent to the + "Name Witheld" seen so often) + + discussing controversial political issues (and who knows + what will be controversial 20 years later when the poster + is seeking a political office, for example?) + - given that some groups have already (1991) posted the + past postings of people they are trying to smear! + + Note: the difference between posting to a BBS group or + chat line and writing a letter to an editor is + significant + - partly technological: it is vastly easier to compile + records of postings than it is to cut clippings of + letters to editors (though this will change rapidly as + scanners make this easy) + - partly sociological: people who write letters know the + letters will be with the back issues in perpetuity, + that bound issues will preserve their words for many + decades to come (and could conceivably come back to + haunt them), but people who post to BBSes probably + think their words are temporary + + and there are some other factors + - no editing + - no time delays (and no chance to call an editor and + retract a letter written in haste or anger) + + and letters can, and often are, written with the + "Name Witheld" signature-this is currently next to + impossible to do on networks + - though some "forwarding" services have informally + sprung up + + Businesses may wish to protect themselves from lawsuits + over comments by their employees + + the usual "The opinions expressed here are not those of + my employer" may not be enough to protect an employer + from lawsuits + - imagine racist or sexist comments leading to lawsuits + (or at least being brought up as evidence of the type + of "attitude" fostered by the company, e.g., "I've + worked for Intel for 12 years and can tell you that + blacks make very poor engineers.") + + employees may make comments that damage the reputations + of their companies + - Note: this differs from the current situation, where + free speech takes priority over company concerns, + because the postings to a BBS are carried widely, may + be searched electronically (e.g., AMD lawyers search + the UseNet postings of 1988-91 for any postings by + Intel employees besmirching the quality or whatever of + AMD chips), + - and so employees of corporations may protect themselves, + and their employers, by adopting pseudonyms + + Businesses may seek information without wanting to alert + their competitors + - this is currently done with agents, "executive search + firms," and lawyers + - but how will it evolve to handle electronic searches? + + there are some analogies with filings of "Freedom of + Information Act" requests, and of patents, etc. + + these "fishing expeditions" will increase with time, as + it becomes profitable for companies to search though + mountains of electronically-filed materials + - environmental impact studies, health and safety + disclosures, etc. + - could be something that some companies specialize in + + Anonymous Consultation Services, Anonymous Stringers or + Reporters + + imagine an information broker, perhaps on an AMIX-like + service, with a network of stringers + + think of the arms deal newsletter writer in Hallahan's + The Trade, with his network of stringers feeding him + tips and inside information + - instead of meeting in secretive locations, a very + expensive proposition (in time and travel), a secure + network can be used + - with reputations, digital pseudonyms, etc. + + they may not wish their actual identities known + - threats from employers, former employers, government + agencies + + harassment via the various criminal practices that will + become more common (e.g., the ease with which + assailants and even assassins can be contracted for) + - part of the overall move toward anonymity + - fears of lawsuits, licensing requirements, etc. + + Candidates for Such Anonymous Consultation Services + + An arms deals newsletter + - an excellent reputation for accuracy and timely + information + + sort of like an electronic form of Jane's + - with scandals and government concern + - but nobody knows where it comes from + + a site that distributes it to subscribers gets it + with another larger batch of forwarded material + - NSA, FBI, Fincen, etc. try to track it down + + "Technology Insider" reports on all kinds of new + technologies + - patterned after Hoffler's Microelectronics News, the + Valley's leading tip sheet for two decades + - the editor pays for tips, with payments made in two + parts: immediate, and time-dependent, so that the + accuracy of a tip, and its ultimate importance (in + the judgment of the editor) can be proportionately + rewarded + + PK systems, with contributors able to encrypt and + then publicly post (using their own means of + diffusion) + - with their messages containing further material, + such as authentications, where to send the + payments, etc. + + Lundberg's Oil Industry Survey (or similar) + - i.e., a fairly conventional newsletter with publicly + known authors + - in this case, the author is known, but the identities + of contributors is well-protected + + A Conspiracy Newsletter + - reporting on all of the latest theories of + misbehavior (as in the "Conspiracies" section of this + outline) + + a wrinkle: a vast hypertext web, with contributors + able to add links and nodes + + naturally, their real name-if they don't care about + real-world repercussions-or one of their digital + pseudonyms (may as well use cryptonyms) is attached + + various algorithms for reputations + - sum total of everything ever written, somehow + measured by other comments made, by "voting," + etc. + - a kind of moving average, allowing for the fact + that learning will occur, just as a researcher + probably gets better with time, and that as + reputation-based systems become better + understood, people come to appreciate the + importance of writing carefully + + and one of the most controversial of all: Yardley's + Intelligence Daily + - though it may come out more than daily! + + an ex-agent set this up in the mid-90s, soliciting + contributions via an anonymous packet-switching sysem + - refined over the next couple of years + - combination of methods + - government has been trying hard to identify the + editor, "Yardley" + - he offers a payback based on value of the + information, and even has a "Requests" section, and a + Classifed Ad section + - a hypertext web, similar to the Conspiracy Newsletter + above + + Will Government Try to Discredit the Newsletter With + False Information? + - of course, the standard ploy in reputation-based + systems + + but Yardley has developed several kinds of filters + for this + - digital pseudonyms which gradually build up + reputations + - cross-checking of his own sort + - he even uses language filters to analyze the text + + and so what? + - the world is filled with disinformation, rumors, + lies, half-truths, and somehow things go on.... + + Other AMIX-like Anonymous Services + + Drug Prices and Tips + - tips on the quality of various drugs (e.g., + "Several reliable sources have told us that the + latest Maui Wowie is very intense, numbers + below...") + + synthesis of drugs (possibly a separate + subscription) + - designer drugs + - home labs + - avoiding detection + + The Hackers Daily + - tips on hacking and cracking + - anonymous systems themselves (more tips) + - Product evaluations (anonymity needed to allow honest + comments with more protection against lawsuits) + + Newspapers Are Becoming Cocerned with the Trend Toward + Paying for News Tips + - by the independent consultation services + - but what can they do? + + lawsuits are tried, to prevent anonymous tips when + payments are involved + - their lawyers cite the tax evasion and national + security aspects + + Private Data Bases + + any organization offering access to data bases must be + concerned that somebody-a disgruntled customer, a + whistleblower, the government, whoever-will call for an + opening of the files + - under various "Data Privacy" laws + - or just in general (tort law, lawsuits, "discovery") + + thus, steps will be taken to isolate the actual data from + actual users, perhaps via cutouts + + e.g., a data service sells access, but subcontracts out + the searches to other services via paths that are + untraceable + + this probably can't be outlawed in general-though any + specific transaction might later be declared illegal, + etc., at which time the link is cut and a new one is + established-as this would outlaw all subcontracting + arrangements! + - i.e., if Joe's Data Service charges $1000 for a + search on widgets and then uses another possibly + transitory (meaning a cutout) data service, the + most a lawsuit can do is to force Joe to stop using + this untraceble service + - levels of indirection (and firewalls that stop the + propagation of investigations) + + Medical Polls (a la AIDS surveys, sexual practices surveys, + etc.) + + recall the method in which a participant tosses a coin to + answer a question...the analyst can still recover the + important ensemble information, but the "phase" is lost + - i.e., an individual answering "Yes" to the question + "Have you ever had xyz sex?" may have really answered + "No" but had his answer flipped by a coin toss + + researchers may even adopt sophisticated methods in which + explicit diaries are kept, but which are then transmitted + under an anonymous mailing system to the researchers + - obvious dangers of authentication, validity, etc. + + Medical testing: many reasons for people to seek anonymity + - AIDS testing is the preeminent example + - but also testing for conditions that might affect + insurablity or employment (e.g., people may go to + medical havens in Mexico or wherever for tests that might + lead to uninsurability should insurance companies learn + of the "precondition") + + except in AIDS and STDs, it is probably both illegal and + against medical ethics to offer anonymous consultations + - perhaps people will travel to other countries + 8.4.9. Anonymity in Belonging to Certain Clubs, Churches, or + Organizations + + people fear retaliation or embarassment should their + membership be discovered, now or later + - e.g., a church member who belongs to controversial groups + or clubs + - mainly, or wholly, those in which physical contact or other + personal contact is not needed (a limited set) + - similar to the cell-based systems described elsewhere + + Candidates for anonymous clubs or organizations + - Earth First!, Act Up, Animal Liberation Front, etc. + - NAMBLA and similar controversial groups + - all of these kinds of groups have very vocal, very visible + members, visible even to the point of seeking out + television coverage + - but there are probably many more who would join these + groups if there identities could be shielded from public + group, for the sake of their careers, their families, etc. + + ironically, the corporate crackdown on outside activities + considered hostile to the corporation (or exposing them to + secondary lawsuits, claims, etc.) may cause greater use of + anonymous systems + - cell-based membership in groups + - the growth of anonymous membership in groups (using + pseudonyms) has a benefit in increasing membership by + people otherwise afraid to join, for example, a radical + environmental group +8.4.10. Anonymity in Giving Advice or Pointers to Information + - suppose someone says who is selling some illegal or + contraband product...is this also illegal? + - hypertext systems will make this inevitable +8.4.11. Reviews, Criticisms, Feedback + - "I am teaching sections for a class this term, and tomorrow + I am going to: 1) tell my students how to use a remailer, + and 2) solicit anonymous feedback on my teaching. + + "I figure it will make them less apprehensive about making + honest suggestions and comments (assuming any of them + bother, of course)." [Patrick J. LoPresti + patl@lcs.mit.edu, alt.privacy.anon-server, 1994-09-08] +8.4.12. Protection against lawsuits, "deep pockets" laws + + by not allowing the wealth of an entity to be associated + with actions + - this also works by hiding assets, but the IRS frowns on + that, so unlinking the posting or mailing name with + actual entity is usually easier + + "deep pockets" + - it will be in the interest of some to hide their + identities so as to head off these kinds of lawsuits + (filed for whatever reasons, rightly or wrongly) + - postings and comments may expose the authors to lawsuits + for libel, misrepresentation, unfair competition, and so + on (so much for free speech in these beknighted states) + + employers may also be exposed to the same suits, + regardless of where their employees posted from + - on the tenuous grounds that an employee was acting on + his employer's behalf, e.g., in defending an Intel + product on Usenet + - this, BTW, is another reason for people to seek ways to + hide some of their assets-to prevent confiscation in deep + pockets lawsuits (or family illnesses, in which various + agencies try to seize assets of anybody they can) + - and the same computers that allow these transactions will + also allow more rapid determination of who has the + deepest pockets! + + by insulating the entity from repercussions of "sexist" or + "racist" comments that might provoke lawsuits, etc. + - (Don't laugh--many companies are getting worried that + what their employees write on Usenet may trigger lawsuits + against the companies.) + + many transactions may be deemed illegal in some + jursidictions + + even in some that the service or goods provider has no + control over + - example: gun makers being held liable for firearms + deaths in the District of Columbia (though this was + recently cancelled) + - the maze of laws may cause some to seek anonymity to + protect themselves against this maze + + Scenario: Anonymous organ donor banks + + e.g., a way to "market" rare blood types, or whatever, + without exposing one's self to forced donation or other + sanctions + - "forced donation" involves the lawsuits filed by the + potential recipient + - at the time of offer, at least...what happens when the + deal is consummated is another domain + - and a way to avoid the growing number of government + stings +8.4.13. Journalism and Writing + + writers have had a long tradtion of adopting pseudonyms, + for a variety of reasons + - because they couldn't get published under their True + Names, because they didn't _want_ their true names + published, for the fun of it, etc. + - George Elliot, Lewis Carroll, Saki, Mark Twain, etc. + - reporters + + radio disc jockeys + - a Cypherpunk who works for a technology company uses the + "on air personna" of "Arthur Dent" ("Hitchhiker's Guide") + for his part-time radio broadcasting job...a common + situation, he tells me + + whistleblowers + - this was an early use + + politically sensitive persons + - " + + I subsequently got myself an account on anon.penet.fi as + the "Lt. + - Starbuck" entity, and all later FAQ updates were from + that account. + - For reasons that seemed important at the time, I took + it upon myself to + - become the moderator/editor of the FAQ." + - + + Example: Remailers were used to skirt the publishing ban on + the Karla Homolka case + - various pseudonymous authors issued regular updates + - much consternation in Canada! + + avoidance of prosecution or damage claims for writing, + editing, distributing, or selling "damaging" materials is + yet another reason for anonymous systems to emerge: those + involved in the process will seek to immunize themselves + from the various tort claims that are clogging the courts + - producers, distributors, directors, writers, and even + actors of x-rated or otherwise "unacceptable" material + may have to have the protection of anonymous systems + - imagine fiber optics and the proliferation of videos and + talk shows....bluenoses and prosecutors will use "forum + shopping" to block access, to prosecute the producers, + etc. +8.4.14. Academic, Scientific, or Professional + - protect other reputations (professional, authorial, + personal, etc.) + - wider range of actions and behaviors (authors can take + chances) + - floating ideas out under pseudonyms + - later linking of these pseudonyms to one's own identity, if + needed (a case of credential transfer) + - floating unusual points of view + - Peter Wayner writes: "I would think that many people who + hang out on technical newsgroups would be very familiar + with the anonymous review procedures practiced by academic + journals. There is some value when a reviewer can speak + their mind about a paper without worry of revenge. Of + course everyone assures me that the system is never really + anonymous because there are alwys only three or four people + qualified to review each paper. :-) ....Perhaps we should + go out of our way to make anonymous, technical comments + about papers and ideas in the newsgroups to fascilitate the + development of an anonymous commenting culture in + cypberspace." [Peter Wayner, 1993-02-09] +8.4.15. Medical Testing and Treatment + - anonymous medical tests, a la AIDS testing +8.4.16. Abuse, Recovery + + personal problem discussions + - incest, rape, emotional, Dear Abby, etc. +8.4.17. Bypassing of export laws + - Anonymous remailers have been useful for bypassing the + ITARs...this is how PGP 2.6 spread rapidly, and (we hope!) + untraceably from MIT and U.S. sites to offshore locations. +8.4.18. Sex groups, discussions of controversial topics + - the various alt.sex groups + - People may feel embarrassed, may fear repercussions from + their employers, may not wish their family and friends to + see their posts, or may simply be aware that Usenet is + archived in many, many places, and is even available on CD- + ROM and will be trivially searchable in the coming decades + + the 100% traceability of public postings to UseNet and + other bulletin boards is very stifling to free expression + and becomes one of the main justifications for the use of + anonymous (or pseudononymous) boards and nets + - there may be calls for laws against such compilation, as + with the British data laws, but basically there is little + that can be done when postings go to tens of thousands of + machines and are archived in perpetuity by many of these + nodes and by thousands of readers + - readers who may incorporate the material into their own + postings, etc. (hence the absurdity of the British law) +8.4.19. Avoiding political espionage + + TLAs in many countries monitor nearly all international + communications (and a lot of domestic communications, too) + - companies and individuals may wish to avoid reprisals, + sanctions, etc. + - PGP is reported to be in use by several dissident groups, + and several Cypherpunks are involved in assisting them. + - "...one legitimate application is to allow international + political groups or companies to exchange authenticated + messages without being subjected to the risk of + espionage/compromise by a three letter US agency, foreign + intelligence agency, or third party." [Sean M. Dougherty, + alt.privacy.anon-server, 1994-09-07] +8.4.20. Controversial political discussion, or membership in + political groups, mailing lists, etc. + + Recall House UnAmerican Activities Committee + - and it's modern variant: "Are you now, or have you ever + been, a Cypherpunk?" +8.4.21. Preventing Stalking and Harassment + - avoid physical tracing (harassment, "wannafucks," stalkers, + etc.) + - women and others are often sent "wannafuck?" messages from + the males that outnumber them 20-to-1 in many newsgroups-- + pseudonyms help. + - given the ease with which net I.D.s can be converted to + physical location information, many women may be worried. + + males can be concerned as well, given the death threats + issued by, for example, S. Boxx/Detweiler. + - as it happens, S. Boxx threatened me, and I make my home + phone number and location readily known...but then I'm + armed and ready. +8.4.22. pressure relief valve: knowing one can flee or head for the + frontier and not be burdened with a past + - perhaps high rate of recidivism is correlated with this + inability to escape...once a con, marked for life + (certainly denied access to high-paying jobs) +8.4.23. preclude lawsuits, subpoenas, entanglement in the legal + machinery +8.4.24. Business Reasons + + Corporations can order supplies, information, without + tipping their hand + - the Disney purchase of land, via anonymous cutouts (to + avoid driving the price way up) + - secret ingredients (apocryphally, Coca Cola) + - avoiding the "deep pockets" syndrome mentioned above + - to beat zoning and licensing requirements (e.g., a certain + type of business may not be "permitted" in a home office, + so the homeowner will have to use cutouts to hide from + enforcers) + - protection from (and to) employers + + employees of corporations may have to do more than just + claim their view are not those of their employer + - e.g., a racist post could expose IBM to sanctions, + charges + + thus, many employees may have to further insulate their + identities + - blanc@microsoft.com is now + blanc@pylon.com...coincidence? + + moonlighting employees (the original concern over Black Net + and AMIX) + - employers may have all kinds of concerns, hence the need + for employees to hide their identities + - note that this interects with the licensing and zoning + aspects + - publishers, service-prividers + + Needed for Certain Kinds of Reputation-Based Systems + + a respected scientist may wish to float a speculative + idea + - and be able to later prove it was in fact his idea +8.4.25. Protection against retaliation + - whistleblowing + + organizing boycotts + - (in an era of laws regulating free speech, and "SLAPP" + lawsuits) + + the visa folks (Cantwell and Siegel) threatening those who + comment with suits + - the law firm that posted to 5,000 groups....also raises + the issue again of why the Net should be subsidized + - participating in public forums + + as one person threatened with a lawsuit over his Usenet + comments put it: + - "And now they are threatening me. Merely because I openly + expressed my views on their extremely irresponsible + behaviour. Anyways, I have already cancelled the article + from my site and I publicly appologize for posting it in + the first place. I am scared :) I take all my words back. + Will use the anonymous service next time :)" +8.4.26. Preventing Tracking, Surveillance, Dossier Society + + avoiding dossiers in general + - too many dossiers being kept; anonymity allows people to + at least hold back the tide a bit + + headhunting, job searching, where revealing one's identity + is not always a good idea + - some headhunters are working for one's current employer! + - dossiers +8.4.27. Some Examples from the Cypherpunks List + + S, Boxx, aka Sue D. Nym, Pablo Escobar, The Executioner, + and an12070 + - but Lawrence Detweiler by any other name + + he let slip his pseudonym-true name links in several ways + - stylistic cues + - mention of things only the "other" was likely to have + heard + + sysops acknowledged certain linkings + - *not* Julf, though Julf presumably knew the identity + of "an12070" + + Pr0duct Cypher + - Jason Burrell points out: "Take Pr0duct Cypher, for + example. Many believe that what (s)he's doing(*) is a + Good Thing, and I've seen him/her using the Cypherpunk + remailers to conceal his/her identity....* If you don't + know, (s)he's the person who wrote PGPTOOLS, and a hack + for PGP 2.3a to decrypt messages written with 2.6. I + assume (s)he's doing it anonymously due to ITAR + regulations." [J.B., 1994-09-05] + + Black Unicorn + - Is the pseudonym of a Washington, D.C. lawyer (I think), + who has business ties to conservative bankers and + businessmen in Europe, especially Liechtenstein and + Switzerland. His involvement with the Cypherpunks group + caused him to adopt this pseudonym. + - Ironically, he got into a battle with S. Boxx/Detweiler + and threated legal action. This cause a rather + instructive debate to occur. + +8.5. Untraceable E-Mail + 8.5.1. The Basic Idea of Remailers + - Messages are encrypted, envelopes within envelopes, thus + making tracing based on external appearance impossible. If + the remailer nodes keep the mapping between inputs and + outputs secret, the "trail" is lost. + 8.5.2. Why is untraceable mail so important? + + Bear in mind that "untraceable mail" is the default + situation for ordinary mail, where one seals an envelope, + applies a stamp, and drops it anonymously in a letterbox. + No records are kept, no return address is required (or + confirmed), etc. + - regional postmark shows general area, but not source + mailbox + + Many of us believe that the current system of anonymous + mail would not be "allowed" if introduced today for the + first time + - Postal Service would demand personalized stamps, + verifiable return addresses, etc. (not foolproof, or + secure, but...) + + Reasons: + - to prevent dossiers of who is contacting whom from being + compiled + - to make contacts a personal matter + - many actual uses: maintaining pseudonyms, anonymous + contracts, protecting business dealings, etc. + 8.5.3. How do Cypherpunks remailers work? + 8.5.4. How, in simple terms, can I send anonymous mail? + 8.5.5. Chaum's Digital Mixes + - How do digital mixes work? + 8.5.6. "Are today's remailers secure against traffic analysis?" + - Mostly not. Many key digital mix features are missing, and + the gaps can be exploited. + + Depends on features used: + - Reordering (e.g., 10 messages in, 10 messages out) + - Quantization to fixed sizes (else different sizes give + clues) + - Encryption at all stages (up to the customer, of course) + - But probably not, given that current remailers often lack + necessary features to deter traffic analysis. Padding is + iffy, batching is often not done at all (people cherish + speed, and often downcheck remailers that are "too slow") + - Best to view today's remailers as experiments, as + prototypes. + +8.6. Remailers and Digital Mixes (A Large Section!) + 8.6.1. What are remailers? + 8.6.2. Cypherpunks remailers compared to Julf's + + Apparently long delays are mounting at the penet remailer. + Complaints about week-long delays, answered by: + - "Well, nobody is stopping you from using the excellent + series of cypherpunk remailers, starting with one at + remail@vox.hacktic.nl. These remailers beat the hell out + of anon.penet.fi. Either same day or at worst next day + service, PGP encryption allowed, chaining, and gateways + to USENET." [Mark Terka, The normal delay for + anon.penet.fi?, alt.privacy.anon-server, 1994-08-19] + + "How large is the load on Julf's remailer?" + - "I spoke to Julf recently and what he really needs is + $750/month and one off $5000 to upgrade his feed/machine. + I em looking at the possibility of sponsorship (but don't + let that stop other people trying).....Julf has buuilt up + a loyal, trusting following of over 100,000 people and + 6000 messages/day. Upgrading him seems a good + idea.....Yes, there are other remailers. Let's use them + if we can and lessen the load on Julf." [Steve Harris, + alt.privacy.anon-server, 1994-08-22] + - (Now if the deman on Julf's remailer is this high, seems + like a great chance to deploy some sort of fee-based + system, to pay for further expansion. No doubt many of + the users would drop off, but such is the nature of + business.) + 8.6.3. "How do remailers work?" + - (The MFAQ also has some answers.) + - Simply, they work by taking an incoming text block and + looking for instructions on where to send the remaining + text block, and what to do with it (decryption, delays, + postage, etc.) + + Some remailers can process the Unix mail program(s) outputs + directly, operating on the mail headers + - names of programs... + + I think the "::" format Eric Hughes came up with in his + first few days of looking at this turned out to be a real + win (perhaps comparable to John McCarthy's decision to use + parenthesized s-expressions in Lisp?). + - it allows arbitary chaining, and all mail messages that + have text in standard ASCII--which is all mailers, I + believe--can then use the Cypherpunks remailers + 8.6.4. "What are some uses of remailers?" + - Thi is mostly answered in other sections, outlining the + uses of anonymity and digital pseudonyms: remailers are of + course the enabling technology for anonymity. + + using remailers to foil traffic analysis + - An interesting comment from someone not part of our + group, in a discussion of proposal to disconnect U.K. + computers from Usenet (because of British laws about + libel, about pornography, and such): "PGP hides the + target. The remailers discard the source info. THe more + paranoid remailers introduce a random delay on resending + to foil traffic analysis. You'd be suprised what can be + done :-).....If you use a chain then the first remailer + knows who you are but the destination is encrypted. The + last remailer knows the destination but cannot know the + source. Intermediate ones know neither." [Malcolm + McMahon, JANET (UK) to ban USENET?, comp.org.eff.talk, + 1994-08-30] + - So, word is spreading. Note the emphasis on Cyphepunks- + type remailers, as opposed to Julf-style anonymous + services. + + options for distributing anonymous messages + + via remailers + - the conventional approach + - upsides: recipient need not do anything special + - downsides: that's it--recipient may not welcome the + message + + to a newsgroup + - a kind of message pool + - upsides: worldwide dist + - to an ftp site, or Web-reachable site + - a mailing list + 8.6.5. "Why are remailers needed?" + + Hal Finney summarized the reasons nicely in an answer back + in early 1993. + - "There are several different advantages provided by + anonymous remailers. One of the simplest and least + controversial would be to defeat traffic analysis on + ordinary email.....Two people who wish to communicate + privately can use PGP or some other encryption system to + hide the content of their messages. But the fact that + they are communicating with each other is still visible + to many people: sysops at their sites and possibly at + intervening sites, as well as various net snoopers. It + would be natural for them to desire an additional amount + of privacy which would disguise who they were + communicating with as well as what they were saying. + + "Anonymous remailers make this possible. By forwarding + mail between themselves through remailers, while still + identifying themselves in the (encrypted) message + contents, they have even more communications privacy than + with simple encryption. + + "(The Cypherpunk vision includes a world in which + literally hundreds or thousands of such remailers + operate. Mail could be bounced through dozens of these + services, mixing in with tens of thousands of other + messages, re-encrypted at each step of the way. This + should make traffic analysis virtually impossible. By + sending periodic dummy messages which just get swallowed + up at some step, people can even disguise _when_ they are + communicating.)" [Hal Finney, 1993-02-23] + + "The more controversial vision associated with anonymous + remailers is expressed in such science fiction stories as + "True Names", by Vernor + Vinge, or "Ender's Game", by Orson Scott Card. These + depict worlds in which computer networks are in + widespread use, but in which many people choose to + participate through pseudonyms. In this way they can + make unpopular arguments or participate in frowned-upon + transactions without their activities being linked to + their true identities. It also allows people to develop + reputations based on the quality of their ideas, rather + than their job, wealth, age, or status." [Hal Finney, + 1993-02-23] + - "Other advantages of this approach include its extension to + electronic on-line transactions. Already today many + records are kept of our financial dealings - each time we + purchase an item over the phone using a credit card, this + is recorded by the credit card company. In time, even more + of this kind of information may be collected and possibly + sold. One Cypherpunk vision includes the ability to engage + in transactions anonymously, using "digital cash", which + would not be traceable to the participants. Particularly + for buying "soft" products, like music, video, and software + (which all may be deliverable over the net eventually), it + should be possible to engage in such transactions + anonymously. So this is another area where anonymous mail + is important." [Hal Finney, 1993-02-23] + 8.6.6. "How do I actually use a remailer?" + + (Note: Remailer instructions are posted _frequently_. There + is no way I can keep up to date with them here. Consult the + various mailing lists and finger sites, or use the Web + docs, to find the most current instructions, keys, uptimes, + etc._ + + Raph Levien's finger site is very impressive: + + Raph Levien has an impressive utility which pings the + remailers and reports uptime: + - finger remailer-list@kiwi.cs.berkeley.edu + - or use the Web at + http://www.cs.berkeley.edu/~raph/remailer-list.html + - Raph Levien also has a remailer chaining script at + ftp://kiwi.cs.berkeley.edu/pub/raph/premail- + 0.20.tar.gz + + Keys for remailers + - remailer-list@chaos.bsu.edu (Matthew Ghio maintains) + + "Why do remailers only operate on headers and not the body + of a message? Why aren't signatures stripped off by + remailers?" + - "The reason to build mailers that faithfully pass on the + entire body of + the message, without any kind of alteration, is that it + permits you to + send ANY body through that mailer and rely on its + faithful arrival at the + destination." [John Gilmore, 93-01-01] + - The "::" special form is an exception + - Signature blocks at the end of message bodies + specifically should _not_ be stripped, even though this + can cause security breaches if they are accidentally left + in when not intended. Attempting to strip sigs, which + come in many flavors, would be a nightmare and could + strip other stuff, too. Besides, some people may want a + sig attached, even to an encrypted message. + - As usual, anyone is of course free to have a remailer + which munges message bodies as it sees fit, but I expect + such remailers will lose customers. + - Another possibility is another special form, such as + "::End", that could be used to delimit the block to be + remailed. But it'll be hard getting such a "frill" + accepted. + + "How do remailers handle subject lines?" + - In various ways. Some ignore it, some preserve it, some + even can accept instructions to create a new subject line + (perhaps in the last remailer). + - There are reasons not to have a subject line propagated + through a chain of remailers: it tags the message and + hence makes traffic analysis trivial. But there are also + reasons to have a subject line--makes it easier on the + recipient--and so these schemes to add a subject line + exist. + + "Can nicknames or aliases be used with the Cypherpunks + remailers?" + - Certainly digitally signed IDs are used (Pr0duct Cypher, + for example), but not nicknames preserved in fields in + the remailing and mail-to-Usenet gateways. + - This could perhaps be added to the remailers, as an extra + field. (I've heard the mail fields are more tolerant of + added stuff than the Netnews fields are, making mail-to- + News gateways lose the extra fields.) + + Some remailer sites support them + - "If you want an alias assigned at vox.hacktic.nl, one - + only- needs to send some empty mail to + and the adress the mail was send + from will be inculded in the data-base.....Since + vox.hacktic.nl is on a UUCP node the reply can take + some time, usually something like 8 to 12 hours."[Alex + de Joode, , 1994-08-29] + + "What do remailers do with the various portions of + messages? Do they send stuff included after an encrypted + block? Should they? What about headers?" + + There are clearly lots of approaches that may be taken: + - Send everything as is, leaving it up to the sender to + ensure that nothing incriminating is left + - Make certain choices + - I favor sending everything, unless specifically told not + to, as this makes fewer assumptions about the intended + form of the message and thus allows more flexibility in + designing new functions. + + For example, this is what Matthew Ghio had to to say + about his remailer: + - "Everything after the encrypted message gets passed + along in the clear. If you don't want this, you can + remove it using the cutmarks feature with my remailer. + (Also, remail@extropia.wimsey.com doesn't append the + text after the encrypted message.) The reason for this + is that it allows anonymous replies. I can create a + pgp message for a remailer which will be delivered to + myself. I send you the PGP message, you append some + text to it, and send it to the remailer. The remailer + decrypts it and remails it to me, and I get your + message. [M.G., alt.privacy.anon-server, 1994-07-03] + 8.6.7. Remailer Sites + - There is no central administrator of sites, of course, so a + variety of tools are the best ways to develop one's own + list of sites. (Many of us, I suspect, simply settle on a + dozen or so of our favorites. This will change as hundreds + of remailers appear; of course, various scripting programs + will be used to generate the trajectories, handled the + nested encryption, etc.) + - The newsgroups alt.privacy.anon-server, alt.security.pgp, + etc. often report on the latest sites, tools, etc. + + Software for Remailers + + Software to run a remailer site can be found at: + - soda.csua.berkeley.edu in /pub/cypherpunks/remailer/ + - chaos.bsu.edu in /pub/cypherpunks/remailer/ + + Instructions for Using Remailers and Keyservers + + on how to use keyservers + - "If you have access to the World Wide Web, see this + URL: http://draco.centerline.com:8080/~franl/pgp/pgp- + keyservers.html" [Fran Litterio, alt.security.pgp, 1994- + 09-02] + + Identifying Remailer Sites + + finger remailer-list@chaos.bsu.edu + - returns a list of active remailers + - for more complete information, keys, and instructions, + finger remailer.help.all@chaos.bsu.edu + - gopher://chaos.bsu.edu/ + + Raph Levien has an impressive utility which pings the + remailers and reports uptime: + - finger remailer-list@kiwi.cs.berkeley.edu + - or use the Web at + http://www.cs.berkeley.edu/~raph/remailer-list.html + - Raph Levien also has a remailer chaining script at + ftp://kiwi.cs.berkeley.edu/pub/raph/premail-0.20.tar.gz + + Remailer pinging + - "I have written and installed a remailer pinging script + which + collects detailed information about remailer features and + reliability. + + To use it, just finger remailer- + list@kiwi.cs.berkeley.edu + + There is also a Web version of the same information, at: + http://www.cs.berkeley.edu/~raph/remailer-list.html" + [Raph Levien, 1994-08-29] + + Sites which are down?? + - tamsun.tamu.edu and tamaix.tamu.edu + 8.6.8. "How do I set up a remailer at my site?" + - This is not something for the casual user, but is certainly + possible. + - "Would someone be able to help me install the remailer + scripts from the archives? I have no Unix experience and + have *no* idea where to begin. I don't even know if root + access is needed for these. Any help would be + appreciated." [Robert Luscombe, 93-04-28] + - Sameer Parekh, Matthew Ghio, Raph Levien have all written + instructions.... + 8.6.9. "How are most Cypherpunks remailers written, and with what + tools?" + - as scripts which manipulate the mail files, replacing + headers, etc. + - Perl, C, TCL + - "The cypherpunks remailers have been written in Perl, which + facilitates experimenting and testing of new interfaces. + The idea might be to migrate them to C eventually for + efficiency, but during this experimental phase we may want + to try out new ideas, and it's easier to modify a Perl + script than a C program." [Hal Finney, 93-01-09] + - "I do appreciate the cypherpunks stuff, but perl is still + not a very + widely used standard tool, and not everyone of us want to + learn the + ins and outs of yet another language... So I do applaud + the C + version..." [Johan Helsingius, "Julf," 93-01-09] +8.6.10. Dealing with Remailer Abuse + + The Hot Potato + - a remailer who is being used very heavily, or suspects + abuse, may choose to distribute his load to other + remailers. Generally, he can instead of remailing to the + next site, add sites of his own choosing. Thus, he can + both reduce the spotlight on him and also increase cover + traffic by scattering some percentage of his traffic to + other sites (it never reduces his traffic, just lessens + the focus on him). + + Flooding attacks + - denial of service attacks + - like blowing whistles at sports events, to confuse the + action + - DC-Nets, disruption (disruptionf of DC-Nets by flooding + is a very similar problem to disruption of remailers by + mail bombs) + + "How can remailers deal with abuse?" + - Several remailer operators have shut down their + remailers, either because they got tired of dealing with + the problems, or because others ordered them to. + - Source level blocking + - Paid messages: at least this makes the abusers _pay_ and + stops certain kinds of spamming/bombing attacks. + - Disrupters are dealt with in anonymous ways in Chaum's DC- + Net schemes; there may be a way to use this here. + + Karl Kleinpaste was a pioneer (circa 1991-2) of remailers. + He has become disenchanted: + - "There are 3 sites out there which have my software: + anon.penet.fi, tygra, and uiuc.edu. I have philosophical + disagreement with the "universal reach" policy of + anon.penet.fi (whose code is now a long-detached strain + from the original software I gave Julf -- indeed, by now + it may be a complete rewrite, I simply don't know); + ....Very bluntly, having tried to run anon servers twice, + and having had both go down due to actual legal + difficulties, I don't trust people with them any more." + [Karl_Kleinpaste@cs.cmu.edu, alt.privacy.anon-server, + 1994-08-29] + - see discussions in alt.privacy.anon-server for more on + his legal problems with remailers, and why he shut his + down +8.6.11. Generations of Remailers + + First Generation Remailer Characteristics--Now (since 1992) + - Perl scripts, simple processing of headers, crypto + + Second Generation Remailer Characteristics--Maybe 1994 + - digital postage of some form (perhaps simple coupons or + "stamps") + - more flexible handling of exceptions + - mail objects can tell remailer what settings to use + (delays, latency, etc.( + + Third Generation Remailer Characteristics--1995-7? + - protocol negotiation + + Chaum-like "mix" characteristics + - tamper-resistant modules (remailer software runs in a + sealed environment, not visible to operator) + + Fourth Generation Remailer Characteristics--1996-9? + - Who knows? + - Agent-based (Telescript?) + - DC-Net-based +8.6.12. Remailer identity escrow + + could have some uses... + - what incentives would anyone have? + - recipients could source-block any remailer that did not + have some means of coping with serious abuse...a perfect + free market solution + - could also be mandated +8.6.13. Remailer Features + + There are dozens of proposed variations, tricks, and + methods which may or may not add to overall remailer + security (entropy, confusion). These are often discussed on + the list, one at a time. Some of them are: + + Using one's self as a remailer node. Route traffic back + through one's own system. + - even if all other systems are compromised... + - Random delays, over and above what is needed to meet + reordering requirements + - MIRVing, sending a packet out in multiple pieces + - Encryption is of course a primary feature. + + Digital postage. + - Not so much a feature as an incentive/inducement to get + more remailers and support them better. + + "What are features of a remailer network?" + - A vast number of features have been considered; some are + derivative of other, more basic features (e.g., "random + delays" is not a basic feature, but is one proposed way + of achieving "reordering," which is what is really + needed. And "reordering" is just the way to achieve + "decorrelation" of incoming and outgoing messages). + + The "Ideal Mix" is worth considering, just as the "ideal + op amp" is studied by engineers, regardless of whether + one can ever be built. + - a black box that decorrelates incoming and outgoing + packets to some level of diffusion + - tamper-proof, in that outside world cannot see the + internal process of decorrelation (Chaum envisioned + tamper-resistant or tamper-responding circuits doing + the decorrelation) + + Features of Real-World Mixes: + + Decorrelation of incoming and outgoing messages. This + is the most basic feature of any mix or remailer: + obscuring the relationship between any message entering + the mix and any message leaving the mix. How this is + achieve is what most of the features here are all + about. + - "Diffusion" is achieved by batching or delaying + (danger: low-volume traffic defeats simple, fixed + delays) + - For example, in some time period, 20 messages enter a + node. Then 20 or so (could be less, could be + more...there is no reason not to add messages, or + throw away some) messages leave. + + Encryption should be supported, else the decorrelation + is easily defeated by simple inspection of packets. + - public key encryption, clearly, is preferred (else + the keys are available outside) + - forward encryption, using D-H approaches, is a useful + idea to explore, with keys discarded after + transmission....thus making subpoenas problematic + (this has been used with secure phones, for example). + + Quanitzed packet sizes. Obviously the size of a packet + (e.g., 3137 bytes) is a strong cue as to message + identity. Quantizing to a fixed size destroys this cue. + + But since some messages may be small, and some large, + a practical compromise is perhaps to quantize to one + of several standards: + - small messages, e.g., 5K + - medium messages, e.g., 20K + - large messages....handled somehow (perhaps split + up, etc.) + - More analysis is needed. + + Reputation and Service + - How long in business? + - Logging policy? Are messages logged? + - the expectation of operating as stated + + The Basic Goals of Remailer Use + + decorrelation of ingoing and outgoing messages + - indistinguishability + + "remailed messages have no hair" (apologies to the + black hole fans out there) + - no distinguishing charateristics that can be used to + make correlations + - no "memory" of previous appearance + + this means message size padding to quantized sizes, + typically + - how many distinct sizes depends on a lot fo things, + like traffic, the sizes of other messages, etc. + + Encryption, of course + - PGP + - otherwise, messages are trivially distinguishable + + Quantization or Padding: Messages + - padded to standard sizes, or dithered in size to obscure + oringinal size. For example, 2K for typical short + messages, 5K for typical Usenet articles, and 20K for + long articles. (Messages much longer are hard to hide in + a sea of much shorter messages, but other possibilities + exist: delaying the long messages until N other long + messages have been accumulated, splitting the messages + into smaller chunks, etc.) + + "What are the quanta for remailers? That is, what are the + preferred packet sizes for remailed messages?" + - In the short term, now, the remailed packet sizes are + pretty much what they started out to be, e.g, 3-6KB or + so. Some remailers can pad to quantized levels, e.g., + to 5K or 10K or more. The levels have not been settled + on. + - In the long term, I suspect much smaller packets will + be selected. Perhaps at the granularity of ATM packets. + "ATM Remailers" are likely to be coming. (This changes + the nature of traffic analyis a bit, as the _number_ of + remailed packets increases. + - A dissenting argument: ATM networks don't give sender + the control over packets... + - Whatever, I think packets will get smaller, not larger. + Interesting issues. + - "Based on Hal's numbers, I would suggest a reasonable + quantization for message sizes be a short set of + geometrically increasing values, namely, 1K, 4K, 16K, + 64K. In retrospect, this seems like the obvious + quantization, and not arithmetic progressions." [Eric + Hughes, 1994-08-29] + - (Eudora chokes at 32K, and so splits messages at about + 25K, to leave room for comments without further + splitting. Such practical considerations may be important + to consider.) + + Return Mail + - A complicated issue. May have no simple solution. + + Approaches: + - Post encrypted message to a pool. Sender (who provided + the key to use) is able to retrieve anonymously by the + nature of pools and/or public posting. + + Return envelopes, using some kind of procedure to + ensure anonymity. Since software is by nature never + secure (can always be taken apart), the issues are + complicated. The security may be gotten by arranging + with the remailers in the return path to do certain + things to certain messages. + - sender sends instructions to remailers on how to + treat messages of certain types + - the recipient who is replying cannot deduce the + identity, because he has no access to the + instructions the remailers have. + - Think of this as Alice sending to Bob sending to + Charles....sending to Zeke. Zeke sends a reply back + to Yancy, who has instructions to send this back to + Xavier, and so on back up the chain. Only if Bob, + Charles, ..., Yancy collude, can the mapping in the + reverse direction be deduced. + - Are these schemes complicated? Yes. But so are lot of + other protocols, such as getting fonts from a screen + to a laser printer + + Reordering of Messages is Crucial + + latency or fanout in remailers + + much more important than "delay" + - do some calculations! + + the canard about "latency" or delay keeps coming up + - a "delay" of X is neither necessary nor sufficient + to achieve reordering (think about it) + - essential for removing time correlation information, + for removing a "distinguishing mark" ("ideal remailed + messages have no hair") + + The importance of pay as you go, digital postage + + standard market issues + - markets are how scarece resources are allocated + - reduces spamming, overloading, bombing + - congestion pricing + - incentives for improvement + + feedback mechanisms + - in the same way the restaurants see impacts quickly + - applies to other crypto uses besides remailers + + Miscellaneous + - by having one's own nodes, further ensures security + (true, the conspiring of all other nodes can cause + traceability, but such a conspiracy is costly and would + be revealed) + + the "public posting" idea is very attractive: at no point + does the last node know who the next node will be...all + he knows is a public key for that node + + so how does the next node in line get the message, + short of reading all messages? + - first, security is not much compromised by sorting + the public postings by some kind of order set by the + header (e.g., "Fred" is shorthand for some long P-K, + and hence the recipient knows to look in the + Fs...obviously he reads more than just the Fs) + + outgoing messages can be "broadcast" (sent to many nodes, + either by a literal broadcast or public posting, or by + randomly picking many nodes) + - this "blackboard" system means no point to point + communication is needed + + Timed-release strategies + + encrypt and then release the key later + - "innocuously" (how?) + - through a