Copy Link
Add to Bookmark
Report
SURFPUNK Technical Journal 084
Date: Wed, 5 May 93 19:18:41 PDT
Reply-To: <surfpunk@osc.versant.com>
Return-Path: <cocot@osc.versant.com>
Message-ID: <surfpunk-0084@SURFPUNK.Technical.Journal>
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@osc.versant.com (n jbeyq-pynff grnz bs sbhe ratvarref)
To: surfpunk@osc.versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0084] USCONGRESS: rights and responsibilities in cyberspace
Lots of files are going around about last week's congressional hearings.
I've chosen a couple that interested me more.
I think there'll be a better version of Bruce Sterling's creative
testimony somewhere, that includes the question-and-answer exchange,
which I don't have. I hope this one is pretty accurate. Is it?
I'm disappointed to see that NIST still thinks it's going ahead
with its DSS digital signature proposal. I thought the arguments
to shoot it down were pretty good. --strick
________________________________________________________________________
________________________________________________________________________
Date: Sat, 01 May 1993 20:57:34
From: David L Racette <dlr@medical.win.net>
To: Leri <Leri@pyramid.com>
Subject: Interesting mail
Opening Statement to the House Subcommittee on
Telecommunications and Finance, Washington DC, April 29,
1993
Hello everyone and thanks for inviting me here. My
name is Bruce Sterling and I'm a science fiction writer and
sometime science journalist. Since writing my nonfiction book
HACKER CRACKDOWN: LAW AND DISORDER ON THE ELECTRONIC
FRONTIER, I have returned to writing science fiction. And I've
returned to that with some relief, frankly, since the world of
science fiction is in most ways rather less strange and less
bizarre than the contemporary world of telecommunications
policy.
I hope therefore that you will forgive me if I testify
today as a science fiction writer. It's one of the perks of my
profesion to write about the future, or attempt to, and I
thought you might like to meet someone from the
telecommunications future that you are so busy creating.
With your kind indulgence for my novelist's whimsy
then, the rest of my brief presentation today will be given by a
Mr. Bob Smith, with is an NREN network administrator from the
year 2015.
I present Mr. Smith.
"Thank you, Mr. Sterling. It's a remarkable privilege to
talk to the legislators who historically created my working
environment. As a laborer in the fields of 21st Century
cyberspace I of course would have no job without NREN and
my wife and small son and I are all properly grateful for your
foresight in establishing the Information Superhighway.
"Your actions in this regard have affected American
society every bit as strongly as did the telegraph, the railroads,
the telephone, the highway system, and television. In fact, it's
impossible for me to imagine contemporary life in 2015
without the Global Net; living without the Net would be like
trying to live without electricity.
"However, it's a truism in technological development that
no silver lining comes without its cloud. Today I'd like to
mention two or three trifling problems that have come up that
were not entirely obvious from the perspective of the early
1990s.
"First of all, this 'Research and Education' aspect. Since
communications *is* power in an Information Society, giving
fantastically advanced communications to the Research and
Education communities did in fact empower those communities
quite drastically by comparison with interest-groups lacking
that advantage. Today, one of the most feared political
organizations in the world is the multi-national anarchist
libertarian group called the Students for an Utterly Free
Society.
"Of course, there have always been campus radicals, but
thanks to their relative lack of financial clout, and lack of even
a steady home address, these young fanatics once found it very
difficult to organize politically. Therefore, they were easy for
the powers-that-be to ignore, except during occasional spasms
of violent campus unrest.
"Thanks to NREN, however, spasms of student unrest can
now spread like lightning across entire continents. Advanced
AI translation programs installed on the Net only made matters
worse, since in 2015 the global leaders of the student
movements are not only extremely radical, but French.
"Attempts by campus authorities to control this unrest
have failed miserably. In 2015, NREN sites are always the first
buildings occupied during a campus strike. Campus chancellors
and faculty are themselves so utterly dependent on NREN that
they become quite helpless off-line.
"A second major problem has been the growth of
unlicenced encryption, which has proved quite unstoppable.
Today some seventy-five percent of NREN archives are
material that no one in authority can read. Countries that
attempted to control and monitor network traffic have lost
market share and service revenue as data processing simply
moves offshore.
"The United States has profited by this phenomenon to a
great extent as people worldwide have flocked to the relative
liberty of our networks. Unfortunately many of these
electronic virtual immigrants are not simply dissidents looking
for free expression but in fact are organized criminals.
"Take for instance a recent FBI raid on an enormous
archive of encrypted Iranian files, illicitly stored in an obscure
NREN node in North Dakota. Luckily the FBI was able to
decrypt these files thanks to an inside informant. Deciphering
these archives revealed the following contraband:
"Eighty percent graphic image files of attractive young
women without veils on, or, in fact, much clothing of any kind.
"Fifteen percent digitally stored pirated copies of Western
pop music and Western videos, still illegal to possess in
Teheran.
"And, five percent text files in the Farsi language
describing how to guild, deliver and park truck-bombs in major
urban areas.
"I can't conclude my brief remarks today without a
mention of a particularly odd development having to do with
*wireless* computer telecommunications. Since it is now
possible to transact business entirely in cyberspace, including
financial transactions, many information entrepreneurs in 2015
have simply given up any physical home. Basically, they have
become stateless people, 21st Century gypsies.
"A recent tragic example of this occurred in the small
town of North Zulch, Texas. There some rural law enforcement
officers apprehended a scruffy vagabond on a motorcycle in a
high-speed chase. Unfortunately he was killed. A search of his
backpack revealed a device the size of a cigarette pack. In
searching the dead man's effects, the police officers, who were
not computer literate, accidentally broke the device. This tiny
device was actually a privately owned computer bulletin board
system with some 15,000 registered users.
"Many of the users were wealthy celebrities, and the
apparent outlaw biker was actually an extremely popular and
nationally known system operator. These 15,000 users were
enraged by what they considered the wanton destruction of
their electronic community. They pooled their resources and
took a terrible vengeance on the small town of North Zulch,
which, by contrast, had only 2,000 residents, none of them
wealthy or technologically sophisticated. Through a
combination of harassing lawsuits and sharp real-estate deals,
the vengeful board users bankrupted the town. Eventually the
entire township was bulldozed flat and purchased for parkland
by the Nature Conservancy.
"Thanks in part to the advances that you yourselves set
in motion, violent conflicts between virtual and actual
communities have become a permanent feature of the cultural
landscape in 2015."
Thank you for your patience in entertaining my
speculations. I'll be happy to take any questions -- though
only in my real-life persona. Thank you very much.
________________________________________________________________________
To: cypherpunks@toad.com
Subject: Hearing statement of Ray Kammer
From: fergp@sytex.com (Paul Ferguson)
Date: Wed, 05 May 93 13:53:37 EDT
This file <TESTIM.TXT> was obtained from the National Institute of
Standards and Technology. -
8<------- Cut Here ------------
STATEMENT OF
RAYMOND G. KAMMER
ACTING DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
BEFORE THE
SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE
COMMITTEE ON ENERGY AND COMMERCE
APRIL 29, 1993
Mr. Chairman and Members of the Subcommittee:
Good morning. Thank you for inviting me to testify. I am Raymond G.
Kammer, Acting Director of the National Institute of Standards and
Technology of the U.S. Department of Commerce. Under the Computer
Security Act of 1987, NIST is responsible for the development of
standards for protecting unclassified government computer systems,
except those commonly known as Warner Amendment systems (as defined
in Title 10 USC 2315).
NIST has a long-established program of developing computer security
guidelines and standards for federal agencies. Many of these are
also used, on a voluntary basis, by the private sector. We have
published guidance on computer security training and awareness,
identification and authentication, open systems security, incident
response, cryptographic standards, trusted systems, and many other
facets of computer security.
Today, however, I plan to address the following topics which I
believe are most directly germane to your invitation:
* The need for good information security technology to
protect computer and telecommunications systems and
networks;
* NIST's activities in telecommunications switch security;
* the planned recertification of the Data Encryption
Standard;
* NIST's proposed Digital Signature Standard;
* the recent White House announcement of a new encryption
technology, called the Clipper Chip; and
* the President's directive to review advanced
telecommunications and encryption technology.
Need for Computer Security
Strong security technology is required in modern communications
systems and networks to protect sensitive and valuable information.
Government agencies and private corporations depend upon the
integrity and availability of their communications system in order to
do business. Computer viruses, network worms, hackers, and other
threats against our systems emphasize the importance of
telecommunications security.