remailing service + - DC-Net + - via an escrow service or a lawyer (but can the lawyer + get into hot water for releasing the key to + controversial data?) + - with a series of such releases, the key can be + "diffused" + - some companies may specialize in timed-release, such + as by offering a P-K with the private key to be + released some time later + - in an ecology of cryptoid entities, this will increase + the degrees of freedom + + this reduces the legal liability of + retransmitters...they can accurately claim that they + were only passing data, that there was no way they + could know the content of the packets + - of course they can already claim this, due to the + encrypted nature + + One-Shot Remailers + - "You can get an anonymous address from + mg5n+getid@andrew.cmu.edu. Each time you request an + anon address, you get a different one. You can get as + many as you like. The addresses don't expire, however, + so maybe it's not the ideal 'one-shot' system, but it + allows replies without connecting you to your 'real + name/address' or to any of your other posts/nyms." [ + Matthew Ghio, 1994-04-07] +8.6.14. Things Needed in Remailers + + return receipts + - Rick Busdiecker notes that "The idea of a Return-Receipt- + To: field has been around for a while, but the semantics + have never been pinned down. Some mailer daemons + generate replies meaning that the bits were delivered." + [R.B., 1994-08-08] + + special handling instructions + - agents, daemons + - negotiated procedures + + digital postage + - of paramount importance! + - solves many problems, and incentivizes remailers + + padding + + padding to fixed sizes + - padding to fixed powers of 2 would increase the average + message size by about a third + - lots of remailers + - multiple jursidictions + - robustness and consistency + + running in secure hardware + - no logs + - no monitoring by operator + - wipe of all temp files + - instantiated quickly, fluidly + - better randomization of remailers +8.6.15. Miscellaneous Aspects of Remailers + + "How many remailer nodes are actually needed?" + - We strive to get as many as possible, to distribute the + process to many jurisdictions and with many opeators. + - Curiously, as much theoretical diffusivity can occur with + a single remailer (taking in a hundred messages and + sending out a hundred, for example) as with many + remailers. Our intuition is, I think, that many remailers + offer better diffusivity and better hiding. Why this is + so (if it is) needs more careful thinking than I've seen + done so far. + - At a meta-level, we think multiple remailers lessens the + chance of them being compromised (this, however, is not + directly related to the diffusivity of a remailer network- + -important, but not directly related). + - (By the way, a kind of sneaky idea is to try to always + declare one's self to be a remailer. If messages were + somehow traced back to one's own machine, one could + claim: 'Yes, I'm a remailer." In principle, one could be + the only remailer in the universe and still have high + enough diffusion and confusion. In practice, being the + only remailer would be pretty dangerous.) + + Diffusion and confusion in remailer networks + + Consider a single node, with a message entering, and + two messages leaving; this is essentially the smallest + "remailer op" + - From a proof point of view, either outgoing message + could be the one + - and yet neither one can be proved to be + - Now imagine those two messages being sent through 10 + remailers...no additional confusion is added...why? + - So, with 10 messages gong into a chain of 10 remailers, + if 10 leave... + - The practical effect of N remailers is to ensure that + compromise of some fraction of them doesn't destroy + overall security + + "What do remailers do with misaddressed mail?" + - Depends on the site. Some operators send notes back + (which itself causes concern), some just discard + defective mail. This is a fluid area. At least one + remailer (wimsey) can post error messages to a message + pool--this idea can be generalized to provide "delivery + receipts" and other feedback. + - Ideal mixes, a la Chaum, would presumably discard + improperly-formed mail, although agents might exist to + prescreen mail (not mandatory agents, of course, but + voluntarily-selected agents) + - As in so many areas, legislation is not needed, just + announcement of policies, choice by customers, and the + reputation of the remailer. + - A good reason to have robust generation of mail on one's + own machine, so as to minimize such problems. + + "Can the NSA monitor remailers? Have they?" + + Certainly they _can_ in various ways, either by directly + monitoring Net traffic or indirectly. Whether they _do_ + is unknown. + - There have been several rumors or forgeries claiming + that NSA is routinely linking anonymous IDs to real IDs + at the penet remailer. + + Cypherpunks remailers are, if used properly, more + secure in key ways: + - many of them + - not used for persistent, assigned IDs + - support for encryption: incoming and outgoing + messages look completely unlike + - batching, padding, etc. supported + - And properly run remailers will obscure/diffuse the + connection between incoming and outgoing messages--the + main point of a remailer! + + The use of message pools to report remailer errors + - A good example of how message pools can be used to + anonymously report things. + - "The wimsey remailer has an ingenious method of returning + error messages anonymously. Specify a subject in the + message sent to wimsey that will be meaningful to you, + but won't identify you (like a set of random letters). + This subject does not appear in the remailed message. + Then subscribe to the mailing list + + errors-request@extropia.wimsey.com + + by sending a message with Subject: subscribe. You will + receive a msg + for ALL errors detected in incoming messages and ALL + bounced messages." [anonymous, 93-08-23] + - This is of course like reading a classified ad with some + cryptic message meaningful to you alone. And more + importantly, untraceable to you. + + there may be role for different types of remailers + - those that support encryption, those that don't + + as many in non-U.S. countries as possible + - especially for the *last* hop, to avoid subpoena issues + - first-class remailers which remail to *any* address + + remailers which only remail to *other remailers* + - useful for the timid, for those with limited support, + etc. + - + + "Should mail faking be used as part of the remailer + strategy?" + - "1. If you fake mail by talking SMTP directly, the IP + address or domain name of the site making the outgoing + connection will appear in a Received field in the header + somewhere." + + "2. Fake mail by devious means is generally frowned upon. + There's no need to take a back-door approach here--it's + bad politically, as in Internet politics." [Eric Hughes, + 94-01-31] + - And if mail can really be consistently and robustly + faked, there would be less need for remailers, right? + (Actually, still a need, as traffic analysis would likely + break any "Port 25" faking scheme.) + - Furthermore, such a strategy would not likely to be + robust over time, as it relies on exploiting transitory + flaws and vendor specifics. A bad idea all around. + + Difficulties in getting anonymous remailer networks widely + deployed + - "The tricky part is finding a way to preserve anonymity + where the majority of sites on the Internet continue to + log traffic carefully, refuse to install new software + (especially anon-positive software), and are + administrated by people with simplistic and outdated + ideas about identity and punishment. " [Greg Broiles, + 1994-08-08] + + Remailer challenge: insulating the last leg on a chain from + prosecution + + Strategy 1: Get them declared to be common carriers, like + the phone company or a mail delivery service + + e.g., we don't prosecute an actual package + deliveryperson, or even the company they work for, for + delivery of an illegal package + - contents assumed to be unknown to the carrier + - (I've heard claims that only carriers who make other + agreements to cooperate with law enforcement can be + treated as common carriers.) + + Strategy 2: Message pools + + ftp sites + - with plans for users to "subscribe to" all new + messages (thus, monitoring agencies cannot know + which, if any, messages are being sought) + - this gets around the complaint about too much volume + on the Usenet (text messages are a tiny fraction of + other traffic, especially images, so the complaint is + only one of potentiality) + + Strategy 3: Offshore remailers as last leg + - probably set by sender, who presumably knows the + destination + - A large number of "secondary remailers" who agree to + remail a limited number... + + "Are we just playing around with remailers and such?" + - It pains me to say this, but, yes, we are just basically + playing around here! + - Remailer traffic is so low, padding is so haphazard, that + making correlations between inputs and outputs is not + cryptographically hard to do. (It might _seem_ hard, with + paper and pencil sorts of calculations, but it'll be + child's play for the Crays at the Fort.) + - Even if this is not so for any particular message, + maintaining a persistent ID--such as Pr0duct Cypher does, + with digital sigs--without eventually providing enough + clues will be almost impossible. At this time. + - Things will get better. Better and more detailed + "cryptanalysis of remailer chains" is sorely needed. + Until then, we are indeed just playing. (Play can be + useful, though.) + + The "don't give em any hints" principle (for remailers) + - avoid giving any information + - dont't say which nodes are sources and which are sinks; + let attackers assume everyone is a remailer, a source + - don't say how long a password is + - don't say how many rounds are in a tit-for-tat tournament + +8.7. Anonymous Posting to Usenet + 8.7.1. Julf's penet system has historically been the main way to + post anonymously to Usenet (used by no less a luminary than + L. Detweiler, in his "an12070/S. Boxx" personna). This has + particulary been the case with postings to "support" groups, + or emotional distress groups. For example, + alt.sexual.abuse.recovery. + 8.7.2. Cryptographically secure remailes are now being used + increasingly (and scaling laws and multiple jurisdictions + suggest even more will be used in the future). + 8.7.3. finger remailer.help.all@chaos.bsu.edu gives these results + [as of 1994-09-07--get a current result before using!] + - "Anonymous postings to usenet can be made by sending + anonymous mail to one of the following mail-to-usenet + gateways: + + group.name@demon.co.uk + group.name@news.demon.co.uk + group.name@bull.com + group.name@cass.ma02.bull.com + group.name@undergrad.math.uwaterloo.ca + group.name@charm.magnus.acs.ohio-state.edu + group.name@comlab.ox.ac.uk + group.name@nic.funet.fi + group.name@cs.dal.ca + group.name@ug.cs.dal.ca + group.name@paris.ics.uci.edu (removes headers) + group.name.usenet@decwrl.dec.com (Preserves all headers)" + +8.8. Anonymous Message Pools, Newsgroups, etc. + 8.8.1. "Why do some people use message pools?" + - Provides untracable communication + - messages + - secrets + - transactions + + Pr0duct Cypher is a good example of someone who + communicates primarily via anonymous pools (for messages to + him). Someone recently asked about this, with this comment: + - "Pr0duct Cypher chooses to not link his or her "real + life" identity with the 'nym used to sign the software he + or she wrote (PGP Tools, Magic Money, ?). This is quite + an understandable sentiment, given that bad apples in the + NSA are willing to go far beyond legal hassling, and make + death threats against folks with high public visibility + (see the threads about an NSA agent threatening to run + Jim Bidzos of RSA over in his parking lot)." [Richard + Johnson, alt.security.pgp, 1994-07-02] + 8.8.2. alt.anonymous.messages is one such pool group + - though it's mainly used for test messages, discussions of + anonymity (though there are better groups), etc. + 8.8.3. "Could there be truly anonymous newsgroups?" + - One idea: newgroup a moderated group in which only messages + sans headers and other identifiers would be accepted. The + "moderator"--which could be a program--would only post + messages after this was ensured. (Might be an interesting + experiment.) + + alt.anonymous.messages was newgrouped by Rick Busdiecker, + 1994-08. + - Early uses were, predictably, by people who stumbled + across the group and imputed to it whatever they wished. + +8.9. Legal Issues with Remailers + 8.9.1. What's the legal status of remailers? + - There are no laws against it at this time. + - No laws saying people have to put return addresses on + messages, on phone calls (pay phones are still legal), etc. + - And the laws pertaining to not having to produce identity + (the "flier" case, where leaflet distributors did not have + to produce ID) would seem to apply to this form of + communication. + + However, remailers may come under fire: + + Sysops, MIT case + - potentially serious for remailers if the case is + decided such that the sysop's creation of group that + was conducive to criminal pirating was itself a + crime...that could make all involved in remailers + culpable + 8.9.2. "Can remailer logs be subpoenaed?" + - Count on it happening, perhaps very soon. The FBI has been + subpoenaing e-mail archives for a Netcom customer (Lewis De + Payne), probably because they think the e-mail will lead + them to the location of uber-hacker Kevin Mitnick. Had the + parties used remailers, I'm fairly sure we'd be seeing + similar subpoenas for the remailer logs. + - There's no exemption for remailers that I know of! + + The solutions are obvious, though: + - use many remailers, to make subpoenaing back through the + chain very laborious, very expensive, and likely to fail + (if even one party won't cooperate, or is outside the + court's jurisdiction, etc.) + - offshore, multi-jurisdictional remailers (seleted by the + user) + - no remailer logs kept...destroy them (no law currently + says anybody has to keep e-mail records! This may + change....) + - "forward secrecy," a la Diffie-Hellman forward secrecy + 8.9.3. How will remailers be harassed, attacked, and challenged? + 8.9.4. "Can pressure be put on remailer operators to reveal traffic + logs and thereby allow tracing of messages?" + + For human-operated systems which have logs, sure. This is + why we want several things in remailers: + * no logs of messages + * many remailers + * multiple legal jurisdictions, e.g., offshore remailers + (the more the better) + * hardware implementations which execute instructions + flawlessly (Chaum's digital mix) + 8.9.5. Calls for limits on anonymity + + Kids and the net will cause many to call for limits on + nets, on anonymity, etc. + - "But there's a dark side to this exciting phenomenon, one + that's too rarely understood by computer novices. + Because they + offer instant access to others, and considerable + anonymity to + participants, the services make it possible for people - + especially computer-literate kids - to find themselves in + unpleasant, sexually explicit social situations.... And + I've gradually + come to adopt the view, which will be controversial among + many online + users, that the use of nicknames and other forms of + anonymity + must be eliminated or severly curbed to force people + online into + at least as much accountability for their words and + actions as + exists in real social encounters." [Walter S. Mossberg, + Wall Street Journal, 6/30/94, provided by Brad Dolan] + - Eli Brandt came up with a good response to this: "The + sound-bite response to this: do you want your child's + name, home address, and phone number available to all + those lurking pedophiles worldwide? Responsible parents + encourage their children to use remailers." + - Supreme Court said that identity of handbill distributors + need not be disclosed, and pseudonyms in general has a long + and noble tradition + - BBS operators have First Amendment protections (e.g.. + registration requirements would be tossed out, exactly as + if registration of newspapers were to be attempted) + 8.9.6. Remailers and Choice of Jurisdictions + - The intended target of a remailed message, and the subject + material, may well influence the set of remailers used, + especially for the very important "last remailer' (Note: it + should never be necessary to tell remailers if they are + first, last, or others, but the last remailer may in fact + be able to tell he's the last...if the message is in + plaintext to the recipient, with no additional remailer + commands embedded, for example.) + - A message involving child pornography might have a remailer + site located in a state like Denmark, where child porn laws + are less restrictive. And a message critical of Islam might + not be best sent through a final remailer in Teheran. Eric + Hughes has dubbed this "regulatory arbitrage," and to + various extents it is already common practice. + - Of course, the sender picks the remailer chain, so these + common sense notions may not be followed. Nothing is + perfect, and customs will evolve. I can imagine schemes + developing for choosing customers--a remailer might not + accept as a customer certain abusers, based on digital + pseudonyms < hairy). + 8.9.7. Possible legal steps to limit the use of remailers and + anonymous systems + - hold the remailer liable for content, i.e., no common + carrier status + - insert provisions into the various "anti-hacking" laws to + criminalize anonymous posts + 8.9.8. Crypto and remailers can be used to protect groups from "deep + pockets" lawsuits + - products (esp. software) can be sold "as is," or with + contracts backed up by escrow services (code kept in an + escrow repository, or money kept there to back up + committments) + + jurisdictions, legal and tax, cannot do "reach backs" which + expose the groups to more than they agreed to + - as is so often the case with corporations in the real + world, which are taxed and fined for various purposes + (asbestos, etc.) + - (For those who panic at the thought of this, the remedy for + the cautious will be to arrange contracts with the right + entities...probably paying more for less product.) + 8.9.9. Could anonymous remailers be used to entrap people, or to + gather information for investigations? + - First, there are so few current remailers that this is + unlikely. Julf seems a non-narc type, and he is located in + Finland. The Cypherpunks remailers are mostly run by folks + like us, for now. + - However, such stings and set-ups have been used in the past + by narcs and "red squads." Expect the worse from Mr. + Policeman. Now that evil hackers are identified as hazards, + expect moves in this direction. "Cryps" are obviously + "crack" dealers. + - But use of encryption, which CP remailers support (Julf's + does not), makes this essentially moot. + +8.10. Cryptanalysis of Remailer Networks +8.10.1. The Need for More Detailed Analysis of Mixes and Remailers + + "Have remailer systems been adequately cryptanalyzed?" + - Not in my opinion, no. Few calculations have been done, + just mostly some estimates about how much "confusion" has + been created by the remailer nodes. + - But thinking that a lot of complication and messiness + makes a strong crypto system is a basic mistake...sort of + like thinking an Enigma rotor machine makes a good cipher + system, by today's standards, just because millions of + combinations of pathways through the rotor system are + possible. Not so. + + Deducing Patterns in Traffic and Deducing Nyms + - The main lesson of mathematical cryptology has been that + seemingly random things can actually be shown to have + structure. This is what cryptanalysis is all about. + - The same situation applies to "seemingly random" message + traffic, in digital mixes, telephone networks, etc. + "Cryptanalysis of remailers" is of course possible, + depending on the underlying model. (Actually, it's always + possible, it just may not yield anything, as with + cryptanalysis of ciphers.) + + on the time correlation in remailer cryptanalysis + - imagine Alice and Bob communicating through + remailers...an observer, unable to follow specific + messages through the remailers, could still notice + pairwise correlations between messages sent and + received by these two + + like time correlations between events, even if the + intervening path or events are jumbled + - e.g., if within a few hours of every submarine's + departure from Holy Loch a call is placed to Moscow, + one may make draw certain conclusions about who is a + Russian spy, regardless of not knowing the + intermediate paths + - or, closer to home, correlating withdrawals from one + bank to deposits in another, even if the intervening + transfers are jumbled + + just because it seems "random" does not mean it is + - Scott Collins speculates that a "dynamic Markov + compressor" could discern or uncover the non- + randomness in remailer uses + - Cryptanalysis of remailers has been woefully lacking. A + huge fraction of posts about remailer improvements make + hand-waving arguments about the need for more traffic, + longer delays, etc. (I'm not pointing fingers, as I make + the same informal, qualitative comments, too. What is + needed is a rigorous analysis of remailer security.) + - We really don't have any good estimates of overall security + as a function of number of messages circulating, the + latency ( number of stored messages before resending), the + number of remailer hops, etc. This is not cryptographically + "exciting" work, but it's still needed. There has not been + much focus in the academic community on digital mixes or + remailers, probably because David Chaum's 1981 paper on + "Untraceable E-Mail" covered most of the theoretically + interesting material. That, and the lack of commercial + products or wide usage. + + Time correlations may reveal patterns that individual + messages lack. That is, repeated communicatin between Alice + and Bob, even if done through remailers and even if time + delays/dwell times are built-in, may reveal nonrandom + correlations in sent/received messages. + - Scott Collins speculates that a dynamic Markov compressor + applied to the traffic would have reveal such + correlations. (The application of such tests to digital + cash and other such systems would be useful to look at.) + - Another often overlooked weakness is that many people + send test messages to themselves, a point noted by Phil + Karn: "Another way that people often let themselves be + caught is that they inevitably send a test message to + themselves right before the forged message in question. + This shows up clearly in the sending system's sendmail + logs. It's a point to consider with remailer chains too, + if you don't trust the last machine on the chain." [P.K., + 1994-09-06] + + What's needed: + - aggreement on some terminology (this doesn't require + consensus, just a clearly written paper to de facto + establish the terminology) + - a formula relating degree of untraceability to the major + factors that go into remailers: packet size and + quantization, latency (# of messages), remailer policies, + timing, etc. + - Also, analysis of how deliberate probes or attacks might + be mounted to deduce remailer patterns (e.g., Fred always + remails to Josh and Suzy and rarely to Zeke). + - I think this combinatorial analysis would be a nice little + monograph for someone to write. +8.10.2. A much-needed thing. Hal Finney has posted some calculations + (circa 1994-08-08), but more work is sorely needed. +8.10.3. In particular, we should be skeptical of hand-waving analyses + of the "it sure looks complicated to follow the traffic" + sort. People think that by adding "messy" tricks, such as + MIRVing messages, that security is increased. Maybe it is, + maybe it isn't. But it needs formal analysis before claims + can be confidantly believed. +8.10.4. Remailers and entropy + - What's the measure of "mixing" that goes on in a mix, or + remailer? + - Hand=waving about entropy and reordering may not be too + useful. + + Going back to Shannon's concept of entropy as measuring the + degree of uncertainty... + + trying to "guess" or "predict' where a message leaving + one node will exit the system + - not having clear entrance and exit points adds to the + difficulty, somewhat analogously to having a password + of unknown length (an attacker can't just try all 10- + character passwords, as he has no idea of the length) + - the advantages of every node being a remailer, of + having no clearly identified sources and sinks + + This predictability may depend on a _series_ of messages + sent between Alice and Bob...how? + - it seems there may be links to Persi Diaconis' work on + "perfect shuffles" (a problem which seemed easy, but + which eluded solving until recently...should give us + comfort that our inability to tackle the real meat of + this issue is not too surprising +8.10.5. Scott Collins believes that remailer networks can be + cryptanalyzed roughly the same way as pseudorandom number + generators are analyzed, e.g., with dynamic Markov + compressors (DNCs). (I'm more skeptical: if each remailer is + using an information-theoretically secure RNG to reorder the + messages, and if all messages are the same size and (of + course) are encypted with information-theoretically secure + (OTP) ciphers, then it seems to me that the remailing would + itself be information-theoretically secure.) + +8.11. Dining Cryptographers +8.11.1. This is effectively the "ideal digital mix," updated from + Chaum's original hardware mix form to a purely software-based + form. +8.11.2. David Chaum's 1988 paper in Journal of Crypology (Vol 1, No + 1) outlines a way for completely untraceable communication + using only software (no tamper-resistant modules needed) + - participants in a ring (hence "dining cryptographers") + - Chaum imagines that 3 cryptographers are having dinner and + are informed by their waiter that their dinner has already + been paid for, perhaps by the NSA, or perhaps by one of + themselves...they wish to determine which of these is true, + without revealing which of them paid! + - everyone flips a coin (H or T) and shows it to his neighbor + on the left + + everyone reports whether he sees "same" or "different" + - note that with 2 participants, they both already know + the other's coin (both are to the left!) + - however, someone wishing to send a message, such as Chaum's + example of "I paid for dinner," instead says the opposite + of what he sees + + some analysis of this (analyze it from the point of view of + one of the cryptographers) shows that the 3 cryptographers + will know that one of them paid (if this protocol is + executed faithfully), but that the identity can't be + "localized" + - a diagram is needed... + + this can be generalized... + + longer messages + - use multiple rounds of the protocol + + faster than coin-flipping + - each participant and his left partner share a list of + "pre-flipped" coins, such as truly random bits + (radioactive decay, noise, etc.) stored on a CD-ROM or + whatever + - they can thus "flip coins" as fast as they can read the + disk + + simultaneous messages (collision) + - use back-off and retry protocols (like Ethernet uses) + + collusion of participants + - an interesting issue...remember that participants are + not restricted to the simple ring topology + - various subgraphs can be formed + - a participant who fears collusion can pick a subgraph + that includes those he doubts will collude (a tricky + issue) + + anonymity of receiver + - can use P-K to encrypt message to some P-K and then + "broadcast" it and force every participant to try to + decrypt it (only the anonymous recipient will actually + succeed) + - Chaum's complete 1988 "Journal of Cryptology" article is + available at the Cypherpunks archive site, + ftp.soda.csua.edu, in /pub/cypherpunks +8.11.3. What "DC-Net" Means + - a system (graph, subgraphs, etc.) of communicating + participants, who need not be known to each other, can + communicate information such that neither the sender nor + the recipient is known + + unconditional sender untraceability + - the anonymity of the broadcaster can be information- + theoretically secure, i.e., truly impossible to break and + requiring no assumptions about public key systems, the + difficulty of factoring, etc. + + receiver untraceability depends on public-key protocols, so + traceability is computationally-dependent + - but this is believed to be secure, of course + + bandwidth can be increased by several means + - shared keys + - block transmission by accumulating messages + - hiearchies of messages, subgraphs, etc. + +8.12. Future Remailers +8.12.1. "What are the needed features for the Next Generation + Remailer?" + + Some goals + - generally, closer to the goals outlined in Chaum's 1981 + paper on "Untraceable E-Mail" + - Anonymity + - Digital Postage, pay as you go, ,market pricing + - Traffic Analysis foiled + + Bulletproof Sites: + - Having offshore (out of the U.S.) sites is nice, but + having sites resistant to pressures from universities and + corporate site administrators is of even greater + practical consequence. The commercial providers, like + Netcom, Portal, and Panix, cannot be counted on to stand + and fight should pressures mount (this is just my guess, + not an aspersion against their backbones, whether organic + or Internet). + - Locating remailers in many non-U.S. countries is a Good + Idea. As with money-laundering, lots of countries means + lots of jurisdictions, and the near impossibility of + control by one country. + + Digital Postage, or Pay-as-you-Go Services: + - Some fee for the service. Just like phone service, modem + time, real postage, etc. (But unlike highway driving, + whose usage is largely subsidized.) + - This will reduce spamming, will incentivize remailer + services to better maintain their systems, and will + - Rates would be set by market process, in the usual way. + "What the traffic will bear." Discounts, favored + customers, rebates, coupons, etc. Those that don't wish + to charge, don't have to (they'll have to deal with the + problems). + + Generations + - 1st Gen--Today's Remailer: + - 2nd Gen--Near Future (c. 1995) + - 3rd Gen- + - 4th Gen-- +8.12.2. Remailing as a side effect of mail filtering + - Dean Tribble has proposed... + - "It sounds like the plan is to provide a convenient mail + filtering tool which provides remailer capability as a SIDE + EFFECT! What a great way to spread remailers!" [Hal Finney, + 93-01-03] +8.12.3. "Are there any remailers which provide you with an anonymous + account to which other people may send messages, which are + then forwarded to you in a PGP-encrypted form?" [Mikolaj + Habryn, 94-04] + - "Yes, but it's not running for real yet. Give me a few + months until I get the computer + netlink for it. (It's + running for testing though, so if you want to test it, mail + me, but it's not running for real, so don't *use* it.)" + [Sameer Parekh, 94-04-03] +8.12.4. "Remailer Alliances" + + "Remailer's Guild" + - to make there be a cost to flakiness (expulsion) and a + benefit to robustness, quality, reliability, etc. + (increased business) + - pings, tests, cooperative remailing + - spreading the traffic to reduce effectiveness of attacks + - which execute protocols + - e.g., to share the traffic at the last hop, to reduce + attacks on any single remailer + +8.13. Loose Ends +8.13.1. Digital espionage + + spy networks can be run safely, untraceably, undetectably + - anonymous contacts, pseudonyms + - digital dead drops, all done electronically...no chance + of being picked up, revealed as an "illegal" (a spy with + no diplomatic cover to save him) and shot + + so many degrees of freedom in communications that + controlling all of them is essentially impossible + - Teledesic/Iridium/etc. satellites will increase this + capability further + + unless crypto is blocked--and relatively quickly and + ruthlessly--the situation described here is unstoppable + - what some call "espionage" others would just call free + communication + - (Some important lessons for keeping corporate or business + secrets...basically, you can't.) +8.13.2. Remailers needs some "fuzziness," probably + + for example, if a remailer has a strict policy of + accumulating N messages, then reordering and remailing + them, an attacker can send N - 1 messages in and know which + of the N messages leaving is the message they want to + follow; some uncertainly helps here + - the mathematics of how this small amount of uncertainty, + or scatter, could help is something that needs a detailed + analysis + - it may be that leaving some uncertainty, as with the + keylength issue, can help +8.13.3. Trying to confuse the eavesdroppers, by adding keywords they + will probably pick up on + + the "remailer@csua.berkeley.edu" remailer now adds actual + paragraphs, such as this recent example: + - "I fixed the SKS. It came with a scope and a Russian + night scope. It's killer. My friend knows about a + really good gunsmith who has a machineshop and knows how + to convert stuff to automatic." + + - How effective this ploy is is debatable +8.13.4. Restrictions on anonymous systems + - Anonymous AIDS testing. Kits for self-testing have been + under FDA review for 5 years, but counseling advocates have + delayed release on the grounds that some people will react + badly and perhaps kill themselves upon getting a positive + test result...they want the existing system to prevail. (I + mention this to show that anonymous systems are somtimes + opposed for ideological reasons.) + +9. Policy: Clipper,Key Escrow, and Digital Telephony + +9.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +9.2. SUMMARY: Policy: Clipper,Key Escrow, and Digital Telephony + 9.2.1. Main Points + - Clipper has been a main unifying force, as 80% of all + Americans, and 95% of all computer types, are opposed. + - "Big Brother Inside" + 9.2.2. Connections to Other Sections + - the main connections are _legal_ + - some possible implications for limits on crypto + 9.2.3. Where to Find Additional Information + - There have been hundreds of articles on Clipper, in nearly + all popular magazines. Many of these were sent to the + Cypherpunks list and may be available in the archives. (I + have at least 80 MB of Cypherpunks list stuff, a lot of it + newspaper and magazine articles on Clipper!) + + more Clipper information can be found at: + - "A good source is the Wired Online Clipper Archive. Send + e-mail to info-rama@wired.com. with no subject and the + words 'get help' and 'get clipper/index' in the body of + the message." [students@unsw.EDU.AU, alt.privacy.clipper, + 1994-09-01] + 9.2.4. Miscellaneous Comments + - As with a couple of other sections, I won't try to be as + complete as some might desire. Just too many thousands of + pages of stuff to consider. + +9.3. Introduction + 9.3.1. What is Clipper? + - government holds the skeleton keys + - analogies to other systems + 9.3.2. Why do most Cypherpunks oppose Clipper? + - fear of restrictions on crypto, derailing so many wonderful + possibilities + 9.3.3. Why does Clipper rate its own section? + - The announcement of the "Escrowed Encryption Standard," + EES, on April 16, 1993, was a galvanizing event for + Cypherpunks and for a large segment of the U. S. + population. The EES was announced originally as "Clipper," + despite the use of the name Clipper by two major products + (the Intergraph CPU and a dBase software tool), and the + government backed off on the name. Too late, though, as the + name "Clipper" had become indelibly linked to this whole + proposal. + 9.3.4. "Is stopping Clipper the main goal of Cypherpunks?" + - It certainly seems so at times, as Clipper has dominated + the topics since the Clipper announcement in April, 1993. + + it has become so, with monkeywrenching efforts in several + areas + - lobbying and education against it (though informal, such + lobbying has been successful...look at NYT article) + - "Big Brother Inside" and t-shirts + - technical monkeywrenching (Matt Blaze...hesitate to claim + any credit, but he has been on our list, attended a + meeting, etc.) + - Although it may seem so, Clipper is just one + aspect...step...initiative. + - Developing new software tools, writing code, deploying + remailers and digital cash are long-range projects of great + importance. + - The Clipper key escrow proposal came along (4-93) at an + opportune time for Cypherpunks and became a major focus. + Emergency meetings, analyses, etc. + +9.4. Crypto Policy Issues + 9.4.1. Peter Denning on crypto policy: + + provided by Pat Farrell, 1994-08-20; Denning comments are + 1992-01-22, presented at Computers, Freedom, and Privacy 2. + Peter D. uses the metaphor of a "clearing,"as in a forest, + for the place where people meet to trade, interact, etc. + What others call markets, agoras, or just "cyberspace." + - "Information technology in producing a clearing in which + individuals and corporations are key players besides + government. Any attempt by government to control the flow + of information over networks will be ignored or met with + outright hostility. There is no practical way that + government can control information except information + directly involved in the business of governing. It + should not try." [Peter Denning, PUBLIC POLICY FOR THE + 21ST CENTURY, DRAFT 1/22/92] + - No word on how this view squares with his wife's control + freak views. + 9.4.2. Will government and NSA in particular attempt to acquire some + kind of control over crypto companies? + + speculations, apparently unfounded, that RSA Data Security + is influenced by NSA wishes + - weaknesses in the DES keys picked? + - and companies may be dramatically influenced by contracts + (and the witholding of them) + 9.4.3. NIST and DSS + 9.4.4. Export restrictions, Munitions List, ITAR + 9.4.5. old crypto machines sold to Third World governments, cheaply + - perhaps they think they can make some changes and outsmart + the NSA (which probably has rigged it so any changes are + detectable and can be factored in) + - and just knowing the type of machine is a huge advantage + 9.4.6. 4/28/97 The first of several P-K and RSA patents expires + + U.S. Patent Number: 4200770 + - Title: Cryptographic Apparatus and Method + - Inventors: Hellman, Diffie, Merkle + - Assignee: Stanford University + - Filed: September 6, 1977 + - Granted: April 29, 1980 + - [Expires: April 28, 1997] + + remember that any one of these several patents held by + Public Key Partners (Stanford and M.I.T., with RSA Data + Security the chief dispenser of licenses) can block an + effort to bypass the others + - though this may get fought out in court + 9.4.7. encryption will be needed inside computer systems + - for operating system protection + - for autonomous agents (active agents) + - for electronic money + +9.5. Motivations for Crypto Laws + 9.5.1. "What are the law enforcement and FBI worries?" + - "FBI Director Louis Freeh is worried. The bad guys are + beginning to see the light, and it is digital. ... Freeh + fears some pretty nasty folks have discovered they can + commit highway robbery and more, without even leaving home. + Worse, to Freeh and other top cops, by using some pretty + basic technologies, savvy criminals can do their crimes + without worrying about doing time. + + "Some crooks, spies, drug traffickers, terrorists and + frauds already use the tools of the information age to + outfox law enforcement officers. Hackers use PBXs to hide + their tracks as they rip off phone companies and poke + around in other people's files. Reprogrammed cellular + phones give cops fits." [LAN Magazine,"Is it 1984?," by Ted + Bunker, August 1994] + - Their fears have some validity...in the same way that the + rulers in Gutenberg's time could have some concerns about + the implications of books (breaking of guilds, spread of + national secrets, pornography, atheism, etc.). + 9.5.2. "What motivated Clipper? What did the Feds hope to gain?" + - ostensibly to stop terrorists (only the unsophisticated + ones, if alternatives are allowed) + - to force a standard on average Americans + - possibly to limit crypto development + + Phil Karn provides an interesting motivation for Clipper: + "Key escrow exists only because the NSA doesn't want to + risk blame if some terrorist or drug dealer were to use an + unescrowed NSA-produced .....The fact that a terrorist or + drug dealer can easily go elsewhere and obtain other strong + or stronger algorithms without key escrow is irrelevant. + The NSA simply doesn't care as long as *they* can't be + blamed for whatever happens. Classic CYA, nothing + more.....A similar analysis applies to the export control + regulations regarding cryptography." [Phil Karn, 1994-08- + 31] + - Bill Sommerfeld notes: "If this is indeed the case, Matt + Blaze's results should be particularly devastating to + them." [B.S., 1994-09-01] + 9.5.3. Steve Witham has an interesting take on why folks like + Dorothy Denning and Donn Parker support key escrow so + ardently: + - "Maybe people like Dot and Don think of government as a + systems-administration sort of job. So here they are, + security experts advising the sys admins on things like... + + setting permissions + allocating quotas + registering users and giving them passwords..... + deciding what utilities are and aren't available + deciding what software the users need, and installing it + (grudgingly, based on who's yelling the loudest) + setting up connections to other machines + deciding who's allowed to log in from "foreign hosts" + getting mail set up and running + buying new hardware from vendors + specifying the hardware to the vendors + ... + + "These are the things computer security experts advise on. + Maybe hammer experts see things as nails. + + "Only a country is not a host system owned and administered + by the government, and citizens are not guests or users." + [Steve Witham, Government by Sysadmin, 1994-03-23] + + 9.5.4. Who would want to use key escrow? + 9.5.5. "Will strong crypto really thwart government plans?" + - Yes, it will give citizens the basic capabilities that + foreign governments have had for many years + + Despite talk about codebreakes and the expertise of the + NSA, the plain fact is that no major Soviet ciphers have + been broken for many years + + recall the comment that NSA has not really broken any + Soviet systems in many years + - except for the cases, a la the Walker case, where + plaintext versions are gotten, i.e., where human + screwups occurred + - the image in so many novels of massive computers breaking + codes is absurd: modern ciphers will not be broken (but the + primitive ciphers used by so many Third World nations and + their embassies will continue to be child's play, even for + high school science fair projects...could be a good idea + for a small scene, about a BCC student who has his project + pulled) + 9.5.6. "Why does the government want short keys?" + - Commercial products have often been broken by hackers. The + NSA actually has a charter to help businesses protect their + secrets; just not so strongly that the crypto is + unbreakable by them. (This of course has been part of the + tension between the two sides of the NSA for the past + couple of decades.) + + So why does the government want crippled key lengths? + - "The question is: how do you thwart hackers while + permitting NSA access? The obvious answer is strong + algorithm(s) and relatively truncated keys." [Grady Ward, + sci.crypt, 1994-08-15] + +9.6. Current Crypto Laws + 9.6.1. "Has crypto been restricted in countries other than the + U.S.?" + - Many countries have restrictions on civilian/private use of + crypto. Some even insist that corporations either send all + transmissions in the clear, or that keys be provided to the + government. The Phillipines, for example. And certainly + regimes in the Communists Bloc, or what's left of it, will + likely have various laws restricting crypto. Possibly + draconian laws....in many cultures, use of crypto is + tantamount to espionage. + +9.7. Crypto Laws Outside the U.S. + 9.7.1. "International Escrow, and Other Nation's Crypto Policies?" + - The focus throughout this document on U.S. policy should + not lull non-Americans into complacency. Many nations + already have more Draconian policies on the private use of + encryption than the U.S. is even contemplating + (publically). France outlaws private crypto, though + enforcement is said to be problematic (but I would not want + the DGSE to be on my tail, that's for sure). Third World + countries often have bans on crypto, and mere possession of + random-looking bits may mean a spying conviction and a trip + to the gallows. + + There are also several reports that European nations are + preparing to fall in line behind the U.S. on key escrow + - Norway + - Netherlands + - Britain + + A conference in D.C. in 6/94, attended by Whit Diffie (and + reported on to us at the 6/94 CP meeting) had internation + escrow arrangements as a topic, with the crypto policy + makers of NIST and NSA describing various options + - bad news, because it could allow bilateral treaties to + supercede basic rights + - could be plan for getting key escrow made mandatory + + there are also practical issues + + who can decode international communications? + - do we really want the French reading Intel's + communications? (recall Matra-Harris) + - satellites? (like Iridium) + - what of multi-national messages, such as an encrypted + message posted to a message pool on the Internet...is + it to be escrowed with each of 100 nations? + 9.7.2. "Will foreign countries use a U.S.-based key escrow system?" + - Lots of pressure. Lots of evidence of compliance. + 9.7.3. "Is Europe Considering Key Escrow?" + - Yes, in spades. Lots of signs of this, with reports coming + in from residents of Europe and elsewhere. The Europeans + tend to be a bit more quiet in matters of public policy (at + least in some areas). + - "The current issue of `Communications Week International' + informs us that the European Union's Senior Officials Group + for Security of Information Systems has been considering + plans for standardising key escrow in Europe. + + "Agreement had been held up by arguments over who should + hold the keys. France and Holland wanted to follow the + NSA's lead and have national governments assume this role; + other players wanted user organisations to do this." [ + rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow + in Europe too, 1994-06-29] + 9.7.4. "What laws do various countries have on encryption and the + use of encryption for international traffic?" + + "Has France really banned encryption?" + - There are recurring reports that France does not allow + unfettered use of encryption. + - Hard to say. Laws on the books. But no indications that + the many French users of PGP, say, are being prosecuted. + - a nation whose leader, Francois Mitterand, was a Nazi + collaborationist, working with Petain and the Vichy + government (Klaus Barbie involved) + + Some Specific Countries + - (need more info here) + + Germany + - BND cooperates with U.S. + - Netherlands + - Russia + + Information + - "Check out the ftp site at csrc.ncsl.nist.gov for a + document named something like "laws.wp" (There are + several of these, in various formats.) This contains a + survey of the positions of various countries, done for + NIST by a couple of people at Georgetown or George + Washington or some such university." [Philip Fites, + alt.security.pgp, 1994-07-03] + 9.7.5. France planning Big Brother smart card? + - "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government + has confirmed its plans to replace citizen's paper-based ID + cards with credit card-sized "smart card" ID cards. + ..... + "The cards contain details of recent transactions, as well + as act as an "electronic purse" for smaller value + transactions using a personal identification number (PIN) + as authorization. "Purse transactions" are usually separate + from the card credit/debit system, and, when the purse is + empty, it can be reloaded from the card at a suitable ATM + or retailer terminal." (Steve Gold/19940304)" [this was + forwarded to me for posting] + 9.7.6. PTTs, local rules about modem use + 9.7.7. "What are the European laws on "Data Privacy" and why are + they such a terrible idea?" + - Various European countries have passed laws about the + compiling of computerized records on people without their + explicit permission. This applies to nearly all + computerized records--mailing lists, dossiers, credit + records, employee files, etc.