Additionally, I have grown convinced, through strong anecdotal
evidence, most of it shared on a proprietary basis, of the growing
threat to American business from "economic espionage." Much has been
reported in the press of the activities of foreign intelligence
services targeting American firms, and sharing their findings with
competing foreign firms. I am convinced that American firms need
strong security, and in particular, strong cryptography, to protect
against such threats.
More importantly, the Administration is committed to working with the
private sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to information.
This infrastructure of high-speed networks ("information
superhighways") will transmit video, images, HDTV programming, and
huge data files as easily as today's telephone system transmits
voice. Appropriate security techniques may at times be integrated
into such systems.
Telecommunications Security
Federal telephone and computer networks depend upon reliable and
secure telecommunications capabilities, both of long-distance
carriers and local private-branch exchanges (PBXs). To examine
security issues of telecommunications networks, including issues of
PBX security and telecommunications switch security, NIST is
currently setting up a Telecommunications Security Analysis Center.
This Center will expand on initial research we have conducted on the
vulnerability of telecommunications switches.
Telecommunications switches are an integral part of the security of
the public switched network. Security problems in switches can
result in serious problems such as toll fraud, unauthorized and
illegal eavesdropping, or the disabling of switches, which would
result in bringing down part of the public switched network.
NIST has been monitoring the growth of switch-related abuse and has
been analyzing switches to be able to address the types of crimes
that could be perpetrated in the future. This work includes studying
the growing ease of perpetrating these crimes.
There are several areas of concern:
* Toll fraud. Current research indicates that the problem is
well over $1 billion per year. While not all toll-fraud is
accomplished technically, telecommunications switches are
vulnerable to hackers who can gain unauthorized access to
the use of long-distance services. This is a particular
vulnerability to the owners of PBXs, who can lose
considerable sums if their systems are inadequately
protected. Good system configuration control is one good
security measure we are examining.
* Network Availability. There have been no cases of
intruders purposefully bringing down parts of the public
switched network. The President's National Security
Telecommunications Advisory Committee (NSTAC) concluded
that "Until there is confidence that strong comprehensive
computer security programs are in place, the industry
should assume that a motivated and resourceful adversary in
one concerted manipulation of the network software could
degrade at least portions of the PSN."
* Unauthorized Eavesdropping. If unauthorized access is
gained to telecommunications switches, which is really just
a computer that switches phone calls, a hacker can gain
access to the contents of phone conversations and other
information transmitted through a switch. This
unauthorized eavesdropping can be either "real-time," as
the conversations occur, or the intruders can arrange to
have the conversations and data electronically transmitted
to another telecommunications switch or computer for later
analysis.
The purpose of the Telecommunications Security Analysis Center will
be to:
* Develop tools and techniques to analyze very complex
systems such as switches;
* Provide informal security guidance and advice to federal
agencies on procurement of telecommunications switches;
* Perform security analyses of commercial switches in both
laboratory and real world environments; and
* Develop standards and guidance for use in securing switches
and in building more secure switches, while providing for
the legitimate needs of law enforcement, under proper court
order, to protect the American public.
As we pursue this research, we will be pleased to provide additional
information on our findings to the Committee.
The Data Encryption Standard
The current government standard for the encryption of data is known
as the Data Encryption Standard (DES), which was first approved as a
Federal Information Processing Standard in 1977. DES is widely used
within both the government and the private sector for the protection
of sensitive information, including financial information, medical
information, and Privacy Act data. DES represents a proven twenty
year old technology with DES products available in the marketplace
for the last 15 years.
Last year, NIST formally solicited comments on the recertification of
DES. After reviewing those comments, and the other technical inputs
that I have received, I plan to recommend to the Secretary of
Commerce that he recertify DES for another five years. I also plan
to suggest to the Secretary that when we announce the recertification
we state our intention to consider alternatives to it over the next
five years. By putting that announcement on the table, we hope to
give people an opportunity to comment on orderly technological
transitions. In the meantime, we need to consider the large
installed base of systems that rely upon this proven standard.
NIST's Proposed Digital Signature Standard
The majority of the cryptographic-based security requirements in
computer and network systems involve the need for strong
identification and authentication. One method which we believe holds
a capacity for significant improvements in security and also cost-
savings by automating paper processes is the use of digital
signatures.
A digital signature is a computer-based method of "sealing" an
electronic message in such a way that its contents cannot be changed
or forged without detection and that the identity of the originator
of the communication can be verified. The digital signature for a
message is simply a code, or large number, that is unique for each
message and each message originator (within a very high, known
probability). A digital signature is computed for a message by
computing a representation of the message (called a "hash" code) and
a cryptographic process that uses a key associated with the message
originator. Any party with access to the public key, message, and
signature can verify the signature. If the signature verifies
correctly, the receiver (or any other party) has confidence that the
message was signed by the owner of the public key and the message has
not been altered after it was signed.
In 1991, NIST proposed a draft Digital Signature Standard (DSS). We
received about 130 public comments. We have been reviewing these
comments and revising the standard as appropriate to respond to those
comments. Additionally, we have examined and are currently dealing
with two claims of patent infringement, which we believe will be
successfully resolved in the not-too-distant future. Once this
occurs, the Secretary of Commerce needs to decide to approve the DSS
as a Federal Information Processing Standard. It will then
complement the Secure Hash Standard which was recently approved by
the Secretary of Commerce as Federal Information Processing Standard
180.
We anticipate that the DSS will find many uses within government
computer systems and networks. For example, DSS could be employed in
electronic funds transfer systems. Suppose an electronic funds
transfer message is generated to request that $100.00 be transferred
from one account to another. If the message was passed over an
unprotected network, it may be possible for an adversary to alter the
message and request a transfer of $1000.00. Without additional
information, it would be difficult, if not impossible, for the
receiver to know the message had been altered. However if the DSS
was used to sign the message before it was sent, the receiver would
know the message had been altered because it would not verify
correctly. The transfer request could then be denied.
DSS could be employed in a variety of business applications requiring
a replacement of handwritten signatures. One example is Electronic
Data Interchange (EDI). EDI is the computer-to-computer interchange
of messages representing business documents. In the federal
government, this technology is being used to procure goods and
services. Digital signatures could be used to replace handwritten
signatures in these EDI transactions. For instance, contracts
between the government and its vendors could be negotiated
electronically. A government procurement official could post an
electronically signed message requesting bids for office supplies.
Vendors wishing to respond to the request may first verify the
message before they respond. This assures that the contents of the
message have not been altered and that the request was signed by a
legitimate procurement official. After verifying the bid request,
the vendor could generate and sign an electronic bid. Upon receiving
the bid, the procurement official could verify that the vendor's bid
was not altered after it was signed. If the bid is accepted, the
electronic message could be passed to a contracting office to
negotiate the final terms of the contract. The final contract could
be digitally signed by both the contracting office and the vendor.
If a dispute arose at some later time, the contents of contract and
the associated signatures could be verified by a third party.
DSS is also likely to find widespread applications in the health care
field. It might be used to sign digital images, for example, to
assure that they remain safe against unauthorized modifications.
DSS could also be useful in the distribution of software. A digital
signature could be applied to software after it has been validated
and approved for distribution. Before installing the software on a
computer, the signature could be verified to be sure no unauthorized
changes (such as the addition of a virus) have been made. The
digital signature could be verified periodically to ensure the
integrity of the software.
In database applications, the integrity of information stored in the
database is often essential. DSS could be employed in a variety of
database applications to provide integrity. For example, information
could be signed when it was entered into the database. To maintain
integrity, the system could also require that all updates or
modifications to the information be signed. Before signed
information was viewed by a user, the signature could be verified.
If the signature verified correctly, the user would know the
information was not altered by an unauthorized party. The system
could also include signatures in the audit information to provide a
record of users who modified the information.
The DSS can also be used in conjunction with more secure
identification and authentication systems, for the protection of
access to both computer and telecommunication systems.
A New Encryption Technology: The Clipper Chip
Approximately two weeks ago, the White House announced our intention,
based on a new encryption technology, the Clipper Chip, to initiate a
voluntary program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law enforcement.
This initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links - the
security of the very systems you are examining here today.
Sophisticated encryption technology, including the DES, has been used
for years to protect electronic funds transfer. It is now being used
to protect electronic mail and computer files. While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used by
terrorists, drug dealers, and other criminals.
A state-of-the-art microcircuit, the "Clipper Chip," has been
developed by government engineers. The chip represents a new
approach to encryption technology. It can be used in new, relatively
inexpensive encryption devices that can be attached to an ordinary
telephone. It scrambles telephone communications using an encryption
algorithm that is more powerful than many in commercial use today.