--though some exceptions exist + and, in general, companies can find ways to compile records + and remain within the law. + - The rules are open to debate, and the casual individual who + cannot afford lawyers and advisors, is likely to be + breaking the laws repeatedly. For example, storing the + posts of people on the Cypherpunks list in any system + retrievable by name would violate Britain's Data Privacy + laws. That almost no such case would ever result in a + prosecution (for practical reasons) does not mean the laws + are acceptable. + - To many, these laws are a "good idea." But the laws miss + the main point, give a false sense of security (as the real + dossier-compilers are easily able to obtain exemptions, or + are government agencies themselves), and interfere in what + people do with information that properly and legally comes + there way. (Be on the alert for "civil rights" groups like + the ACLU and EFF to push for such data privacy laws. The + irony of Kapor's connection to Lotus and the failed + "Marketplace" CD-ROM product cannot be ignored.) + - Creating a law which bans the keeping of certain kinds of + records is an invitation to having "data inspectors" + rummaging through one's files. Or some kind of spot checks, + or even software key escrow. + - (Strong crypto makes these laws tough to enforce. Either + the laws go, or the counties with such laws will then have + to limit strong crypto....not that that will help in the + long run.) + - The same points apply to well-meaning proposals to make + employer monitoring of employees illegal. It sounds like a + privacy-enhancing idea, but it tramples upon the rights of + the employer to ensure that work is being done, to + basically run his business as he sees fit, etc. If I hire a + programmer and he's using my resources, my network + connections, to run an illegal operation, he exposes my + company to damages, and of course he isn't doing the job I + paid him to do. If the law forbids me to monitor this + situation, or at least to randomly check, then he can + exploit this law to his advantage and to my disadvantage. + (Again, the dangers of rigid laws, nonmarket + solutions,(lied game theory.) + 9.7.8. on the situation in Australia + + Matthew Gream [M.Gream@uts.edu.au] informed us that the + export situation in Oz is just as best as in the U.S. [1994- + 09-06] (as if we didn't know...much as we all like to dump + on Amerika for its fascist laws, it's clear that nearly all + countries are taking their New World Order Marching Orders + from the U.S., and that many of them have even more + repressive crypto laws alredy in place...they just don't + get the discussion the U.S. gets, for apparent reasons) + - "Well, fuck that for thinking I was living under a less + restrictive regime -- and I can say goodbye to an + international market for my software.] + - (I left his blunt language as is, for impact.) + 9.7.9. "For those interested, NIST have a short document for FTP, + 'Identification & Analysis of Foreign Laws & Regulations + Pertaining to the Use of Commercial Encryption Products for + Voice & Data Communications'. Dated Jan 1994." [Owen Lewis, + Re: France Bans Encryption, alt.security.pgp, 1994-07-07] + +9.8. Digital Telephony + 9.8.1. "What is Digital Telephony?" + - The Digital Telephony Bill, first proposed under Bush and + again by Clinton, is in many ways much worse than Clipper. + It has gotten less attention, for various reasons. + - For one thing, it is seen as an extension by some of + existing wiretap capabilities. And, it is fairly abstract, + happening behind the doors of telephone company switches. + - The implications are severe: mandatory wiretap and pen + register (who is calling whom) capaibilities, civil + penalties of up to $10,000 a day for insufficient + compliance, mandatory assistance must be provided, etc. + - If it is passed, it could dictate future technology. Telcos + who install it will make sure that upstart technologies + (e.g., Cypherpunks who find ways to ship voice over + computer lines) are also forced to "play by the same + rules." Being required to install government-accessible tap + points even in small systems would of course effectively + destroy them. + - On the other hand, it is getting harder and harder to make + Digital Telephony workable, even by mandate. As Jim + Kallstrom of the FBI puts it: ""Today will be the cheapest + day on which Congress could fix this thing," Kallstrom + said. "Two years from now, it will be geometrically more + expensive."" [LAN Magazine,"Is it 1984?," by Ted Bunker, + August 1994] + - This gives us a goal to shoot for: sabotage the latest + attempt to get Digital Telephony passed into law and it may + make it too intractable to *ever* be passed. + + "Today will be the cheapest day on which + - Congress could fix this thing," Kallstrom said. "Two + years from now, + - it will be geometrically more expensive." + - The message is clear: delay Digital Telephony. Sabotage it + in the court of public opinion, spread the word, make it + flop. (Reread your "Art of War" for Sun Tsu's tips on + fighting your enemy.) + - + 9.8.2. "What are the dangers of the Digital Telephony Bill?" + - It makes wiretapping invisible to the tappee. + + If passed into law, it makes central office wiretapping + trivial, automatic. + - "What should worry people is what isn't in the news (and + probably never will until it's already embedded in comm + systems). A true 'Clipper' will allow remote tapping on + demand. This is very easily done to all-digital + communications systems. If you understand network routers + and protocol it's easy to envision how simple it would be + to 're-route' a copy of a target comm to where ever you + want it to go..." [domonkos@access.digex.net (andy + domonkos), comp.org.eff.talk, 1994-06-29] + 9.8.3. "What is the Digital Telephony proposal/bill? + - proposed a few years ago...said to be inspiration for PGP + - reintroduced Feb 4, 1994 + - earlier versrion: + + "1) DIGITAL TELEPHONY PROPOSAL + - "To ensure law enforcement's continued ability to conduct + court- + - authorized taps, the administration, at the request of + the + - Dept. of Justice and the FBI, proposed ditigal telephony + - legislation. The version submitted to Congress in Sept. + 1992 + - would require providers of electronic communication + services + - and private branch exchange (PBX) operators to ensure + that the + - government's ability to lawfully intercept communications + is not + - curtailed or prevented entirely by the introduction of + advanced + - technology." + +9.9. Clipper, Escrowed Encyption Standard + 9.9.1. The Clipper Proposal + - A bombshell was dropped on April 16, 1993. A few of us saw + it coming, as we'd been debating... + 9.9.2. "How long has the government been planning key escrow?" + - since about 1989 + - ironically, we got about six months advance warning + - my own "A Trial Balloon to Ban Encryption" alerted the + world to the thinking of D. Denning....she denies having + known about key escorw until the day before it was + announced, which I find implausible (not calling her a + liar, but...) + + Phil Karn had this to say to Professor Dorothy Denning, + several weeks prior to the Clipper announcement: + - "The private use of strong cryptography provides, for the + very first time, a truly effective safeguard against this + sort of government abuse. And that's why it must continue + to be free and unregulated. + - "I should credit you for doing us all a very important + service by raising this issue. Nothing could have lit a + bigger fire under those of us who strongly believe in a + citizens' right to use cryptography than your proposals + to ban or regulate it. There are many of us out here who + share this belief *and* have the technical skills to turn + it into practice. And I promise you that we will fight + for this belief to the bitter end, if necessary." [Phil + Karn, 1993-03-23] + - + - + 9.9.3. Technically, the "Escrowed Encryption Standard," or EES. But + early everyone still calls it "Clipper, " even if NSA + belatedly realized Intergraph's won product has been called + this for many years, a la the Fairchild processor chip of the + same name. And the database product of the same name. I + pointed this out within minutes of hearing about this on + April 16th, 1993, and posted a comment to this effect on + sci.crypt. How clueless can they be to not have seen in many + months of work what many of us saw within seconds? + 9.9.4. Need for Clipper + 9.9.5. Further "justifications" for key escrow + + anonymous consultations that require revealing of + identities + - suicide crisis intervention + - confessions of abuse, crimes, etc. (Tarasoff law) + - corporate records that Feds want to look at + + Some legitimate needs for escrowed crypto + - for corporations, to bypass the passwords of departed, + fired, deceased employees, + 9.9.6. Why did the government develop Clipper? + 9.9.7. "Who are the designated escrow agents?" + - Commerce (NIST) and Treasury (Secret Service). + 9.9.8. Whit Diffie + - Miles Schmid was architect + + international key escrow + - Denning tried to defend it.... + 9.9.9. What are related programs? +9.9.10. "Where do the names "Clipper" and "Skipjack" come from? + - First, the NSA and NIST screwed up big time by choosing the + name "Clipper," which has long been the name of the 32-bit + RISC processor (one of the first) from Fairchild, later + sold to Intergraph. It is also the name of a database + compiler. Most of us saw this immediately. + - + + Clippers are boats, so are skipjacks ("A small sailboat + having a + - bottom shaped like a flat V and vertical sides" Am + Heritage. 3rd). + - Suggests a nautical theme, which fits with the + Cheseapeake environs of + - the Agency (and small boats have traditionally been a way + for the + + Agencies to dispose of suspected traitors and spies). + - + - However, Capstone is not a boat, nor is Tessera, so the + trend fails. + +9.10. Technical Details of Clipper, Skipjack, Tessera, and EES +9.10.1. Clipper chip fabrication details + + ARM6 core being used + - but also rumors of MIPS core in Tessera + - MIPS core reportedly being designed into future versions + - National also built (and may operate) a secure wafer fab + line for NSA, reportedly located on the grounds of Ft. + Meade--though I can't confirm the location or just what + National's current involvement still is. May only be for + medium-density chips, such as key material (built under + secure conditions). +9.10.2. "Why is the Clipper algorithm classified?" + - to prevent non-escrow versions, which could still use the + (presumably strong) algorithm and hardware but not be + escrowed + - cryptanalysis is always easier if the algorithms are known + :-} + - general government secrecy + - backdoors? +9.10.3. If Clipper is flawed (the Blaze LEAF Blower), how can it + still be useful to the NSA? + - by undermining commercial alternatives through subsidized + costs (which I don't think will happen, given the terrible + PR Clipper has gotten) + - mandated by law or export rules + - and the Blaze attack is--at present--not easy to use (and + anyone able to use it is likely to be sophisticated enough + to use preencryption anyway) +9.10.4. What about weaknesses of Clipper? + - In the views of many, a flawed approach. That is, arguing + about wrinkles plays into the hands of the Feds. +9.10.5. "What are some of the weaknesses in Clipper?" + - the basic idea of key escrow is an infringement on liberty + + access to the keys + - " + + "There's a big door in the side with a + - big neon sign saying "Cops and other Authorized People + Only"; + - the trapdoor is the fact that anybody with a fax + machine can make + - themselves and "Authorized Person" badge and walk in. + + - possible back doors in the Skipjace algorithm + + generation of the escrow keys + - + + "There's another trapdoor, which is that if you can + predict the escrow + - keys by stealing the parameters used by the Key + Generation Bureau to + - set them, you don't need to get the escrow keys from + the keymasters, + - you can gen them yourselves. " +9.10.6. Mykotronx + - MYK-78e chip, delays, VTI, fuses + - National Semiconductor is working with Mykotronx on a + faster implementation of the + Clipper/Capstone/Skipjack/whatever system. (May or may not + be connected directly with the iPower product line. Also, + the MIPS processor core may be used, instead of the ARM + core, which is said to be too slow.) +9.10.7. Attacks on EES + - sabotaging the escrow data base + + stealing it, thus causing a collapse in confidence + - Perry Metzger's proposal + - FUD +9.10.8. Why is the algorithm secret? +9.10.9. Skipjack is 80 bits, which is 24 bits longer than the 56 bits + of DES. so +9.10.10. "What are the implications of the bug in Tessera found by + Matt Blaze?" + - Technically, Blaze's work was done on a Tessera card, which + implements the Skipjace algorithm. The Clipper phone system + may be slightly different and details may vary; the Blaze + attack may not even work, at least not practically. + - " The announcement last month was about a discovery that, + with a half-hour or so of time on an average PC, a user + could forge a bogus LEAF (the data used by the government + to access the back door into Clipper encryption). With such + a bogus LEAF, the Clipper chip on the other end would + accept and decrypt the communication, but the back door + would not work for the government." [ Steve Brinich, + alt.privacy.clipper, 1994-07-04] + - "The "final" pre-print version (dated August 20, 1994) of + my paper, "Protocol Failure in the Escrowed Encryption + Standard" is now available. You can get it in PostScript + form via anonymous ftp from research.att.com in the file + /dist/mab/eesproto.ps . This version replaces the + preliminary draft (June 3) version that previously occupied + the same file. Most of the substance is identical, + although few sections are expanded and a few minor errors + are now corrected." [Matt Blaze, 1994-09-04] + +9.11. Products, Versions -- Tessera, Skipjack, etc. +9.11.1. "What are the various versions and products associated with + EES?" + - Clipper, the MYK-78 chip. + - Skipjack. + + Tessera. The PCMCIA card version of the Escrowed Encryption + Standard. + - the version Matt Blaze found a way to blow the LEAF + - National Semiconductor "iPower" card may or may not + support Tessera (conflicting reports). +9.11.2. AT&T Surety Communications + - NSA may have pressured them not to release DES-based + products +9.11.3. Tessera cards + - iPower + - Specifications for the Tessera card interface can be found + in several places, including " csrc.ncsl.nist.gov"--see the + file cryptcal.txt [David Koontz, 1994-08-08]. + +9.12. Current Status of EES, Clipper, etc. +9.12.1. "Did the Administration really back off on Clipper? I heard + that Al Gore wrote a letter to Rep. Cantwell, backing off." + - No, though Clipper has lost steam (corporations weren't + interested in buying Clipper phones, and AT&T was very late + in getting "Surety" phones out). + - The Gore announcement may actually indicate a shift in + emphasis to "software key escrow" (my best guess). + - Our own Michael Froomkin, a lawyer, writes: "The letter is + a nullity. It almost quotes from testimony given a year + earlier by NIST to Congress. Get a copy of Senator Leahy's + reaction off the eff www server. He saw it for the empty + thing it is....Nothing has changed except Cantwell dropped + her bill for nothing." [A.Michael Froomkin, + alt.privacy.clipper, 1994-09-05] + +9.13. National Information Infrastructure, Digital Superhighway +9.13.1. Hype on the Information Superhighway + - It's against the law to talk abou the Information + Superhighway without using at least one of the overworked + metaphors: road kill, toll boths, passing lanes, shoulders, + on-ramps, off-ramps, speeding, I-way, Infobahn, etc. + - Most of what is now floating around the suddenly-trendy + idea of the Digital Superduperway is little more than hype. + And mad metaphors. Misplaced zeal, confusing tangential + developments with real progress. Much like libertarians + assuming the space program is something they should somehow + be working on. + - For example, the much-hyped "Pizza Hut" on the Net (home + pizza pages, I guess). It is already being dubbed "the + first case of true Internet commerce." Yeah, like the Coke + machines on the Net so many years ago were examples of + Internet commerce. Pure hype. Madison Avenue nonsense. Good + for our tabloid generation. +9.13.2. "Why is the National Information Infrastructure a bad idea?" + - NII = Information Superhighway = Infobahn = Iway = a dozen + other supposedly clever and punning names + + Al Gore's proposal: + - links hospitals, schools, government + + hard to imagine that the free-wheeling anarchy of the + Internet would persist..more likely implications: + - "is-a-person" credentials, that is, proof of identity, + and hence tracking, of all interactions + - the medical and psychiatric records would be part of + this (psychiatrists are leery of this, but they may + have no choice but to comply under the National Health + Care plans being debated) + + There are other bad aspects: + - government control, government inefficiency, government + snooping + - distortion of markets ("universal access') + - restriction of innovation + - is not needed...other networks are doing perfectly well, + and will be placed where they are needed and will be + locally paid for +9.13.3. NII, Video Dialtone + + "Dialtone" + - phone companies offer an in-out connection, and charge + for the connection, making no rulings on content (related + to the "Common Carrier" status) + + for video-cable, I don't believe there is an analogous + set-up being looked at + + cable t.v. + - Carl Kadie's comments to Sternlight +9.13.4. The prospects and dangers of Net subsidies + - "universal access," esp. if same happens in health care + - those that pay make the rules + + but such access will have strings attached + - limits on crypto + - + - universal access also invites more spamming, a la the + "Freenet" spams, in which folks keep getting validated as + new users: any universal access system that is not pay-as- + you-go will be sensitive to this *or* will result in calls + for universal ID system (is-a-person credentialling) +9.13.5. NII, Superhighway, I-way + - crypto policy + - regulation, licensing + +9.14. Government Interest in Gaining Control of Cyberspace +9.14.1. Besides Clipper, Digital Telephony, and the National + Information Infrastructure, the government is interested in + other areas, such as e-mail delivery (US Postal Service + proposal) and maintenance of network systems in general. +9.14.2. Digital Telephony, ATM networks, and deals being cut + - Rumblings of deals being cut + - a new draft is out [John Gilmore, 1994-08-03] + - Encryption with hardware at full ATM speeds + - and SONET networks (experimental, Bay Area?) +9.14.3. The USPS plans for mail, authentication, effects on + competition, etc. + + This could have a devastating effect on e-mail and on + cyberspace in general, especially if it is tied in to other + government proposals in an attempt to gain control of + cyberspace. + - Digital Telelphony, Clipper, pornography laws and age + enforcement (the Amateur Action case), etc. + + "Does the USPS really have a monopoly on first class mail?" + - and on "routes"? + - "The friendly PO has recently been visiting the mail + rooms of 2) The friendly PO has recently been visiting + the mail rooms of corporations in the Bay Area, opening + FedX, etc. packages (not protected by the privacy laws of + the PO's first class mail), and fining companies ($10,000 + per violation, as I recall), for sending non-time- + sensitive documents via FedX when they could have been + sent via first-class mail." [Lew Glendenning, USPS + digital signature annoucement, sci.crypt, 1994-08-23] (A + citation or a news story would make this more credible, + but I've heard of similar spot checks.) + - The problems with government agencies competing are well- + known. First, they often have shoddy service..civil service + jobs, unfireable workers, etc. Second, they often cannot be + sued for nonperformance. Third, they often have government- + granted monopolies. + + The USPS proposal may be an opening shot in an attempt to + gain control of electronic mail...it never had control of e- + mail, but its monopoly on first-class mail may be argued by + them to extend to cyberspace. + - Note: FedEx and the other package and overnight letter + carriers face various restrictions on their service; for + example, they cannot offer "routes" and the economies + that would result in. + - A USPS takeover of the e-mail business would mean an end + to many Cypherpunks objectives, including remailers, + digital postage, etc. + - The challenge will be to get these systems deployed as + quickly as possible, to make any takeover by the USPS all + the more difficult. + +9.15. Software Key Escrow +9.15.1. (This section needs a lot more) +9.15.2. things are happening fast.... +9.15.3. TIS, Carl Ellison, Karlsruhe +9.15.4. objections to key escrow + - "Holding deposits in real estate transactions is a classic + example. Built-in wiretaps are *not* escrow, unless the + government is a party to your contract. As somebody on the + list once said, just because the Mafia call themselves + "businessmen" doesn't make them legitimate; calling + extorted wiretaps "escrow" doesn't make them a service. + + "The government has no business making me get their + permission to talk to anybody about anything in any + language I choose, and they have no business insisting I + buy "communication protection service" from some of their + friends to do it, any more than the aforenamed + "businessmen" have any business insisting I buy "fire + insurance" from *them*." [Bill Stewart, 1994-07-24] +9.15.5. Micali's "Fair Escrow" + - various efforts underway + - need section here + - Note: participants at Karlsruhe Conference report that a + German group may have published on software key escrow + years before Micali filed his patent (reports that NSA + officials were "happy") + +9.16. Politics, Opposition +9.16.1. "What should Cypherpunks say about Clipper?" + - A vast amount has been written, on this list and in dozens + of other forums. + - Eric Hughes put it nicely a while back: + - "The hypothetical backdoor in clipper is a charlatan's + issue by comparison, as is discussion of how to make a key + escrow system + 'work.' Do not be suckered into talking about an issue + that is not + important. If someone want to talk about potential back + doors, refuse to speculate. The existence of a front door + (key escrow) make back door issues pale in comparison. + + "If someone wants to talk about how key escrow works, + refuse to + elaborate. Saying that this particular key escrow system + is bad has a large measure of complicity in saying that + escrow systems in general are OK. Always argue that this + particular key escrow system is bad because it is a key + escrow system, not because it has procedural flaws. + + "This right issue is that the government has no right to my + private communications. Every other issue is the wrong + issue and detracts from this central one. If we defeat one + particular system without defeating all other possible such + systems at the same time, we have not won at all; we have + delayed the time of reckoning." [ Eric Hughes, Work the + work!, 1993-06-01] +9.16.2. What do most Americans think about Clipper and privacy?" + - insights into what we face + + "In a Time/CNN poll of 1,000 Americans conducted last week + by Yankelovich + - Partners, two-thirds said it was more important to + protect the privacy of phone + - calls than to preserve the ability of police to conduct + wiretaps. + - When informed about the Clipper Chip, 80% said they + opposed it." + - Philip Elmer-Dewitt, "Who Should Keep the Keys", Time, + Mar. 4, 1994 +9.16.3. Does anyone actually support Clipper? + + There are actually legitimate uses for forms of escrow: + - corporations + - other partnerships +9.16.4. "Who is opposed to Clipper?" + - Association for Computing Machinery (ACM). "The USACM urges + the Administration at this point to withdraw the Clipper + Chip proposal and to begin an open and public review of + encryption policy. The escrowed encryption initiative + raises vital issues of privacy, law enforcement, + competitiveness and scientific innovation that must be + openly discussed." [US ACM, DC Office" , + USACM Calls for Clipper Withdrawal, press release, 1994-06- + 30] +9.16.5. "What's so bad about key escrow?" + + If it's truly voluntary, there can be a valid use for this. + + Are trapdoors justified in some cases? + + Corporations that wish to recover encrypted data + + several scenarios + - employee encrypts important files, then dies or is + otherwise unavailable + + employee leaves company before decrypting all files + - some may be archived and not needed to be opened + for many years + - employee may demand "ransom" (closely related to + virus extortion cases) + - files are found but the original encryptor is + unknown + + Likely situation is that encryption algorithms will be + mandated by corporation, with a "master key" kept + available + - like a trapdoor + - the existence of the master key may not even be + publicized within the company (to head off concerns + about security, abuses, etc.) + + Government is trying to get trapdoors put in + - S.266, which failed ultimately (but not before + creating a ruckus) + + If the government requires it... + - Key escrow means the government can be inside your home + without you even knowing it + - and key escrow is not really escrow...what does one get + back from the "escrow" service? +9.16.6. Why governments should not have keys + - can then set people up by faking messages, by planting + evidence + - can spy on targets for their own purposes (which history + tells us can include bribery, corporate espionage, drug- + running, assassinations, and all manner of illegal and + sleazy activities) + - can sabotage contracts, deals, etc. + - would give them access to internal corporate communications + - undermines the whole validity of such contracts, and of + cryptographic standards of identity (shakes confidence) + - giving the King or the State the power to impersonate + another is a gross injustice + - imagine the government of Iran having a backdoor to read + the secret journals of its subjects! + - 4th Amendment + - attorney-client privilege (with trapdoors, no way to know + that government has not breached confidentiality) +9.16.7. "How might the Clipper chip be foiled or defeated?" + - Politically, market-wise, and technical + - If deployed, that is + + Ways to Defeat Clipper + - preencryption or superencryption + - LEAF blower + - plug-compatible, reverse-engineered chip + - sabotage + - undermining confidence + - Sun Tzu +9.16.8. How can Clipper be defeated, politically? +9.16.9. How can Clipper be defeated, in the market? +9.16.10. How can Clipper be defeated, technologically? +9.16.11. Questions + + Clipper issues and questions + - a vast number of questions, comments, challenges, + tidbits, details, issues + - entire newsgroups devoted to this + + "What criminal or terrrorist will be smart enough to use + encryption but dumb enough to use Clipper?" + - This is one of the Great Unanswered Questions. Clipper's + supporter's are mum on this one. Suggesting.... + + "Why not encrypt data before using the Clipper/EES?" + - "Why can't you just encrypt data before the clipper chip? + + Two answers: + + 1) the people you want to communicate with won't have + hardware to + decrypt your data, statistically speaking. The beauty + of clipper + from the NSA point of view is that they are leveraging + the + installed base (they hope) of telephones and making it + impossible + (again, statistically) for a large fraction of the + traffic to be + untappable. + + 2) They won't license bad people like you to make + equipment like the + system you describe. I'll wager that the chip + distribution will be + done in a way to prevent significant numbers of such + systems from + being built, assuring that (1) remains true." [Tom + Knight, sci.crypt, 6-5-93] + + - + + What are the implications of mandatory key escrow? + + "escrow" is misleading... + - wrong use of the term + - implies a voluntary, and returnable, situation + + "If key escrow is "voluntary," what's the big deal?" + - Taxes are supposedly "voluntary," too. + - A wise man prepares for what is _possible_ and even + _likely_, not just what is announced as part of public + policy; policies can and do change. There is plenty of + precedent for a "voluntary" system being made mandatory. + - The form of the Clipper/EES system suggests eventual + mandatory status; the form of such a ban is debatable. + + "What is 'superencipherment,' and can it be used to defeat + Clipper?" + - preencrypting + - could be viewed as a non-English language + + how could Clipper chip know about it (entropy measures?) + - far-fetched + - wouldn't solve traffic anal. problem + - What's the connection between Clipper and export laws? + + "Doesn't this make the Clipper database a ripe target?" + - for subversion, sabotage, espionage, theft + - presumably backups will be kept, and _these_ will also be + targets + + "Is Clipper just for voice encryption?" + - Clipper is a data encryption chip, with the digital data + supplied by an ADC located outside the chip. In + principle, it could thus be used for data encryption in + general. + - In practice, the name Clipper is generally associated + with telephone use, while "Capstone" is the data standard + (some differences, too). The "Skipjack" algorithm is used + in several of these proposed systems (Tessera, also). +9.16.12. "Why is Clipper worse than what we have now?" + + John Gilmore answered this question in a nice essay. I'm + including the whole thing, including a digression into + cellular telephones, because it gives some insight--and + names some names of NSA liars--into how NSA and NIST have + used their powers to thwart true security. + - "It's worse because the market keeps moving toward + providing real encryption. + + "If Clipper succeeds, it will be by displacing real + secure encryption. If real secure encryption makes it + into mass market communications products, Clipper will + have failed. The whole point is not to get a few + Clippers used by cops; the point is to make it a + worldwide standard, rather than having 3-key triple-DES + with RSA and Diffie-Hellman become the worldwide + standard. + + "We'd have decent encryption in digital cellular phones + *now*, except for the active intervention of Jerry + Rainville of NSA, who `hosted' a meeting of the standards + committee inside Ft. Meade, lied to them about export + control to keep committee documents limited to a small + group, and got a willing dupe from Motorola, Louis + Finkelstein, to propose an encryption scheme a child + could break. The IS-54 standard for digital cellular + doesn't describe the encryption scheme -- it's described + in a separate document, which ordinary people can't get, + even though it's part of the official accredited + standard. (Guess who accredits standards bodies though - + - that's right, the once pure NIST.) + + "The reason it's secret is because it's so obviously + weak. The system generates a 160-bit "key" and then + simply XORs it against each block of the compressed + speech. Take any ten or twenty blocks and recover the + key by XORing frequent speech patterns (like silence, or + the letter "A") against pieces of the blocks to produce + guesses at the key. You try each guess on a few blocks, + and the likelihood of producing something that decodes + like speech in all the blocks is small enough that you'll + know when your guess is the real key. + + "NSA is continuing to muck around in the Digital Cellular + standards committee (TR 45.3) this year too. I encourage + anyone who's interested to join the committee, perhaps as + an observer. Contact the Telecommunications Industry + Association in DC and sign up. Like any standards + committee, it's open to the public and meets in various + places around the country. I'll lend you a lawyer if + you're a foreign national, since the committee may still + believe that they must exclude foreign nationals from + public discussions of cryptography. Somehow the crypto + conferences have no trouble with this; I think it's + called the First Amendment. NSA knows the law here -- + indeed it enforces it via the State Dept -- but lied to + the committee." [John Gilmore, "Why is clipper worse than + "no encryption like we have," comp.org.eff.talk, 1994-04- + 27] +9.16.13. on trusting the government + - "WHAT AM THE MORAL OF THE STORY, UNCLE REMUS?....When the + government makes any announcement (ESPECIALLY a denial), + you should figure out what the government is trying to get + you to do--and do the opposite. Contrarianism with a + vengance. Of all the advice I've offered on the + Cypherpunks Channel, this is absolutely the most certain." + [Sandy Sandfort, 1994-07-17] + - if the Founders of the U.S. could see the corrupt, + socialist state this nation has degenerated to, they'd be + breaking into missile silos and stealing nukes to use + against the central power base. + + can the government be trusted to run the key escrow system? + - "I just heard on the news that 1300 IRS employees have + been disciplined for unauthorized accesses to + electronically filed income tax returns. ..I'm sure they + will do much better, though, when the FBI runs the phone + system, the Post Office controls digital identity and + Hillary takes care of our health." [Sandy Sandfort, 1994- + 07-19] + - This is just one of many such examples: Watergate ("I am + not a crook!"), Iran-Contra, arms deals, cocaine + shipments by the CIA, Teapot Dome, graft, payoffs, + bribes, assassinations, Yankee-Cowboy War, Bohemian + Grove, Casolaro, more killings, invasions, wars. The + government that is too chicken to ever admit it lost a + war, and conspicuously avoids diplomatic contact with + enemies it failed to vanquish (Vietnam, North Korea, + Cuba, etc.), while quickly becoming sugar daddy to the + countries it did vanquish...the U.S. appears to be + lacking in practicality. (Me, I consider it wrong for + anyone to tell me I can't trade with folks in another + country, whether it's Haiti, South Africa, Cuba, Korea, + whatever. Crypto anarchy means we'll have _some_ of the + ways of bypassing these laws, of making our own moral + decisions without regard to the prevailing popular + sentiment of the countries in which we live at the + moment.) + +9.17. Legal Issues with Escrowed Encryption and Clipper +9.17.1. As John Gilmore put it in a guest editorial in the "San + Francisco Examiner," "...we want the public to see a serious + debate about why the Constitution should be burned in order + to save the country." [J.G., 1994-06-26, quoted by S. + Sandfort] +9.17.2. "I don't see how Clipper gives the government any powers or + capabilities it doesn't already have. Comments?" +9.17.3. Is Clipper really voluntary? +9.17.4. If Clipper is voluntary, who will use it? +9.17.5. Restrictions on Civilian Use of Crypto +9.17.6. "Has crypto been restricted in the U.S.?" +9.17.7. "What legal steps are being taken?" + - Zimmermann + - ITAR +9.17.8. reports that Department of Justice has a compliance + enforcement role in the EES [heard by someone from Dorothy + Denning, 1994-07], probably involving checking the law + enforcement agencies... +9.17.9. Status + + "Will government agencies use Clipper?" + - Ah, the embarrassing question. They claim they will, but + there are also reports that sensitive agencies will not + use it, that Clipper is too insecure for them (key + lenght, compromise of escrow data, etc.). There may also + be different procedures (all agencies are equal, but some + are more equal than others). + - Clipper is rated for unclassified use, so this rules out + many agencies and many uses. An interesting double + standard. + + "Is the Administration backing away from Clipper?" + + industry opposition surprised them + - groups last summer, Citicorp, etc. + - public opinion + - editorial remarks + - so they may be preparing alternative + - and Gilmore's FOIA, Blaze's attack, the Denning + nonreview, the secrecy of the algortithm + + will not work + - spies won't use it, child pornographers probably won't + use it (if alternatives exist, which may be the whole + point) + - terrorists won't use it + - Is Clipper in trouble? +9.17.10. "Will Clipper be voluntary?" + - Many supporters of Clipper have cited the voluntary nature + of Clipper--as expressed in some policy statements--and + have used this to counter criticism. + + However, even if truly voluntary, some issues + + improper role for government to try to create a + commercial standard + - though the NIST role can be used to counter this point, + partly + - government can and does make it tough for competitors + - export controls (statements by officials on this exist) + + Cites for voluntary status: + - original statement says it will be voluntary + - (need to get some statements here) + + Cites for eventual mandatory status: + - "Without this initiative, the government will eventually + become helpless to defend the nation." [Louis Freeh, + director of the FBI, various sources] + - Steven Walker of Trusted Information Systems is one of + many who think so: "Based on his analysis, Walker added, + "I'm convinced that five years from now they'll say 'This + isn't working,' so we'll have to change the rules." Then, + he predicted, Clipper will be made mandatory for all + encoded communications." [ + + Parallels to other voluntary programs + - taxes + +9.18. Concerns +9.18.1. Constitutional Issues + - 4th Amend + - privacy of attorney-client, etc. + + Feds can get access without public hearings, records + - secret intelligence courts + - + + "It is uncontested (so far as I have read) that under + certain circum- + - stances, the Federal intelligence community wil be + permitted to + - obtain Clipper keys without any court order on public + record. Only + - internal, classified proceedings will protect our + privacy." +9.18.2. "What are some dangers of Clipper, if it is widely adopted?" + + sender/receiver ID are accessible without going to the key + escrow + - this makes traffic analysis, contact lists, easy to + generate + + distortions of markets ("chilling effects") as a plan by + government + - make alternatives expensive, hard to export, grounds for + suspicion + - use of ITAR to thwart alternatives (would be helped if + Cantwell bill to liberalize export controls on + cryptography (HR 3627) passes) + + VHDL implementations possible + - speculates Lew Glendenning, sci.crypt, 4-13-94 + - and recall MIPS connection (be careful here) +9.18.3. Market Isssues +9.18.4. "What are the weaknesses in Clipper?" + + Carl Ellison analyzed it this way: + - "It amuses the gallows-humor bone in me to see people + busily debating the quality of Skipjack as an algorithm + and the quality of the review of its strength. + + Someone proposes to dangle you over the Grand Canyon + using + + sewing thread + tied to + steel chain + tied to + knitting yarn + + and you're debating whether the steel chain has been X- + rayed properly to see if there are flaws in the metal. + + "Key generation, chip fabrication, court orders, + distribution of keys once acquired from escrow agencies + and safety of keys within escrow agencies are some of the + real weaknesses. Once those are as strong as my use of + 1024-bit RSA and truly random session keys in keeping + keys on the two sides of a conversation with no one in + the middle able to get the key, then we need to look at + the steel chain in the middle: Skipjack itself." [Carl + Ellison, 1993-08-02] + + Date: Mon, 2 Aug 93 17:29:54 EDT + From: cme@ellisun.sw.stratus.com (Carl Ellison) + To: cypherpunks@toad.com + Subject: cross-post + Status: OR + + Path: transfer.stratus.com!ellisun.sw.stratus.com!cme + From: cme@ellisun.sw.stratus.com (Carl Ellison) + Newsgroups: sci.crypt + Subject: Skipjack review as a side-track + Date: 2 Aug 1993 21:25:11 GMT + Organization: Stratus Computer, Marlboro MA + Lines: 28 + Message-ID: <23k0nn$8gk@transfer.stratus.com> + NNTP-Posting-Host: ellisun.sw.stratus.com + + It amuses the gallows-humor bone in me to see people + busily debating the + quality of Skipjack as an algorithm and the quality of + the review of its + strength. + + Someone proposes to dangle you over the Grand Canyon + using + + sewing thread + tied to + steel chain + tied to + knitting yarn + + and you're debating whether the steel chain has been X- + rayed properly + to see if there are flaws in the metal. + + Key generation, chip fabrication, court orders, + distribution of keys once + acquired from escrow agencies and safety of keys within + escrow agencies are + some of the real weaknesses. Once those are as strong as + my use of + 1024-bit RSA and truly random session keys in keeping + keys on the two sides + of a conversation with no one in the middle able to get + the key, then we + need to look at the steel chain in the middle: Skipjack + itself. + + - "Key generation, chip fabrication, court orders, + distribution of keys once acquired from escrow agencies + and safety of keys within escrow agencies are some of + the real weaknesses. Once those are as strong as my + use of 1024-bit RSA and truly random session keys in + keeping keys on the two sides of a conversation with no + one in the middle able to get the key, then we need to + look at the steel chain in the middle: Skipjack + itself." +9.18.5. What it Means for the Future +9.18.6. Skipjack +9.18.7. National security exceptions + - grep Gilmore's FOIA for mention that national security + people will have direct access and that this will not be + mentioned to the public + + "The "National Security" exception built into the Clipper + proposal + - leaves an extraordinarily weak link in the chain of + procedures designed + - to protect user privacy. To place awesome powers of + surveillance + - technologically within the reach of a few, hoping that so + weak a chain + - will bind them, would amount to dangerous folly. It + flies in the face + - of history. +9.18.8. In my view, any focus on the details of Clipper instead of + the overall concept of key escrow plays into their hands. + This is not to say that the work of Blaze and others is + misguided....in fact, it's very fine work. But a general + focus on the _details_ of Skipjack does nothing to allay my + concerns about the _principle_ of government-mandated crypto. + + If it were "house key escrow" and there were missing details + about the number of teeth allowed on the keys, would be then + all breathe a sigh of relief if the details of the teeth were + clarified? Of course not. Me, I will never use a key escrow + system, even if a blue ribbon panel of hackers and + Cypherpunks studies the design and declares it to be + cryptographically sound. +9.18.9. Concern about Clipper + - allows past communications to be read + + authorities could--maybe--read a lot of stuff, even + illegally, then use this for other investigations (the old + "we had an anonymous tip" ploy) + - "The problem with Clipper is that it provides police + agencies with dramatically enhanced target acquistion. + There is nothing to prevent NSA, ATF, FBI (or the Special + Projects division of the Justice Department) from + reviewing all internet traffic, as long as they are + willing to forsake using it in a criminal prosecution." + [dgard@netcom.com, alt.privacy.clipper, 1994-07-05] +9.18.10. Some wags have suggested that the new escrow agencies be + chosen from groups like Amnesty International and the ACLU. + Most of us are opposed to the "very idea" of key escrow + (think of being told to escrow family photos, diaries, or + house keys) and hence even these kinds of skeptical groups + are unacceptable as escrow agents. + +9.19. Loose Ends +9.19.1. "Are trapdoors--or some form of escrowed encryption-- + justified in some cases?" + + Sure. There are various reasons why individuals, companies, + etc. may want to use crypto protocols that allow them to + decrypt even if they've lost their key, perhaps by going to + their lawyer and getting the sealed envelope they left with + him, etc. + - or using a form of "software key escrow" that allows them + access + + Corporations that wish to recover encrypted data + + several scenarios + - employee encrypts important files, then dies or is + otherwise unavailable + + employee leaves company before decrypting all files + - some may be archived and not needed to be opened for + many years + - employee may demand "ransom" (closely related to virus + extortion cases) + - files are found but the original encryptor is unknown + + Likely situation is that encryption algorithms will be + mandated by corporation, with a "master key" kept available + - like a trapdoor + - the existence of the master key may not even be + publicized within the company (to head off concerns about + security, abuses, etc.) + - The mandatory use of key escrow, a la a mandatory Clipper + system, or the system many of us believe is being developed + for software key escrow (SKE, also called "GAK," for + "government access to keys, by Carl Ellison) is completely + different, and is unacceptable. (Clipper is discussed in + many places here.) +9.19.2. DSS + + Continuing confusion over patents, standards, licensing, + etc. + - "FIPS186 is DSS. NIST is of the opinion that DSS does not + violate PKP's patents. PKP (or at least Jim Bidzos) takes + the position that it does. But for various reasons, PKP + won't sue the government. But Bidzos threatens to sue + private parties who infringe. Stay tuned...." [Steve + Wildstrom, sci.crypt, 1994-08-19] + - even Taher ElGamal believes it's a weak standard + - subliminal channels issues +9.19.3. The U.S. is often hypocritical about basic rights + - plans to "disarm" the Haitians, as we did to the Somalians + (which made those we disarmed even more vulnerable to the + local warlords) + - government officials are proposing to "silence" a radio + station in Ruanda they feel is sending out the wrong + message! (Heard on "McNeil-Lehrer News Hour," 1994-07-21] +9.19.4. "is-a-person" and RSA-style credentials + + a dangerous idea, that government will insist that keys be + linked to persons, with only one per person + - this is a flaw in AOCE system + - many apps need new keys generated many times + +10. Legal Issues + +10.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +10.2. SUMMARY: Legal Issues +10.2.1. Main Points +10.2.2. Connections to Other Sections + - Sad to say, but legal considerations impinge on nearly + every aspect of crypto +10.2.3. Where to Find Additional Information +10.2.4. Miscellaneous Comments + - "I'm a scientist, Jim, not an attorney." Hence, take my + legal comments here with a grain of salt, representing only + hints of the truth as I picked them up from the discussions + on the various forums and lists. + +10.3. Basic Legality of Encryption +10.3.1. "Is this stuff legal or illegal?" + - Certainly the _talking_ about it is mostly legal, at least + in the U.S. and at the time of this writing. In other + countries, you prison term may vary. + + The actions resulting from crypto, and crypto anarchy, may + well be illegal. Such is often the case when technology is + applied without any particular regard for what the laws say + is permitted. (Pandora's Box and all that.) + - Cypherpunks really don't care much about such ephemera as + the "laws" of some geographic region. Cypherpunks make + their own laws. + + There are two broad ways of getting things done: + - First, looking at the law and regulations and finding + ways to exploit them. This is the tack favored by + lawyers, of whic$are many in this country. + - Second, "just do it." In areas where the law hasn't + caught up, this can mean unconstrained technological + developement. Good examples are the computer and chip + business, where issues of legality rarely arose (except + in the usual areas of contract enforcement, etc.). More + recently the chip business has discovered lawyering, with + a vengeance. + - In other areas, where the law is centrally involved, + "just do it" can mean many technical violations of the + law. Examples: personal service jobs (maids and + babysitters), contracting jobs without licenses, + permissions, etc., and so on. Often these are "illegal + markets," putatively. + - And bear in mind that the legal system can be used to + hassle people, to pressure them to "plead out" to some + charges, to back off, etc. (In the firearms business, the + pressures and threats are also used to cause some + manufacturers, like Ruger, to back off on a radical pro-gun + stance, so as to be granted favors and milder treatment. + Pressure on crypto-producing companies are probably very + similar. Play ball, or we'll run you over in the parking + lot.) +10.3.2. "Why is the legal status of crypto so murky?" + - First, it may be murkier to me than it it to actual lawyers + like Mike Godwin and Michael Froomkin, both of whom have + been on our list at times. (Though my impression from + talking to Godwin is that many or even most of these issues + have not been addressed in the courts, let alone resolved + definitively.) + - Second, crypto issues have not generally reached the + courts, reflecting the nascent status of most of the things + talked about it here. Things as "trivial" as digital + signatures and digital timestamping have yet to be + challenged in courts, or declared illegal, or anything + similar that might produce a precedent-setting ruling. (Stu + Haber agrees that such tests are lacking.) + - Finally, the issues are deep ones, going to the heart of + issues of self-incrimination (disclosure of keys, + contempt), of intellectual property and export laws (want + to jail someone for talking about prime numbers?), and the + incredibly byzantine world of money and financial + instruments. + - A legal study of crypto--which I hear Professor Froomkin is + doing--could be very important. +10.3.3. "Has the basic legality of crypto and laws about crypto been + tested?" + - As usual, a U.S. focus here. I know little of the situation + in non-U.S. countries (and in many of them the law is + whatever the rulers say it is). + - And I'm not a lawyer. + + Some facts: + - no direct Constitutional statement about privacy (though + many feel it is implied) + - crypto was not a major issue (espionage was, and was + dealt with harshly, but encrypting things was not a + problem per se) + + only in the recent past has it become important...and it + will become much more so + - as criminals encrypt, as terrorists encrypt + - as tax is avoided via the techniques described here + - collusion of business ("crypto interlocking + directorates," price signalling) + - black markets, information markets + + Lawrence Tribe..new amendment + - scary, as it may place limits.... (but unlikely to + happen) + + Crypto in Court + - mostly untested + - can keys be compelled? + - Expect some important cases in the next several years +10.3.4. "Can authorities force the disclosure of a key?" + + Mike Godwin, legal counsel for the EFF, has been asked this + queston _many_ times: + - "Note that a court could cite you for contempt for not + complying with a subpoena duces tecum (a subpoena + requiring you to produce objects or documents) if you + fail to turn over subpoenaed backups....To be honest, I + don't think *any* security measure is adequate against a + government that's determined to overreach its authority + and its citizens' rights, but crypto comes close." [Mike + Godwin, 1993-06-14] + + Torture is out (in many countries, but not all). Truth + serum, etc., ditto. + - "Rubber hose cryptography" + + Constitutional issues + - self-incrimination + + on the "Yes" side: + + is same, some say, as forcing combination to a safe + containing information or stolen goods + - but some say-and a court may have ruled on this-that + the safe can always be cut open and so the issue is + mostly moot + - while forcing key disclosure is compelled testimony + - and one can always claim to have forgotten the key + - i.e., what happens when a suspect simply clams up? + - but authorities can routinely demand cooperation in + investigations, can seize records, etc. + + on the "No" side: + - can't force a suspect to talk, whether about where he hid + the loot or where his kidnap victim is hidden + - practically speaking, someone under indictment cannot be + forced to reveal Swiss bank accounts....this would seem + to be directly analogous to a cryptographic key + - thus, the key to open an account would seem to be the + same thing + - a memorized key cannot be forced, says someone with EFF + or CPSR + + "Safe" analogy + + You have a safe, you won' tell the combination + - you just refuse + - you claim to have forgotten it + - you really don't know it + - cops can cut the safe open, so compelling a combination + is not needed + - "interefering with an investigation" + - on balance, it seems clear that the disclosure of + cryptographic keys cannot be forced (though the practical + penalty for nondisclosure could be severe) + + Courts + + compelled testimony is certainly common + - if one is not charged, one cannot take the 5th (may be + some wrinkles here) + - contempt + + What won't immunize disclosure: + + clever jokes about "I am guilty of money laundering" + - can it be used? + - does judge declaring immunity apply in this case? + - Eric Hughes has pointed out that the form of the + statement is key: "My key is: "I am a murderer."" is + not a legal admission of anything. + - (There may be some subtleties where the key does contain + important evidence--perhaps the location of a buried body- + -but I think these issues are relatively minor.) + - but this has not really been tested, so far as I know + - and many people say that such cooperation can be + demanded... + - Contempt, claims of forgetting +10.3.5. Forgetting passwords, and testimony + + This is another area of intense speculation: + - "I forgot. So sue me." + - "I forgot. It was just a temporary file I was working on, + and I just can't remember the password I picked." (A less + in-your-face approach.) + + "I refuse to give my password on the grounds that it may + tend to incriminate me." + + Canonical example: "My password is: 'I sell illegal + drugs.'" + - Eric Hughes has pointed out this is not a real + admission of guilt, just a syntactic form, so it is + nonsense to claim that it is incriminating. I agree. + I don't know if any court tests have confirmed this. + + Sandy Sandfort theorizes that this example might work, or + at least lead to an interesting legal dilemma: + - "As an example, your passphrase could be: + + I shot a cop in the back and buried his body + under + the porch at 123 Main St., anywhere USA. The gun + is + wrapped in an oily cloth in my mother's attic. + + "I decline to answer on the grounds that my passphrase is + a statement which may tend to incriminate me. I will + only give my passphrase if I am given immunity from + prosecution for the actions to which it alludes." + + "Too cute, I know, but who knows, it might work." [S.S., + 1994-0727] +10.3.6. "What about disavowal of keys? Of digital signatures? Of + contracts? + - In the short term, the courts are relatively silent, as few + of these issues have reached the courts. Things like + signatures and contract breaches would likely be handled as + they currently are (that is, the judge would look at the + circumstances, etc.) + + Clearly this is a major concern. There are two main avenues + of dealing with this" + - The "purist" approach. You *are* your key. Caveat emptor. + Guard your keys. If your signature is used, you are + responsible. (People can lessen their exposure by using + protocols that limit risk, analogous to the way ATM + systems only allow, say, $200 a day to be withdrawn.) + - The legal system can be used (maybe) to deal with these + issues. Maybe. Little of this has been tested in courts. + Conventional methods of verifying forged signatures will + not work. Contract law with digital signatures will be a + new area. + - The problem of *repudiation* or *disavowal* was recognized + early on in cryptologic circles. Alice is confronted with a + digital signature, or whatever. She says; "But I didn't + sign that" or "Oh, that's my old key--it's obsolete" or "My + sysadmin must have snooped through my files," or "I guess + those key escrow guys are at it again." + - I think that only the purist stance will hold water in the + long run.(A hint of this: untraceable cash means, for most + transactions of interest with digital cash, that once the + crypto stuff has been handled, whether the sig was stolen + or not is moot, because the money is gone...no court can + rule that the sig was invalid and then retrieve the cash!) +10.3.7. "What are some arguments for the freedom to encrypt?" + - bans are hard to enforce, requiring extensive police + intrusions + - private letters, diaries, conversations + - in U.S., various provisions + - anonymity is often needed +10.3.8. Restrictions on anonymity + - "identity escrow" is what Eric Hughes calls it + - linits on mail drops, on anonymous accounts, and--perhaps + ultimately--on cash purchases of any and all goods +10.3.9. "Are bulletin boards and Internet providers "common carriers" + or not?" + - Not clear. BBS operators are clearly held more liable for + content than the phone company is, for example. +10.3.10. Too much cleverness is passing for law + - Many schemes to bypass tax laws, regulations, etc., are, as + the British like to say, "too cute by half." For example, + claims that the dollar is defined as 1/35th of an ounce of + gold and that the modern dollar is only 1/10th of this. Or + that Ohio failed to properly enter the Union, and hence all + laws passed afterward are invalid. The same could be said + of schemes to deploy digital cash be claiming that ordinary + laws do not apply. Well, those who try such schemes often + find out otherwise, sometimes in prison. Tread carefully. +10.3.11. "Is it legal to advocate the overthrow of governments or the + breaking of laws?" + - Although many Cypherpunks are not radicals, many others of + us are, and we often advocate "collapse of governments" and + other such things as money laundering schemes, tax evasion, + new methods for espionage, information markets, data + havens, etc. This rasises obvious concerns about legality. + - First off, I have to speak mainly of U.S. issues...the laws + of Russia or Japan or whatever may be completely different. + Sorry for the U.S.-centric focus of this FAQ, but that's + the way it is. The Net started here, and still is + dominantly here, and the laws of the U.S. are being + propagated around the world as part of the New World Order + and the collapse of the other superpower. + - Is it legal to advocate the replacement of a government? In + the U.S., it's the basic political process (though cynics + might argue that both parties represent the same governing + philosophy). Advocating the *violent overthrow* of the U.S. + government is apparently illegal, though I lack a cite on + this. + + Is it legal to advocate illegal acts in general? Certainly + much of free speech is precisely this: arguing for drug + use, for boycotts, etc. + + The EFF gopher site has this on "Advocating Lawbreaking, + Brandenburg v. Ohio. ": + - "In the 1969 case of Brandenburg v. Ohio, the Supreme + Court struck down the conviction of a Ku Klux Klan + member under a criminal syndicalism law and established + a new standard: Speech may not be suppressed or + punished unless it is intended to produce 'imminent + lawless action' and it is 'likely to produce such + action.' Otherwise, the First Amendment protects even + speech that advocates violence. The Brandenburg test is + the law today. " + +10.4. Can Crypto be Banned? +10.4.1. "Why won't government simply _ban such encryption methods?" + + This has always been the Number One Issue! + - raised by Stiegler, Drexler, Salin, and several others + (and in fact raised by some as an objection to my even + discussing these issues, namely, that action may then be + taken to head off the world I describe) + + Types of Bans on Encryption and Secrecy + - Ban on Private Use of Encryption + - Ban on Store-and-Forward Nodes + - Ban on Tokens and ZKIPS Authentication + - Requirement for public disclosure of all transactions + + Recent news (3-6-92, same day as Michaelangelo and + Lawnmower Man) that government is proposing a surcharge + on telcos and long distance services to pay for new + equipment needed to tap phones! + - S.266 and related bills + - this was argued in terms of stopping drug dealers and + other criminals + - but how does the government intend to deal with the + various forms fo end-user encryption or "confusion" + (the confusion that will come from compression, + packetizing, simple file encryption, etc.) + + Types of Arguments Against Such Bans + - The "Constitutional Rights" Arguments + + The "It's Too Late" Arguments + - PCs are already widely scattered, running dozens of + compression and encryption programs...it is far too + late to insist on "in the clear" broadcasts, whatever + those may be (is program code distinguishable from + encrypted messages? No.) + - encrypted faxes, modem scramblers (albeit with some + restrictions) + - wireless LANs, packets, radio, IR, compressed text and + images, etc....all will defeat any efforts short of + police state intervention (which may still happen) + + The "Feud Within the NSA" Arguments + - COMSEC vs. PROD + + Will affect the privacy rights of corporations + - and there is much evidence that corporations are in + fact being spied upon, by foreign governments, by the + NSA, etc. + + They Will Try to Ban Such Encryption Techniques + + Stings (perhaps using viruses and logic bombs) + - or "barium," to trace the code + + Legal liability for companies that allow employees to use + such methods + - perhaps even in their own time, via the assumption that + employees who use illegal software methods in their own + time are perhaps couriers or agents for their + corporations (a tenuous point) +10.4.2. The long-range impossibility of banning crypto + - stego + - direct broadcast to overhead satellites + - samizdat + - compression, algorithms, ....all made plaintext hard to + find +10.4.3. Banning crypto is comparable to + + banning ski masks because criminals can hide their identity + - Note: yes, there are laws about "going masked for the + purpose of being masked," or somesuch + + insisting that all speech be in languages understandable by + eavesdroppers + - (I don't mean "official languages" for dealing with the + Feds, or what employers may reasonably insist on) + - outlawing curtains, or at least requiring that "Clipper + curtains" be bought (curtains which are transparent at + wavelengths the governments of the world can use) + - position escrow, via electronic bracelets like criminals + wear + - restrictions on books that possibly help criminals + - banning body armor (proposed in several communities) + - banning radar detectors + - (Note that these bans become more "reasonable" when the + items like body armor and radar detectos are reached, at + least to many people. Not to me, of course.) +10.4.4. So Won't Governments Stop These Systems? + - Citing national security, protection of private property, + common decency, etc. + + Legal Measures + - Bans on ownership and operation of "anonymous" systems + + Restrictions on cryptographic algorithms + - RSA patent may be a start + + RICO, civil suits, money-laundering laws + - FINCEN, Financial Crimes Information Center + - IRS, Justice, NSA, FBI, DIA, CIA + - attempts to force other countries to comply with U.S. + banking laws +10.4.5. Scenario for a ban on encryption + - "Paranoia is cryptography's occupational hazard." [Eric + Hughes, 1994-05-14] + + There are many scenarios. Here is a graphic one from Sandy + Sandfort: + - "Remember the instructions for cooking a live frog. The + government does not intend to stop until they have + effectively eliminated your privacy. + + STEP 1: Clipper becomes the de facto encryption + standard. + + STEP 2: When Cypherpunks and other "criminals" eschew + Clipper in favor of trusted strong crypto, the government + is "forced" to ban non-escrowed encryption systems. + (Gotta catch those pedophiles, drug dealers and + terrorists, after all.) + + STEP 3: When Cypherpunks and other criminals use + superencryption with Clipper or spoof LEAFs, the + government will regretably be forced to engage in random + message monitoring to detect these illegal techniques. + + Each of these steps will be taken because we wouldn't + passively accept such things as unrestricted wiretaps and + reasonable precautions like + digital telephony. It will portrayed as our fault. + Count on it." [Sandy Sandfort, 6-14-94] + +10.4.6. Can the flow of bits be stopped? Is the genie really out of + the bottle? + - Note that Carl Ellison has long argued that the genie was + never _in_ the bottle, at least not in the U.S. in non- + wartime situations (use of cryptography, especially in + communications, in wartime obviously raises eyebrows) + +10.5. Legal Issues with PGP +7.12.1. "What is RSA Data Security Inc.'s position on PGP?" + I. They were strongly opposed to early versions +II. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos +III. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos +IV. Talk of lawsuits, actions, etc. + V. The 2.6 MIT accomodation may have lessened the tension; + purely speculative +7.12.2. "Is PGP legal or illegal"? +7.12.3. "Is there still a conflict between RSADSI and PRZ?" + - Apparently not. The MIT 2.6 negotiations seem to have + buried all such rancor. At least officially. I hear there's + still animosity, but it's no longer at the surface. (And + RSADSI is now facing lawsuits and patent suits.) + +10.6. Legal Issues with Remailers + 8.9.1. What's the legal status of remailers? + - There are no laws against it at this time. + - No laws saying people have to put return addresses on + messages, on phone calls (pay phones are still legal), etc. + - And the laws pertaining to not having to produce identity + (the "flier" case, where leaflet distributors did not have + to produce ID) would seem to apply to this form of + communication. + + However, remailers may come under fire: + + Sysops, MIT case + - potentially serious for remailers if the case is + decided such that the sysop's creation of group that + was conducive to criminal pirating was itself a + crime...that could make all involved in remailers + culpable + 8.9.2. "Can remailer logs be subpoenaed?" + - Count on it happening, perhaps very soon. The FBI has been + subpoenaing e-mail archives for a Netcom customer (Lewis De + Payne), probably because they think the e-mail will lead + them to the location of uber-hacker Kevin Mitnick. Had the + parties used remailers, I'm fairly sure we'd be seeing + similar subpoenas for the remailer logs. + - There's no exemption for remailers that I know of! + + The solutions are obvious, though: + - use many remailers, to make subpoenaing back through the + chain very laborious, very expensive, and likely to fail + (if even one party won't cooperate, or is outside the + court's jurisdiction, etc.) + - offshore, multi-jurisdictional remailers (seleted by the + user) + - no remailer logs kept...destroy them (no law currently + says anybody has to keep e-mail records! This may + change....) + - "forward secrecy," a la Diffie-Hellman forward secrecy + 8.9.3. How will remailers be harassed, attacked, and challenged? + 8.9.4. "Can pressure be put on remailer operators to reveal traffic + logs and thereby allow tracing of messages?" + + For human-operated systems which have logs, sure. This is + why we want several things in remailers: + * no logs of messages + * many remailers + * multiple legal jurisdictions, e.g., offshore remailers + (the more the better) + * hardware implementations which execute instructions + flawlessly (Chaum's digital mix) + 8.9.5. Calls for limits on anonymity + + Kids and the net will cause many to call for limits on + nets, on anonymity, etc. + - "But there's a dark side to this exciting phenomenon, one + that's too rarely understood by computer novices. + Because they + offer instant access to others, and considerable + anonymity to + participants, the services make it possible for people - + especially computer-literate kids - to find themselves in + unpleasant, sexually explicit social situations.... And + I've gradually + come to adopt the view, which will be controversial among + many online + users, that the use of nicknames and other forms of + anonymity + must be eliminated or severly curbed to force people + online into + at least as much accountability for their words and + actions as + exists in real social encounters." [Walter S. Mossberg, + Wall Street Journal, 6/30/94, provided by Brad Dolan] + - Eli Brandt came up with a good response to this: "The + sound-bite response to this: do you want your child's + name, home address, and phone number available to all + those lurking pedophiles worldwide? Responsible parents + encourage their children to use remailers." + - Supreme Court said that identity of handbill distributors + need not be disclosed, and pseudonyms in general has a long + and noble tradition + - BBS operators have First Amendment protections (e.g.. + registration requirements would be tossed out, exactly as + if registration of newspapers were to be attempted) + 8.9.6. Remailers and Choice of Jurisdictions + - The intended target of a remailed message, and the subject + material, may well influence the set of remailers used, + especially for the very important "last remailer' (Note: it + should never be necessary to tell remailers if they are + first, last, or others, but the last remailer may in fact + be able to tell he's the last...if the message is in + plaintext to the recipient, with no additional remailer + commands embedded, for example.) + - A message involving child pornography might have a remailer + site located in a state like Denmark, where child porn laws + are less restrictive. And a message critical of Islam might + not be best sent through a final remailer in Teheran. Eric + Hughes has dubbed this "regulatory arbitrage," and to + various extents it is already common practice. + - Of course, the sender picks the remailer chain, so these + common sense notions may not be followed. Nothing is + perfect, and customs will evolve. I can imagine schemes + developing for choosing customers--a remailer might not + accept as a customer certain abusers, based on digital + pseudonyms < hairy). + 8.9.7. Possible legal steps to limit the use of remailers and + anonymous systems + - hold the remailer liable for content, i.e., no common + carrier status + - insert provisions into the various "anti-hacking" laws to + criminalize anonymous posts + 8.9.8. Crypto and remailers can be used to protect groups from "deep + pockets" lawsuits + - products (esp. software) can be sold "as is," or with + contracts backed up by escrow services (code kept in an + escrow repository, or money kept there to back up + committments) + + jurisdictions, legal and tax, cannot do "reach backs" which + expose the groups to more than they agreed to + - as is so often the case with corporations in the real + world, which are taxed and fined for various purposes + (asbestos, etc.) + - (For those who panic at the thought of this, the remedy for + the cautious will be to arrange contracts with the right + entities...probably paying more for less product.) + 8.9.9. Could anonymous remailers be used to entrap people, or to + gather information for investigations? + - First, there are so few current remailers that this is + unlikely. Julf seems a non-narc type, and he is located in + Finland. The Cypherpunks remailers are mostly run by folks + like us, for now. + - However, such stings and set-ups have been used in the past + by narcs and "red squads." Expect the worse from Mr. + Policeman. Now that evil hackers are identified as hazards, + expect moves in this direction. "Cryps" are obviously + "crack" dealers. + - But use of encryption, which CP remailers support (Julf's + does not), makes this essentially moot. + +10.7. Legal Issues with Escrowed Encryption and Clipper +9.17.1. As John Gilmore put it in a guest editorial in the "San + Francisco Examiner," "...we want the public to see a serious + debate about why the Constitution should be burned in order + to save the country." [J.G., 1994-06-26, quoted by S. + Sandfort] +9.17.2. "I don't see how Clipper gives the government any powers or + capabilities it doesn't already have. Comments?" +9.17.3. Is Clipper really voluntary? +9.17.4. If Clipper is voluntary, who will use it? +9.17.5. Restrictions on Civilian Use of Crypto +9.17.6. "Has crypto been restricted in the U.S.?" +9.17.7. "What legal steps are being taken?" + - Zimmermann + - ITAR +9.17.8. reports that Department of Justice has a compliance + enforcement role in the EES [heard by someone from Dorothy + Denning, 1994-07], probably involving checking the law + enforcement agencies... +9.17.9. Status + + "Will government agencies use Clipper?" + - Ah, the embarrassing question. They claim they will, but + there are also reports that sensitive agencies will not + use it, that Clipper is too insecure for them (key + lenght, compromise of escrow data, etc.). There may also + be different procedures (all agencies are equal, but some + are more equal than others). + - Clipper is rated for unclassified use, so this rules out + many agencies and many uses. An interesting double + standard. + + "Is the Administration backing away from Clipper?" + + industry opposition surprised them + - groups last summer, Citicorp, etc. + - public opinion + - editorial remarks + - so they may be preparing alternative + - and Gilmore's FOIA, Blaze's attack, the Denning + nonreview, the secrecy of the algortithm + + will not work + - spies won't use it, child pornographers probably won't + use it (if alternatives exist, which may be the whole + point) + - terrorists won't use it + - Is Clipper in trouble? +9.17.10. "Will Clipper be voluntary?" + - Many supporters of Clipper have cited the voluntary nature + of Clipper--as expressed in some policy statements--and + have used this to counter criticism. + + However, even if truly voluntary, some issues + + improper role for government to try to create a + commercial standard + - though the NIST role can be used to counter this point, + partly + - government can and does make it tough for competitors + - export controls (statements by officials on this exist) + + Cites for voluntary status: + - original statement says it will be voluntary + - (need to get some statements here) + + Cites for eventual mandatory status: + - "Without this initiative, the government will eventually + become helpless to defend the nation." [Louis Freeh, + director of the FBI, various sources] + - Steven Walker of Trusted Information Systems is one of + many who think so: "Based on his analysis, Walker added, + "I'm convinced that five years from now they'll say 'This + isn't working,' so we'll have to change the rules." Then, + he predicted, Clipper will be made mandatory for all + encoded communications." [ + + Parallels to other voluntary programs + - taxes + +10.8. Legal Issues with Digital Cash +10.8.1. "What's the legal status of digital cash?" + - It hasn't been tested, like a lot of crypto protocols. It + may be many years before these systems are tested. +10.8.2. "Is there a tie between digital cash and money laundering?" + - There doesn't have to be, but many of us believe the + widespread deployment of digital, untraceable cash will + make possible new approaches + - Hence the importance of digital cash for crypto anarchy and + related ideas. + - (In case it isn't obvious, I consider money-laundering a + non-crime.) +10.8.3. "Is it true the government of the U.S. can limit funds + transfers outside the U.S.?" + - Many issues here. Certainly some laws exist. Certainly + people are prosecuted every day for violating currency + export laws. Many avenues exist. + - "LEGALITY - There isn't and will never be a law restricting + the sending of funds outside the United States. How do I + know? Simple. As a country dependant on international + trade (billions of dollars a year and counting), the + American economy would be destroyed." [David Johnson, + privacy@well.sf.ca.us, "Offshore Banking & Privacy," + alt.privacy, 1994-07-05] +10.8.4. "Are "alternative currencies" allowed in the U.S.? And what's + the implication for digital cash of various forms? + - Tokens, coupons, gift certificates are allowed, but face + various regulations. Casino chips were once treated as + cash, but are now more regulated (inter-casino conversion + is no longer allowed). + - Any attempt to use such coupons as an alternative currency + face obstacles. The coupons may be allowed, but heavily + regulated (reporting requirements, etc.). + - Perry Metzger notes, bearer bonds are now illegal in the + U.S. (a bearer bond represented cash, in that no name was + attached to the bond--the "bearer" could sell it for cash + or redeem it...worked great for transporting large amounts + of cash in compact form). + + Note: Duncan Frissell claims that bearer bonds are _not_ + illegal. + - "Under the Tax Equity and Fiscal Responsibility Act of + 1982 (TEFRA), any interest payments made on *new* issues + of domestic bearer bonds are not deductible as an + ordinary and necessary business expense so none have been + issued since then. At the same time, the Feds + administratively stopped issuing treasury securities in + bearer form. Old issues of government and corporate debt + in bearer form still exist and will exist and trade for + 30 or more years after 1982. Additionally, US residents + can legally buy foreign bearer securities." [Duncan + Frissell, 1994-08-10] + - Someone else has a slightly different view: "The last US + Bearer Bond issues mature in 1997. I also believe that to + collect interest, and to redeem the bond at maturity, you + must give your name and tax-id number to the paying + agent. (I can check with the department here that handles + it if anyone is interested in the pertinent OCC regs that + apply)" [prig0011@gold.tc.umn.edu, 1994-08-10] + - I cite this gory detail to give readers some idea about + how much confusion there is about these subjects. The + usual advice is to "seek competent counsel," but in fact + most lawyers have no clear ideas about the optimum + strategies, and the run-of-the-mill advisor may mislead + one dangerously. Tread carefully. + - This has implications for digital cash, of course. +10.8.5. "Why might digital cash and related techologies take hold + early in illegal markets? That is, will the Mob be an early + adopter?" + - untraceability needed + - and reputations matter to them + - they've shown in the past that they will try new + approaches, a la the money movements of the drug cartels, + novel methods for security, etc. +10.8.6. "Electronic cash...will it have to comply with laws, and + how?" + - Concerns will be raised about the anonymity aspects, the + usefulness for evading taxes and reporting requirements, + etc. + - a messy issue, sure to be debated and legislated about for + many years + + split the cash into many pieces...is this "structuring"? is + it legal? + - some rules indicate the structuring per se is not + illegal, only tax evasion or currency control evasion + - what then of systems which _automatically_, as a basic + feature, split the cash up into multiple pieces and move + them? +10.8.7. Currency controls, flight capital regulations, boycotts, + asset seizures, etc. + - all are pressures to find alternate ways for capital to + flow + - all add to the lack of confidence, which, paradoxically to + lawmakers, makes capital flight all the more likely +10.8.8. "Will banking regulators allow digital cash?" + - Not easily, that's for sure. The maze of regulations, + restrictions, tax laws, and legal rulings is daunting. Eric + Hughes spent a lot of time reading up on the laws regarding + banks, commercial paper, taxes, etc., and concluded much + the same. I'm not saying it's impossible--indeed, I believe + it will someday happen, in some form--but the obstacles are + formidable. + + Some issues: + + Will such an operation be allowed to be centered or based + in the U.S.? + - What states? What laws? Bank vs. Savings and Loan vs. + Credit Union vs. Securities Broker vs. something else? + + Will customers be able to access such entities offshore, + outside the U.S.? + - strong crypto makes communication possible, but it may + be difficult, not part of the business fabric, etc. + (and hence not so useful--if one has to send PGP- + encrypted instructions to one's banker, and can't use + the clearing infrastructure....) + + Tax collection, money-laundering laws, disclosure laws, + "know your customer" laws....all are areas where a + "digital bank" could be shut down forthwith. Any bank not + filling out the proper forms (including mandatory + reporting of transactions of certain amounts and types, + and the Social Security/Taxpayer Number of customers) + faces huge fines, penalties, and regulatory sanctions. + - and the existing players in the banking and securities + business will not sit idly by while newcomers enter + their market; they will seek to force newcomers to jump + through the same hoops they had to (studies indicate + large corporations actually _like_ red tape, as it + helps them relative to smaller companies) + - Concluson: Digital banks will not be "launched" without a + *lot* of work by lawyers, accountants, tax experts, + lobbyists, etc. "Lemonade stand digital banks" (TM) will + not survive for long. Kids, don't try this at home! + - (Many new industries we are familiar with--software, + microcomputers--had very little regulation, rightly so. But + the effect is that many of us are unprepared to understand + the massive amount of red tape which businesses in other + areas, notably banking, face.) +10.8.9. Legal obstacles to digital money. If governments don't want + anonymous cash, they can make things tough. + + As both Perry Metzger and Eric Hughes have said many times, + regulations can make life very difficult. Compliance with + laws is a major cost of doing business. + - ~"The cost of compliance in a typical USA bank is 14% of + operating costs."~ [Eric Hughes, citing an "American + Banker" article, 1994-08-30] + + The maze of regulations is navigable by larger + institutions, with staffs of lawyers, accountants, tax + specialists, etc., but is essentially beyond the + capabilities of very small institutions, at least in the + U.S. + - this may or may not remain the case, as computers + proliferate. A "bank-in-a-box" program might help. My + suspicion is that a certain size of staff is needed just + to handle the face-to-face meetings and hoop-jumping. + + "New World Order" + - U.S. urging other countries to "play ball" on banking + secrecy, on tax evasion extradition, on immigration, etc. + - this is closing off the former loopholes and escape + hatches that allowed people to escape repressive + taxation...the implications for digital money banks are + unclear, but worrisome. + +10.9. Legality of Digital Banks and Digital Cash? +10.9.1. In terms of banking laws, cash reporting regulations, money + laundering statutes, and the welter of laws connected with + financial transactions of all sorts, the Cypherpunks themes + and ideas are basically _illegal_. Illegal in the sense that + anyone trying to set up his own bank, or alternative currency + system, or the like would be shut down quickly. As an + informal, unnoticed _experiment_, such things are reasonably + safe...until they get noticed. +10.9.2. The operative word here is "launch," in my opinion. The + "launch" of the BankAmericard (now VISA) in the 1960s was not + done lightly or casually...it required armies of lawyers, + accountants, and other bureacrats to make the launch both + legal and successful. The mere 'idea" of a credit card was + not enough...that was essentially the easiest part of it all. + (Anyone contemplating the launch of a digital cash system + would do well to study BankAmericard as an example...and + several other examples also.) +10.9.3. The same will be true of any digital cash or similar system + which intends to operate more or less openly, to interface + with existing financial institutions, and which is not + explicity intended to be a Cypherpunkish underground + activity. + +10.10. Export of Crypto, ITAR, and Similar Laws +10.10.1. "What are the laws and regulations about export of crypto, + and where can I find more information?" + - "The short answer is that the Department of State, Office + of Defense Trade Controls (DOS/DTC) and the National + Security Administration (NSA) won't allow unrestricted + export (like is being done with WinCrypt) for any + encryption program that the NSA can't crack with less than + a certain amount (that they are loathe to reveal) of + effort. For the long answer, see + ftp://ftp.csn.net/cryptusa.txt.gz and/or call DOS/DTC at + 703-875-7041." [Michael Paul Johnson, sci.crypt, 1994-07- + 08] +10.10.2. "Is it illegal to send encrypted stuff out of the U.S.?" + - This has come up several times, with folks claiming they've + heard this. + - In times of war, real war, sending encrypted messages may + indeed be suspect, perhaps even illegal. + - But the U.S. currently has no such laws, and many of us + send lots of encrypted stuff outside the U.S. To remailers, + to friends, etc. + - Encrypted files are often tough to distinguish from + ordinary compressed files (high entropy), so law + enforcement would have a hard time. + - However, other countries may have different laws. +10.10.3. "What's the situation about export of crypto?" + + There's been much debate about this, with the case of Phil + Zimmermann possibly being an important test case, should + charges be filed. + - as of 1994-09, the Grand Jury in San Jose has not said + anything (it's been about 7-9 months since they started + on this issue) + - Dan Bernstein has argued that ITAR covers nearly all + aspects of exporting crypto material, including codes, + documentation, and even "knowledge." (Controversially, it + may be in violation of ITAR for knowledgeable crypto people + to even leave the country with the intention of developing + crypto tools overseas.) + - The various distributions of PGP that have occurred via + anonymous ftp sources don't imply that ITAR is not being + enforced, or won't be in the future. +10.10.4. Why and How Crypto is Not the Same as Armaments + - the gun comparison has advantages and disadvantages + - "right to keep and bear arms" + - but then this opens the door wide to restrictions, + regulations, comparisons of crypto to nuclear weapons, etc. + - + + "Crypto is not capable of killing people directly. Crypto + consists + - entirely of information (speech, if you must) that cannot + be + - interdicted. Crypto has civilian use. + - - + - , 4-11-94, sci.crypt> +10.10.5. "What's ITAR and what does it cover?" + + ITAR, the International Trafficking in Arms Regulations, is + the defining set of rules for export of munitions--and + crypto is treated as munitions. + - regulations for interpreting export laws + + NSA may have doubts that ITAR would hold up in court + - Some might argue that this contravenes the Constitution, + and hence would fail in court. Again, there have been few + if any solid tests of ITAR in court, and some indications + that NSA lawyers are reluctant to see it tested, fearing + it would not pass muster. + - doubts about legality (Carl Nicolai saw papers, since + confirmed in a FOIA) + - Brooks statement + - Cantwell Bill + - not fully tested in court + + reports of NSA worries that it wouldn't hold up in court if + ever challenged + - Carl Nicolai, later FOIA results, conversations with Phil + + Legal Actions Surrounding ITAR + - The ITAR laws may be used to fight hackers and + Cypherpunks...the outcome of the Zimmermann indictment + will be an important sign. + + What ITAR covers + - "ITAR 121.8(f): ``Software includes but is not limited to + the system functional design, logic flow, algorithms, + application programs, operating systems and support + software for design, implementation, test, operation, + diagnosis and repair.'' [quoted by Dan Bernstein, + talk.politics.crypto, 1994-07-14] + - joke by Bidzos about registering as an international arms + dealer + + ITAR and code (can code be published on the Net?) + - "Why does ITAR matter?" + - Phil Karn is involved with this, as are several others + here + + Dan Bernstein has some strongly held views, based on his + long history of fighting the ITAR + - "Let's assume that the algorithm is capable of + maintaining secrecy of information, and that it is not + restricted to decryption, banking, analog scrambling, + special smart cards, user authentication, data + authentication, data compression, or virus protection. + + "The algorithm is then in USML Category XIII(b)(1). + + "It is thus a defense article. ITAR 120.6. " [Dan + Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - "Sending a defense article out of the United States in + any manner (except as knowledge in your head) is + export. ITAR 120.17(1). + + "So posting the algorithm constitutes export. There are + other forms of export, but I won't go into them here. + + "The algorithm itself, without any source code, is + software." [Dan Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - "The statute is the Arms Export Control Act; the + regulations are the + International Traffic in Arms Regulations. For precise + references, see + my ``International Traffic in Arms Regulations: A + Publisher's Guide.''" [Dan Bernstein, posting code to + sci.crypt, talk.politics.crypto, 1994-08-22] + + "Posting code is fine. We do it all the time; we have + the right to do it; no one seems to be trying to stop us + from doing it." [Bryan G. Olson, posting code to + sci.crypt, talk.politics.crypto, 1994-08-20] + - Bernstein agrees that few busts have occurred, but + warns: "Thousands of people have distributed crypto in + violation of ITAR; only two, to my knowledge, have been + convicted. On the other hand, the guv'mint is rapidly + catching up with reality, and the Phil Zimmermann case + may be the start of a serious crackdown." [Dan + Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - The common view that academic freedom means one is OK is + probably not true. + + Hal Finney neatly summarized the debate between Bernstein + and Olsen: + - "1) No one has ever been prosecuted for posting code on + sci.crypt. The Zimmermann case, if anything ever comes + of it, was not about posting code on Usenet, AFAIK. + + "2) No relevant government official has publically + expressed an opinion on whether posting code on + sci.crypt would be legal. The conversations Dan + Bernstein posted dealt with his requests for permission + to export his algorithm, not to post code on sci.crypt. + + "3) We don't know whether anyone will ever be + prosecuted for posting code on sci.crypt, and we don't + know what the outcome of any such prosecution would + be." [Hal Finney, talk.politics.crypto, 1994-008-30] +10.10.6. "Can ITAR and other export laws be bypassed or skirted by + doing development offshore and then _importing_ strong crypto + into the U.S.?" + - IBM is reportedly doing just this: developing strong crypto + products for OS/2 at its overseas labs, thus skirting the + export laws (which have weakened the keys to some of their + network security products to the 40 bits that are allowed). + + Some problems: + - can't send docs and knowhow to offshore facilities (some + obvious enforcement problems, but this is how the law + reads) + - may not even be able to transfer knowledgeable people to + offshore facilities, if the chief intent is to then have + them develop crypto products offshore (some deep + Constitutional issues, I would think...some shades of how + the U.S.S.R. justified denying departure visas for + "needed" workers) + - As with so many cases invovling crypto, there are no + defining legal cases that I am aware of. + +10.11. Regulatory Arbitrage +10.11.1. Jurisdictions with more favorable laws will see claimants + going there. +10.11.2. Similar to "capital flight" and "people voting with their + feet." +10.11.3. Is the flip side of "jurisdiction shopping." wherein + prosecutors shop around for a jurisdiction that will be + likelier to convict. (As with the Amateur Action BBS case, + tried in Memphis, Tennessee, not in California.) + +10.12. Crypto and Pornography +10.12.1. There's been a lot of media attention given to this, + especially pedophilia (pedophilia is not the same thing as + porn, of course, but the two are often discussed in articles + about the Net). As Rishab Ghosh put it: "I think the + pedophilic possibilities of the Internet capture the + imaginations of the media -- their deepest desires, perhaps." + [R.G., 1994-07-01] +10.12.2. The fact is, the two are made for each other. The + untraceability of remailers, the unbreakability of strong + crypto if the files are intercepted by law enforcement, and + the ability to pay anonymously, all mean the early users of + commercial remailers will likely be these folks. +10.12.3. Avoid embarrassing stings! Keep your job at the elementary + school! Get re-elected to the church council! +10.12.4. pedophilia, bestiality, etc. (morphed images) +10.12.5. Amateur Action BBS operator interested in crypto....a little + bit too late +10.12.6. There are new prospects for delivery of messages as part of + stings or entrapment attacks, where the bits decrypt into + incriminating evidence when the right key is used. (XOR of + course) +10.12.7. Just as the law enforcement folks are claiming, strong crypto + and remailers will make new kinds of porn networks. The nexus + or source will not be known, and the customers will not be + known. + - (An interesting strategy: claim customers unknown, and + their local laws. Make the "pickup" the customer's + responsibility (perhaps via agents). + +10.13. Usenet, Libel, Local Laws, Jurisdictions, etc. +10.13.1. (Of peripheral importance to crypto themes, but important for + issues of coming legislation about the Net, attempts to + "regain control," etc. And a bit of a jumble of ideas, too.) +10.13.2. Many countries, many laws. Much of Usenet traffic presumably + violates various laws in Iran, China, France, Zaire, and the + U.S., to name f ew places which have laws about what thoughts + can be expressed. +10.13.3. Will this ever result in attempts to shut down Usenet, or at + least the feeds into various countries? +10.13.4. On the subject of Usenet possibly being shut-down in the U.K. + (a recent rumor, unsubstantiated), this comment: " What you + have to grasp is that USENET type networks and the whole + structure of the law on publshing are fundamentally + incompatiable. With USENT anyone can untracably distribute + pornographic, libelous, blasphemous, copyright or even + officially secret information. Now, which do you think HMG + and, for that matter, the overwhealming majority of oridnary + people in this country think is most important. USENET or + those laws?" [Malcolm McMahon, malcolm@geog.leeds.ac.uk, + comp.org.eff.talk, 1994--08-26] +10.13.5. Will it succeed? Not completely, as e-mail, gopher, the Web, + etc., still offers access. But the effects could reach most + casual users, and certainly affect the structure as we know + it today. +10.13.6. Will crypto help? Not directly--see above. + +10.14. Emergency Regulations +10.14.1. Emergency Orders + - various NSDDs and the like + - "Seven Days in May" scenario +10.14.2. Legal, secrecy orders + - George Davida, U. oif Wisconsin, received letter in 1978 + threatening a $10K per day fine + - Carl Nicolai, PhasorPhone + - The NSA has confirmed that parts of the EES are patented, + in secrecy, and that the patents will be made public and + then used to stop competitors should the algorithm become + known. +10.14.3. Can the FCC-type Requirements for "In the clear" broadcasting + (or keys supplied to Feds) be a basis for similar legislation + of private networks and private use of encryption? + - this would seem to be impractical, given the growth of + cellular phones, wireless LANs, etc....can't very well + mandate that corporations broadcast their internal + communications in the clear! + - compression, packet-switching, and all kinds of other + "distortions" of the data...requiring transmissions to be + readable by government agencies would require providing the + government with maps (of where the packets are going), with + specific decompression algorithms, etc....very impractical + +10.15. Patents and Copyrights +10.15.1. The web of patents + - what happens is that everyone doing anything substantive + spends much of his time and money seeking patents + - patents are essential bargaining chips in dealing with + others + - e.g., DSS, Schnorr, RSADSI, etc. + - e.g., Stefan Brands is seeking patents + - Cylink suing... +10.15.2. Role of RSA, Patents, etc. + + Bidzos: "If you make money off RSA, we make money" is the + simple rule + - but of course it goes beyond this, as even "free" uses + may have to pay + - Overlapping patents being used (apparently) to extent the + life of the portfolio + + 4/28/97 The first of several P-K and RSA patents expires + + U.S. Patent Number: 4200770 + - Title: Cryptographic Apparatus and Method + - Inventors: Hellman, Diffie, Merkle + - Assignee: Stanford University + - Filed: September 6, 1977 + - Granted: April 29, 1980 + - [Expires: April 28, 1997] + + remember that any one of these several patents held by + Public Key Partners (Stanford and M.I.T., with RSA Data + Security the chief dispenser of licenses) can block an + effort to bypass the others + - though this may get fought out in court + + 8/18/97 The second of several P-K and RSA patents expires + + U.S. Patent Number: 4218582 + - Title: Public Key Cryptographic Apparatus and Method + - Inventors: Hellman, Merkle + - Assignee: The Board of Trustees of the Leland Stanford + Junior University + - Filed: October 6, 1977 + - Granted: August 19, 1980 + - [Expires: August 18, 1997] + - this may be disputed because it describe algortihms in + broad terms and used the knapsack algorithm as the chief + example + + 9/19/00 The main RSA patent expires + + U.S. Patent Number: 4405829 + - Title: Cryptographic Communications System and Method + - Inventors: Rivest, Shamir, Adleman + - Assignee: Massachusetts Institute of Technology + - Filed: December 14, 1977 + - Granted: September 20, 1983 + - [Expires: September 19, 2000] +10.15.3. Lawsuits against RSA patents + + several are brewing + - Cylink is suing (strange rumors that NSA was involved) + - Roger Schlafly +10.15.4. "What about the lawsuit filed by Cylink against RSA Data + Security Inc.?" + - Very curious, considering they are both part of Public Key + Partners, the consortium of Stanford, MIT, Cylink, and RSA + Data Security Inc. (RSADSI) + - the suit was filed in the summer of 1994 + + One odd rumor I heard, from a reputable source, was that + the NSA had asked PKP to do something (?) and that Cylink + had agreed, but RSADSI had refused, helping to push the + suit along + - any links with the death threats against Bidzos? +10.15.5. "Can the patent system be used to block government use of + patents for purposes we don't like?" + - Comes up especially in the context of S. Micali's patent on + escrow techniques + - "Wouldn't matter. The government can't be enjoined from + using a patent. The federal government, in the final + analysis, can use any patent they want, without permission, + and the only recourse of the patent owner is to sue for + royalties in the Court of Claims." [Bill Larkins, + talk.politics.crypto, 1994-07-14] + +10.16. Practical Issues +10.16.1. "What if I tell the authorities I Forgot My Password?" + - (or key, or passphrase...you get the idea) + - This comes up repeatedly, but the answer remains murky +10.16.2. Civil vs. Criminal + + "This is a civil mattep, and the pights of ppivaay one haq + in cpiminal mattepq + - tend to vaniqh in aivil litigation. The paptieq to a + lawquit hate + - tpemeldouq powepq to dopae the othep qide to peteal + ildopmatiol peletalt + - to the aaqe, <@pad Templetol, 4-1-94, aomp,opg,edd,tal +10.16.3. the law is essentially what the courts say it is + +10.17. Free Speech is Under Assault +10.17.1. Censorship comes in many forms. Tort law, threats of grant or + contract removal, all are limiting speech. (More reasons for + anonymous speech, of course.) +10.17.2. Discussions of cryptography could be targets of future + crackdowns. Sedition laws, conspiracy laws, RICO, etc. How + long before speaking on these matters earns a warning letter + from your university or your company? (It's the "big stick" + of ultimate government action that spurs these university and + company policies. Apple fears being shut down for having + "involvement" with a terrorist plot, Emory University fears + being sued for millions of dollars for "conspiring" to + degrade wimmin of color, etc.) + + How long before "rec.guns" is no longer carried at many + sites, as they fear having their universities or companies + linked to discussions of "assault weapons" and "cop-killer + bullets"? Prediction: Many companies and universities, under + pressure from the Feds, will block groups in which encrypted + files are posted. After all, if one encrypts, one must have + something to hide, and that could expose the university to + legal action from some group that feels aggrieved. +10.17.3. Free speech is under assault across the country. The tort + system is being abused to stifle dissenting views (and lest + you think I am only a capitalist, only a free marketeer, the + use of "SLAPP suits"--"Strategic Lawsuits Against Public + Participation"--by corporations or real estate developers to + threaten those who dare to publicly speak against their + projects is a travesty, a travesty that the courts have only + recently begun to correct). + + We are becoming a nation of sheep, fearing the midnight raid, + the knock on the door. We fear that if we tell a joke, + someone will glare at us and threaten to sue us _and_ our + company! And so companies are adopting "speech codes" and + other such baggage of the Orwell's totalitarian state. + Political correctness is extending its tendrils into nearly + every aspect of life in America. + +10.18. Systems, Access, and the Law +10.18.1. Legal issues regarding access to systems + + Concerns: + - access by minors to sexually explicit material + + access from regions where access "should not be + permitted" + - export of crypto, for example + - the Memphis access to California BBS + + Current approach: taking the promise of the accessor + - "I will not export this outside the U.S. or Canada." + - "I am of legal age to access this material." + + Possible future approaches: + + Callbacks, to ensure accessor is from region stated + - easy enough to bypass with cut-outs and remailers + + "Credentials" + - a la the US Postal Service's proposed ID card (and + others) + + cryptographically authenticated credentials + - Chaum's credentials system (certainly better than + many non-privacy-preserving credentials systems) +10.18.2. "What is a "common carrier" and how does a service become + one?" + - (This topic has significance for crypto and remailers, vis + a vis whether remailers are to be treated as common + carriers.) + - Common carriers are what the phone and package delivery + services are. They are not held liable for the contents of + phone calls, for the contents of packages (drugs, + pornography, etc.), or for illegal acts connected with + their services. One of the deals is that common carriers + not examine the insides of packages. Common carriers + essentially agree to take all traffic that pays the fee and + not to discriminate based on content. Thus, a phone service + will not ask what the subject of a call is to be, or listen + in, to decide whether to make the connection. + - Some say that to be a common carrier requires a willingness + to work with law enforcement. That is, Federal Express is + not responsible for contents of packages, but they have to + cooperate in reasonable ways with law enforcement to open + or track suspicious packages. Anybody have a cite for this? + Is it true? + - Common carrier status is also cited for bookstores, which + are not presumed to have read each and every one of the + books they sell...so if somebody blows their hand off in a + an experiment, the bookstore is not liable. (The + author/publisher may be, but that's aänt issue.) + - How does one become a common carrier? Not clear. One view + is that a service should "behave like" a common carrier and + then hope and pray that a court sees it that way. + + Are computer services common carriers? A topic of great + interest. + - "According to a discussion I had with Dave Lawrence + (postmaster at UUNET, as well as moderator of + news.admin.newgroups), UUNET is registered with the FCC + as an "Enhanced Service Provider," which, according to + Dave, amounts to similar protection as "Common Carrier." + ("Common Carrier" seems to not be appropriate yet, since + Congress is so behind the tech curve)." [L. Todd Masco, + 1994-08-11] + - As for remailer