The Clipper algorithm with an 80 bit long cryptographic key is
approximately 16 million times stronger than DES. It would take a
CRAY YMP over 200 years to solve one DES key. It would take the same
machine over a billion years to solve one Clipper Chip key.
This new technology offers opportunities for companies to protect
proprietary information, protect the privacy of personal phone
conversations and prevent unauthorized release of data transmitted
electronically. At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals.
Protection of confidentiality of information is of critical concern
to the nation. So too is the ability of law enforcement to provide
safe streets and neighborhoods. Americans demand the very best in
law enforcement - at the federal, state and local level. Citizens
insist upon a quick response to terrorist threats, organized crime,
and drug dealers, while preserving our Constitutional rights. Past
experience clearly shows that one critical technology successfully
used to prosecute organized crime is the use of court-authorized
wiretaps. Unquestionably, these lawful electronic intercepts have
saved lives and been critical to bringing criminals to justice. The
"Clipper Chip" is also a powerful tool which will be used by law
enforcement to protect its own sensitive communications from illicit
criminal monitoring.
A "key-escrow" system is envisioned that would ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans. Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government agencies
to decode messages encoded by the device. When the device is
manufactured, the two keys would be deposited separately in two "key-
escrow" data bases established by the Attorney General. Access to
these keys would be limited to government officials with legal
authorization to conduct a wiretap.
The President has asked the Attorney General to make arrangements
with appropriate entities who would hold the keys for the key-escrow
microcircuits installed in communications equipment. I understand
that the Attorney General is currently studying these procedures and
options for who will serve as the key escrow holders.
Since the announcement from the White House, I have stressed that the
"Clipper Chip" technology provides law enforcement with no new
authorities to access the content of the private conversations of
Americans. Also, some have claimed that there is a hidden trapdoor
in the chip or the algorithm. I cannot state it more simply: no
trapdoor exists.
The chip is an important step in addressing the problem of
encryption's dual-edge sword: encryption helps to protect the
privacy of individuals and industry, but it also can shield criminals
and terrorists. We need the "Clipper Chip" and other approaches that
can both provide law-abiding citizens with access to the encryption
they need and prevent criminals from using it to hide their illegal
activities.
Presidential Directive for Advanced Telecommunications and Encryption
Review
In order to assess technology trends and explore new approaches and
technologies (like the key-escrow system), the President has directed
government agencies to develop a comprehensive policy on encryption
and advanced telecommunications technology that accommodates:
* the privacy of our citizens, including the need to employ
voice or data encryption for business purposes;
* the ability of authorized officials to access telephone
calls and data, under proper court or other legal order,
when necessary to protect our citizens;
* the effective and timely use of the most modern technology
to build the National Information Infrastructure needed to
promote economic growth and the competitiveness of American
industry in the global marketplace; and
* the need of U.S. companies to manufacture and export high
technology products.
The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.
I anticipate being a member of the governmental review panel which
will study this issue.
I will again stress what we have stated previously. Encryption
technology will play an increasingly important role in future network
infrastructures and the Federal Government must act quickly to
develop consistent, comprehensive policies regarding its use. The
Administration is committed to policies that protect all Americans'
right to privacy while also protecting them from those who break the
law.
Thank you Mr. Chairman, I would be pleased to answer any questions.
Paul Ferguson | Uncle Sam wants to read
Network Integrator | your e-mail...
Centreville, Virginia USA | Just say "NO" to the Clipper
fergp@sytex.com | Chip...
-------------------------------+------------------------------
I love my country, but I fear it's government.
________________________________________________________________________
Date: 03 May 1993 09:12:58 -0400 (EDT)
From: carl@malamud.com (Carl Malamud)
Subject: Hearings by Congressman Markey
To: announce@malamud.com
Org: Internet Talk Radio
Channel: Internet Town Hall
Program: Special Program
Release: May 2, 1993 (Hearings were on April 29, 1993)
Content: Hearings by House Subcommittee on Telecommunications and Finance
Chairman Edward Markey held oversight hearings on April 29 on the
rights and responsibilities of individuals and organizations in
cyberspace. A high tech presentation highlighting issues such as
encryption, electronic invasions of privacy, fraud, civil liberties and
computer crime, preceded a panel discussion.
For the demonstration, a world-class team of four engineers from Sun
and the San Diego Supercomputer Center brought in an HDTV, an ATM
switch, an ISDN switch, a Russian satellite dish, a XEROX Liveboard,
a BARCO projector with special video equipment, four Sparcstation
10s, a few Sparcstation 2s, and miscellaneous other equipment.
The purpose of the demonstration was to show that while our current
public policy makes distinctions based on industry, those distinctions
have no meaning in the underlying technology. A television is a
computer and a computer is a television; a computer is a telephone
and vice versa. To demonstrate the latter point, Gage and his
associates showed how a new AT&T cellular phone could be changed
by any 13-year old into a scanner. The demonstration also showed
how DES code could be pulled off anonymous FTP systems in Finland,
yet US industry was unable to export this technology.
The panel consisted of Raymond Kammer, Acting Director of NIST
(National Institute of Standards and Technology), who provided
testimony on technology standard setting issues including the
government-endorsed "Clipper Chip" encryption technology;
Mr. Bruce Sterling, noted science fiction writer on cyberspace and also
author of the non-fiction book, "The Hacker Crackdown: Law and Disorder
on the Electronic Frontier," which discusses computer crime and civil
liberties;
Mr. John Lucich, State Investigator with the New Jersey Division of
Criminal Justice. Mr. Lucich combats computer and electronic fraud
crimes by electronically infiltrating the underground computer bulletin
boards of the "hacker" and "phone phreak" community; and
Mr. Joel Reidenberg, Professor of Law at Fordham University Law School,
who has studied how personal privacy is affected by telecommunications
and computer technologies and the various privacy protections afforded
citizens of different countries.
We would like to apologize in advance for the very poor audio
quality of this tape. The hearing room was quite antiquated, and
was full of ungrounded electricity, lots and lots of electronic
equipment, wireless mikes, and PA systems turned up way too loud.
We hope the content makes the mind happier than the ears.
Support for this program was provided by O'Reilly & Associates and
by Sun Microsystems.
ITH Program Files: 050293_spec_01_HALL.au (Testimony of John Gage)
050293_spec_02_HALL.au (Testimony of Panel)
ITH Readme File: 050293_spec_HALL.readme (This File)
For information on Internet Talk Radio, write to info@radio.com.
More information on Internet Town Hall will be available shortly.
For a current, partial listing of sites, write to sites@radio.com.
________________________________________________________________________
Date: Sat, 1 May 93 01:51:06 -0700
From: tcmay@netcom.com (Timothy C. May)
Subject: REALPOLITIK = Choosing Battles Carefully
Cc: cypherpunks@toad.com
(Cyphergang, this is going to have to be my last post for a while on this
thread. The points have been made. Some agree with me, some call me
treasonous. I say what I think. -TCM)
Hal Finney writes:
.....stuff elided....
>First, I don't see that the interests of RSADSI are fully aligned with
>ours regarding Clipper. Despite PKP's success in accumulating patents,
>Clipper per se does not appear to infringe, being based on a new symmetric
>cryptosystem. So they don't have any direct leverage over the use of
>Clipper.
That's right, they don't. Clipper/Skipjack/Capstone looks to be
well-planned move to reassert government control over crypto, with various
government modules replacing existing modules (as with the DSS signature
standard, which uses the El Gamal algorithm).
Whether RSADSI is upset, I don't know. I suspect so. Bidzos was quoted as
saying "Clipper is an arrow aimed at the heart of my company." (source:
Eric, who saw it in a newspaper)
...
>In fact, Clipper in some ways represents a major market opportunity for PKP.
>To the extent that the publicity leads to increased sales of encrypting
>phones, PKP may benefit from the success of the Clipper.
This could be. I don't think enough is known to answer this. I suspect the
"end run" theory mentioned above. If Bidzos thought Clipper was a great
thing for his company, he wouldn't be busily lobbying to help kill it, nor
would he have shown up at ur emergency meeting to tell us what he knew.
>(The follow-on Capstone project does appear to pose a greater threat to
>PKP, since it will use DSS (for key exchange???).)
Capstone is not really a "follow-on," in the sense that it is due to be
announced *this month*, if I recall correctly. It's very far along, I
believe. More like a "one-two punch." And, yes, it appears to be a major
threat to us all. But we'll have to wait and see, I suppose.