networks being treated as common carriers, + totally unclear at this time. Certainly the fact that + packets are fully encrypted and unreadabel goes to part of + the issue about agreeing not to screen. + + More on the common carrier debate: + - "Ah, the eternal Common Carrier debate. The answer is + the same as the last few times. "Common Carrier" status + has little to do with exemption from liability. It has + most to do with being unable to reject passengers, goods, + or phone calls......Plenty of non-common carrier entities + are immune from prosecution for ideas that they + unkowingly communicate -- bookstores for example (unless + they are *knowingly* porno bookstores in the wrong + jurisdiction)....Compuserve was held not liable for an + (alleged) libel by one of its sysops. Not because of + common carrier but because they had no knowledge or + control....Remailers have no knowledge or control hence + no scienter (guilty knowledge) hence no liability as a + matter of law---not a jury question BTW." [Duncan + Frissell, 1994-08-11] + +10.19. Credentials +10.19.1. "Are credentials needed? Will digital methods be used?" +10.19.2. I take a radical view. Ask yourself why credentials are + _ever_ needed. Maybe for driving a car, and the like, but in + those cases anonymity is not needed, as the person is in the + car, etc. + + Credentials for drinking age? Why? Let the parents enforce + this, as the argument goes about watching sex and violence on + t.v. (If one accepts the logic of requiring bars to enforce + children's behavior, then one is on a slippery slope toward + requiring television set makers to check smartcards of + viewers, or of requiring a license to access the Internet, + etc.) + + In almost no cases do I see the need to carry "papers" with + me. Maybe a driver's license, like I said. In other areas, + why? +10.19.3. So Cypherpunks probably should not spend too much time + worrying about how permission slips and "hall passes" will be + handled. Little need for them. +10.19.4. "What about credentials for specific job performance, or for + establishing time-based contracts?" + - Credentials that prove one has completed certain classes, + or reached certain skill levels, etc.? + - In transactions where "future performance" is needed, as in + a contract to have a house built, or to do some similar + job, then of course the idea of on-line or immediate + clearing is bogus...like paying a stranger a sum of money + on his promise that he'll be back the next day to start + building you a house. + + Parties to such long-term, non-locally-cleared cases may + contract with an escrow agent, as I described above. This + is like the "privately-produced law" we've discussed so + many times. The essence: voluntary arrangements. + + Maybe proofs of identity will be needed, or asked for, + maybe not. But these are not the essence of the deal. + +10.20. Escrow Agents +10.20.1. (the main discussion of this is under Crypto Anarchy) +10.20.2. Escrow Agents as a way to deal with contract renegging + - On-line clearing has the possible danger implicit in all + trades that Alice will hand over the money, Bob will verify + that it has cleared into hisaccount (in older terms, Bob + would await word that his Swiss bank account has just been + credited), and then Bob will fail to complete his end of + the bargain. If the transaction is truly anonymous, over + computer lines, then of course Bob just hangs up his modem + and the connection is broken. This situation is as old as + time, and has always involved protcols in which trust, + repeat business, etc., are factors. Or escrow agents. + - Long before the "key escrow" of Clipper, true escrow was + planned. Escrow as in escrow agents. Or bonding agents. + - Alice and Bob want to conduct a transaction. Neither trusts + the other; + indeed, they are unknown to each other. In steps "Esther's + Escrow Service." She is _also utraceable_, but has + established a digitally-signed presence and a good + reputation for fairness. Her business is in being an escrow + agent, like a bonding agency, not in "burning" either + party. (The math of this is interesting: as long as the + profits to be gained from any small set of transactions is + less than her "reputation capital," it is in her interest + to forego the profits from burning and be honest. It is + also possible to arrange that Esther cannot profit from + burning either Alice or Bob or both of them, e.g., by + suitably encrypting the escrowed stuff.) + - Alice can put her part of the transaction into escrow with + Esther, Bob can do the same, and then Esther can release + the items to the parties when conditions are met, when both + parties agree, when adjudication of some sort occurs, etc. + (There a dozen issues here, of course, about how disputes + are settled, about how parties satisfy themselves that + Esther has the items she says she has, etc.) + +10.21. Loose Ends +10.21.1. Legality of trying to break crypto systems + + "What's the legality of breaking cyphers?" + - Suppose I find some random-looking bits and find a way to + apparently decrease their entropy, perhaps turning them + into the HBO or Playboy channel? What crime have I + committed? + - "Theft of services" is what they'll get me for. Merely + listening to broadcasts can now be a crime (cellular, + police channels, satellite broadcasts). In my view, a + chilling developemt, for practical reasons (enforcement + means invasive monitoring) and for basic common sense + ethics reasons: how can listening to what lands on your + property be illegal? + - This also opens the door for laws banning listening to + certain "outlaw" or "unlicensed" braodcast stations. + Shades of the Iron Curtain. (I'm not talking about FCC + licensing, per se.) + + "Could it ever be illegal to try to break an encryption + scheme, even if the actual underlying data is not + "stolen"?" + + Criminalizing *tools* rather than actions + - The U.S. is moving in the direction of making mere + possession of certain tools and methods illegal, rather + than criminalizing actual actions. This has been the + case--or so I hear, though I can't cite actual laws-- + with "burglar tools." (Some dispute this, pointing to + the sale of lockpicks, books on locksmithing, etc. + Still, see what happens if you try to publish a + detailed book on how to counterfeit currency.) + - Black's law term for this? + + To some extent, it already is. Video encryption is this + way. So is cellular. + - attendees returning from a Bahamas conference on pirate + video methods (guess why it was in the Bahamas) had + their papers and demo materials seized by Customs + - Counterfeiting is, I think, in this situation, too. + Merely exploring certain aspects is verboten. (I don't + claim that all aspects are, of course.) + - Interception of broadcast signals may be illegal-- + satellite or cellular phone traffic (and Digital + Telephony Act may further make such intercepts illegal + and punishable in draconian ways) + + Outlawing of the breaking of encryption, a la the + broadcast/scanner laws + - (This came up in a thread with Steve Bellovin) + + Aspects + + PPL side...hard to convince a PPL agent to "enforce" + this + - but market sanctions against those who publically use + the information are of course possible, just as with + those who overhear conversations and then gossip + widely (whereas the act of overhearing is hardly a + crime) + - statutory enforcement leads to complacency, to below- + par security + + is an unwelcome expansion of power of state to enforce + laws against decryption of numbers + - and may lead to overall restrictions on crypto use +10.21.2. wais, gopher, WWW, and implications + - borders more transparent...not clear _where_ searches are + taking place, files being transferrred, etc. (well, it is + deterministic, so some agent or program presumably knows, + but it's likely that humans don't) +10.21.3. "Why are so many prominent Cypherpunks interested in the + law?" + - Beats me. Nothing is more stultfyingly boring to me than + the cruft and "found items" nature of the law. + - However,, for a certain breed of hacker, law hacking is the + ultimate challenge. And it's important for some Cypherpunks + goals. +10.21.4. "How will crypto be fought?" + - The usual suspects: porn, pedophilia, terrorists, tax + evaders, spies + + Claims that "national security" is at stake + - As someone has said, "National security is the root + password to the Constitution" + + claims of discrimination + - as but one example, crypto allows offshore bank accounts, + a la carte insurance, etc...these are all things that + will shake the social welfare systems of many nations +10.21.5. Stego may also be useful in providing board operators with + "plausible deniabillity"--they can claim ignorance of the LSB + contents (I'm not saying this will stand up in court very + well, but any port in a storm, especially port 25). +10.21.6. Can a message be proved to be encrypted, and with what key? +10.21.7. Legality of digital signatures and timestamps? + - Stu Haber confirms that this has not been tested, no + precedents set +10.21.8. A legal issue about proving encryption exists + - The XOR point. Any message can be turned into any other + message, with the proper XOR intermediate message. + Implications for stego as well as for legal proof + (difficulty of). As bits leave no fingerprints, the mere + presence of a particular XOR pad on a defendant's disk is + no proof that he put it there...the cops could have planted + the incriminating key, which turns "gi6E2lf7DX01jT$" into + "Dope is ready." (I see issues of "chain of evidence" + becoming even more critical, perhaps with use of + independent "timestamping authorities" to make hashes of + seized evidence--hashes in the cryptographic sense and not + hashes in the usual police sense.) +10.21.9. "What are the dangers of standardization and official + sanctioning?" + - The U.S. has had a disturbing tendency to standardize on + some technology and then punish deviations from the + standard. Examples: telephones, cable (franchises granted, + competitors excluded) + - Franchises, standards... + + My concern: Digital money will be blessed...home banking, + Microsoft, other banks, etc. The Treasury folks will sign + on, etc. + - Competitors will have a hard time, as government throws + roadblocks in front of them, as the U.S. makes + international deals with other countries, etc. +10.21.10. Restrictions on voice encryption? + + may arise for an ironic reason: people can use Net + connections to talk worldwide for $1 an hour or less, + rather than $1 a minute; this may cause telcos to clamor + for restrictions + - enforcing these restrictions then becomes problematic, + unless channel is monitored + - and if encrypted... +10.21.11. Fuzziness of laws + - It may seem surprising that a nation so enmeshed in + complicated legalese as the U.S., with more lawyers per + capita than any other large nation and with a legal code + that consists of hundreds of thousands of pages of + regulations and interpretations, is actually a nation with + a legal code that is hard to pin down. + - Any system with formal, rigid rules can be "gamed against" + be an adversary. The lawmakers know this, and so the laws + are kept fuzzy enough to thwart mechanistic gaming; this + doesn't stop there from being an army of lawyers (in fact, + it guarantees it). Some would say that the laws are kept + fuzzy to increase the power of lawmakers and regulators. + - "Bank regulations in this country are kept deliberately + somewhat vague. The regulator's word is the deciding + principle, not a detailed interpretation of statute. The + lines are fuzzy, and because they are fuzzy, the banks + don't press on them nearly as hard as when there's clear + statutory language available to be interpreted in a court. + + "The uncertainty in the regulatory environment _increases_ + the hold the regulators have over the banks. And the + regulators are known for being decidedly finicky. Their + decisions are largely not subject to appeal (except for the + flagrant stuff, which the regulators are smart enough not + to do too often), and there's no protection against cross- + linking issues. If a bank does something untoward in, say, + mortgage banking, they may find, say, their interstate + branching possibilities seem suddenly much dimmer. + + "The Dept. of Treasury doesn't want untraceable + transactions." [Eric Hughes, Cypherpunks list, 1994-8-03] + - Attempts to sneak around the laws, especially in the + context of alternative currencies, Perry Metzger notes: + "They are simply trying to stop you from playing games. The + law isn't like geometry -- there aren't axioms and rules + for deriving one thing from another. The general principle + is that they want to track all your transactions, and if + you make it difficult they will either use existing law to + jail you, or will produce a new law to try to do the same." + [Perry Metzger, 1994-08-10] + - This fuzziness and regulatory discretion is closely related + to those wacky schemes to avoid taxes by claiming , for + example, that the "dollar" is defined as 1/35th of an ounce + of gold (and that hence one's earnings in "real dollars" + are a tiny fraction of the ostensible earnings), that Ohio + did not legally enter the Union and thus the income tax was + never properly ratified,, etc. Lots of these theories have + been tested--and rejected. I mention this because some + Cypherpunks show signs of thinking "digital cash" offers + similar opportunities. (And I expect to see similar scams.) + - (A related example. Can one's accumulation of money be + taken out of the country? Depending on who you ask, "it + depends." Taking it out in your suitcase rasises all kind + of possibilies of seizure (violation of currency export + laws, money laundering, etc.). Wiring it out may invoke + FinCEN triggers. The IRS may claim it is "capital flight" + to avoid taxes--which it may well be. Basically, your own + money is no longer yours. There may be ways to do this--I + hope so--but the point remains that the rules are fuzzy, + and the discretionary powers to seize assets are great. + Seek competent counsel, and then pray.) +10.21.12. role of Uniform Commercial Code (UCC) + - not discussed in crypto circles much, but the "rules of the + road" + - in many way, an implementation of anarcho-capitalism, in + that the UCC is a descendant (modulo some details) of the + "Law Merchant" that handled relations between sovereign + powers, trade at sea, etc. + - things like electronic funds transfere, checks, liablities + for forged sigs, etc. + - I expect eventual UCC involvement in digital money schemes +10.21.13. "What about the rush to legislate, to pass laws about + cyberspace, the information superduperhighway, etc.? + + The U.S. Congress feels it has to "do something" about + things that many of us feel don't need regulation or "help" + from Congress. + - crypto legislation + - set-top boxes, cable access, National Information + Infrastructure (Cable Version) + - information access, parental lock-outs, violence ratings, + sexually explicit materials, etc. + - Related to the "do something!" mentality on National Health + Care, guns, violence, etc. + - Why not just not do anything? + + Scary possibilities being talked about: + + giving television sets unique IDs ("V chips") with cable + access through these chips + - tying national ID cards to these, e.g., Joe Citizen, of + Provo, Utah, would be "allowed" to view an NC-17 + violence-rated program + - This would be disastrous: records, surveillance, + dossiers, permission, centralization + - The "how can we fix it?" mindset is very damaging. Many + things just cannot be "fixed" by central planners....look + at economies for an example. The same is usually true of + technologies. +10.21.14. on use of offshore escrow agents as protection against + seizures + - contempt laws come into play, but the idea is to make + yourself powerless to alter the situation, and hence not + willfully disobeying the court + + Can also tell offshore agents what to do with files, and + when to release them + - Eric Hughes proposes: "One solution to this is to give + the passphrase (or other access information) to someone + who won't give it back to you if you are under duress, + investigation, court order, etc. One would desire that + this entity be in a jurisdiction other than where an + investigation might happen." [E.H., 1994-07-26] + - Sandy Sandfort adds: "Prior to seizure/theft, you would + make an arrangement with an offshore "escrow agent." + After seizure you would send your computer the + instruction that says, "encrypt my disk with the escrow + agents public key." After that, only the escrow agent + could decrypt your disk. Of course, the escrow agent + would only do that when conditions you had stipulated + were in effect." [S. S., 1994-07-27] + - related to data havens and offshore credit/P.I. havens +10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting + (or keys supplied to Feds) be a basis for similar legislation + of private networks and private use of encryption? + - this would seem to be impractical, given the growth of + cellular phones, wireless LANs, etc....can't very well + mandate that corporations broadcast their internal + communications in the clear! + - compression, packet-switching, and all kinds of other + "distortions" of the data...requiring transmissions to be + readable by government agencies would require providing the + government with maps (of where the packets are going), with + specific decompression algorithms, etc....very impractical +10.21.16. Things that could trigger a privacy flap or limitations on + crypto + - Anonymously publishing adoption records [suggested by Brian + Williams, 1994-08-22] + - nuclear weapons secrets (true secrets, not just the + titillating stuff that any bright physics student can + cobble together) + - repugant markets (assassinations, organ selling, etc.) +10.21.17. Pressures on civilians not to reveal crypto knowledge + + Example: mobile phone crypto standards. + - "This was the official line until a few months ago - that + A5 was strong and A5X a weakened export + version....However, once we got hold of A5 we found that + it was not particularly strong there is an easy 2^40 + attack. The government's line then changed to `you + mustn't discuss this in public because it would harm + British export sales'....Perhaps it was all a ploy to get + Saddam to buy A5 chips off some disreputable arms dealer + type. [Ross Anderson, "mobil phone in europe , a precedence?," sci.crypt, 1994-08-15] + - Now this example comes from Britain, where the + intelligence community has always had more lattitude than + in the U.S. (an Official Secrets Act, limits on the + press, no pesky Constitution to get in the way, and even + more of an old boy's network than we have in the U.S. + mil-industrial complex). + - And the threat by NSA officials to have Jim Bidzos, the + president of RSA Data Security, Inc., killed if he didn't + play ball. {"The Keys to the Kingdom," San Jose Mercury + News] +10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail + accounts and electronic PO boxes (has been talked about, + apparently...no details) + +11. Surveillance, Privacy, And Intelligence Agencies + +11.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +11.2. SUMMARY: Surveillance, Privacy, And Intelligence Agencies +11.2.1. Main Points +11.2.2. Connections to Other Sections +11.2.3. Where to Find Additional Information + - Bamford ("The Puzzle Palace"), Richelson (several books, + including "U.S. Intelligence Agencies"), Burrows ("Deep + Black," about the NRO and spy satellites), Covert Action + Quarterly +11.2.4. Miscellaneous Comments + +11.3. Surveillance and Privacy +11.3.1. We've come a long way from Secretary of State Stimpson's + famous "Gentlemen do not read other gentlemen's mail" + statement. It is now widely taken for granted that Americans + are to be monitored, surveilled, and even wiretapped by the + various intelligence agencies. The FBI, the National Security + Agency, the CIA, the National Reconnaissance Office, etc. + (Yes, these groups have various charters telling them who + they can spy on, what legalities they have to meet, etc. But + they still spy. And there's not an uproar--the "What have you + got to hide?" side of the American privacy dichotomy.) +11.3.2. Duncan Frissell reminds us of Justice Jackson's 1948 + dissenting opinion in some case: + - "The government could simplify criminal law enforcement by + requiring every citizen "to keep a diary that would show + where he was at all times, with whom he was, and what he + was up to." [D.F. 1994-09-06, from an article in the WSJ] + - (It should be noted that tracking devices--collars, + bracelets, implantable transmitters--exist and are in use + with prisoners. Some parents are even installing them in + children, it is rumored. A worry for the future?) +11.3.3. "What is the "surveillance state"?" + - the issue with crypto is the _centralization_ of + eavesdropping...much easier than planting bugs + + "Should some freedom be given up for security?" + + "Those who are willing to trade freedom for security + - deserve neither + + freedom nor security + - Ben Franklin + - the tradeoff is often illusory--police states result when + the trains are made to run on time + - "It's a bit ironic that the Administration is crying foul + so loudly + over the Soviet/Russian spy in the CIA -- as if this was + unfair -- + while they're openly proclaiming the right to spy on + citizens + and foreigners via Clipper." [Carl Ellison, 1994-02-23] + + Cameras are becoming ubiquitous + + cheap, integrated, new technologes + - SDI fisheye lens + - ATMs + - traffic, speed traps, street corners + - store security + - Barcodes--worst fear of all...and not plausible + + Automatic recognition is still lacking + - getting better, slowly + - neural nets, etc. (but these require training) +11.3.4. "Why would the government monitor _my_ communications?" + - "Because of economics and political stability....You can + build computers and monitoring devices in secret, deploy + them in secret, and listen to _everything_. To listen to + everything with bludgeons and pharmaceuticals would not + only cost more in labor and equipment, but also engender a + radicalizing backlash to an actual police state." [Eric + Hughes, 1994-01-26] + - Systems like Digital Telephony and Clipper make it much too + easy for governments to routinely monitor their citizens, + using automated technology that requires drastically less + human involvement than previous police states required. +11.3.5. "How much surveillance is actually being done today?" + + FBI and Law Enforcement Surveillance Activities + - the FBI kept records of meetings (between American + companies and Nazi interests), and may have used these + records during and after the war to pressure companies + + NSA and Security Agency Surveillance Activities + - collecting economic intelligence + - in WW2, Economic Warfare Council (which was renamed Board + of Economic Warfare) kept tabs on shipments of petroleum + and other products + + MINARET, code word for NSA "watch list" material + (intercepts) + - SIGINT OPERATION MINARET + - originally, watch list material was "TOP SECRET + HANDLE VIA COMINT CHANNELS ONLY UMBRA GAMMA" + + NSA targeting is done primarily via a list called + Intelligence Guidelines for COMINT Priorities (IGCP) + - committe made up of representatives from several + intelligence agencies + - intiated in around 1966 + + revelations following Pentagon Papers that national + security elsur had picked up private conversations (part + of the Papers) + - timing of PP was late 1963, early 1964...about time UB + was getting going + + F-3, the NSA's main antenna system for intercepting ASCII + transmissions from un-TEMPESTed terminals and PCs + - signals can be picked up through walls up to a foot + thick (or more, considering how such impulses bounce + around) + + Joint FBI/NSA Surveillance Activities + + Operation Shamrock was a tie between NSA and FBI + - since 1945, although there had been earlier intercepts, + too + - COINTELPRO, dissidents, radicals + + 8/0/45 Operation Shamrock begins + - a sub rosa effort to continue the monitoring + arrangements of WW II + - ITT Communications agreed to turn over all cables + + RCA Communications also turned over all cables + - even had an ex-Signal Corps officer as a VP to + handle the details + - direct hookups to RCA lines were made, for careful + monitoring by the ASA + - cables to and from corporations, law firms, + embassies, citizens were all kept + + 12/16/47 Meeting between Sosthenes Behn of ITT, + General Ingles of RCA, and Sec. of Defense James + Forrestal + - to discuss Operation Shamrock + - to arrange exemptions from prosecution + + 0/0/63 Operation Shamrock enters a new phase as RCA + Global switches to computerized operation + - coincident with Harvest at NSA + - and perfect for start of UB/Severn operations + + 1/6/67 Hoover officially terminates "black bag" + operations + - concerned about blowback + - had previously helped NSA by stealing codes, ciphers, + decrypted traffic, planting bugs on phone lines, etc. + - from embassies, corporations + - unclear as to whether these operations continued + anyway + + Plot Twist: may have been the motivation for NSA and + UB/Severn to pursue other avenues, such as the use of + criminals as cutouts + - and is parallel to "Plumbers Unit" used by White + House + + 10/1/73 AG Elliot Richardson orders FBI and SS to + stop requesting NSA surveillance material + - NSA agreed to stop providing this, but didn't tell + Richardson about Shamrock or Minaret + - however, events of this year (1973) marked the end of + Minaret + + 3/4/77 Justice Dept. recommends against prosecution + of any NSA or FBI personnel over Operations Shamrock + and Minaret + - decided that NSCID No. 9 (aka No. 6) gave NSA + sufficient leeway + - 5/15/75 Operation Shamrock officially terminated + - and Minaret, of course + + Operation Shamrock-Details + + 8/0/45 Operation Shamrock begins + - a sub rosa effort to continue the monitoring + arrangements of WW II + - ITT Communications agreed to turn over all cables + + RCA Communications also turned over all cables + - even had an ex-Signal Corps officer as a VP to + handle the details + - direct hookups to RCA lines were made, for careful + monitoring by the ASA + - cables to and from corporations, law firms, + embassies, citizens were all kept + + 12/16/47 Meeting between Sosthenes Behn of ITT, + General Ingles of RCA, and Sec. of Defense James + Forrestal + - to discuss Operation Shamrock + - to arrange exemptions from prosecution + + 0/0/63 Operation Shamrock enters a new phase as RCA + Global switches to computerized operation + - coincident with Harvest at NSA + - and perfect for start of UB/Severn operations + + 8/18/66 (Thursday) New analysis site in New York for + Operation Shamrock + + Louis Tordella meets with CIA Dep. Dir. of Plans and + arranges to set up a new listening post for analysis + of the tapes from RCA and ITT (that had been being + shipped to NSA and then back) + - Tordella was later involved in setting up the watch + list in 1970 for the BNDD, (Operation Minaret) + - LPMEDLEY was code name, of a television tape + processing shop (reminiscent of "Man from U.N.C.L.E." + - but NSA had too move away later + - 5/15/75 Operation Shamrock officially terminated + + 10/1/73 AG Elliot Richardson orders FBI and SS to + stop requesting NSA surveillance material + - NSA agreed to stop providing this, but didn't tell + Richardson about Shamrock or Minaret + - however, events of this year (1973) marked the end of + Minaret + - Abzug committee prompted by New York Daily News report, + 7/22/75, that NSA and FBI had been monitoring + commercial cable traffic (Operation Shamrock) + + 6/30/76 175 page report on Justice Dept. + investigation of Shamrock and Minaret + - only 2 copies prepared, classified TOP SECRET UMBRA, + HANDLE VIA COMINT CHANNELS ONLY + + 3/4/77 Justice Dept. recommends against prosecution + of any NSA or FBI personnel over Operations Shamrock + and Minaret + - decided that NSCID No. 9 (aka No. 6) gave NSA + sufficient leeway + + the NSA program, begun in August 1945, to monitor all + telegrams entering or leaving the U.S. + - reminiscent of Yardley's arrangements in the 1920s + (and probably some others) + - known only to Louis Tordella and agents involved + - compartmentalization + + Plot Links of Operation Shamrock to Operation Ultra + Black + - many links, from secrecy, compartmentalization, and + illegality to the methods used and the subversion of + government power + - "Shamrock was blown...Ultra Black burrowed even + deeper." + + NSA, FBI, and surveillance of Cuban sympathizers + - "watch list" used + - were there links to Meyer Lansky and Trafficante via + the JFK-Mafia connection? + - various Watergate break-in connections (Cubans used) + - Hoover ended black-bag operations in 1967-8 + + NSA, FBI, and Dissenters (COINTELPRO-type activities) + + 10/20/67 NSA is asked to begin collecting information + related to civil disturbances, war protesters, etc. + - Army Intelligence, Secret Service, CIA, FBI, DIA were + all involved + - arguably, this continues (given the success of FBI + and Secret Service in heading off major acts of + terrorism and attempted assassinations) + + Huston Plan and Related Plans (1970-71) + - 7/19/66 Hoover unofficially terminates black bag + operations + + 1/6/67 Hoover officially terminates black bag + operations + - fearing blowback, concerned about his place in + history + + 6/20/69 Tom C. Huston recommends increased + intelligence activity on dissent + - memo to NSA, CIA, DIA, FBI + - this later becomes basis of Huston Plan + + 6/5/70 Meeting at White House to prepare for Huston + Plan; Interagency Committee on Intelligence (Ad Hoc), + ICI + - Nixon, Huston, Ehrlichman, Haldeman, Noel Gayler of + NSA. Richard Helms of CIA, J. Edgar Hoover of FBI, + Donald V. Bennett of DIA + - William Sullivan of FBI named to head ICI + + NSA enthusiastically supported ICI + - PROD named Benson Buffham as liaison + - sought increased surreptitious entries and + elimination of legal restrictions on domestic + surveillance (not that they had felt bound by + legalisms) + - recipients to be on "Bigot List" and with even more + security than traditional TOP SECRET, HANDLE VIA + COMINT CHANNELS ONLY + - + + 7/23/70 Huston Plan circulated + - 43 pages, entitled Domestic Intelligence Gathering + Plan: Analysis and Stategy + - urged increased surreptitious entries (for codes, + ciphers, plans, membership lists) + - targeting of embassies + + 7/27/70 Huston Plan cancelled + - pressure by Attorney General John Mitchell + - and perhaps by Hoover + - Huston demoted; he resigned a year later + - but the Plan was not really dead...perhaps Huston's + mistake was in being young and vocal and making the + report too visible and not deniable enough + + 12/3/70 Intelligence Evaluation Committee (IEC) meets + (Son-of-Huston Plan) + - John Dean arranged it in fall of '70 + - Robert C. Mardian, Assistant AG for Internal Security + headed up the IEC + - Benson Buffham of NSA/PROD, James Jesus Angleton of + CIA, George Moore from FBI, Col. John Downie from DOD + - essentially adopted all of Huston Plan + + 1/26/71 NSA issues NSA Contribution to Domestic + Intelligence (as part of IEC) + - increased scope of surveillance related to drugs (via + BNDD and FBI), foreign nationals + - "no indication of origin" on generated material + - full compartmentalization, NSA to ensure compliance + + 8/4/71 G. Gordon Liddy attends IEC meeting, to get + them to investigate leaks of Pentagon Papers + - channel from NSA/PROD to Plumber's Unit in White + House, bypassing other agencies + + 6/7/73 New York Times reveals details of Huston Plan + - full text published + - trials of Weatherman jeopardized and ultimately + derailed it + + 10/1/73 AG Elliot Richardson orders FBI and SS to + stop requesting NSA surveillance material + - NSA agreed to stop providing this, but didn't tell + Richardson about Shamrock or Minaret + - however, events of this year (1973) marked the end of + Minaret + + FINCEN, IRS, and Other Economic Surveillance + - set up in Arlington as a group to monitor the flows of + money and information + + eventually these groups will see the need to actively + hack into computer systems used by various groups that + are under investigation + - ties to the death of Alan Standorf? (Vint Hill) + - Casolaro, Riconosciutto +11.3.6. "Does the government want to monitor economic transactions?" + - Incontrovertibly, they _want_ to. Whether they have actual + plans to do so is more debatable. The Clipper and Digital + Telephony proposals are but two of the indications they + have great plans laid to ensure their surveillance + capabilities are maintained and extended. + - The government will get increasingly panicky as more Net + commerce develops, as trade moves offshore, and as + encryption spreads. +11.3.7. A danger of the surveillance society: You can't hide + - seldom discussed as a concern + - no escape valve, no place for those who made mistakes to + escape to + - (historically, this is a way for criminals to get back on a + better track--if a digital identity means their record + forever follows them, this may...) + + A growing problem in America and other "democratic" + countries is the tendency to make mandatory what were once + voluntary choices. For example, fingerprinting children to + help in kidnapping cases may be a reasonable thing to do + voluntarily, but some school districts are planning to make + it mandatory. + - This is all part of the "Let's pass a law" mentality. +11.3.8. "Should I refuse to give my Social Security Number to those + who ask for it?" + - It's a bit off of crypto, but the question does keep coming + up on the Cypherpunks list. + - Actually, they don't even need to ask for it + anymore....it's attached to so many _other_ things that pop + up when they enter your name that it's a moot point. In + other words, the same dossiers that allow the credit card + companies to send you "preapproved credit cards" every few + days are the same dossiers that MCI, Sprint, AT&T, etc. are + using to sign you up. +11.3.9. "What is 'Privacy 101'?" + - I couldn't think of a better way to introduce the topic of + how individuals can protect their privacy, avoid + interference by the government, and (perhaps) avoid taxes. + - Duncan Frissell and Sandy Sandfort have given out a lot of + tips on this, some of them just plain common sense, some of + them more arcane. + + They are conducting a seminar, entitled "PRIVACY 101" and + the archives of this are available by Web at: + - http://www.iquest.com/~fairgate/privacy/index.html +11.3.10. Cellular phones are trackable by region...people are getting + phone calls as they cross into new zones, "welcoming" them + - but it implies that their position is already being tracked +11.3.11. Ubiquitous use of SSNs and other personal I.D. +11.3.12. cameras that can recognize faces are placed in many public + places, e.g., airports, ports of entry, government buildings + - and even in some private places, e.g., casinos, stores that + have had problems with certain customers, banks that face + robberies, etc. +11.3.13. speculation (for the paranoids) + - covert surveillance by noninvasive detection + methods...positron emission tomography to see what part of + the brain is active (think of the paranoia possibility!) + - typically needs special compounds, but... +11.3.14. Diaries are no longer private + + can be opened under several conditions + - subpoena in trial + - discovery in various court cases, including divorce, + custody, libel, etc. + - business dealings + - psychiatrists (under Tarasoff ruling) can have records + opened; whatever one may think of the need for crimes + confessed to shrinks to be reported, this is certainly a + new era + - Packwood diary case establishes the trend: diaries are no + longer sacrosanct + - An implication for crypto and Cypherpunks topics is that + diaries and similar records may be stored in encrypted + forms, or located in offshore locations. There may be more + and more use of offshore or encrypted records. + +11.4. U.S. Intelligence Agencies: NSA, FinCEN, CIA, DIA, NRO, FBI +11.4.1. The focus here is on U.S. agencies, for various reasons. Most + Cypherpunks are currently Americans, the NSA has a dominant + role in surveillance technology, and the U.S. is the focus of + most current crypto debate. (Britain has the GCHQ, Canada has + its own SIGINT group, the Dutch have...., France has DGSE and + so forth, and...) +11.4.2. Technically, not all are equal. And some may quibble with my + calling the FBI an "intelligence agency." All have + surveillance and monitoring functions, albeit of different + flavors. +11.4.3. "Is the NSA involved in domestic surveillance?" + + Not completely confirmed, but much evidence that the answer + is "yes": + * previous domestic surveillance (Operation Shamrock, + telegraphs, ITT, collusion with FBI, etc.) + * reciprocal arrangements with GCHQ (U.K.) + * arrangements on Indian reservations for microwave + intercepts + * the general technology allows it (SIGINT, phone lines) + * the National Security Act of 1947, and later + clarifications and Executive Orders, makes it likely + - And the push for Digital Telephony. +11.4.4. "What will be the effects of widespread crypto use on + intelligence collection?" + - Read Bamford for some stuff on how the NSA intercepts + overseas communications, how they sold deliberately- + crippled crypto machines to Third World nations, and how + much they fear the spread of strong, essentially + unbreakable crypto. "The Puzzle Palace" was published in + 1982...things have only gotten worse in this regard since. + - Statements from senior intelligence officials reflect this + concern. + - Digital dead drops will change the whole espionage game. + Information markets, data havens, untraceable e-mail...all + of these things will have a profound effect on national + security issues. + - I expect folks like Tom Clancy to be writing novels about + how U.S. national security interests are being threatened + by "unbreakable crypto." (I like some Clancy novels, but + there's no denying he is a right-winger who's openly + critical of social trends, and that he believes druggies + should be killed, the government is necessary to ward off + evil, and ordinary citizens ought not to have tools the + government can't overcome.) +11.4.5. "What will the effects of crypto on conventional espionage?" + - Massive effects; watch out for this to be cited as a reason + to ban or restrict crypto--however pointless that may be. + + Effects: + - information markets, a la BlackNet + - digital dead drops -- why use Coke cans near oak trees + when you can put messages into files and post them + worldwide, with untraceably? (but, importantly, with a + digital signature!) + - transparency of borders + - arms trade, arms deals + - virus, weaponry +11.4.6. NSA budget + - $27 billion over 6 years, give or take + - may actually increase, despite end of Cold War + - new threats, smaller states, spread of nukes, concerns + about trade, money-laundering, etc. + - first rule of bureaucracies: they always get bigger + + NSA-Cray Computer supercomputer + + press release, 1994-08-17, gives some clues about the + capabilities sought by the surveillance state + - "The Cray-3/SSS will be a hybrid system capable of + vector parallel processing, scalable parallel + processing and a combination of both. The system will + consist of a dual processor 256 million word Cray-3 and + a 512,000 processor 128 million byte single instruction + multiple data (SIMD) array......SIMD arrays of one + million processors are expected to be possible using + the current version of the Processor-In-Memory (PIM) + chips developed by the Supercomputing Research Center + once the development project is completed. The PIM chip + contains 64 single-bit processors and 128 kilobyte bits + of memory. Cray Computer will package PIM chips + utilizing its advanced multiple chip module packaging + technology. The chips are manufactured by National + Semiconductor Corporation." + - This is probably the supercomputer described in the + Gunter Ahrendt report +11.4.7. FINCEN, IRS, and Other Economic Surveillance + - Financial Crimes Enforcement Network, a consortium or task + force made up of DEA, DOJ, FBI, CIA, DIA, NSA, IRS, etc. + - set up in Arlington as a group to monitor the flows of + money and information + - eventually these groups will see the need to hack into + computer systems used by various groups that are under + investigation + - Cf. "Wired," either November or December, 1993 +11.4.8. "Why are so many computer service, telecom, and credit agency + companies located near U.S. intelligence agency sites?" + + For example, the cluster of telecom and credit reporting + agencies (TRW Credit, Transunion, etc.) in and around the + McLean/Langley area of Northern Virginia (including + Herndon, Vienna, Tyson's Corner, Chantilly, etc.) + - same thing for, as I recall, various computer network + providers, such as UUCP (or whatever), America Online, + etc. + - The least conspiratorial view: because all are located near + Washington, D.C., for various regulatory, lobbying, etc. + reasons + + The most conspiratorial view: to ensure that the + intelligence agencies have easy access to communications, + direct landlines, etc. + - credit reporting agencies need to clear identities that + are fabricated for the intelligence agencies, WitSec, + etc. (the three major credit agencies have to be + complicit in these creations, as the "ghosts" show up + immediately when past records are cross-correlated) + - As Paul Ferguson, Cypherpunk and manager at US Sprint, + puts it: "We're located in Herndon, Virginia, right + across the street from Dulles Airport and a hop, skip & + jump down the street from the new NRO office. ,-)" + [P.F., 1994-08-18] +11.4.9. Task Force 157, ONI, Kissinger, Castle Bank, Nugan Hand Bank, + CIA +11.4.10. NRO building controversy + - and an agency I hadn't seen listed until August, 1994: "The + Central Imagery Office" +11.4.11. SIGINT listening posts + + possible monkeywrenching? + - probably too hard, even for an EMP bomb (non-nuclear, + that is) +11.4.12. "What steps is the NSA taking?" + * besides death threats against Jim Bidzos, that is + * Clipper a plan to drive competitors out (pricing, export + laws, harassment) + * cooperation with other intelligence agencies, other nations + - New World Order + * death threats were likely just a case of bullying...but + could conceivably be part of a campaign of terror--to shut + up critics or at least cause them to hesitate + +11.5. Surveillance in Other Countries +11.5.1. Partly this overlaps on the earlier discussion of crypto laws + in other countries. +11.5.2. Major Non-U.S. Surveillance Organizations + + BnD -- Bundesnachrichtendienst + - German security service + - BND is seeking constitutional amendment, buy may not need + it, as the mere call for it told everyone what is already + existing + - "vacuum cleaner in the ether" + - Gehlen...Eastern Front Intelligence + - Pullach, outside Munchen + - they have always tried to get the approval to do domestic + spying...a key to power + + Bundeskriminalamt (BKA) -- W. German FBI + - HQ is at Wiesbaden + - bomb blew up there when being examined, killing an + officer (related to Pan Am/Lockerbie/PFLP-GC) + - sign has double black eagles (back to back) + - BVD -- Binnenlandse Veiligheids Dienst, Dutch Internal + Security Service + + SDECE + - French intelligence (foreign intelligence), linked to + Greepeace ship bombing in New Zealand? + - SDECE had links to the October Surprise, as some French + agents were in on the negotiations, the arms shipments + out of Marseilles and Toulon, and in meetings with + Russbacher and the others + - DST, Direction de la Surveillance du Territoire, + counterespionage arm of France (parallel to FBI) + + DSGE, Direction GŽnŽrale de la SŽcuritŽ ExtŽriere + - provides draft deferments for those who deliver stolen + information + + Sweden, Forsvarets Radioanstalt ("Radio Agency of the + Defense") + - cracked German communications between occupied Norway and + occupied Denmark + - Beurling, with paper and pencil only + + Mossad, LAKAM, Israel + + HQ in Tel Aviv, near HQ of AMAN, military intelligence + - doesn't HQ move around a lot? + - LAKAM (sp?), a supersecret Israeli intelligence + agency...was shown the PROMIS software in 1983 + + learned of the Pakistani success in building an atom bomb + and took action against the Pakistani leadership: + destruction of the plane carrying the President (Zia?) + and some U.S. experts + - Mossad knew of DIA and CIA involvement in BCCI + financing of Pakistani atom bomb efforts (and links to + other arms dealers that allowed triggers and the like + to reach Pakistan) + - revelations by Vanunu were designed to scare the Arab and + Muslim world-and to send a signal that the killing of + President Zia was to be the fate of any Pakistani leader + who continued the program +11.5.3. They are very active, though they get less publicity than do + the American CIA, NSA, FBI, etc. + +11.6. Surveillance Methods and Technology +11.6.1. (some of this gets speculative and so may not be to + everyone's liking) +11.6.2. "What is TEMPEST and what's the importance of it?" + - TEMPEST apprarently stands for nothing, and hence is not an + acronym, just a name. The all caps is the standard + spelling. + - RF emission, a set of specs for complying + - Van Eyck (or Van Eck?) radiation + + Mostly CRTs are the concern, but also LCD panels and the + internal circuitry of the PCs, workstations, or terminals. + - "Many LCD screens can be read at a distance. The signal + is not as strong as that from the worst vdus, but it is + still considerable. I have demonstrated attacks on Zenith + laptops at 10 metres or so with an ESL 400 monitoring + receiver and a 4m dipole antenna; with a more modern + receiver, a directional antenna and a quiet RF + environment there is no reason why 100 metres should be + impossible." [Ross Anderson, Tempest Attacks on Notebook + Computers ???, comp.security.misc, 1994-08-31] +11.6.3. What are some of the New Technologies for Espionage and + Surveillance + + Bugs + + NSA and CIA have developed new levels of miniaturized + bugs + - e.g., passive systems that only dribble out intercepted + material when interrogated (e.g., when no bug sweeps + are underway) + - many of these new bugging technologies were used in the + John Gotti case in New York...the end of the Cold War + meant that many of these technologies became available + for use by the non-defense side + - the use of such bugging technology is a frightening + development: conversations can be heard inside sealed + houses from across streets, and all that will be + required is an obligatory warrant + + DRAM storage of compressed speech...6-bit companded, + frequency-limited, so that 1 sec of speech takes + 50Kbits, or 10K when compressed, for a total of 36 Mbits + per hour-this will fit on a single chip + - readout can be done from a "mothership" module (a + larger bug that sits in some more secure location) + - or via tight-beam lasers + + Bugs are Mobile + - can crawl up walls, using the MIT-built technology for + microrobots + - some can even fly for short distances (a few klicks) + + Wiretaps + - so many approaches here + - phone switches are almost totally digital (a la ESS IV) + - again, software hacks to allow wiretaps + + Vans equipped to eavesdrop on PCs and networks + + TEMPEST systems + + technology is somewhat restricted, companies doing this + work are under limitations not to ship to some + customers + - no laws against shielding, of course + - these vans are justified for the "war on drugs" and + weapons proliferation controle efforts (N.E.S.T., anti- + Iraq, etc.) + + Long-distance listening + - parabolic reflectors, noise cancellation (from any off- + axis sources), high gain amplification, phoneme analysis + - neural nets that learn the speech patterns and so can + improve clarity + + lip-reading + - with electronically stabilized CCD imagers, 3000mm lenses + - neural net-based lip-reading programs, with learning + systems capable of improving performance + - for those in sensitive positions, the availability of new + bugging methods will accelerate the conversion to secure + systems based on encrypted telecommunications and the + avoidance of voice-based systems +11.6.4. Digital Telephony II is a major step toward easier + surveillance +11.6.5. Citizen tracking + + the governments of the world would obviously like to trace + the movements, or at least the major movements, of their + subjects + - makes black markets a bit more difficult + - surfaces terrorists, illegal immigrants, etc. (not + perfectly) + + allows tracking of "sex offenders" + - who often have to register with the local police, + announce to their neighbors their previous crimes, and + generally wear a scarlet letter at all times--I'm not + defending rapists and child molesters, just noting the + dangerous precedent this is setting + - because its the nature of bureaucracies to want to know + where "their" subjects are (dossier society = accounting + society...records are paramount) + + Bill Stewart has pointed out that the national health care + systems, and the issuance of social security numbers to + children, represent a way to track the movements of + children, through hospital visits, schools, etc. Maybe even + random check points at places where children gather (malls, + schools, playgrounds, opium dens, etc.) + - children in such places are presumed to have lesser + rights, hence... + - this could all be used to track down kidnapped children, + non-custodial parents, etc. + - this could be a wedge in the door: as the children age, + the system is already in place to continue the tracking + (about the right timetable, too...start the systme this + decade and by 2010 or 2020, nearly everybody will be in + it) + - (A true paranoid would link these ideas to the child + photos many schools are requring, many local police + departments are officially assisting with, etc. A dossier + society needs mug shots on all the perps.) + - These are all reasons why governments will continue to push + for identity systems and will seek to derail efforts at + providing anonymity + + Surveillance and Personnel Identification + + cameras that can recognize faces are placed in many + public places, e.g., airports, ports of entry, government + buildings + - and even in some private places, e.g., casinos, stores + that have had problems with certain customers, banks + that face robberies, etc. + + "suspicious movements detectors" + + cameras that track movements, loitering, eye contact + with other patrons + + neural nets used to classify behvaiors + - legal standing not needed, as these systems are + used only to trigger further surveillance, not to + prove guilt in a court of law + - example: banks have cameras, by 1998, that can + identify potential bank robbers + - camera images are sent to a central monitoring + facility, so the usual ploy of stopping the silent + alarm won't work + - airports and train stations (fears of terrorists), + other public places +11.6.6. Cellular phones are trackable by region...people are getting + phone calls as they cross into