>
>Furthermore, in any future government prohibition on non-Clipper cryptography,
>our greatest nightmare, it is plausible that the government would "take care"
>of PKP by making sure that they get a nice piece of the pie. I could easily
>imagine a situation in which non-Clipper crypto is banned, Clipper is
>widely distributed, and PKP is doing very well financially with a slice
>of the profits from every sale.
I think I mentioned somewhere that I put Bidzos on the spot with what I
called "The 64-bit Question": Are you going to cut a deal and sell us out?
Bidzos was very sober when he answered this, and said, roughly: "If you
mean will I conspire with the government to deny strong crypto to users,
no. But if Clipper and Capstone are destined for deployment and they come
to us and offer royalties, what choice will we have? We have a duty to our
shareholders." And as he was leaving for the day, he leaned in the door to
our meeting and said, as if to reiterate the point, "Tim, I won't sell you
out."
(Please don't use this recollection of what he said for a dissection of
what he really meant, what RSA is really doing, etc. I have already said
that Bidzos said he knew nothing about the Clipper program until we all
did. And so on.)
>Even if Jim Bidzos were personally committed to widespread, strong, public
>cryptography, and opposed Clipper for fundamental philosophical reasons
>(just like us), he would be faced with a conflict of interest. As several
This is not clear. Deploying strong crypto could be more lucrative to
RSADSI than having the government deploy its own Capstone "CA"
(Cryptographic Algorithm, the new acronym du jour) and paying RSADSI some
token amount for some small piece of the package.
>people have pointed out here, Bidzos has a fiduciary responsibility to
>his shareholders to maximize profits for his twin companies. If it comes
>down to a choice between opposing Clipper on principle and accepting it
>along with guaranteed profits, he may be forced (in the same sense in which
>he is forced to send threats to Stanton McCandlish) to back Clipper.
>
>So, even if Bidzos is personally a nice guy I think we need to remember
>that his company may not be a natural ally of ours.
I completely agree and nothing I have ever said suggests we place all our
faith in his company or any other institution. What I have said--several
times, now--is that a frontal attack on the RSA patents, via highly public
postings of PGP and a "Fuck you!" approach to talking with patent owners,
is not the best strategy at this time.
>I like Tim's .sig and all it represents. But frankly, it is hard for me
>to square a commitment to radical change with the proposed alliance with
>PKP. Part of the trouble is that I still don't understand exactly what
>our relationship with RSADSI is proposed to become. But at a minimum it
>sounds like we would avoid supporting activities which would infringe
>on their patents.
There's no proposed alliance being talked about. See previous paragraph. I
don't expect anyone to necessarily agree with my politics.
>
>That means that when we want to start working on some of those things in
>Tim's .sig, we are in many cases going to have to get Jim Bidzos's
>permission. Can you imagine asking something like this:
>
>"Dear Jim: We request permission to use the RSA algorithm for an
>implementation of digital cash which we will distribute in an underground
>way among BBS's all over the world, with the goal being the support of
>"information markets, black markets, [and] smashing of governments"
>(to quote Tim's excellent .sig). "Please sign on the dotted line
>below. Yours truly, an anonymous Cypherpunk."
Of course not! Nobody has suggested this. This is a straw man. Being
nonconfrontational in some areas (aka "living to fight another day," aka
"choosing your battles carefully") doesn't mean any kind of mutual approval
pact has been signed.
I want strong crypto first and foremost. Then the other stuff can perhaps
follow. If crypto privacy is outlawed now, if the War on Drugs and "What
have you got to hide?" approaches win out, then all is lost.
>How, exactly, are we supposed to progress towards Crypto Anarchy if we
>have to be sure not to step on PKP's toes? Do we just not ask him for
>permission (in which case we are in PGP's boat)? Do we ask for permission
>without revealing the full scope of the project (in which case it may be
>rescinded later)? I am not being facetious here. I honestly don't see
>how you can carry out Cypherpunk activities with a corporate sponsor.
Asked and answered.
Let me phrase the issue in slightly different terms. Which of the following
strategies do you folks think will best improve the chances that strong
crypto remains legal?
1. CONFRONTATION: We fight RSADSI at every step. We engage them in legal
battles, we distribute infringing code whenever possible. We get PGP spread
to thousands of users, perhaps tens of thousands of users at bootleg,
underground sites. (Remember that businesses cannot use PGP without fear of
prosecution, fines, whatever...unless the Cypherpunks win their lawsuit
against RSADSI, sometime around 1997 or so, at the rate these cases move
through the courts.)
2. REALPOLITIK: We concentrate instead on spreading strong crypto into as
many ecological niches as possible: individuals, corporations, e-mail
packages, attorney-client transactions, and so on. We emphasize the legal,
constitutional right to communicate messages in the language of our choice
(that is, we have no obligation to speak in languages eavesdroppers can
more easily understand). To head off government moves to act against PGP
and similar systems, the parts of PGP that conflict with RSA's patents are
modified, thus becoming legal to use (and Phil even has a chance to make
some money, which he sure as hell can't do now).
I'll take #2 and worry about digital money and anonymous systems later.
Strong crypto is logically prior to everything else.
All I've argued is that the "in your face" approach has its limits. Most of
the PGP users are, I think we'll all agree, hobbyists and hackers who
downloaded it, played with it, learned some crypto from it, exchanged keys,
etc. Probably not too many critical uses, YET. But the popularity suggests
a hunger for strong crypto.
The Clipper/Capstone move indicates the government wants to head this off
at the pass. The question is whether the bootleg and infringing PGP (and
Phil admits to all this in his docs, obviously) has a better chance of
succeeding than a fully legal and already spreading RSA solution?
(The issue of PGP's feature set versus that of MailSafe's is secondary to
the main issues...between RSAREF, RIPEM, OCE, and other RSA-based systems,
the features can be found. I expect a compromise along these lines, mixing
parts of PGP with parts of RSAREF, is going to happen.)
As for Stanton McLandish's removal of PGP from his site, Eric Hughes and
others have explained the legal issues in great detail.
Of course, anyone who really wishes to take on the RSA patents in a big way
is perfectly free to place PGP on his U.S. site, advertise it heavily in
sci.crypt so that RSADSI cannot possibly claim to have missed it, tell
Bidzos to get lost when the inevitable "cease and desist" warning arrives,
and then follow through with the several-year legal battle that will
result.
Strong crypto is far more important that this petty issue of patents.
-Tim May
--
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: by arrangement
________________________________________________________________________
________________________________________________________________________
The SURFPUNK Technical Journal is a dangerous multinational hacker zine
originating near BARRNET in the fashionable western arm of the northern
California matrix. Quantum Californians appear in one of two states,
spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________
Send postings to <surfpunk@osc.versant.com>, subscription requests
to <surfpunk-request@osc.versant.com>. MIME encouraged.
Xanalogical archive access soon. Has the right to exclude all others.
________________________________________________________________________
________________________________________________________________________
From: wuthel!noisy@drums.reasoning.com
Subject: Patent fallacies
To: cypherpunks@toad.com
There seems to be some misunderstanding of
how patent protection works. Page numbers in
square brackets are references to
_Patent_It_Yourself_ by David Pressman (Nolo
Press) 2nd edition. Page numbers in angle
brackets are to ``Intellectual Property'' by
Miller & Davis (West) 2nd edition.
CONTRIBUTOR INFRINGEMENT
``If your claims don't read on the infringnid
device, but the infringing device is a
specially made compenent tha't nly useful in
a machine covered by your patent, the
ingringer may be liable under the doctrine of
`Contributroy infringment' '' [page 15-9]
``If a person actively encourages another to
make, user or sell the inventin o without
permission, the psers so inducing is liable
for INDIRECT infringment. CONTRIBUTORY
infringment can be commmitted by know
selling or supplying a non-stape item for
which the only or predominant use is in
connecitno with a patented invention.'' <130>
``Contributory infringement can occur only
in connection with a SALE . . . Thus, a
contributory infringer can be liable for
infringment even though what he has sold
is completey i the public domain and has
no patent protection itself.'' <131>
HOME INFRINGEMENT
``While 'home infrignement' may be difficult
to detect, nevertheless it is a form in
infringment which is legally actionable and
can subject the infringer to paying damages
and/or an injunction prohibiting futher
infringement '' [page 15-12]
''A patenet ahs the EXCLUSIVE right to
MAKE, USE or SELL the invention. 35 SUCA
Par 154 <128> .... The owner of a patent
... has the right to exclude all others
from using ... it.
SELECTIVE ENFORCEMENT IS OK
``. . . a patent owner is not prejudiced
by the fact that antoher infringer has
prodcuded the item without notice of
the paten even though a later second
infrigner could legitimately claim that
he copies an unmarked product.'' <129>