new zones, "welcoming" them + - but it implies that their position is already being tracked +11.6.7. coming surveillance, Van Eck, piracy, vans + - An interesting sign of things to come is provided in this + tale from a list member: "In Britain we have 'TV detector + Vans'. These are to detect licence evaders (you need to pay + an annual licence for the BBC channels). They are provided + by the Department of Trade and Industry. They use something + like a small minibus and use Van Eck principles. They have + two steerable detectors on the van roof so they can + triangulate. But TV shops have to notify the Government of + buyers - so that is the basic way in which licence evaders + are detected. ... I read of a case on a bulletin board + where someone did not have a TV but used a PC. He got a + knock on the door. They said he appeared to have a TV but + they could not make out what channel he was watching! + [Martin Spellman, , 1994- + 0703] + - This kind of surveillance is likely to become more and more + common, and raises serious questions about what _other_ + information they'll look for. Perhaps the software piracy + enforcers (Software Publishers Association) will look for + illegal copies of Microsoft Word or SimCity! (This area + needs more discussion, obviously.) +11.6.8. wiretaps + - supposed to notify targets within 90 days, unless extended + by a judge + - Foreign Intelligence Surveillance Act cases are exempt from + this (it is likely that Cypherpunks wiretapped, if they + have been, for crypto activities fall under this + case...foreigners, borders being crossed, national security + implications, etc. are all plausible reasons, under the + Act) + +11.7. Surveillance Targets +11.7.1. Things the Government May Monitor + - besides the obvious things like diplomatic cable traffic, + phone calls from and to suspected terrorists and criminals, + etc. + + links between Congressmen and foreign embassies + - claims in NYT (c. 9-19-91) that CIA had files on + Congressmen opposing aid to Contras + + Grow lamps for marijuana cultivation + - raids on hydroponic supply houses and seizure of mailing + lists + - records of postings to alt.drugs and alt.psychoactive + - vitamin buyers clubs + + Energy consumption + - to spot use of grow lamps + + but also might be refined to spot illegal aliens being + sheltered or any other household energy consumption + "inconsistent with reported uses" + - same for water, sewage, etc. + + raw chemicals + - as with monitors on ammonium nitrate and other bomb + materials + - or feedstock for cocaine production (recall various + seizures of shipments of chemicals to Latin America) + - checkout of books, a la FBI's "Library Awareness Program" + of around 1986 or so + - attendance at key conferences, such as Hackers Conference + (could have scenes involving this), Computer Security + Conference +11.7.2. Economic Intelligence (Spying on Corporations, Foreign and + Domestic) + + "Does the NSA use economic intelligence data obtained in + intercepts?" + - Some of us speculate that this is so, that this has been + going on since the 1960s at least. For example, Bamford + noted in 1982 that the NSA had foreknowledge of the plans + by the British to devalue the pound in the late 1970s, + and knowledge of various corporate plans. + - The NSA clears codes used by the CIA, so it seem + impossible for the NSA not to have known about CIA drug + smuggling activities. The NSA is very circumspect, + however, and rarely (or never) comments. + + there have been calls for the government to somehow help + American business and overall competitiveness by "levelling + the playing field" via espionage + - especially as the perceived threat of the Soviet bloc + diminishes and as the perceived threat of Japan and + Germany increases + - leaders of the NSA and CIA have even talked openly about + turning to economic surveillance + + Problems with this proposal: + - illegal + - unethical + + who gets the intelligence information? Does NSA just call + up Apple and say "We've intercepted some message from + Taiwan that describe their plans for factories. Are you + interested?" + - the U.S. situation differs from Japan and MITI (which + is often portrayed as the model for how this ought to + work) in that we have many companies with little or no + history of obeying government recommendations + + and foreign countries will likely learn of this espionage + and take appropriate measures + - e.g., by increasing encryption +11.7.3. War on Drugs and Money Laundering is Causing Increase in + Surveillance and Monitoring + - monitoring flows of capital, cash transactions, etc. + - cooperation with Interpol, foreign governments, even the + Soviets and KGB (or whatever becomes of them) + - new radar systems are monitoring light aircraft, boats, + etc. + +11.8. Legal Issues +11.8.1. "Can my boss monitor my work?" "Can my bankruptcy in 1980 be + used to deny me a loan?" etc. + - Libertarians have a very different set of answers than do + many others: the answer to all these questions is mostly + "yes," morally (sorry for the normative view). +11.8.2. Theme: to protect some rights, invasion of privacy is being + justified + - e.g., by forcing employer records to be turned over, or of + seizing video rental records (on the grounds of catching + sexual deviants) + - various laws about employee monitoring +11.8.3. Government ID cards, ability to fake identities + - The government uses its powers to forge credentials, with + the collusion of the major credit agencies (who obviously + see these fake identities "pop into existence full-blown." + - WitSec, FINCen, false IDs, ties to credit card companies + - DEA stings, Heidi in La Jolla, Tava, fake tax returns, fake + bank applications, fake IDs + - the "above it all" attitude is typical of this...who guards + the guardians? + - WitSec, duplicity +11.8.4. Legalities of NSA surveillance + - read Bamford for some circa 1982 poinra + - UK-USA + - ECPA + - national security exemptions + - lots of confusion; however, the laws have never had any + real influence, and I cannot imagine the NSA being sued! + +11.9. Dossiers and Data Bases +11.9.1. "The dossier never forgets" + + any transgressions of any law in any country can be stored + indefinitely, exposing the transgressor to arrest and + detention anytime he enters a country with such a record on + him + - (This came up with regard to the British having quaint + ideas about computer security, hacking, and data privacy; + it is quite possible that an American passing through + London could be detained for some obscure violation years + in the past.) + - this is especially worrisome in a society in which legal + codes fill entire rooms and in which nearly every day + produces some violation of some law +11.9.2. "What about the privacy issues with home shopping, set-top + boxes, advertisers, and the NII?" + - Do we want our preferences in toothpaste fed into databases + so that advertisers can target us? Or that our food + purchases be correlated and analyzed by the government to + spot violations of the Dietary Health Act? + - First, laws which tell people what records they are + "allowed" to keep are wrong-headed, and lead to police + state inspections of disk drives, etc. The so-called "Data + Privacy" laws of several European nations are a nightmare. + Strong crypto makes them moot. + - Second, it is mostly up to people to protect what they want + protected, not to pass laws demanding that others protect + it for them. + - In practice, this means either use cash or make + arrangements with banks and credit card companies that will + protect privacy. Determining if they have or not is another + issue, but various ideas suggest themselves (John Gilmore + says he often joins groups under variants of his name, to + see who is selling his name to mailing lists.) + - Absent any laws which forbid them, privacy-preserving + credit card companies will likely spring up if there's a + market demand. Digital cash is an example. Other variants + abound. Cypherpunks should not allow such alternatives to + be banned, and should of course work on their own such + systems. +11.9.3. credit agencies + - TRW Credit, Transunion, Equifax + - links to WitSec +11.9.4. selling of data bases, linking of records... + - several states have admitted to selling their driver's + license data bases + +11.10. Police States and Informants +11.10.1. Police states need a sense of terror to help magnify the + power or the state, a kind of "shrechlichkeit," as the Nazis + used to call it. And lots of informants. Police states need + willing accomplices to turn in their neighbors, or even their + parents, just as little Pavel Morozov became a Hero of the + Soviet People by sending his parents to their deaths in + Stalin's labor camps for the crime of expressing negative + opinions about the glorious State. + - (The canonization of Pavel Morozov was recently repudiated + by current Russian leaders--maybe even by the late-Soviet + era leades, like Gorbachev--who pointed out the corrosive + effects of encouraging families to narc on each + other...something the U.S. has forgotten...will it be 50 + years before our leaders admit that having children turn in + Daddy for using "illegal crypto" was not such a good idea?) +11.10.2. Children are encouraged in federally-mandated D.A.R.E. + programs to become Junior Narcs, narcing their parents out to + the cops and counselors who come into their schools. +11.10.3. The BATF has a toll-free line (800-ATF-GUNS) for snitching on + neighbors who one thinks are violating the federal gun laws. + (Reports are this is backfiring, as gun owners call the + number to report on local liberal politicians and gun- + grabbers.) +11.10.4. Some country we live in, eh? (Apologies to non-U.S. readers, + as always.) +11.10.5. The implications for use of crypto, for not trusting others, + etc., are clear +11.10.6. Dangers of informants + + more than half of all IRS prosecutions arise out of tips by + spouses and ex-spouses...they have the inside dope, the + motive, and the means + - a sobering thought even in the age of crypto + + the U.S. is increasing a society of narcs and stool + pigeons, with "CIs" (confidential informants), protected + witnesses (with phony IDs and lavish lifestyles), and with + all sorts of vague threats and promises + - in a system with tens of thousands of laws, nearly all + behavior breaks at least some laws, often unavoidably, + and hence a powerful sword hangs over everyone's head + - corrosion of trust, especially within families (DARE + program in schools encourages children to narc on their + parents who are "substance abusers"!) + +11.11. Privacy Laws +11.11.1. Will proposed privacy laws have an effect? + + I suspect just the opposite: the tangled web of laws-part + of the totalitarian freezeout-will "marginalize" more + people and cause them to seek ways to protect their own + privacy and protect themselves from sanctions over their + actions + + free speech vs. torts, SLAPP suits, sedition charges, + illegal research, etc. + - free speech is vanishing under a torrent of laws, + licensing requirements, and even zoning rules + + outlawing of work on drugs, medical procedures, etc. + - against the law to disseminate information on drug use + (MDMA case at Stanford), on certain kinds of birth + control + - "If encrytion is outlawed, only outlaws will have + encryption." + + privacy laws are already causing encryption ("file + protection") to be mandatory in many cases, as with medical + records, transmission of sensitive files, etc. + - by itself this is not in conflict with the government + requirement for tappable access, but the practical + implementation of a two-tier system-secure against + civilian tappers but readable by national security + tappers-is a nightmare and is likely impossible to + achieve +11.11.2. "Why are things like the "Data Privacy Laws" so bad?" + - Most European countries have laws that limit the collection + of computerized records, dossiers, etc., except for + approved uses (and the governments themselves and their + agents). + - Americans have no such laws. I've heard calls for this, + which I think is too bad. + - While we may not like the idea of others compiling dossiers + on us, stopping them is an even worse situation. It gives + the state the power to enter businesses, homes, and examine + computers (else it is completely unenforceable). It creates + ludicrous situations in which, say, someone making up a + computerized list of their phone contacts is compiling an + illegal database! It makes e-mail a crime (those records + that are kept). + - they are themselves major invasions of privacy + - are you going to put me in jail because I have data bases + of e-mail, Usenet posts, etc.? + - In my opinion, advocates of "privacy" are often confused + about this issue, and fail to realize that laws about + privacy often take away the privacy rights of _others_. + (Rights are rarely in conflict--contract plus self-privacy + take care of 99% of situations where rights are purported + to be in conflict.) +11.11.3. on the various "data privacy laws" + - many countries have adopted these data privacy laws, + involving restrictions on the records that can be kept, the + registration of things like mailing lists, and heavy + penalties for those found keeping computer files deemed + impermissable + - this leads to invasions of privacy....this very Cypherpunks + list would have to be "approved" by a bureaucrat in many + countries...the oportunites (and inevitabilities) of abuse + are obvious + - "There is a central contradiction running through the + dabase regulations proposed by many so-called "privacy + advocates". To be enforceable they require massive + government snooping into database activities on our + workstatins and PCs, especially the activities of many + small at-home businesses (such as mailing list + entrepreneurs who often work out of the home). + + "Thus, the upshot of these so-called "privacy" regulations + is to destroy our last shreds of privacy against + government, and calm us into blindly letting even more of + the details of our personal lives into the mainframes of + the major government agencies and credit reporting + agenices, who if they aren't explicitly excepted from the + privacy laws (as is common) can simply evade them by using + offshore havesn, mutual agreements with foreign + investigators, police and intelligence agencies." [Jim + Hart, 1994-09-08] +11.11.4. "What do Cypherpunks think about this?" + + divided minds...while no one likes being monitored, the + question is how far one can go to stop others from being + monitored + - "Data Privacy Laws" as a bad example: tramples on freedom + to write, to keep one's computer private +11.11.5. Assertions to data bases need to be checked (credit, + reputation, who said what, etc.) + - if I merely assert that Joe Blow no longer is employed, and + this spreads... + +11.12. National ID Systems +11.12.1. "National ID cards are just the driver's licenses on the + Information Superhighway." [unknown...may have been my + coining] +11.12.2. "What's the concern?" +11.12.3. Insurance and National Health Care will Produce the "National + ID" that will be Nearly Unescapable + - hospitals and doctors will have to have the card...cash + payments will evoke suspicion and may not even be feasible +11.12.4. National ID Card Arguments + - "worker's permit" (another proposal, 1994-08, that would + call for a national card authorizing work permission) + - immigration, benefit + - possible tie-in to the system being proposed by the US + Postal Service: a registry of public keys (will they also + "issue" the private-public key pair?) + - software key escrow and related ideas + - "I doubt that one would only have to "flash" your card and + be on your way. More correctly, one would have to submit + to being "scanned" and be on your way. This would also + serve to be a convienient locator tag if installed in the + toll systems and miscellaneous "security checkpoints". Why + would anyone with nothing to hide care if your every move + could be monitored? Its for your own good, right? Pretty + soon sliding your ID into slots in everyplace you go will + be common." [Korac MacArthur, comp.org.eff.talk, 1994-07- + 25] +11.12.5. "What are some concerns about Universal ID Cards?" + - "Papierren, bitte! Schnell! + - that they would allow traceability to the max (as folks + used to say)... tracking of movements, erosion of privacy + - that they would be required to be used for banking + transactions, Net access, etc. (As usual, there may be + workarounds, hacks, ...) + - "is-a-person" credentially, where government gets involved + in the issuance of cryptographic keys (a la the USPS + proposal), where only "approved uses" are allowed, etc. + - timestamps, credentials +11.12.6. Postal Service trial balloon for national ID card + - "While it is true that they share technology, their intent + and purpose is very different. Chaum's proposal has as its + intent and purpose to provide and protect anonymity in + financial transactions. The intent and purpose of the US + Postal Service is to identify and authenticate you to the + government and to guarantee the traceability of all + financial transactions." [WHMurray, alt.privacy, 1994-07- + 04] +11.12.7. Scenario for introduction of national ID cards + - Imagine that vehicle registrations require presentation of + this card (gotta get those illegals out of their cars, or, + more benignly, the bureaucracy simply makes the ID cars + part of their process). + - Instantly this makes those who refuse to get an ID card + unable to get valid license tags. (Enforcement is already + pretty good....I was pulled over a couple of times for + either forgetting to put my new stickers on, or for driving + with Oregon expired tags.) + + The "National Benefits Card," for example, is then required + to get license plate tags.and maybe other things, like car + and home insurance, etc. It would be very difficult to + fight such a card, as one could not drive, could not pay + taxes ("Awhh!" I hear you say, but consider the penalties, + the tie-ins with employers, etc. You can run but you can't + hide.) + - the national ID card would presumably be tied in to + income tax filings, in various ways I won't go into here. + The Postal Service, aiming to get into this area I guess, + has floated the idea of electronic filing, ID systems, + etc. +11.12.8. Comments on national ID cards + - That some people will be able to skirt the system, or that + the system will ultimately be unenforceable, does not + lessen the concern. Things can get real tough in the + meantime. + - I see great dangers here, in tying a national ID card to + transactions we are essentially unable to avoid in this + society: driving, insurance (and let's not argue + insurance...I mean it is unavoidable in the sense of legal + issues, torts, etc.), border crossings, etc. Now how will + one file taxes without such a card if one is made mandatory + for interactions with the government? Saying "taxes are not + collectable" is not an adequate answer. They may not be + collectible for street punks and others who inhabit the + underground economy, but they sure are for most of us. + +11.13. National Health Care System Issues +11.13.1. Insurance and National Health Care will Produce the "National + ID" that will be Nearly Unescapable + - hospitals and doctors will have to have the card...cash + payments will evoke suspicion and may not even be feasible +11.13.2. I'm less worried that a pharmacist will add me to some + database he keeps than that my doctor will be instructed to + compile a dossier to government standards and then zip it off + over the Infobahn to the authorities. +11.13.3. Dangers and issues of National Health Care Plan + - tracking, national ID card + - "If you think the BATF is bad, wait until the BHCRCE goes + into action. "What is the BHCRCE?" you ask. Why, it the + Burea of Health Care Reform Compliance Enforcement - the + BATF, FBI, FDA, CIA and IRS all rolled into one." [Dave + Feustel, talk.politics.guns, 1994-08-19] + - Bill Stewart has pointed out the dangers of children having + social security numbers, of tracking systems in schools and + hospitals, etc. + +11.14. Credentials +11.14.1. This is one of the most overlooked and ignored aspects of + cryptology, especially of Chaum's work. And no one in + Cypherpunks or anywhere else is currently working on "blinded + credentials" for everyday use. +11.14.2. "Is proof of identity needed?" + - This question is debated a lot, and is important. Talk of a + national ID card (what wags call an "internal passport") is + in the air, as part of health care, welfare, and + immigration legislation. Electronic markets make this also + an issue for the ATM/smart card community. This is also + closely tied in with the nature of anonymous reamailers + (where physical identity is of course generally lacking). + + First, "identity" can mean different things: + - Conventional View of Identity: Physical person, with + birthdate, physical characteristics, fingerprints, social + security numbers, passports, etc.--the whole cloud of + "identity" items. (Biometric.) + - Pseudonym View of Identity: Persistent personnas, + mediated with cryptography. "You are your key." + - Most of us deal with identity as a mix of these views: we + rarely check biometric credentials, but we also count on + physical clues (voice, appearance, etc.). I assume that + when I am speaking to "Duncan Frissell," whom I've never + met in person, that he is indeed Duncan Frissell. (Some + make the jump from this expectation to wanting the + government enforce this claim, that is, provided I.D.) + + It is often claimed that physical identity is important in + order to: + - track down cheaters, welchers, contract breakes, etc. + - permit some people to engage in some transactions, and + forbid others to (age credentials, for drinking, for + example, or---less benignly--work permits in some field) + - taxation, voting, other schemes tied to physical + existence + + But most of us conduct business with people without ever + verifying their identity credentials...mostly we take their + word that they are "Bill Stewart" or "Scott Collins," and + we never go beyond that. + - this could change as digital credentials proliferate and + as interactions cause automatic checks to be made (a + reason many of us have to support Chaum's "blinded + credentials" idea--without some crypto protections, we'll + be constantly tracked in all interactions). + + A guiding principle: Leave this question of whether to + demand physical ID credentials up to the *parties + involved*. If Alice wants to see Bob's "is-a-person" + credential, and take his palmprint, or whatever, that's an + issue for them to work out. I see no moral reason, and + certainly no communal reason, for outsiders to interfere + and insist that ID be produced (or that ID be forbidden, + perhaps as some kind of "civil rights violation"). After + all, we interact in cyberspace, on the Cypherpunks list, + without any such external controls on identity. + - and business contracts are best negotiated locally, with + external enforcement contracted by the parties (privately- + produced law, already seen with insurance companies, + bonding agents, arbitration arrangements, etc.) + - Practically speaking, i.e., not normatively speaking, + people will find ways around identity systems. Cash is one + way, remailers are another. Enforcement of a rigid identity- + based system is difficult. +11.14.3. "Do we need "is-a-person" credentials for things like votes + on the Net?" + - That is, any sysadmin can easily create as many user + accounts as he wishes. And end users can sign up with + various services under various names. The concern is that + this Chicago-style voting (fictitious persons) may be used + to skew votes on Usenet. + - Similar concerns arise elsewhere. + - In my view, this is a mighty trivial reason to support "is- + a-person" credentials. +11.14.4. Locality, credentials, validations + + Consider the privacy implications of something so simple as + a parking lot system. Two main approaches: + - First Approach. Cash payment. Car enters lot, driver pays + cash, a "validation" is given. No traceability exists. + (There's a small chance that one driver can give his + sticker to a new driver, and thus defraud the parking + lot. This tends not to happen, due to the inconveniences + of making a market in such stickers (coordinating with + other car, etc.) and because the sticker is relatively + inexpensive.) + - Second Approach. Billing of driver, recording of license + plates. Traceability is present, especially if the local + parking lot is tied in to credit card companies, DMV, + police, etc. (these link-ups are on the wish list of + police agencies, to further "freeze out" fugitives, child + support delinquents, and other criminals). + - These are the concerns of a society with a lot of + electronic payments but with no mechanisms for preserving + privacy. (And there is currently no great demand for this + kind of privacy, for a variety of reasons, and this + undercuts the push for anonymous credential methods.) + - An important property of true cash (gold, bank notes that + are well-trusted) is that it settles immediately, requiring + no time-binding of contracts (ability to track down the + payer and collect on a bad transaction) + +11.15. Records of all UseNet postings +11.15.1. (ditto for CompuServe, GEnie, etc.) will exist +11.15.2. "What kinds of monitoring of the Net is possible?" + - Archives of all Usenet traffic. This is already done by + commercial CD-ROm suppliers, and others, so this would be + trivial for various agencies. + - Mail archives. More problematic, as mail is ostensibly not + public. But mail passes through many sites, usually in + unencrypted form. + - Traffic analysis. Connections monitored. Telnet, ftp, e- + mail, Mosaid, and other connections. + - Filtered scans of traffic, with keyword-matched text stored + in archives. +11.15.3. Records: note that private companies can do the same thing, + except that various "right to privacy" laws may try to + interfere with this + - which causes its own constitutional privacy problems, of + course +11.15.4. "How can you expect that something you sent on the UseNet to + several thousand sites will not be potentially held against + you? You gave up any pretense of privacy when you broadcast + your opinions-and even detailed declarations of your + activities-to an audience of millions. Did you really think + that these public messages weren't being filed away? Any + private citizen would find it almost straightforward to sort + a measly several megabytes a day by keywords, names of + posters, etc." [I'm not sure if I wrote this, or if someone + else who I forgot to make a note of did] +11.15.5. this issue is already coming up: a gay programmer who was + laid-off discussed his rage on one of the gay boards and said + he was thinking of turning in his former employer for + widespread copying of Autocad software...an Autodesk employee + answered him with "You just did!" +11.15.6. corporations may use GREP and On Location-like tools to + search public nets for any discussion of themselves or their + products + - by big mouth employees, by disgruntled customers, by known + critics, etc. + - even positive remarks that may be used in advertising + (subject to various laws) +11.15.7. the 100% traceability of public postings to UseNet and other + bulletin boards is very stifling to free expression and + becomes one of the main justifications for the use of + anonymous (or pseudononymous) boards and nets + - there may be calls for laws against such compilation, as + with the British data laws, but basically there is little + that can be done when postings go to tens of thousands of + machines and are archived in perpetuity by many of these + nodes and by thousands of readers + - readers who may incorporate the material into their own + postings, etc. (hence the absurdity of the British law) + +11.16. Effects of Surveillance on the Spread of Crypto +11.16.1. Surveillance and monitoring will serve to increase the use of + encryption, at first by people with something to hide, and + then by others + - a snowballing effect + - and various government agencies will themselves use + encryption to protect their files and their privacy +11.16.2. for those in sensitive positions, the availability of new + bugging methods will accelerate the conversion to secure + systems based on encrypted telecommunications and the + avoidance of voice-based systems +11.16.3. Surveillance Trends + + Technology is making citizen-unit surveillance more and + more trivial + + video cameras on every street corners are technologically + easy to implement, for example + - or cameras in stores, in airports, in other public + places + - traffic cameras + - tracking of purchases with credit cards, driver's + licenses, etc. + - monitoring of computer emissions (TEMPEST issues, often a + matter of paranoid speculation) + + interception of the Net...wiretapping, interception of + unencrypted communications, etc. + - and compilation of dossier entries based on public + postings + + This all makes the efforts to head-off a person-tracking, + credentials-based society all the more urgent. + Monkeywrenching, sabotage, public education, and + development of alternatives are all needed. + - If the surveillance state grows as rapidly as it now + appears to be doing, more desperate measures may be + needed. Personally, I wouldn't shed any tears if + Washington, D.C. and environs got zapped with a terrorist + nuke; the innocents would be replaced quickly enough, and + the death of so many political ghouls would surely be + worth it. The destruction of Babylon. + + We need to get the message about "blinded credentials" + (which can show some field, like age, without showing all + fields, including name and such) out there. More + radically, we need to cause people to question why + credentials are as important as many people seem to + think. + - I argue that credentials are rarely needed for mutually + agreed-upon transactions + +11.17. Loose Ends +11.17.1. USPS involvement in electronic mail, signatures, + authentication (proposed in July-August, 1994) + + Advantages: + - many locations + - a mission already oriented toward delivery + + Disadvantages: + - has performed terribly, compared to allowed compettion + (Federal Express, UPS, Airborne, etc.) + - it's linked to the goverment (now quasi-independent, but + not really) + - could become mandatory, or competition restricted to + certain niches (as with the package services, which + cannot have "routes" and are not allowed to compete in + the cheap letter regime) + - a large and stultified bureaucracy, with union labor + - Links to other programs (software key escrow, Digital + Telephony) not clear, but it seems likely that a quasi- + governemt agency like the USPS would be cooperative with + government, and would place limits on the crypto systems + allowed. +11.17.2. the death threats + + An NSA official threatened to have Jim Bidzos killed if he + did not change his position on some negotiation underway. + This was reported in the newspaper and I sought + confirmation: + - "Everything reported in the Merc News is true. I am + certain that he wasnot speaking for the agency, but when + it happened he was quite serious, at least appeared to + be. There was a long silence after he made the threat, + with a staring contest. He was quite intense. + + "I respect and trust the other two who were in the room + (they were shocked and literally speechless, staring into + their laps) and plan to ask NSA for a written apology and + confirmation that he was not speaking for the agency. + We'll see if I get it. If the incident made it into + their trip reports, I have a chance of getting a letter." + [jim@RSA.COM (Jim Bidzos), personal communication, posted + with permission to talk.politics.crypto, 1994-06-28] +11.17.3. False identities...cannot just be "erased" from the computer + memory banks. The web of associations, implications, rule + firings...all mean that simple removal (or insertion of a + false identity) produces discontinuities, illogical + developments, holes...history is not easily changed. + +12. Digital Cash and Net Commerce + +12.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +12.2. SUMMARY: Digital Cash and Net Commerce +12.2.1. Main Points + - strong crypto makes certain forms of digital cash possible + - David Chaum is, once again, centrally involved + - no real systems deployed, only small experiments + - the legal and regulatory tangle will likely affect + deployment in major ways (making a "launch" of digital cash + a notrivial matter) +12.2.2. Connections to Other Sections + - reputations + - legal situation + - crypto anarchy +12.2.3. Where to Find Additional Information + - http://digicash.support.nl/ +12.2.4. Miscellaneous Comments + - a huge area, filled with special terms + - many financial instruments + - the theory of digital cash is not complete, and confusion + abounds + - this section is also more jumbled and confusing than I'd + like; I'll clean it up in fufure releases. + +12.3. The Nature of Money +12.3.1. The nature of money, of banking and finance, is a topic that + suffuses most discussions of digital cash. Hardly surprising. + But also an area that is even more detailed than is crypto. + And endless confusion of terms, semantic quibblings on the + list, and so on. I won't be devoting much space to trying to + explain economics, banking, and the deep nature or money. +12.3.2. There are of course many forms of cash or money today (these + terms are not equivalent...) + + coins, bills (presumed to be difficult to forge) + - "ontological conservation laws"--the money can't be in + two places at once, can't be double spent + - this is only partly true, and forgery technology is + making it all moot + - bearer bonds and other "immediately cashable" instruments + - diamonds, gold, works of art, etc. ("portable wealth") +12.3.3. Many forms of digital money. Just as there are dozens of + major forms of instruments, so too will there be many forms + of digital money. Niches will be filled. +12.3.4. The deep nature of money is unclear to me. There are days + when I think it's just a giant con game, with value in money + only because others will accept it. Other days when I think + it's somewhat tied to "real things" like gold and silver. And + other days when I'm just unconcerned (so long as I have it, + and it works). +12.3.5. The digital cash discussions get similarly confused by the + various ideas about money. Digital cash is not necessarily a + form of _currency_, but is instead a transfer mechanism. More + like a "digital check," in fact (though it may give rise to + new currencies, or to wider use of some existing + currency...at some point, it may become indistinguishable + from a currency). +12.3.6. I advise that people not worry overly much about the true and + deep nature of money, and instead think about digital cash as + a transfer protocol for some underlyng form of money, which + might be gold coins, or Swiss francs, or chickens, or even + giant stone wheels. +12.3.7. Principle vs. Properties of Money + - Physical coins, as money, have certain basic properties: + difficult to counterfeit, pointless to counterfeit if made + of gold or silver, fungibility, immediate settling (no need + to clear with a distant bank, no delays, etc.), + untraceability, etc. + - Digital cash, in various flavors, has dramatically + different properties, e.g., it may require clearing, any + single digtital note is infinitely copyable, it may allow + traceability, etc. A complicated mix of properties. + + But why is physical money (specie) the way it is? What + properties account for this? What are the core principles + that imply these properties? + - hardware (specie like gold) vs. software (bits, readily + copyable) + - immediale, local clearing, because of rational faith that + the money will clear + - limits on rate of transfer of physical money set by size, + weight of money, whereas "wire fraud" and variants can + drain an account in seconds + - My notion is that we spend too much time thinking about the + _principles_ (such as locality, transitivity, etc.) and + expect to then _derive_ the properties. Maybe we need to + instead focus on the _objects_, the sets of protocol- + derived things, and examine their emergent properties. (I + have my own thinking along these lines, involving "protocol + ecologies" in which agents bang against each other, a la + Doug Lenat's old "Eurisko" system, and thus discover + weaknesses, points of strength, and even are genetically + programmed to add new methods which increase security. + This, as you can guess, is a longterm, speculative + project.) +12.3.8. "Can a "digital coin" be made?" + - The answer appears to be "no" + + Software is infinitely copyable, which means a software + representation of digital money could be replicated many + times + - this is not to say it could be _spent_ many times, + depending on the clearing process...but then this is not + a "coin" in the sense we mean + - Software is trivially replicable, unlike gold or silver + coins, or even paper currency. If and when paper currency + becomes trivially replicable (and color copiers have almost + gotten there), expect changes in the nature of cash. + (Speculation: cash will be replaced by smart cards, + probably not of the anonymous sort we favor.) + + bits can always be duplicated (unless tied to hardware, as + with TRMs), so must look elsewhere + + could tie the bits to a specific location, so that + duplication would be obvious or useless + - the idea is vaguely that an agent could be placed in + some location...duplications would be both detectable + and irrelevant (same bits, same behavior, unmodifiable + because of digital signature) + - (this is formally similar to the idea of an active agent + that is unforgeable, in the sense that the agent or coin is + "standalone") +12.3.9. "What is the 'granularity' of digital cash?" + + fine granularity, e.g., sub-cent amounts + - useful for many online transactions + - inside computers + - add-on fees by interemediaries + - very small purchases + + medium granularity + - a few cents, up to a dollar (for example) + - also useful for many small purchases + - close equivalent to "loose change" or small bills, and + probably useful for the same purposes + - tolls, fees, etc. + - This is roughly the level many DigiCash protocols are + aimed at + + large granularity + - multiple dollars + - more like a "conventional" online transaction + - + - the transaction costs are crucial; online vs. offline + clearing + - Digital Silk Road is a proposal by Dean Tribble and Norm + Hardy to reduce transaction costs +12.3.10. Debate about money and finance gets complicated + - legal terms, specific accounting jargon, etc. + - I won't venture into this thicket here. It's a specialty + unto itself, with several dozen major types of instruments + and derivatives. And of course with big doses of the law. + +12.4. Smart Cards +12.4.1. "What are smart cards and how are they used?" + + Most smart cards as they now exist are very far from being + the anonymous digital cash of primary interest to us. In + fact, most of them are just glorified credit cards. + - with no gain to consumers, since consumes typically don't + pay for losses by fraud + - (so to entice consumes, will they offer inducements?) + - Can be either small computers, typically credit-card-sized, + or just cards that control access via local computers. + + Tamper-resistant modules, e.g., if tampered with, they + destroy the important data or at the least give evidence of + having been tampered with. + + Security of manufacturing + - some variant of "cut-and-choose" inspection of + premises + + Uses of smart cards + - conventional credit card uses + - bill payment + - postage + - bridge and road tolls + - payments for items received electronically (not + necessarily anonymously) +12.4.2. Visa Electronic Purse +12.4.3. Mondex + +12.5. David Chaum's "DigiCash" +12.5.1. "Why is Chaum so important to digital cash?" + - Chaum's name appears frequently in this document, and in + other Cypherpunk writings. He is without a doubt the + seminal thinker in this area, having been very nearly the + first to write about several areas: untraceable e-mail, + digital cash, blinding, unlinkable credentials, DC-nets, + etc. + - I spoke to him at the 1988 "Crypto" conference, telling him + about my interests, my 'labyrinth' idea for mail-forwarding + (which he had anticipated in 1981, unbeknownst to me at the + time), and a few hints about "crypto anarchy." It was clear + to me that Chaum had thought long and deeply about these + issues. + - Chaum's articles should be read by all interested in this + area. (No, his papers are _not_ "on-line." Please see the + "Crypto" Proceedings and related materials.) + - [DIGICASH PRESS RELEASE, "World's first electronic cash + payment over computer networks," 1994-05-27] +12.5.2. "What's his motivation?" + - Chaum appears to be a libertarian, at least on social + issues, and is very worried about "Big Brother" sorts of + concerns (recall the title of his 1985 CACM article). + - His work in Europe has mostly concentrated on unlinkable + credentials for toll road payments, electronic voting, etc. + His company, DigiCash, is working on various aspects of + digital cash. +12.5.3. "How does his system work?" + - There have been many summaries on the Cypherpunks list. Hal + Finney has written at least half a dozen, and others have + been contributed by Eric Hughes, Karl Barrus, etc. I won't + be including any of them here....it just takes too many + pages to explain how digital cash works in detail. + - (The biggest problem people have with digital cash is in + not taking the time to understand the basics of the math, + of blinding, etc. They wrongly assume that "digital cash" + can be understood by common-sense reasoning about existing + cash, etc. This mistake has been repeated in several of the + half-assed proposals for "net cash" and "digi dollars.") + + Here's the opening few paragraphs from one of Hal's + explanations, to provide a glimpse: + - "Mike Ingle asks about digicash. The simplest system I + know of that is anonymous is the one by Chaum, Fiat, and + Naor, which we have discussed here a few times. The idea + is that the bank chooses an RSA modulus, and a set of + exponents e1, e2, e3, ..., where each exponent ei + represents + a denomination and possibly a date. The exponents must + be relatively prime to (p-1)(q-1). PGP has a GCD routine + which can be used to check for valid exponents.. + + "As with RSA, to each public exponent ei corresponds a + secret exponent di, calculated as the multiplicative + inverse of ei mod (p-1)(q-1). Again, PGP has a routine + to calculate multiplicative inverses. + + "In this system, a piece of cash is a pair (x, f(x)^di), + where f() is a one-way function. MD5 would be a + reasonable choice for f(), but notice that it produces a + 128-bit result. f() should take this 128-bit output of + MD5 and "reblock" it to be an multi-precision number by + padding it; PGP has a "preblock" routine which does this, + following the PKCS standard. + + "The way the process works, with the blinding, is like + this. The user chooses a random x. This should probably + be at least 64 or 128 bits, enough to preclude exhaustive + search. He calculates f(x), which is what he wants the + bank to sign by raising to the power di. But rather than + sending f(x) to the bank directly, the user first blinds + it by choosing a random number r, and calculating D=f(x) + * r^ei. (I should make it clear that ^ is the power + operator, not xor.) D is what he sends to the bank, + along with some information about what ei is, which tells + the denomination of the cash, and also information about + his account number." [Hal Finney, 1993-12-04] +12.5.4. "What is happening with DigiCash?" + - "Payment from any personal computer to any other + workstation, over email or Internet, has been demonstrated + for the first time, using electronic cash technology. "You + can pay for access to a database, buy software or a + newsletter by email, play a computer game over the net, + receive $5 owed you by a friend, or just order a pizza. The + possibilities are truly unlimited" according to David + Chaum, Managing Director of DigiCash TM, who announced and + demonstrated the product during his keynote address at the + first conference on the World Wide Web, in Geneva this + week." [DIGICASH PRESS RELEASE, "World's first electronic + cash payment over computer networks," 1994-05-27] + - DigiCash is David Chaum's company, set up to commercialize + this work. Located near Amsterdam. + + Chaum is also centrally invovled in "CAFE," a European + committee investigating ways to deploy digital cash in + Europe + - mostly standards, issues of privacy, etc. + - toll roads, ferries, parking meters, etc. + - http://digicash.support.nl/ + - info@digicash.nl + - People have been reporting that their inquiries are not + being answered; could be for several reasons. +12.5.5. The Complexities of Digital Cash + - There is no doubt as to the complexity: many protocols, + semantic confusion, many parties, chances for collusion, + spoofing, repudiation, and the like. And many derivative + entities: agents, escrow services, banks. + - There's no substitute for _thinking hard_ about various + scenarios. Thinking about how to arrange off-line clearing, + how to handle claims of people who claim their digital + money was stolen, people who want various special kinds of + services, such as receipts, and so on. It's an ecology + here, not just a set of simple equations. + +12.6. Online and Offline Clearing, Double Spending +12.6.1. (this section still under construction) +12.6.2. This is one of the main points of division between systems. +12.6.3. Online Clearing + - (insert explanation) +12.6.4. Offline Clearing + - (insert explanation) +12.6.5. Double spending + - Some approaches involve constantly-growing-in-size coins at + each transfer, so who spent the money first can be deduced + (or variants of this). And N. Ferguson developed a system + allowing up to N expenditures of the same coin, where N is + a parameter. [Howard Gayle reminded me of this, 1994-08-29] + - "Why does everyone think that the law must immediately be + invoked when double spending is detected?....Double + spending is an informational property of digital cash + systems. Need we find malicious intent in a formal + property? The obvious moralism about the law and double + spenders is inappropriate. It evokes images of revenge and + retribution, which are stupid, not to mention of negative + economic value." [Eric Hughes, 1994-08-27] (This also + relates to Eric's good point that we too often frame crypto + issue in terms of loaded terms like "cheating," "spoofing," + and "enemies," when more neutral terms would carry less + meaning-obscuring baggage and would not give our "enemies" + (:-}) the ammunition to pass laws based on such terms.) +12.6.6. Issues + + Chaum's double-spending detection systems + - Chaum went to great lengths to develop system which + preserve anonymity for single-spending instances, but + which break anonymity and thus reveal identity for double- + spending instances. I'm not sure what market forces + caused him to think about this as being so important, but + it creates many headaches. Besides being clumsy, it + require physical ID, it invokes a legal system to try to + collect from "double spenders," and it admits the + extremely serious breach of privacy by enabling stings. + For example, Alice pays Bob a unit of money, then quickly + Alice spends that money before Bob can...Bob is then + revealed as a "double spender," and his identity revealed + to whomver wanted it...Alice, IRS, Gestapo, etc. A very + broken idea. Acceptable mainly for small transactions. + + Multi-spending vs. on-line clearing + - I favor on-line clearing. Simply put: the first spending + is the only spending. The guy who gets to the train + locker where the cash is stored is the guy who gets it. + This ensure that the burden of maintaining the secret is + on the secret holder. + - When Alice and Bob transfer money, Alice makes the + transfer, Bob confirms it as valid (or verifies that his + bank has received the deposit), and the transaction is + complete. + - With network speeds increasing dramatically, on-line + clearing should be feasible for most transactions. Off- + line systems may of course be useful, especially for + small transactions, the ones now handled with coins and + small bills. + - +12.6.7. "How does on-line clearing of anonymous digital cash work?" + - There's a lot of math connected with blinding, + exponentions, etc. See Schneier's book for an introduction, + or the various papers of Chaum, Brands, Bos, etc. + - On-line clearing is similar to two parties in a transaction + exchanging goods and money. The transaction is clearled + locally, and immediately. Or they could arrange transfer of + funds at a bank, and the banker could tell them over the + phone that the transaction has cleared--true "on-line + clearing." Debit cards work this way, with money + transferred effectively immediately out of one account and + into another. Credit cards have some additional wrinkles, + such as the credit aspect, but are basically still on-line + clearing. + - Conceptually, the guiding principle idea is simple: he who + gets to the train locker where the cash is stored *first* + gets the cash. There can never be "double spending," only + people who get to the locker and find no cash inside. + Chaumian blinding allows the "train locker" (e.g., Credit + Suisse) to give the money to the entity making the claim + without knowing how the number correlates to previous + numbers they "sold" to other entities. Anonymity is + preserved, absolutely. (Ignoring for this discussion issues + of cameras watching the cash pickup, if it ever actually + gets picked up.) + - Once the "handshaking" of on-line clearing is accepted, + based on the "first to the money gets it" principle, then + networks of such clearinghouses can thrive, as each is + confident about clearing. (There are some important things + needed to provide what I'll dub "closure" to the circuit. + People need to ping the system, depositing and withdrawing, + to establish both confidence and cover. A lot like remailer + networks. In fact, very much like them.) + - In on-line clearing, only a number is needed to make a + transfer. Conceptually, that is. Just a number. It is up to + the holder of the number to protect it carefully, which is + as it should be (for reasons of locality, or self- + responsibility, and because any other option introduces + repudiation, disavowal, and the "Twinkies made me do it" + sorts of nonsense). Once the number is transferred and + reblinded, the old number no longer has a claim on the + money stored at Credit Suisse, for example. That money is + now out of the train locker and into a new one. (People + always ask, "But where is the money, really?" I see digital + cash as *claims* on accounts in existing money-holding + places, typically banks. There are all kinds of "claims"-- + Eric Hughes has regaled us with tales of his explorations + of the world of commericial paper. My use of the term + "claim" here is of the "You present the right number, you + get access" kind. Like the combination to a safe. The train + locker idea makes this clearer, and gets around the + confusion about "digimarks" of "e$" actually _being_ any + kind of money it and of itself.) + +12.7. Uses for Digital Cash +12.7.1. Uses for digital cash? + - Privacy protection + - Preventing tracking of movements, contacts, preferences + + Illegal markets + - gambling + - bribes, payoffs + - assassinations and other contract crimes + - fencing, purchases of goods + + Tax avoidance + - income hiding + - offshore funds transfers + - illegal markets + - Online services, games, etc. + + Agoric markets, such as for allocation of computer + resources + - where programs, agents "pay" for services used, make + "bids" for future services, collect "rent," etc. + + Road tolls, parking fees, where unlinkablity is desired. + This press release excerpt should give the flavor of + intended uses for road tolls: + - "The product was developed by DigiCash TM Corporation's + wholly owned Dutch subsidiary, DigiCash TM BV. It is + related to the firm's earlier released product for road + pricing, which has been licensed to Amtech TM + Corporation, of Dallas, Texas, worldwide leader in + automatic road toll collection. This system allows + privacy protected payments for road use at full highway + speed from a smart card reader affixed to the inside of a + vehicle. Also related is the approach of the EU supported + CAFE project, of which Dr. Chaum is Chairman, which uses + tamper-resistant chips inserted into electronic wallets." + [DIGICASH PRESS RELEASE, "World's first electronic cash + payment over computer networks," 1994-05-27] +12.7.2. "What are some motivations for anonymous digital cash?" + + Payments that are unlinkable to identity, especially for + things like highway tolls, bridge tolls, etc. + - where linkablity would imply position tracking + - (Why not use coins? This idea is for "smart card"-type + payment systems, involving wireless communication. + Singapore planned (and perhaps has implemented) such a + system, except there were no privacy considerations.) + + Pay for things while using pseudonyms + - no point in having a pseudonym if the payment system + reveals one's identity + + Tax avoidance + - this is the one the digicash proponents don't like to + talk about too loudly, but it's obviously a time-honored + concern of all taxpayers + + Because there is no compelling reason why money should be + linked to personal identity + - a general point, subsuming others + +12.8. Other Digital Money Systems +12.8.1. "There seem to be many variants....what's the story?" + - Lots of confusion. Lots of systems that are not at all + anonymous, that are just extensions of existing systems. + The cachet of digital cash is such that many people are + claiming their systems are "digital cash," when of course + they are not (at least not in the Chaum/Cypherpunk sense). + - So, be careful. Caveat emptor. +12.8.2. Crypto and Credit Cards (and on-line clearing) + + Cryptographically secure digital cash may find a major use + in effectively extending the modality of credit cards to + low-level, person-to-person transactions. + - That is, the convenience of credit cards is one of their + main uses (others being the advancing of actual credit, + ignored here). In fact, secured credit cards and debit + cards don't offer this advancement of credit, but are + mainly used to accrue the "order by phone" and "avoid + carrying cash" advantages. + - Checks offer the "don't carry cash" advantage, but take + time to clear. Traveller's checks are a more pure form of + this. + - But individuals (like Alice and Bob) cannot presently use + the credit card system for mutual transactions. I'm not + sure of all the reasons. How might this change? + - Crypto can allow unforgeable systems, via some variant of + digital signatures. That is, Alice can accept a phoned + payment from Bob without ever being able to sign Bob's + electronic signature herself. + - "Crypto Credit Cards" could allow end users (customers, in + today's system) to handle transactions like this, without + having merchants as intermediaries. + - I'm sure the existing credit card outfits would have + something to say about this, and there may be various + roadblocks in the way. It might be best to buy off the VISA + and MasterCard folks by working through them. (And they + probably have studied this issue; what may change their + positions is strong crypto, locally available to users.) + - (On-line clearing--to prevent double-spending and copying + of cash--is an important aspect of many digital cash + protocols, and of VISA-type protocols. Fortunately, + networks are becoming ubiquitous and fast. Home use is + still a can of worms, though, with competing standards + based on video cable, fiber optics, ISDN, ATM, etc.) +12.8.3. Many systems being floated. Here's a sampling: + + Mondex + - "Unlike most other electronic purse systems, Mondex, like + cash, is anonymous. The banks that issue Mondex cards + will not be able to keep track of who gets the payments. + Indeed, it is the only system in which two card holders + can transfer money to each other. + + ""If you want to have a product that replaces cash, you + have to do everything that cash does, only better," + Mondex's senior executive, Michael Keegan said. "You can + give money to your brother who gives it to the chap that + sells newspapers, who gives it to charity, who puts it in + the bank, which has no idea where it's been. That's what + money is."" [New York Times, 1994-09-06, provided by John + Young] + + CommerceNet + - allows Internet users to buy and sell goods. + - "I read in yesterday's L.A. Times about something called + CommerceNet, where sellers and buyers of workstation + level equipment can meet and conduct busniess....Near the + end of the article, they talked about a proposed method + for exchanging "digital signatures" via Moasic (so that + buyers and sellers could _know_ that they were who they + said they were) and that they were going to "submit it to + the Internet Standards body"" [Cypher1@aol.com, 1994-06- + 23] + + NetCash + - paper published at 1st ACM Conference on Computer and + Communications Security, Nov. 93, available via anonymous + ftp from PROSPERO.ISI.EDU as /pub/papers/security/netcash- + cccs93.ps.Z + - "NetCash: A design for practical electronic currency on + the Internet ... Gennady Medvinsky and Clifford Neuman + + "NetCash is a framework that supports realtime electronic + payments with provision of anonymity over an unsecure + network. It is designed to enable new types of services + on the Internet which have not been practical to date + because of the absence of a secure, scalable, potentially + anonymous payment method. + + "NetCash strikes a balance between unconditionally + anonymous electronic currency, and signed instruments + analogous to checks that are more scalable but identify + the principals in a transaction. It does this by + providing the framework within which proposed electronic + currency protocols can be integrated with the scalable, + but non-anonymous, electronic banking infrastructure that + has been proposed for routine transactions." + + Hal Finney had a negative reaction to their system: + - "I didn't think it was any good. They have an + incredibly simplistic model, and their "protocols" are + of the order, A sends the bank some paper money, and B + sends A some electronic cash in return.....They don't + even do blinding of the cash. Each piece of cash has a + unique serial number which is known to the currency + provider. This would of course allow matching of + withdrawn and deposited coins....These guys seem to + have read the work in the field (they reference it) but + they don't appear to have understood it." [Hal Finney, + 1993-08-17] + + VISA Electronic Purse + - (A lot of stuff appeared on this, including listings of + the alliance partners (like Verifone), the technology, + the plans for deployment, etc. I regret that I can't + include more here. Maybe when this FAQ is a Web doc, more + can be included.) + - "PERSONAL FINANCE - Seeking the Card That Would Create A + Cashless World. The Washington Post, April 03, 1994, + FINAL Edition By: Albert B. Crenshaw, Washington Post ... + + "Now that credit cards are in the hands of virtually + every living, breathing adult in the country-not to + mention a lot of children and the occasional family pet- + and now that almost as many people have ATM cards, + card companies are wondering where future growth will + come from. + + "At *Visa* International, the answer is: Replace cash + with plastic. + + "Last month, the giant association of card issuers + announced it had formed a coalition of banking and + technology companies to develop technical standards for + a product it dubbed the "Electronic Purse," a plastic + card meant to replace coins and bills in small + transactions." [provided by Duncan Frissell, 1994-04-05] + - The talk of "clearinghouses" and the involvement of VISA + International and the Usual Suspects suggest + identity-blinding protocols are not in use. I also see no + mention of DigiCash, or even RSA (but maybe I missed that- + -and the presence of RSA would not necessairly mean + identity-blinding protocols were being planned). + + Likely Scenario: This is *not* digital cash as we think + of it. Rather, this is a future evolution of the cash ATM + card and credit card, optimized for faster and cheaper + clearing. + + Scary Scenario: This could be the vehicle for the long- + rumored "banning of cash." (Just because conspiracy + theorists and Number of the Beast Xtian fundamentalists + belive it doesn't render it implausible.) + - Almost nothing of interest for us. No methods for + anonymity. Make no mistake, this is not the digital cash + that Cypherpunks espouse. This gives the credit agencies + and the government (the two work hand in hand) complete + traceability of all purchases, automatic reporting of + spending patterns, target lists for those who frequent + about-to-be-outlawed businesses, and invasive + surveillance of all inter-personal economic transactions. + This is the AntiCash. Beware the Number of the AntiCash. +12.8.4. Nick Szabo: + - "Internet commercialization in itself is a _huge_ issue + full of pitfall and opportunity: Mom & Pop BBS's, + commercial MUDs, data banks, for-profit pirate and porn + boards, etc. are springing up everywhere like weeds, + opening a vast array of both needs of privacy and ways to + abuse privacy. Remailers, digital cash, etc. won't become + part of this Internet commerce way of life unless they are + deployed soon, theoretical flaws and all, instead of + waiting until The Perfect System comes along. Crypto- + anarchy in the real world will be messy, "nature red in + tooth and claw", not all nice and clean like it says in the + math books. Most of thedebugging will be done not in any + ivory tower, but by the bankruptcy of businesses who + violate their customer's privacy, the confiscation of BBS + operators who stray outside the laws of some jurisdication + and screw up their privacy arrangements, etc. Anybody who + thinks they can flesh out a protocol in secret and then + deploy it, full-blown and working, is in for a world of + hurt. For those who get their Pretty Good systems out + there and used, there is vast potential for business growth + -- think of the $trillions confiscated every year by + governments around the world, for example." [Nick Szabo, + 1993-8-23] +12.8.5. "What about _non-anonymous_ digital cash?" + - a la the various extensions of existing credit and debit + cards, traveller's checks, etc. + + There's still a use for this, with several motivations" + * for users, it may be _cheaper_ (lower transaction costs) + than fully anonymous digital cash + * for banks, it may also be cheaper + * users may wish audit trails, proof, etc. + * and of course governments have various reasons for + wanting traceable cash systems + - law enforcement + - taxes, surfacing the underground economy +12.8.6. Microsoft plans to enter the home banking business + - "PORTLAND, Ore. (AP) -- Microsoft Corp. wants to replace + your checkbook with a home computer that lets the bank do + all the work of recording checks, tallying up credit card + charges and paying bills.... The service also tracks credit + card accounts, withdrawals from automated teller machines, + transfers from savings or other accounts, credit lines, + debit cards, stocks and other investments, and bill + payments." [Associated Press, 1994-07-04] + - Planned links with a consortium of banks, led by U.S. + Bancorp, using its "Money" software package. + - Comment: Such moves as this--and don't forget the cable + companies--could result in a rapid transition to a form of + home banking and "digital money." Obviously this kind of + digital money, as it is being planned today, is very from + the kind of digital cash that interests us. In fact, it is + the polar opposite of what we want. +12.8.7. Credit card clearing...individuals can't use the system + - if something nonanonymous like credit cards cannot be used + by end users (Alice and Bob), why would we expect an + anonymous version of this would be either easier to use or + more possible? + - (And giving users encrypted links to credit agencies would + at least stop the security problems with giving credit card + numbers out over links that can be observed.) + - Mondex claims their system will allow this kind of person- + to-person transfer of anonymous digital cash (I'll believe + it when I see it). + +12.9. Legal Issues with Digital Cash +10.8.1. "What's the legal status of digital cash?" + - It hasn't been tested, like a lot of crypto protocols. It + may be many years before these systems are tested. +10.8.2. "Is there a tie between digital cash and money laundering?" + - There doesn't have to be, but many of us believe the + widespread deployment of digital, untraceable cash will + make possible new approaches + - Hence the importance of digital cash for crypto anarchy and + related ideas. + - (In case it isn't obvious, I consider money-laundering a + non-crime.) +10.8.3. "Is it true the government of the U.S. can limit funds + transfers outside the U.S.?" + - Many issues here. Certainly some laws exist. Certainly + people are prosecuted every day for violating currency + export laws. Many avenues exist. + - "LEGALITY - There isn't and will never be a law restricting + the sending of funds outside the United States. How do I + know? Simple. As a country dependant on international + trade (billions of dollars a year and counting), the + American economy would be destroyed." [David Johnson, + privacy@well.sf.ca.us, "Offshore Banking & Privacy," + alt.privacy, 1994-07-05] +10.8.4. "Are "alternative currencies" allowed in the U.S.? And what's + the implication for digital cash of various forms? + - Tokens, coupons, gift certificates are allowed, but face + various regulations. Casino chips were once treated as + cash, but are now more regulated (inter-casino conversion + is no longer allowed). + - Any attempt to use such coupons as an alternative currency + face obstacles. The coupons may be allowed, but heavily + regulated (reporting requirements, etc.). + - Perry Metzger notes, bearer bonds are now illegal in the + U.S. (a bearer bond represented cash, in that no name was + attached to the bond--the "bearer" could sell it for cash + or redeem it...worked great for transporting large amounts + of cash in compact form). + + Note: Duncan Frissell claims that bearer bonds are _not_ + illegal. + - "Under the Tax Equity and Fiscal Responsibility Act of + 1982 (TEFRA), any interest payments made on *new* issues + of domestic bearer bonds are not deductible as an + ordinary and necessary business expense so none have been + issued since then. At the same time, the Feds + administratively stopped issuing treasury securities in + bearer form. Old issues of government and corporate debt + in bearer form still exist and will exist and trade for + 30 or more years after 1982. Additionally, US residents + can legally buy foreign bearer securities." [Duncan + Frissell, 1994-08-10] + - Someone else has a slightly different view: "The last US + Bearer Bond issues mature in 1997. I also believe that to + collect interest, and to redeem the bond at maturity, you + must give your name and tax-id number to the paying + agent. (I can check with the department here that handles + it if anyone is interested in the pertinent OCC regs that + apply)" [prig0011@gold.tc.umn.edu, 1994-08-10] + - I cite this gory detail to give readers some idea about + how much confusion there is about these subjects. The + usual advice is to "seek competent counsel," but in fact + most lawyers have no clear ideas about the optimum + strategies, and the run-of-the-mill advisor may mislead + one dangerously. Tread carefully. + - This has implications for digital cash, of course. +10.8.5. "Why might digital cash and related techologies take hold + early in illegal markets? That is, will the Mob be an early + adopter?" + - untraceability needed + - and reputations matter to them + - they've shown in the past that they will try new + approaches, a la the money movements of the drug cartels, + novel methods for security, etc. +10.8.6. "Electronic cash...will it have to comply with laws, and + how?" + - Concerns will be raised about the anonymity aspects, the + usefulness for evading taxes and reporting requirements, + etc. + - a messy issue, sure to be debated and legislated about for + many years + + split the cash into many pieces...is this "structuring"? is + it legal? + - some rules indicate the structuring per se is not + illegal, only tax evasion or currency control evasion + - what then of systems which _automatically_, as a basic + feature, split the cash up into multiple pieces and move + them? +10.8.7. Currency controls, flight capital regulations, boycotts, + asset seizures, etc. + - all are pressures to find alternate ways for capital to + flow + - all add to the lack of confidence, which, paradoxically to + lawmakers, makes capital flight all the more likely +10.8.8. "Will banking regulators allow digital cash?" + - Not easily, that's for sure. The maze of regulations, + restrictions, tax laws, and legal rulings is daunting. Eric + Hughes spent a lot of time reading up on the laws regarding + banks, commercial paper, taxes, etc., and concluded much + the same. I'm not saying it's impossible--indeed, I believe + it will someday happen, in some form--but the obstacles are + formidable. + + Some issues: + + Will such an operation be allowed to be centered or based + in the U.S.? + - What states? What laws? Bank vs. Savings and Loan vs. + Credit Union vs. Securities Broker vs. something else? + + Will customers be able to access such entities offshore, + outside the U.S.? + - strong crypto makes communication possible, but it may + be difficult, not part of the business fabric, etc. + (and hence not so useful--if one has to send PGP- + encrypted instructions to one's banker, and can't use + the clearing infrastructure....) + + Tax collection, money-laundering laws, disclosure laws, + "know your customer" laws....all are areas where a + "digital bank" could be shut down forthwith. Any bank not + filling out the proper forms (including mandatory + reporting of transactions of certain amounts and types, + and the Social Security/Taxpayer Number of customers) + faces huge fines, penalties, and regulatory sanctions. + - and the existing players in the banking and securities + business will not sit idly by while newcomers enter + their market; they will seek to force newcomers to jump + through the same hoops they had to (studies indicate + large corporations actually _like_ red tape, as it + helps them relative to smaller companies) + - Concluson: Digital banks will not be "launched" without a + *lot* of work by lawyers, accountants, tax experts, + lobbyists, etc. "Lemonade stand digital banks" (TM) will + not survive for long. Kids, don't try this at home! + - (Many new industries we are familiar with--software, + microcomputers--had very little regulation, rightly so. But + the effect is that many of us are unprepared to understand + the massive amount of red tape which businesses in other + areas, notably banking, face.) +10.8.9. Legal obstacles to digital money. If governments don't want + anonymous cash, they can make things tough. + + As both Perry Metzger and Eric Hughes have said many times, + regulations can make life very difficult. Compliance with + laws is a major cost of doing business. + - ~"The cost of compliance in a typical USA bank is 14% of + operating costs."~ [Eric Hughes, citing an "American + Banker" article, 1994-08-30] + + The maze of regulations is navigable by larger + institutions, with staffs of lawyers, accountants, tax + specialists, etc., but is essentially beyond the + capabilities of very small institutions, at least in the + U.S. + - this may or may not remain the case, as computers + proliferate. A "bank-in-a-box" program might help. My + suspicion is that a certain size of staff is needed just + to handle the face-to-face meetings and hoop-jumping. + + "New World Order" + - U.S. urging other countries to "play ball" on banking + secrecy, on tax evasion extradition, on immigration, etc. + - this is closing off the former loopholes and escape + hatches that allowed people to escape repressive + taxation...the implications for digital money banks are + unclear, but worrisome. + +12.10. Prospects for Digital Cash Use +12.10.1. "If digital money is so great, why isn't it being used?" + - Hasn't been finished. Protocols are still being researched, + papers are still being published. In any single area, such + as toll road payments, it may be possible to deploy an + application-specific system, but there is no "general" + solution (yet). There is no "digital coin" or unforgeable + object representing value, so the digital money area is + more similar to the similarly nonsimple markets in + financial instruments, commercial papers, bonds, warrants, + checks, etc. (Areas that are not inherently simple and that + have required lots of computerization and communications to + make manageable.) + - Flakiness of Nets. Systems crash, mail gets delayed + inexplicably, subscriptions to lists get lunched, and all + sorts of other breakages occur. Most interaction on the + Nets involves a fair amount of human adaptation to changing + conditions, screwups, workarounds, etc. These are not + conditions that inspire confidence in automated money + systems! + - Hard to Use. Few people will use systems that require + generating code, clients, etc. Semantic gap (generating + stuff on a Unix workstation is not at all like taking one's + checkbook out). Protocols in crypto are generally hard to + use and confusing. + - Lack of compelling need. Although people have tried various + experiments with digital money tokens or coupons (Magic + Money/Tacky Tokens, the HeX market, etc.), there is little + real world incentive to experiment with them. And most of + the denominated tokens are for truly trivial amounts of + money, not for anything worth spending time learning. No + marketplace for buyers to "wander around in." (You don't + buy what you don't see.) + - Legal issues. The IRS does not look favorably on + alternative currencies, especially if used in attempts to + bypass ordinary tax collection schemes. This and related + legal issues (redemptions into dollars) put a roadblock in + front of serious plans to use digital money. + - Research Issues. Not all problems resolved. Still being + developed, papers being published. Chaum's system does not + seem to be fully ready for deployment, certainly not + outside of well-defined vertical markets. +12.10.2. "Why isn't digital money in use?" + - The Meta Issue: *what* digital money? Various attempts at + digital cash or digital money exist, but most are flawed, + experimental, crufty, etc. Chaum's DigiCash was announced + (Web page, etc.), but is apparently not even remotely + usable. + + Practical Reasons: + - nothing to buy + - no standard systems that are straightforward to use + - advantages of anonymity and untraceability are seldom + exploited + - The Magic Money/Tacky Tokens experiment on the Cypherpunks + list is instrucive. Lots of detailed work, lots of posts-- + and yet not used for anything (granted, there's not much + being bought and sold on the List, so...). + - Scenario for Use in the Near Future: A vertical + application, such as a bridge toll system that offers + anonymity. In a vertical app, the issues of compatibility, + interfaces, and training can be managed. +12.10.3. "why isn't digital cash being used?" + + many reasons, too many reasons! + + hard issues, murky issues + - technical developments not final, Chaum, Brands, etc. + + selling the users + - who don't have computers, PDAs, the means to do the + local computations + - who want portable versions of the same + + The infrastructure for digital money (Chaum anonymous- + style, and variants, such as Brands) does not now exist, + and may not exist for several more years. (Of course, I + thought it would take "several more years" back in 1988, + so what do I know?) + - The issues are familiar: lack of standards, lack of + protocols, lack of customer experience, and likely + regulatory hurdles. A daunting prospect. + - Any "launches" will either have to be well-funded, well- + planned, or done sub rosa, in some quasi-legal or even + illegal market (such as gambling). + - "The american people keep claiming in polls that they want + better privacy protection, but the fact is that most aren't + willing to do anything about it: it's just a preference, + not a solid imperative. Until something Really Bad happens + to many people as a result of privacy loss, I really don't + think much will be done that requires real work and + inconvenience from people, like moving to something other + than credit cards for long-distance transactions... and + that's a tragedy."[L. Todd Masco , 1994-08-20] +12.10.4. "Is strong crypto needed for digital cash?" + - Yes, for the most bulletproof form, the form of greatest + interest to us and especially for agents, autonomous + systems + + No, for certain weak versions (non-cryptographic methods of + security, access control, biometric security, etc. methods) + - for example, Internet billing is not usually done with + crypto + - and numbered Swiss accounts can be seen as a weak form of + digital cash (with some missing features) + - "warehouse receipts," as in gold or currency shipments +12.10.5. on why we may not have it for a while, from a non-Cypherpunk + commenter: + - "Government requires information on money flows, taxable + items, and large financial transactions.....As a result, it + would be nearly impossible to set up a modern anonymous + digital cash system, despite the fact that we have the + technology.....I think we have more of a right to privacy + with digicash transactions, and I also think there is a + market for anonymous digicash systems. " [Thomas Grant + Edwards. talk.politics.crypto, 1994-09-06] +12.10.6. "Why do a lot of schemes for things like digital money have + problems on the Net? + + Many reasons + - lack of commercial infrastructure in general on the + Net...people are not used to buying things, advertising + is discouraged (or worse), and almost everything is + "free." + - lack of robustness and completeness in the various + protocols: they are "not ready for prime time" in most + cases (PGP is solid, and some good shells exist for PGP, + but the many other crypto protocols are mostly not + implemented at all, at least not widely). + + The Net runs "open-loop," as a store-and-forward delivery + system + - The Net is mostly a store-and-forward netword, at least + at the granularity seen by the user in sending + messages, and hence is "open loop." Messages may or may + not be received in a timely way, and there is little + opportunity for negotiaton on a real-time basis. + - This open-loop nature usually works...messages get + through most of the time. And the "message in a bottle" + nature fits in with anonymous remailers (with + latency/delay), with message pools, and with other + schemes to make traffic analysis harder. A "closed- + loop," responsive system is likelier to be traffic- + analyzed by correlation of packets, etc. + - but the sender does not know if it gets through (return + receipts not commonly implemented...might be a nice + feature to incorporate; agent-based systems + (Telescript?) will certainly do this) + - this open-loop nature makes protocols, negotiation, + digital cash very tough to use--too much human + intervention needed + - Note: These comments apply mainly to _mail_ systems, + which is where most of us have experimented with these + ideas. Non-mail systems, such as Mosaic or telnet or + the like, have better or faster feedback mechanisms and + may be preferable for implementation of Cypherpunks + goals. It may be that the natural focus on mailing + lists, e-mail, etc., has distracted us. Perhaps a focus + on MUDs, or even on ftp, would have been more + fruitful...but we're a mailing list, and most people + are much more familiar with e-mail than with archie or + gopher or WAIS, etc. + - The legal and regulatory obstacles to a real system, used + for real transactions, are formidable. (The obstacles to + a "play" system are not so severe, but then play systems + tend not to get much developer attention.) +12.10.7. Scenario for deployment of digital cash + - Eric Hughes has spent time looking into this. Too many + issues to go into here, but he had this interesting + scenario, repeated almost in toto here: + - "It's very unlikely that a USA bank will be the one to + deploy anonymous digital dollars first. It's much more + likely that the first dollar digital cash will be issued + overseas, possibly London. By the same token, the non- + dollar regulation on banks in this country is not the same + as the dollar regulation, so it's quite possible that the + New York banks may be the first issuers of digital cash, in + pounds sterling, say. + + "There will be two stages in actually deploying digital + cash. By digital cash, here, I mean a retail phenomenon, + available anybody. The first will be to digitize money, and + the second will be to anonymize it. Efforts are already + well underway to make more-or-less secure digital funds + transfers with reasonably low transaction fees (not + transaction costs, which are much more than just fees). + These efforts, as long as they retain some traceability, + will almost certainly succeed first in the marketplace, + because (and this is vital) the regulatory environment + against anonymity is not compromised. + + "Once, however, money has been digitized, one of the + services available for purchase can be the anonymous + transfer of funds. I expect that the first digitization of + money won't be fully fungible. For example, if you allow + me to take money out of your checking account by automatic + debit, there is risk that the money won't be there when I + ask for it. Therefore that kind of money won't be + completely fungible, because money authorized from one + person won't be completely identical with money from + another. It may be a risk issue, it may be a timeliness + issue, it may be a fee issue; I don't know, but it's + unlikely to be perfect. + + "Now, as the characteristic size of a business decreases, + the relative costs of dealing with whatever imperfection + there is will be greater. To wit, the small player will + still have some problem getting paid, although certainly + less than now. Digital cash solves many of these problems. + The clearing is immediate and final (no transaction + reversals). The number of entities to deal with is greatly + reduced, hopefully to one. The need and risk and cost of + accounts receivables is eliminated. It's anonymous. There + will be services which will desire these advantages, enough + to support a digital cash infrastructure. [Eric Hughes, + Cypherpunks list, 1994-08-03] + +12.11. Commerce on the Internet +12.11.1. This has been a brewing topic for the past couple of years. + In 1994 thing heated up on several fronts: + - DigiCash announcement + - NetMarket announcement + - various other systems, including Visa Electronic Purse +12.11.2. I have no idea which ones will succeed... +12.11.3. NetMarket + - Mosaic connections, using PGP + + "The NetMarket Company is now offering PGP-encrypted Mosaic + sessions for securely transmitting credit card information + over the Internet. Peter Lewis wrote an article on + NetMarket on page D1 of today's New York Times (8/12/94). + For more information on NetMarket, connect to + http://www.netmarket.com/ or, telnet netmarket.com." [ + Guy H. T. Haskin , 1994-08-12] + - Uses PGP. Hailed by the NYT as the first major use of + crypto for some form of digital money, but this is not + correct. +12.11.4. CommerceNet + - allows Internet users to buy and sell goods. + - "I read in yesterday's L.A. Times about something called + CommerceNet, where sellers and buyers of workstation level + equipment can meet and conduct busniess....Near the end of + the article, they talked about a proposed method for + exchanging "digital signatures" via Moasic (so that buyers + and sellers could _know_ that they were who they said they + were) and that they were going to "submit it to the + Internet Standards body"" [Cypher1@aol.com, 1994-06-23] +12.11.5. EDI, purchase orders, paperwork reduction, etc. + - Nick Szabo is a fan of this approach +12.11.6. approaches + - send VISA numbers in ordinary mail....obviously insecure + - send VISA numbers in encrypted mail + + establish two-way clearing protocols + - better ensures that recipient will fulfill service...like + a receipt that customer signs (instead of the "sig taken + over the phone" approach) + - various forms of digital money +12.11.7. lightweight vs. heavyweight processes for Internet commerce + - Chris Hibbert + - and the recurring issue of centralized vs. decentralized + authentication and certification + +12.12. Cypherpunks Experiments ("Magic Money") +12.12.1. What is Magic Money? + - "Magic Money is a digital cash system designed for use over + electronic mail. The system is online and untraceable. + Online means that each transaction involves an exchange + with a server, to prevent double-spending. Untraceable + means that it is impossible for anyone to trace + transactions, or to match a withdrawal with a deposit, or + to match two coins in any way." + + "The system consists of two modules, the server and the + client. Magic Money uses the PGP ascii-armored message + format for all communication between the server and client. + All traffic is encrypted, and messages from the server to + the client are signed. Untraceability is provided by a + Chaum-style blind signature. Note that the blind signature + is patented, as is RSA. Using it for experimental purposes + only shouldn't get you in trouble. + + "Digicash is represented by discrete coins, the + denominations of which are chosen by the server operator. + Coins are RSA-signed, with a different e/d pair for each + denomination. The server does not store any money. All + coins are stored by the client module. The server accepts + old coins and blind- signs new coins, and checks off the + old ones on a spent list." + [...rest of excellent summary elided...highly recommended + that you dig it up (archives, Web site?) and read it] + [Pr0duct Cypher, Magic Money Digicash System, 1992-02-04] + + Magic Money + - ftp://csn.org/pub/mpj/crypto_XXXXXX (or something like + that) + - ftp:csn.org//mpj/I_will_not_export/crypto_???????/pgp_too + ls +12.12.2. Matt Thomlinson experimented with a derivative version called + "GhostMarks" +12.12.3. there was also a "Tacky Tokens" derivative +12.12.4. Typical Problems with Such Experiments + - Not worth anything...making the money meaningful is an + obstacle to be overcome + - If worth anything, not worth the considerable effort to use + it ("creating Magic Money clients" and other scary Unix + stuff!) + - robustness...sites go down, etc. + - same problems were seen on Extropians list with "HEx" + exchange and its currency, the "thorne." (I even paid real + money to Edgar Swank to buy some thorned...alas, the market + was too thinly traded and the thornes did me no good.) + +12.13. Practical Issues and Concerns with Digital Cash +12.13.1. "Is physical identity proof needed for on-line clearing?" + - No, not if the cash outlook is taken. Cash is cash. Caveat + emptor. + - The "first to the locker" approach causes the bank not to + particularly care about this, just as a Swiss bank will + allow access to a numbered account by presentation of the + number, and perhaps a key. Identity proof *may* be needed, + depending on the "protocol" they and the customer + established, but it need not be. And the last thing the + bank is worried about is being able to "find and prosecute" + anyone, as there is no way they can be liable for a double + spending incident. The beauties of local clearing! (Which + is what gold coins do, and paper money if we really think + we can pass it on to others.) +12.13.2. "Is digital cash traceable?" + - There are several flavors of "digital cash," ranging from + versions of VISA cards to fully untraceable (Chaumian) + digital cash. + - This comes up a lot, with people in Net newsgroups even + warning others not to use digital cash because of the ease + of traceability. Not so. + - "Not the kind proposed by David Chaum and his colleagues in + the Netherlands. The whole thrust of their research over + the last decade has been the use of cryptographic + techniques to make electronic transactions secure from + fraud while at the same time protecting personal privacy. + They, and others, have developed a number of schemes for + UNTRACEABLE digital cash." [Kevin Van Horn, + talk.politics.crypto, 1994-07-03] +12.13.3. "Is there a danger that people will lose the numbers that + they need to redeem money? That someone could steal the + number and thus steal their money?" + - Sure. There's the danger that I'll lose my bearer bonds, or + forget my Swiss bank account number, or lose my treasure + map to where I buried my money (as Alan Turing supposedly + did in WW II). + - People can take steps to limit risk. More secure computers. + Dongles worn around their necks. Protocols that involve + biometric authentication to their local computer or key + storage PDA, etc. Limits on withdrawals per day, etc. + People can store key numbers with people they trust, + perhaps encrypted with other keys, can leave them with + their lawyers, etc. All sorts of arrangements can be made. + Personal identification is but one of these arrangements. + Often used, but not essential to the underlyng protocol. + Again, the Swiss banks (maybe now the Liechtenstein + anstalts are a better example) don't require physical ID + for all accounts. (More generally, if Charles wants to + create a bank in which deposits are made and then given out + to the first person who sings the right tune, why should we + care? This extreme example is useful in pointing out that + _contractual arrangements_ need not involve governmental or + societal norms about what constitutes proof of identity.) + +12.14. Cyberspace and Digital Money +12.14.1. "You can't eat cyberspace, so what good is digital money?" + - This comes up a lot. People assume there is no practical + way to transfer assets, when in fact it is done all the + time. That is, money flows from the realm of the purely + "informational" realm to the physcial realm Consultants, + writers, traders, etc., all use their heads and thereby + earn real money. + - Same will apply to cyberspace. +12.14.2. "How can I remain anonymous when buying physical items using + anonymous digital cash?' + - Very difficult. Once you are seen, and your picture can be + taken( perhaps unknown to you), databases will have you. + Not much can be done about this. + - People have proposed schemes for anonymous shipment and + pickup, but the plain fact is that physical delivery of any + sort compromises anonymity, just as in the world today. + - The purpose of anonymous digital cash is partly to at least + make it more difficult, to not give Big Brother your + detailed itinerary from toll road movements, movie theater + payments, etc. To the extent that physical cameras can + still track cars, people, shipments, etc., anonymous + digital cash doesn't solve this surveillance problem. + +12.15. Outlawing of Cash +12.15.1. "What are the motivations for outlawing cash?" + - (Note: This has not happened. Many of us see signs of it + happening. Others are skeptical.) + + Reasons for the Elimination of Cash: + - War on Drugs....need I say more? + - surface the underground economy, by withdrawing paper + currency and forcing all monetary transaction into forms + that can be easily monitored, regulated, and taxed. + - tax avoidance, under the table economy (could also be + motive for tamper-resistant cash registers, with spot + checks to ensure compliance) + + welfare, disability, pension, social security auto- + deposits + - fraud, double-dipping + - reduce theft of welfare checks, disability payments, + etc....a problem in some locales, and automatic + deposit/cash card approaches are being evaluated. + - general reduction in theft, pickpockets + - reduction of paperwork: all transfers electronic (could + be part of a "reinventing government" initiative) + + illegal immigrants, welfare cheats, etc. Give everyone a + National Identity Card (they'll call it something + different. to make it more palatable, such as "Social + Services Portable Inventory Unit" or "Health Rights + Document"). + - (Links to National Health Care Card, to Welfare Card, + to other I.D. schemes designed to reduce fraud, track + citizen-units, etc.) + + rationing systems that depend on non-cash transactions + (as explained elsewhere, market distortions from + rationing systems generally require identification, + correlation to person or group, etc.) + - this rationing can included subsidized prices, denial + of access (e.g., certain foods denied to certain + people) +12.15.2. Lest this be considered paranoid ranting, let me point out + that many actions have already been taken that limit the form + of money (banking laws, money laundering, currency + restrictions...even the outlawing of competing currencies + itself) +12.15.3. Dangers of outlawing cash + - Would freeze out all transactions, giving Big Brother + unprecedented power (unless the non-cash forms were + anonymous, a la Chaum and the systems we support) + - Would allow complete traceability....like the cellular + phones that got Simpson + - 666, Heinlein, Shockwave Rider, etc. +12.15.4. Given that there is no requirement for identity to be + associated with money, we should fight any system which + proposed to link the two. +12.15.5. The value of paying cash + - makes a transaction purely local, resolved on the spot + - the alternative, a complicated accounting system involving + other parties, etc., is much less attractive + - too many transactions these days are no longer handled in + cash, which increases costs and gets other parties involved + where they shouldn't be involved. +12.15.6. "Will people accept the banning of cash?" + - There was a time when I would've said Americans, at least, + would've rejected such a thing. Too many memories of + "Papieren, bitte. Macht schnell!" But I now think most + Americans (and Europeans) are so used to producing + documents for every transaction, and so used to using VISA + cards and ATM cards at gas stations, supermarkets, and even + at flea markets, that they'll willingly--even eagerly-- + adopt such a system. + +12.16. Novel Opportunities +12.16.1. Encrypted open books, or anonymous auditing + - Eric Hughes has worked on a scheme using a kind of blinding + to do "encrypted open books," whereby observers can verify + that a bank is balancing its books without more detailed + looks at individual accounts. (I have my doubts about + spoofs, attacks, etc., but such are always to be considered + in any new protocol.) + - "Kent Hastings wondered how an offshore bank could provide + assurances to depositors. I wondered the same thing a few + months ago, and started working on what Perry calls the + anonymous auditing problem. I have what I consider to be + the core of a solution. + ...The following is long.... [TCM Note: Too long to include + here. I am including just enough to convince readers that + some new sorts of banking ideas may come out of + cryptography.] + + "If we use the contents of the encrypted books at the + organizational boundary points to create suitable legal + opbligations, we can mostly ignore what goes on inside of + the mess of random numbers. That is, even if double books + were being kept, the legal obligations created should + suffice to ensure that everything can be unwound if needed. + This doesn't prevent networks of corrupt businesses from + going down all at once, but it does allow networks of + honest businesses to operate with more assurance of + honesty." [Eric Hughes, PROTOCOL: Encrypted Open Books, + 1993-08-16] +12.16.2. "How can software components be sold, and how does crypto + figure in?" + + Reusable Software, Brad Cox, Sprague, etc. + - good article in "Wired" (repeated in "Out of Control") + - First, certainly software is sold. The issues is why the + "software components" market has not yet developed, and why + such specific instances of software as music, art, text, + etc., have not been sold in smaller chunks. + + Internet commerce is a huge area of interest, and future + development. + - currently developing very slowly + - lots of conflicting information...several mailing + lists...lots of hype + + Digital cash is often cited as a needed enabling tool, but + I think the answer is more complicated than that. + - issues of convenience + - issues of there being no recurring market (as there is + in, say, the chip business...software doesn't get bought + over and over again, in increasing unit volumes) + +12.17. Loose Ends +12.17.1. Reasons to have no government involvement in commerce + - Even a small involvement, through special regulations, + granted frachises, etc., produces vested interests. For + example, those in a community who had to wait to get + building permits want _others_ to wait just as long, or + longer. Or, businesses that had to meet certain standard, + even if unreasonable, will demand that new businesses do so + also. The effect is an ever-widening tar pit of rules, + restrictions, and delays. Distortions of the market result. + + Look at how hard it is for the former U.S.S.R. to + disentangle itself from 75 years of central planning. They + are now an almost totally Mafia-controlled state (by this I + mean that "privatization" of formerly non-private + enterprises benefitted those who had amassed money and + influence, and that these were mainly the Russian Mafia and + former or current politicians...the repercussions of this + "corrupt giveaway" will be felt for decades to come). + - An encouraging sign: The thriving black market in Russia- + -which all Cypherpunks of course cheer--will gradually + displace the old business systems with new ones, as in + all economies. Eventually the corruptly-bought businesses + will sink or swim based on merit, and newly-created + enterprises will compete with them. +12.17.2. "Purist" Approach to Keys, Cash, Responsibility + + There are two main approaches to the issue: + - Key owner is responsible for uses of his key + - or, Others are responsible + + There may be mixed situations, such as when a key is + stolen...but this needs also to be planned-for by the key + owner, by use of protocols that limit exposure. For + example, few people will use a single key that accesses + immediately their net worth...most people will partition + their holding and their keyed access in such a way as to + naturally limit exposure if any particular key is lost or + compromised. Or forgotten. + - could involve their bank holding keys, or escrow agents + - or n-out-of-m voting systems + - Contracts are the essence...what contracts do people + voluntarily enter into? + - And locality--who better to keep keys secure than the + owner? Anything that transfers blame to "the banks" or to + "society" breaks the feedback loop of responsibility, + provides an "out" for the lazy, and encourages fraud + (people who disavow contracts by claiming their key was + stolen). + +13. Activism and Projects + +13.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +13.2. SUMMARY: Activism and Projects +13.2.1. Main Points +13.2.2. Connections to Other Sections +13.2.3. Where to Find Additional Information +13.2.4. Miscellaneous Comments + +13.3. Activism is a Tough Job +13.3.1. "herding cats"..trying to change the world through + exhortation seems a particulary ineffective notion +13.3.2. There's always been a lot of wasted time and rhetoric on the + Cypherpunks list as various people tried to get others to + follow their lead, to adopt their vision. (Nothing wrong with + this, if done properly. If someone leads by example, or has a + particularly compelling vision or plan, this may naturally + happen. Too often, though, the situation was that someone's + vague plans for a product were declared by them to be the + standards that others should follow. Various schemes for + digital money, in many forms and modes, has always been the + prime example of this.) +13.3.3. This is related also to what Kevin Kelley calls "the fax + effect." When few people own fax machines, they're not of + much use. Trying to get others to use the same tools one has + is like trying to convince people to buy fax machines so that + you can communicate by fax with them...it may happen, but + probably for other reasons. (Happily, the interoperability of + PGP provided a common communications medium that had been + lacking with previous platform-specific cipher programs.) +13.3.4. Utopian schemes are also a tough sell. Schemes about using + digital money to make inflation impossible, schemes to + collect taxes with anonymous systems, etc. +13.3.5. Harry Browne's "How I Found Freedom in an Unfree World" is + well worth reading; he advises against getting upset and + frustrated that the world is not moving in the direction one + would like. + +13.4. Cypherpunks Projects +13.4.1. "What are Cypherpunks projects?" + - Always a key part--perhaps _the_ key part--of Cypherpunks + activity. "Cypherpunks write code." From work on PGP to + remailers to crypto toolkits to FOIA requests, and a bunch + of other things, Cypherpunks hack the system in various + ways. + - Matt Blaze's LEAF blower, Phil Karn's "swIPe" system, Peter + Wayner's articles....all are examples. (Many Cypherpunks + projects are also done, or primarily done, for other + reasons, so we cannot in all cases claim credit for this + work.) +13.4.2. Extensions to PGP +13.4.3. Spread of PGP and crypto in general. + - education + - diskettes containing essays, programs + - ftp sites + - raves, conventions, gatherings +13.4.4. Remailers + + ideal Chaumian mix has certain properties + - latency to foil traffic analysis + - encryption + - no records kept (hardware tamper-resistance, etc.) + - Cyperpunks remailers + - julf remailers + + abuses + - flooding, because mail transmission costs are not borne + by sender + + anonymity produces potential for abuses + - death threats, extortion + - Progress continues, with new features added. See the + discussion in the remailers section. +13.4.5. Steganography + - hiding the existence of a message, for at least some amount + of time + - security through obscurity + - invisible ink, microdots + + Uses + - in case crypto is outawed, may be useful to avoid + authorities + - if enough people do it, increases the difficulty of + enforcing anti-crypto laws (all + + Stego + - JSTEG: + soda.berkeley.edu:/pub/cypherpunks/applications/jsteg + - Stego: sumex-aim.stanford.edu +13.4.6. Anonymous Transaction Systems +13.4.7. Voice Encryption, Voice PGP + - Clipper, getting genie out of bottle + - CELP, compression, DSPs + - SoundBlaster approach...may not have enough processing + power + + hardware vs. pure software + - newer Macs, including av Macs and System 7 Pro, have + interesting capabilities + + Zimmermann's plans have been widely publicized, that he is + looking for donations, that he is seeking programming help, + etc. + - which does not bode well for seeing such a product from + him + - frankly, I expect it will come from someone else + - Eric Blossom is pursuing own hardware board, based on 2105 + + "Is anyone building encrypted telephones?" + - + + Yes, several such projects are underway. Eric Blossom + even showed a + - PCB of one at a Cypherpunks meeting, using an + inexpensive DSP chip. + - + + Software-only versions, with some compromises in speech + quality + - probably, are also underway. Phil Zimmermann + described his progress at + + the last Cypherpunks meeting. + - + - ("Software-only" can mean using off-the-shelf, widely- + available DSP + + boards like SoundBlasters.) + - + - And I know of at least two more such projects. + Whether any will + + materialize is anyone's guess. + - + - And various hacks have already been done. NeXT users + have had + - voicemail for years, and certain Macs now offer + something similar. + + Adding encryption is not a huge obstacle. + - + - A year ago, several Cypherpunks meeting sites around + the U.S. were + - linked over the Internet using DES encryption. The + sound quality was + - poor, for various reasons, and we turned off the DES + in a matter of + - minutes. Still, an encrypted audio conference call. +13.4.8. DC-Nets + - What it is, how it works + - Chaum's complete 1988 "Journal of Cryptology" article is + available at the Cypherpunks archive site, + ftp.soda.csua.edu, in /pub/cypherpunks + + Dining Cryptographers Protocols, aka "DC Nets" + + "What is the Dining Cryptographers Problem, and why is it + so important?" + + This is dealt with in the main section, but here's + David Chaum's Abstract, from his 1988 paper" + - Abstract: "Keeping confidential who sends which + messages, in a world where any physical transmission + can be traced to its origin, seems impossible. The + solution presented here is unconditionally or + cryptographically secure, depending on whether it is + based on one-time-use keys or on public keys. + respectively. It can be adapted to address + efficiently a wide variety of practical + considerations." ["The Dining Cryptographers Problem: + Unconditional Sender and Recipient Untraceability," + David Chaum, Journal of Cryptology, I, 1, 1988.] + - + - DC-nets have yet to be implemented, so far as I know, + but they represent a "purer" version of the physical + remailers we are all so familiar with now. Someday + they'll have have a major impact. (I'm a bigger fan of + this work than many seem to be, as there is little + discussion in sci.crypt and the like.) + + "The Dining Cryptographers Problem: Unconditional Sender + and Recipient Untraceability," David Chaum, Journal of + Cryptology, I, 1, 1988. + - available courtesy of the Information Liberation Front + at the soda.csua.berkeley.edu site + - Abstract: "Keeping confidential who sends which + messages, in a world where any physical transmission + can be traced to its origin, seems impossible. The + solution presented here is unconditionally or + cryptographically secure, depending on whether it is + based on one-time-use keys or on public keys. + respectively. It can be adapted to address efficiently + a wide variety of practical considerations." ["The + Dining Cryptographers Problem: Unconditional Sender and + Recipient Untraceability," David Chaum, Journal of + Cryptology, I, 1, 1988.] + - Note that the initials "D.C." have several related + meanings: Dining Cryptographers, Digital Cash/DigiCash, + and David Chaum. Coincidence? + + Informal Explanation + - Note: I've posted this explanation, and variants, + several times since I first wrote it in mid-1992. In + fact, I first posted it on the "Extropians" mailing + list, as "Cypherpunks" did not then exist. + - Three Cypherpunks are having dinner, perhaps in Palo + Alto. Their waiter tells them that their bill has + already been paid, either by the NSA or by one of them. + The waiter won't say more. The Cypherpunks wish to know + whether one of them paid, or the NSA paid. But they + don't want to be impolite and force the Cypherpunk + payer to 'fess up, so they carry out this protocol (or + procedure): + + Each Cypherpunk flips a fair coin behind a menu placed + upright between himself and the Cypherpunk on his + right. The coin is visible to himself AND to the + Cypherpunk on his left. Each Cypherpunk can see his own + coin and the coin to his right. (STOP RIGHT HERE! + Please take the time to make a sketch of the situation + I've described. If you lost it here, all that follows + will be a blur. It's too bad the state of the Net today + cannot support figures and diagrams easily.) + + Each Cypherpunk then states out loud whether the two + coins he can see are the SAME or are DIFFERENT, e.g., + "Heads-Tails" means DIFFERENT, and so forth. For now, + assume the Cypherpunks are truthful. A little bit of + thinking shows that the total number of "DIFFERENCES" + must be either 0 (the coins all came up the same), or + 2. Odd parity is impossible. + + Now the Cypherpunks agree that if one of them paid, he + or she will SAY THE OPPOSITE of what they actually see. + Remember, they don't announce what their coin turned up + as, only whether it was the same or different as their + neighbor. + + Suppose none of them paid, i.e., the NSA paid. Then + they all report the truth and the parity is even + (either 0 or 2 differences). They then know the NSA + paid. + + Suppose one of them paid the bill. He reports the + opposite of what he actually sees, and the parity is + suddenly odd. That is, there is 1 difference reported. + The Cypherpunks now know that one of them paid. But can + they determine which one? + + Suppose you are one of the Cypherpunks and you know you + didn't pay. One of the other two did. You either + reported SAME or DIFFERENT, based on what your neighbor + to the right (whose coin you can see) had. But you + can't tell which of the other two is lying! (You can + see you right-hand neighbor's coin, but you can't see + the coin he sees to his right!) + + This all generalizes to any number of people. If none + of them paid, the parity is even. If one of them paid, + the parity is odd. But which one of them paid cannot be + deduced. And it should be clear that each round can + transmit a bit, e.g., "I paid" is a "1". The message + "Attack at dawn" could thus be "sent" untraceably with + multiple rounds of the protocol. + - The "Crypto Ouija Board": I explain this to people as a + kind of ouija board. A message, like "I paid" or a more + interesting "Transfer funds from.....," just "emerges" + out of the group, with no means of knowing where it + came from. Truly astounding. + + Problems and Pitfalls + - In Chaum's paper, the explanation above is given + quickly, in a few pages. The _rest_ of the paper is + then devoted to dealing with the many "gotchas" and + attacks that come up and that must be dealt with before + the DC protocol is even remotely possible. I think all + those interested in protocol design should read this + paper, and the follow-on papers by Bos, Pfitzmann, + etc., as object lessons for dealing with complex crypto + protocols. + + The Problems: + - 1. Collusion. Obviously the Cypherpunks can collude + to deduce the payer. This is best dealt with by + creating multiple subcircuits (groups doing the + protocol amongst themselves). Lots more stuff here. + Chaum devotes most of the paper to these kind of + issues and their solutions. + + 2. With each round of this protocol, a single bit is + transmitted. Sending a long message means many coin + flips. Instead of coins and menus, the neighbors + would exchange lists of random numbers (with the + right partners, as per the protocol above, of course. + Details are easy to figure out.) + + 3. Since the lists are essentially one-time pads, the + protocol is unconditionally secure, i.e., no + assumptions are made about the difficulty of + factoring large numbers or any other crypto + assumptions. + + 4. Participants in such a "DC-Net" (and here we are + coming to the heart of the "crypto anarchy" idea) + could exchange CD-ROMs or DATs, giving them enough + "coin flips" for zillions of messages, all + untraceable! The logistics are not simple, but one + can imagine personal devices, like smart card or + Apple "Newtons," that can handle these protocols + (early applications may be for untraceable + brainstorming comments, secure voting in corportate + settings, etc.) + + 5. The lists of random numbers (coin flips) can be + generated with standard cryptographic methods, + requiring only a key to be exchanged between the + appropriate participants. This eliminates the need + for the one-time pad, but means the method is now + only cryptographically secure, which is often + sufficient. (Don't think "only cryptographically + secure" means insecure....the messages may remain + encrypted for the next billion years) + + 6. Collisions occur when multiple messages are sent + at the same time. Various schemes can be devised to + handle this, like backing off when you detect another + sender (when even parity is seen instead of odd + parity). In large systems this is likely to be a + problem. Deliberate disruption, or spamming, is a + major problem--a disruptor can shut down the DC-net + by sending bits out. As with remailes, anonymity + means freedom from detection. (Anonymous payments to + send a message may help, but the details are murky to + me.) + + Uses + - * Untraceable mail. Useful for avoiding censorship, for + avoiding lawsuits, and for all kinds of crypto anarchy + things. + - * Fully anonymous bulletin boards, with no traceability + of postings or responses. Illegal materials can be + offered for sale (my 1987 canonical example, which + freaked out a few people: "Stealth bomber blueprints + for sale. Post highest offer and include public key."). + Think for a few minutes about this and you'll see the + profound implications. + - * Decentralized nexus of activity. Since messages + "emerge" (a la the ouija board metaphor), there is no + central posting area. Nothing for the government to + shut down, complete deniability by the participants. + - * Only you know who your a partners are....in any given + circuit. And you can be in as many circuits as you + wish. (Payments can be made to others, to create a + profit motive. I won't deal with this issue, or with + the issue of how reputations are handled, here.) + - It should be clear that DC-nets offer some amazing + opportunities. They have not been implemented at all, and + have received almost no attention compared to ordinary + Cypherpunks remailers. Why is this? The programming + complexity (and the underlying cryptographic primitives + that are needed) seems to be the key. Several groups have + announced plans to imlement some form of DC-net, but + nothing has appeared. + - software vs. hardware, + - Yanek Martinson, Strick, Austin group, Rishab + - IMO, this is an ideal project for testing the efficacy of + software toolkits. The primitives needed, including bit + commitment, synchronization, and collusion handling, are + severe tests of crypto systems. On the downside, I doubt + that even the Pfaltzmans or Bos has pulled off a running + simulation... +13.4.9. D-H sockets, UNIX, swIPe + + swIPe + - Matt Blaze, John I. (did coding), Phil Karn, Perry + Metzger, etc. are the main folks involved + - evolved from "mobile IP," with radio links, routing + - virtual networks + - putting encryption in at the IP level, transparently + - bypassing national borders + - Karn + - at soda site + + swIPe system, for routing packets + - end to end, gateways, links, Mach, SunOS +13.4.10. Digital Money, Banks, Credit Unions + - Magic Money + - Digital Bank + - "Open Encrypted Books" + - not easy to do...laws, regulations, expertise in banking + - technical flaws, issues in digital money + + several approaches + - clearing + - tokens, stamps, coupons + - anonymity-protected transactions +13.4.11. Data Havens + + financial info, credit reports + - bypassing local jurisdictions, time limits, arcane rules + - reputations + - insider trading + - medical + - technical, scientific, patents + - crypto information (recursively enough) + - need not be any known location....distributed in + cyberspace + - One of the most commercially interesting applications. +13.4.12. Related Technologies + - Agorics + - Evolutionary Systems + - Virtual Reality and Cyberspace + - Agents + + Computer Security + + Kerberos, Gnu, passwords + - recent controversy + - demon installed to watch packets + - Cygnus will release it for free + - GuardWire + + Van Eck, HERF, EMP + - Once Cypherpunk project proposed early on was the + duplication of certain NSA capabilities to monitor + electronic communications. This involves "van Eck" + radiation (RF) emitted by the CRTs and other electronics + of computers. + + Probably for several reasons, this has not been pursued, + at least not publically. + - legality + - costs + - difficulty in finding targets of opportunity + - not a very CPish project! +13.4.13. Matt Blaze, AT&T, various projects + + a different model of trust...multiple universes + - not heierarchical interfaces, but mistrust of interfaces + - heterogeneous + - where to put encryption, where to mistrust, etc. + + wants crypto at lowest level that is possible + - almost everything should be mistrusted + - every mistrusted interface shoud be cryptographically + protected...authentication, encryption + + "black pages"---support for cryptographic communication + - "pages of color" + - a collection of network services that identiy and deliver + security information as needed....keys, who he trusts, + protocols, etc. + + front end: high-level API for security requirements + - like DNS? caching models? + - trusted local agent.... + + "people not even born yet" (backup tapes of Internet + communications) + - tapes stored in mountains, access by much more powerful + computers + + "Crytptographic File System" (CFS) + - file encryption + - no single DES mode appears to be adequate...a mix of + modes + + swIPe system, for routing packets + - end to end, gateways, links, Mach, SunOS +13.4.14. Software Toolkits + + Henry Strickland's TCL-based toolkit for crypto + - other Cypherpunks, including Hal Finney and Marianne + Mueller, have expressed good opinions of TCL and TCL-TK + (toolkit) + - Pr0duct Cypher's toolkit + - C++ Class Libraries + - VMX, Visual Basic, Visual C++ + - Smalltalk + +13.5. Responses to Our Projects (Attacks, Challenges) +13.5.1. "What are the likely attitudes toward mainstream Cypherpunks + projects, such as remailers, encryption, etc.?" + - Reaction has already been largely favorable. Journalists + such as Steven Levy, Kevin Kelly, John Markoff, and Julian + Dibbell have written favorably. Reaction of people I have + talked to has also been mostly favorable. +13.5.2. "What are the likely attitudes toward the more outre + projects, such as digital money, crypto anarchy, data havens, + and the like?" + - Consternation is often met. People are frightened. + - The journalists who have written about these things (those + mentioned above) have gotten beyond the initial reaction + and seem genuinely intrigued by the changes that are + coming. +13.5.3. "What kinds of _attacks_ can we expect?" + + Depends on the projects, but some general sorts of attacks + are likely. Some have already occurred. Examples: + * flooding of remailers, denial of service attacks--to + swamp systems and force remailers to reconsider + operations + - this is fixed (mostly) with "digital postage" (if + postage covers costs, and generates a profit, then the + more the better) + * deliberately illegal or malicicious messages, such as + death threats + - designed to put legal and sysop pressures on the + remailer operator + - several remailers have been attacked this way, or at + least have had these messages + - source-blocking sometimes works, though not of course + if another remailer is first used (many issues here) + * prosecution for content of posts + + copyright violations + - e.g., forwarding ClariNet articles through Hal + Finney's remailer got Brad Templeton to write warning + letters to Hal + - pornography + - ITAR violations, Trading with the Enemy Act + - espionage, sedition, treason + - corporate secrets, + - These attacks will test the commitment and courage of + remailer or anonymizing service operators + +13.6. Deploying Crypto +13.6.1. "How can Cypherpunks publicize crypto and PGP?" + - articles, editorials, radio shows, talking with friends + - The Net itself is probably the best place to publicize the + problems with Clipper and key escrow. The Net played a + major role--perhaps the dominant role--in generating scorn + for Clipper. In many way the themes debated here on the Net + have tremendous influence on media reaction, on editorials, + on organizational reactions, and of course on the opinion + of technical folks. News spreads quickly, zillions of + theories are aired and debated, and consensus tends to + emerge quickly. + - raves, Draper + - Libertarian Party, anarchists... + + conferences and trade shows + - Arsen Ray Arachelian passed out diskettes at PC Expo +13.6.2. "What are the Stumbling Blocks to Greater Use of Encryption + (Cultural, Legal, Ethical)?" + + "It's too hard to use" + - multiple protocols (just consider how hard it is to + actually send encrypted messages between people today) + - the need to remember a password or passphrase + + "It's too much trouble" + - the argument being that people will not bother to use + passwords + - partly because they don't think anything will happen to + them + + "What have you got to hide?" + - e.g.,, imagine some comments I'd have gotten at Intel had + I encrypted everything + - and governments tend to view encryption as ipso facto + proof that illegalities are being committed: drugs, money + laundering, tax evasion + - recall the "forfeiture" controversy + - BTW, anonymous systems are essentially the ultimate merit + system (in the obvious sense) and so fly in the face of the + "hiring by the numbers" de facto quota systems now + creeeping in to so many areas of life....there may be rules + requiring all business dealings to keep track of the sex, + race, and "ability group" (I'm kidding, I hope) of their + employees and their consultants + + Courts Are Falling Behind, Are Overcrowded, and Can't Deal + Adequately with New Issues-Such as Encryption and Cryonics + - which raises the issue of the "Science Court" again + - and migration to private adjudication + - scenario: any trials that are being decided in 1998-9 + will have to have been started in 1996 and based on + technology and decisions of around 1994 + + Government is taking various steps to limit the use of + encryption and secure communication + - some attempts have failed (S.266), some have been + shelved, and almost none have yet been tested in the + courts + - see the other sections... +13.6.3. Practical Issues + - Education + - Proliferation + - Bypassing Laws +13.6.4. "How should projects and progress best be achieved?" + - This is a tough one, one we've been grappling with for a + couple of years now. Lots of approaches. + - Writing code + - Organizational + - Lobbying + - I have to say that there's one syndrome we can probably do + w,the Frustrated Cyperpunks Syndrome. Manifested by someone + flaming the list for not jumping in to join them on their + (usually) half-baked scheme to build a digital bank, or + write a book, or whatever. "You guys just don't care!" is + the usual cry. Often these flamers end up leaving the list. + - Geography may play a role, as folks in otherwise-isolated + areas seem to get more attached to their ideas and then get + angry when the list as a whole does not adopt them (this is + my impression, at least). +13.6.5. Crypto faces the complexity barrier that all technologies + face + - Life has gotten more complicated in some ways, simpler in + other ways (we don't have to think about cooking, about + shoeing the horses, about the weather, etc.). Crypto is + currently fairly complicated, especially if multiple + paradigms are used (encryption, signing, money, etc.). + - As a personal note, I'm practically drowning in a.c. + adaptors and power cords for computers, laser printers, + VCRs, camcorders, portable stereos, laptop computers, + guitars, etc. Everything with a rechargeable battery has to + be charged, but not overcharged, and not allowed to run- + down...I forgot to plug in my old Powerbook 100 for a + couple of months, and the lead-acid batteries went out on + me. Personally, I'm drowning in this crap. + - I mention this only because I sense a backlash + coming...people will say "screw it" to new technology that + actually complicates their lives more than it simplifies + their lives. "Crypto tweaks" who like to fool around with + "creating a client" in order to play with digital cash will + continue to do so, but 99% of the sought-after users won't. + (A nation that can't--or won't--set its VCR clock will + hardly embrace the complexities of digital cash. Unless + things change, and use becomes as easy as using an ATM.) +13.6.6. "How can we get more people to worry about security in + general and encryption in particular?" + - Fact is, most people never think about real security. Safe + manufacturers have said that improvements in safes were + driven by insurance rates. A direct incentive to spend more + money to improve security (cost of better safe < cost of + higher insurance rate). + + Right now there is almost no economic incentive for people + to worry about PIN security, about protecting their files, + etc. (Banks eat the costs and pass them on...any bank which + tried to save a few bucks in losses by requiring 10-digit + PINs--which people would *write down* anyway!--would lose + customers. Holograms and pictures on bank cards are + happening because the costs have dropped enough.) + + Personally, my main interests is in ensuring the Feds don't + tell me I can't have as much security as I want to buy. I + don't share the concern quoted above that we have to find + ways to give other people security. + - Others disagree with my nonchalance, pointing out that + getting lots of other people to use crypto makes it easier + for those who already protect themselves. I agree, I just + don't focus on missionary work. + - For those so inclined, point out to people how vulnerable + their files are, how the NSA can monitor the Net, and so + on. All the usual scare stories. + +13.7. Political Action and Opposition +13.7.1. Strong political action is emerging on the Net + - right-wing conspiracy theorists, like Linda Thompson + + Net has rapid response to news events (Waco, Tienenmen, + Russia) + - with stories often used by media (lots of reporters on + Net, easy to cull for references, Net has recently become + tres trendy) + - Aryan Nation in Cyberspace + - (These developments bother many people I mention them to. + Nothing can be done about who uses strong crypto. And most + fasicst/racist situations are made worse by state + sponsorship--apartheid laws, Hitler's Germany, Pol Pot's + killing fields, all were examples of the state enforcing + racist or genocidal laws. The unbreakable crypto that the + Aryan Nation gets is more than offset by the gains + elsewhere, and the undermining of central authority.) + - shows the need for strong crypto...else governments will + infiltrate and monitor these political groups +13.7.2. Cypherpunks and Lobbying Efforts + + "Why don't Cypherpunks have a lobbying effort?" + + we're not "centered" near Washington, D.C., which seems + to be an essential thing (as with EFF, ACLU, EPIC, CPSR, + etc.) + - D.C. Cypherpunks once volunteered (April, 1993) to make + this their special focus, but not much has been heard + since. (To be fair to them, political lobbying is + pretty far-removed from most Cypherpunks interests.) + - no budget, no staff, no office + + "herding cats" + no financial stakes = why we don't do + more + + it's very hard to coordinate dozens of free-thinking, + opinionated, smart people, especially when there's no + whip hand, no financial incentive, no way to force them + into line + - I'm obviously not advocating such force, just noting a + truism of systems + + "Should Cypherpunks advocate breaking laws to achieve + goals?" + - "My game is to get cryptography available to all, without + violating the law. This mean fighting Clipper, fighting + idiotic export restraints, getting the government to + change it's stance on cryptography, through arguements + and letter pointing out the problems ... This means + writing or promoting strong cryptography....By violating + the law, you give them the chance to brand you + "criminal," and ignore/encourage others to ignore what + you have to say." [Bob Snyder, 4-28-94] +13.7.3. "How can nonlibertarians (liberals, for example) be convinced + of the need for strong crypto?" + - "For liberals, I would examine some pet cause and examine + the consequences of that cause becoming "illegal." For + instance, if your friends are "pro choice," you might ask + them what they would do if the right to lifers outlawed + abortion. Would they think it was wrong for a rape victim + to get an abortion just because it was illegal? How would + they feel about an abortion "underground railroad" + organized via a network of "stations" coordinated via the + Internet using "illegal encryption"? Or would they trust + Clipper in such a situation? + + "Everyone in America is passionate about something. Such + passion usually dispenses with mere legalism, when it comes + to what the believer feels is a question of fundamental + right and wrong. Hit them with an argument that addresses + their passion. Craft a pro-crypto argument that helps + preserve the object of that passion." [Sandy Sandfort, 1994- + 06-30] +13.7.4. Tension Between Governments and Citizens + - governments want more monitoring...big antennas to snoop on + telecommunications, " + - people who protect themselves are sometimes viewed with + suspicion + + Americans have generally been of two minds about privacy: + - None of your damn business, a man's home is his + castle..rugged individualism, self-sufficiency, Calvinism + - What have you got to hide? Snooping on neighbors + + These conflicting views are held simultaneously, almost + like a tensor that is not resolvable to some resultant + vector + - this dichotomy cuts through legal decisions as well +13.7.5. "How does the Cypherpunks group differ from lobbying groups + like the EFF, CPSR, and EPIC?" + - We're more disorganized (anarchic), with no central office, + no staff, no formal charter, etc. + - And the political agenda of the aforementioned groups is + often at odds with personal liberty. (support by them for + public access programs, subsidies, restrictions on + businesses, etc.) + - We're also a more radical group in nearly every way, with + various flavors of political extremism strongly + represented. Mostly anarcho-capitalists and strong + libertarians, and many "no compromises" privacy advocates. + (As usual, my apologies to any Maoists or the like who + don't feel comfortable being lumped in with the + libertarians....if you're out there, you're not speaking + up.) In any case, the house of Cypherpunks has many rooms. + - We were called "Crypto Rebels" in Steven Levy's "Wired" + article (issue 1.2, early 1993). We can represent a + _radical alternative_ to the Beltway lawyers that dominate + EFF, EPIC, etc. No need to compromise on things like + Clipper, Software Key Escrow, Digital Telephony, and the + NII. But, of course, no input to the legislative process. + - But there's often an advantage to having a much more + radical, purist body out in the wings, making the + "rejectionist" case and holding the inner circle folks to a + tougher standard of behavior. + - And of course there's the omnipresent difference that we + tend to favor direct action through technology over + politicking. +13.7.6. Why is government control of crypto so dangerous? + + dangers of government monopoly on crypto and sigs + - can "revoke your existence" + - no place to escape to (historically an important social + relief valve) +13.7.7. NSA's view of crypto advocates + - "I said to somebody once, this is the revenge of people + who couldn't go to Woodstock because they had too much trig + homework. It's a kind of romanticism about privacy and the + kind of, you know, "you won't get my crypto key until you + pry it from my dead cold fingers" kind of stuff. I have to + say, you know, I kind of find it endearing." [Stuart Baker, + counsel, NSA, CFP '94] +13.7.8. EFF + - eff@eff.org + + How to Join + - $40, get form from many places, EFFector Online, + - membership@eff.org + + EFFector Online + - ftp.eff.org, pub/EFF/Newsletters/EFFector + + Open Platform + - ftp://ftp.eff.org/pub/EFF/Policy/Open_Platform + - National Information Infrastructure +13.7.9. "How can the use of cryptography be hidden?" + + Steganography + - microdots, invisible ink + - where even the existence of a coded message gets one shot + + Methods for Hiding the Mere Existence of Encrypted Data + + in contrast to the oft-cited point (made by crypto + purists) that one must assume the opponent has full + access to the cryptotext, some fragments of decrypted + plaintext, and to the algorithm itself, i.e., assume the + worst + - a condition I think is practically absurd and + unrealistic + - assumes infinite intercept power (same assumption of + infinite computer power would make all systems besides + one-time pads breakable) + - in reality, hiding the existence and form of an + encrypted message is important + + this will be all the more so as legal challenges to + crypto are mounted...the proposed ban on encrypted + telecom (with $10K per day fine), various governmental + regulations, etc. + - RICO and other broad brush ploys may make people very + careful about revealing that they are even using + encryption (regardless of how secure the keys are) + + steganography, the science of hiding the existence of + encrypted information + - secret inks + - microdots + - thwarting traffic analysis + - LSB method + + Packing data into audio tapes (LSB of DAT) + + LSB of DAT: a 2GB audio DAT will allow more than 100 + megabytes in the LSBs + - less if algorithms are used to shape the spectrum to + make it look even more like noise + - but can also use the higher bits, too (since a real- + world recording will have noise reaching up to + perhaps the 3rd or 4th bit) + + will manufacturers investigate "dithering" circuits? + (a la fat zero?) + - but the race will still be on + + Digital video will offer even more storage space (larger + tapes) + - DVI, etc. + - HDTV by late 1990s + + Messages can be put into GIFF, TIFF image files (or even + noisy faxes) + - using the LSB method, with a 1024 x 1024 grey scale + image holding 64KB in the LSB plane alone + - with error correction, noise shaping, etc., still at + least 50KB + - scenario: already being used to transmit message + through international fax and image transmissions + + The Old "Two Plaintexts" Ploy + - one decoding produces "Having a nice time. Wish you + were here." + - other decoding, of the same raw bits, produces "The + last submarine left this morning." + - any legal order to produce the key generates the first + message + + authorities can never prove-save for torture or an + informant-that another message exists + - unless there are somehow signs that the encrypted + message is somehow "inefficiently encrypted, + suggesting the use of a dual plaintext pair method" + (or somesuch spookspeak) + - again, certain purist argue that such issues (which are + related to the old "How do you know when to stop?" + question) are misleading, that one must assume the + opponent has nearly complete access to everything + except the actual key, that any scheme to combine + multiple systems is no better than what is gotten as a + result of the combination itself + - and just the overall bandwidth of data... +13.7.10. next Computers, Freedom and Privacy Conference will be March + 1995, San Francisco +13.7.11. Places to send messages to + - cantwell@eff.org, Subject: I support HR 3627 + - leahy@eff.org, Subject: I support hearings on Clipper +13.7.12. Thesis: Crypto can become unstoppable if critical mass is + reached + - analogy: the Net...too scattered, too many countries, too + many degrees of freedom + - so scattered that attempts to outlaw strong crypto will be + futile...no bottlenecks, no "mountain passes" (in a race to + the pass, beyond which the expansion cannot be halted + except by extremely repressive means) +13.7.13. Keeping the crypto genie from being put in the bottle + - (though some claim the genie was never _in_ the bottle, + historically) + - ensuring that enough people are using it, and that the Net + is using it + - a _threshold_, a point of no return +13.7.14. Activism practicalities + + "Why don't we buy advertising time like Perot did?" + + This and similar points come up in nearly all political + discussions (I'm seeing in also in talk.politics.guns). + The main reasons it doesn't happen are: + - ads cost a lot of money + - casual folks rarely have this kind of money to spend + - "herding cats" comes to mind, i.e., it's nearly + impossible to coordinate the interests of people to + gather money, set up ad campaigns, etc. + - In my view, a waste of efforts. The changes I want won't + come through a series of ads that are just fingers in the + dike. (More cynically, Americans are getting the government + they've been squealing for. My interest is in bypassing + their avarice and repression, not in changing their minds.) + - Others feel differently, from posts made to the list. + Practically speaking, though, organized political activity + is difficult to achieve with the anarchic nonstructure of + the Cypherpunks group. Good luck! + +13.8. The Battle Lines are Being Drawn +13.8.1. Clipper met with disdain and scorn, so now new strategies are + being tried... +13.8.2. Strategies are shifting, Plan B is being hauled out + - fear, uncertainty, and doubt + - fears about terrorists, pornographers, pedophiles, money + launderers +13.8.3. corporate leaders like Grove are being enlisted to make the + Clipper case +13.8.4. Donn Parker is spreading panic about "anarchy" (similar to my + own CA) +13.8.5. "What can be done in the face of moves to require national ID + cards, use official public key registries, adhere to key + escrow laws, etc?" + - This is the most important question we face. + - Short of leaving the country (but for where?) or living a + subsistence-level lifestyle below the radar screens of the + surveillance state, what can be done? + + Some possibilities, not necessarily good ones: + + civil disobedience + - mutilation of cards, "accidental erasure," etc. + - forgeries of cards...probably not feasible (we understand + about digital sigs) + - creation of large black markets...still doesn't cover + everything, such as water, electricity, driver's + licenses, etc....just too many things for a black market + to handle + - lobby against these moves...but it appears the momentum + is too strong in the other direction + +13.9. "What Could Make Crypto Use more Common?" +13.9.1. transparent use, like the fax machine, is the key +13.9.2. easier token-based key and/or physical metrics for security + - thumbprint readers + - tokens attached to employee badges + - rings, watches, etc. that carry most of key (with several + bits remembered, and a strict "three strikes and you're + out" system) +13.9.3. major security scares, or fears over "back doors" by the + government, may accelerate the conversion + - all it may take are a couple of very large scandals +13.9.4. insurance companies may demand encryption, for several + reasons + - to protect against theft, loss, etc. + - to provide better control against viruses and other + modifications which expose the companies they ensure to + liability suits + - same argument cited by safe makers: when insurance + companies demanded better safes, that's when customers + bought them (and not before) +13.9.5. Networks will get more complex and will make conventional + security systems unacceptable + - "Fortress" product of Los Altos Technologies + - too many ways for others to see passwords being given to a + remote host, e.g., with wireless LANs (which will + necessitate ZKIPS) + - ZKIPS especially in networks, where the chances of seeing a + password being transmitted are much greater (an obvious + point that is not much discussed) + - the whole explosion in bandwidth +13.9.6. The revelations of surveillance and monitoring of citizens + and corporations will serve to increase the use of + encryption, at first by people with something to hide, and + then by others. Cypherpunks are already helping by spreading + the word of these situations. + - a snowballing effect + - and various government agencies will themselves use + encryption to protect their files and their privacy +13.9.7. for those in sensitive positions, the availability of new + bugging methods will accelerate the conversion to secure + systems based on encrypted telecommunications and the + avoidance of voice-based systems +13.9.8. ordinary citizens are being threatened because of what they + say on networks, causing them to adopt pseudonyms + - lawsuits, ordinary threats, concerns about how their + employers will react (many employers may adopt rules + limiting the speech of their employees, largely because of + concerns they'll get sued) + + and some database providers are providing cross-indexed + lists of who has posted to what boards-this is freely + available information, but it is not expected by people + that their postings will live forever + - some may see this as extortion + - but any proposed laws are unlikely to succeed + - so, as usual, the solution is for people to protect + themselves via technological means +13.9.9. "agents" that are able to retransmit material will make + certain kinds of anonymous systems much easier to use + +13.10. Deals, the EFF, and Digital Telephony Bill +13.10.1. The backroom deals in Washington are flying...apparently the + Administration got burned by the Clipper fiasco (which they + could partly write-off as being a leftover from the Bush era) + and is now trying to "work the issues" behind the scenes + before unveiling new and wide-reaching programs. (Though at + this writing, the Health Bill is looking mighty amateurish + and seems ulikely to pass.) +13.10.2. We are not hearing about these "deals" in a timely way. I + first heard that a brand new, and "in the bag," deal was + cooking when I was talking to a noted journalist. He told me + that a new deal, cut between Congress, the telecom industry, + and the EFF-type lobbying groups, was already a done deal and + would be unveiled so. Sure enough, the New and Improved + Digital Telephony II Bill appears a few weeks later and is + said by EFF representatives to be unstoppable. [comments by + S. McLandisht and others, comp.org.eff.talk, 1994-08] +13.10.3. Well, excuse me for reminding everyone that this country is + allegedly still a democracy. I know politics is done behinde + closed doors, as I'm no naif, but deal-cutting like this + deserves to be exposed and derided. +13.10.4. I've announced that I won't be renewing my EFF membership. I + don't expect them to fight all battles, to win all wars, but + I sure as hell won't help *pay* for their backrooms deals + with the telcos. +13.10.5. This may me in trouble with my remaining friends at the EFF, + but it's as if a lobbying groups in Germany saw the + handwriting on the wall about the Final Solution, deemed it + essentially unstoppable, and so sent their leaders to + Berchtesgaden/Camp David to make sure that the death of the + Jews was made as painless as possible. A kind of joint + Administration/Telco/SS/IG Farben "compromise." While I don't + equate Mitch, Jerry, Mike, Stanton, and others with Hitler's + minions, I certainly do think the inside-the-Beltway + dealmaking is truly disgusting. +13.10.6. Our freedoms are being sold out. + +13.11. Loose ends +13.11.1. Deals, deals, deals! + - pressures by Administration...software key escrow, digital + telephony, cable regulation + + and suppliers need government support on legislation, + benefits, spectrum allocation, etc + - reports that Microsoft is lobbying intensively to gain + control of big chunks of spectrum...could fit with cable + set-top box negotiations, Teledesic, SKE, etc. + - EFF even participates in some of these deals. Being "inside + the Beltway" has this kind of effect, where one is either a + "player" or a "non-player." (This is my interpretation of + how power corrupts all groups that enter the Beltway.) + Shmoozing and a desire to help. +13.11.2. using crypto to bypass laws on contacts and trade with other + countries + - one day it's illegal to have contact with China, the next + day it's encouraged + + one day it's legal to have contact with Haiti, the next day + there's an embargo (and in the case of Haiti, the economic + effects fall on on the poor--the tens of thousands fleeing + are not fleeing the rulers, but the poverty made worse by + the boycott + - (The military rulers are just the usual thugs, but + they're not "our" thugs, for reasons of history. Aristide + would almost certainly be as bad, being a Marxist priest. + Thus, I consider the breakin of the embargo to be a + morally good thing to do. + - who's to say why Haiti is suddenly to be shunned? By force + of law, no less! +13.11.3. Sun Tzu's "Art of War" has useful tips (more useful than "The + Prince") + - work with lowliest + - sabotage good name of enemy + - spread money around + - I think the events of the past year, including... +13.11.4. The flakiness of current systems... + - The current crypto infrastructure is fairly flaky, though + the distributed web-of-trust model is better than some + centralized system, of coure. What I mean is that many + aspects are slow, creaky, and conducive to errors. + - In the area of digital cash, what we have now is not even + as advanced as was seen with real money in Sumerian times! + (And I wouldn't trust the e-mail "message in a bottle" + approach for any nontrivial financial transactions.) + - Something's got to change. The NII/Superhighway/Infobahn + people have plans, but their plans are not likely to mesh + well with ours. A challenge for us to consider. +13.11.5. "Are there dangers in being too paranoid?" + + As Eric Hughes put it, "paranoia is cryptography's + occupational hazard." + - "The effect of paranoia is self-delusion of the following + form--that one's possible explanations are skewed toward + malicious attacks, by individuals, that one has the + technical knowledge to anticipate. This skewing creates + an inefficient allocation of mental energy, it tends + toward the personal, downplaying the possibility of + technical error, and it begins to close off examination + of technicalities not fully understood. + + "Those who resist paranoia will become better at + cryptography than those who do not, all other things + being equal. Cryptography is about epistemology, that + is, assurances of truth, and only secondarily about + ontology, that is, what actually is true. The goal of + cryptography is to create an accurate confidence that a + system is private and secure. In order to create that + confidence, the system must actually be secure, but + security is not sufficient. There must be confidence + thatthe way by which this security becomes to be believed + is robust and immune to delusion. + + "Paranoia creates delusion. As a direct and fundamental + result, it makes one worse at cryptography. At the + outside best, it makes one slower, as the misallocation + of attention leads one down false trails. Who has the + excess brainpower for that waste? Certainly not I. At + the worst, paranoia makes one completely ineffective, not + only in technical means but even more so in the social + context in which cryptography is necessarily relevant." + [Eric Hughes, 1994-05-14] + + King Alfred Plan, blacks + - plans to round up 20 million blacks + - RFK, links to LAPD, Western Goals, Birch, KKK + - RFA #9, 23, 38 + + organized crime situation, perhaps intelligence + community + - damaging to blacks, psychological +13.11.6. The immorality of U.S. boycotts and sanctions + - as with Haiti, where a standard and comparatively benign + and harmless military dictatorship is being opposed, we are + using force to interfere with trade, food shipments, + financial dealings, etc. + - invasion of countries that have not attacked other + countries...a major new escalation of U.S. militarism + - crypto will facillitate means of underming imperialism +13.11.7. The "reasonableness" trap + - making a reasonable thing into a mandatory thing + - this applies to what Cypherpunks should ever be prepared to + support + + An example: A restaurant offers to replace dropped items + (dropped on the floor, literally) for free...a reasonable + thing to offer customers (something I see frequently). So + why not make it the law? Because then the reasonable + discretion of the restaurant owner would be lost, and some + customers could "game against" (exploit the letter of the + law) the system. Even threaten lawsuits. + - (And libertarians know that "my house, my rules" applies + to restaurants and other businesses, absent a contract + spelling exceptions out.) + - A more serious example is when restaurants (again) find it + "reasonable" to hire various sorts of qualified people. + What may be "reasonable" is one thing, but too often the + government decides to _formalize_ this and takes away the + right to choose. (In my opinion, no person or group has any + "right" to a job unless the employer freely offers it. Yes, + this could included discrimination against various groups. + Yes, we may dislike this. But the freedom to choose is a + much more basic right than achieving some ideal of equality + is.) + - And when "reasonableness" is enforced by law, the game- + playing increases. In effect, some discretion is needed to + reject claims that are based on gaming. Markets naturally + work this way, as no "basic rights" or contracts are being + violated. + - Fortunately, strong crypto makes this nonsense impossible. + Perforce, people will engage in contracts only voluntarily. +13.11.8. "How do we get agreement on protocols?" + - Give this idea up immediately! Agreement to behave in + certain ways is almost never possible. + - Is this an indictment of anarchy? + - No, because the way agreement is sort of reached is through + standards or examplars that people can get behind. Thus, we + don't get "consensus" in advance on the taste of Coca + Cola...somebody offers Coke for sale and then the rest is + history. + - PGP is a more relevant example. The examplar is on a "take + it or leave it" basis, with minor improvements made by + others, but within the basic format. + +14. Other Advanced Crypto Applications + +14.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + +14.2. SUMMARY: Other Advanced Crypto Applications +14.2.1. Main Points +14.2.2. Connections to Other Sections +14.2.3. Where to Find Additional Information + - see the various "Crypto" Proceedings for various papers on + topics that may come to be important +14.2.4. Miscellaneous Comments + +14.3. Digital Timestamping +14.3.1. digital timestamping + - The canonical reference for digital timestamping is the + work of Stu Haber and Scott Stornetta, of Bellcore. Papers + presented at various Crypto conferences. Their work + involves having the user compute a hash of the document he + wishes to be stamped and sending the hash to them, where + they merge this hash with other hashes (and all previous + hashes, via a tree system) and then they *publish* the + resultant hash in a very public and hard-to-alter forum, + such as in an ad in the Sunday "New York Times." + + In their parlance, such an ad is a "widely witnessed + event," and attempts to alter all or even many copies of + the newspaper would be very difficult and expensive. (In a + sense, this WWE is similar to the "beacon" term Eric Hughes + used.) + + Haber and Stornetta plan some sort of commercial operation + to do this. + + This service has not yet been tested in court, so far as I + know. The MIT server is an experiment, and is probably + useful for experimenting. But it is undoubtedly even less + legally significant, of course. +14.3.2. my summary + +14.4. Voting +14.4.1. fraud, is-a-person, forging identies, increased "number" + trends +14.4.2. costs also high +14.4.3. Chaum +14.4.4. voting isomorphic to digital money + - where account transfers are the thing being voted on, and + the "eligible voters" are oneself...unless this sort of + thing is outlawed, which would create other problems, then + this makes a form of anonymous transfer possible (more or + less) + +14.5. Timed-Release Crypto +14.5.1. "Can anything like a "cryptographic time capsule" be built?" + - This would be useful for sealing diaries and records in + such a way that no legal bodies could gain access, that + even the creator/encryptor would be unable to decrypt the + records. Call it "time escrow." Ironically, a much more + correct use of the term "escrow" than we saw with the + government's various "key escrow" schemes. + - Making records undecryptable is easy: just use a one-way + function and the records are unreachable forever. The trick + is to have a way to get them back at some future time. + + Approaches: + + Legal Repository. A lawyer or set of lawyers has the key + or keys and is instructed to release them at some future + time. (The key-holding agents need not be lawyers, of + course, though that is the way things are now done. + - The legal system is a time-honored way of protecting + secrets of various kinds, and any system based on + cryptography needs to compete strongly with this simple + to use, well-established system. + - If the lawyer's identity is known, he can be + subpoenaed. Depends on jurisdictional issues, future + political climate, etc. + - But identity-hiding protocols can be used, so that the + lawyer cannot be reached. All that is know, for + example, is that "somewhere out there" is an agent who + is holding the key(s). Reputation-based systems should + work well here: the agent gains little and loses a lot + by releasing a key early, hence has no economic + motivation to do so. (Picture also a lot of "pinging" + going to "rate" the various ti