Date: Wed, 5 May 93 19:18:41 PDT Reply-To: Return-Path: Message-ID: Mime-Version: 1.0 Content-Type: text/plain From: surfpunk@osc.versant.com (n jbeyq-pynff grnz bs sbhe ratvarref) To: surfpunk@osc.versant.com (SURFPUNK Technical Journal) Subject: [surfpunk-0084] USCONGRESS: rights and responsibilities in cyberspace Lots of files are going around about last week's congressional hearings. I've chosen a couple that interested me more. I think there'll be a better version of Bruce Sterling's creative testimony somewhere, that includes the question-and-answer exchange, which I don't have. I hope this one is pretty accurate. Is it? I'm disappointed to see that NIST still thinks it's going ahead with its DSS digital signature proposal. I thought the arguments to shoot it down were pretty good. --strick ________________________________________________________________________ ________________________________________________________________________ Date: Sat, 01 May 1993 20:57:34 From: David L Racette To: Leri Subject: Interesting mail Opening Statement to the House Subcommittee on Telecommunications and Finance, Washington DC, April 29, 1993 Hello everyone and thanks for inviting me here. My name is Bruce Sterling and I'm a science fiction writer and sometime science journalist. Since writing my nonfiction book HACKER CRACKDOWN: LAW AND DISORDER ON THE ELECTRONIC FRONTIER, I have returned to writing science fiction. And I've returned to that with some relief, frankly, since the world of science fiction is in most ways rather less strange and less bizarre than the contemporary world of telecommunications policy. I hope therefore that you will forgive me if I testify today as a science fiction writer. It's one of the perks of my profesion to write about the future, or attempt to, and I thought you might like to meet someone from the telecommunications future that you are so busy creating. With your kind indulgence for my novelist's whimsy then, the rest of my brief presentation today will be given by a Mr. Bob Smith, with is an NREN network administrator from the year 2015. I present Mr. Smith. "Thank you, Mr. Sterling. It's a remarkable privilege to talk to the legislators who historically created my working environment. As a laborer in the fields of 21st Century cyberspace I of course would have no job without NREN and my wife and small son and I are all properly grateful for your foresight in establishing the Information Superhighway. "Your actions in this regard have affected American society every bit as strongly as did the telegraph, the railroads, the telephone, the highway system, and television. In fact, it's impossible for me to imagine contemporary life in 2015 without the Global Net; living without the Net would be like trying to live without electricity. "However, it's a truism in technological development that no silver lining comes without its cloud. Today I'd like to mention two or three trifling problems that have come up that were not entirely obvious from the perspective of the early 1990s. "First of all, this 'Research and Education' aspect. Since communications *is* power in an Information Society, giving fantastically advanced communications to the Research and Education communities did in fact empower those communities quite drastically by comparison with interest-groups lacking that advantage. Today, one of the most feared political organizations in the world is the multi-national anarchist libertarian group called the Students for an Utterly Free Society. "Of course, there have always been campus radicals, but thanks to their relative lack of financial clout, and lack of even a steady home address, these young fanatics once found it very difficult to organize politically. Therefore, they were easy for the powers-that-be to ignore, except during occasional spasms of violent campus unrest. "Thanks to NREN, however, spasms of student unrest can now spread like lightning across entire continents. Advanced AI translation programs installed on the Net only made matters worse, since in 2015 the global leaders of the student movements are not only extremely radical, but French. "Attempts by campus authorities to control this unrest have failed miserably. In 2015, NREN sites are always the first buildings occupied during a campus strike. Campus chancellors and faculty are themselves so utterly dependent on NREN that they become quite helpless off-line. "A second major problem has been the growth of unlicenced encryption, which has proved quite unstoppable. Today some seventy-five percent of NREN archives are material that no one in authority can read. Countries that attempted to control and monitor network traffic have lost market share and service revenue as data processing simply moves offshore. "The United States has profited by this phenomenon to a great extent as people worldwide have flocked to the relative liberty of our networks. Unfortunately many of these electronic virtual immigrants are not simply dissidents looking for free expression but in fact are organized criminals. "Take for instance a recent FBI raid on an enormous archive of encrypted Iranian files, illicitly stored in an obscure NREN node in North Dakota. Luckily the FBI was able to decrypt these files thanks to an inside informant. Deciphering these archives revealed the following contraband: "Eighty percent graphic image files of attractive young women without veils on, or, in fact, much clothing of any kind. "Fifteen percent digitally stored pirated copies of Western pop music and Western videos, still illegal to possess in Teheran. "And, five percent text files in the Farsi language describing how to guild, deliver and park truck-bombs in major urban areas. "I can't conclude my brief remarks today without a mention of a particularly odd development having to do with *wireless* computer telecommunications. Since it is now possible to transact business entirely in cyberspace, including financial transactions, many information entrepreneurs in 2015 have simply given up any physical home. Basically, they have become stateless people, 21st Century gypsies. "A recent tragic example of this occurred in the small town of North Zulch, Texas. There some rural law enforcement officers apprehended a scruffy vagabond on a motorcycle in a high-speed chase. Unfortunately he was killed. A search of his backpack revealed a device the size of a cigarette pack. In searching the dead man's effects, the police officers, who were not computer literate, accidentally broke the device. This tiny device was actually a privately owned computer bulletin board system with some 15,000 registered users. "Many of the users were wealthy celebrities, and the apparent outlaw biker was actually an extremely popular and nationally known system operator. These 15,000 users were enraged by what they considered the wanton destruction of their electronic community. They pooled their resources and took a terrible vengeance on the small town of North Zulch, which, by contrast, had only 2,000 residents, none of them wealthy or technologically sophisticated. Through a combination of harassing lawsuits and sharp real-estate deals, the vengeful board users bankrupted the town. Eventually the entire township was bulldozed flat and purchased for parkland by the Nature Conservancy. "Thanks in part to the advances that you yourselves set in motion, violent conflicts between virtual and actual communities have become a permanent feature of the cultural landscape in 2015." Thank you for your patience in entertaining my speculations. I'll be happy to take any questions -- though only in my real-life persona. Thank you very much. ________________________________________________________________________ To: cypherpunks@toad.com Subject: Hearing statement of Ray Kammer From: fergp@sytex.com (Paul Ferguson) Date: Wed, 05 May 93 13:53:37 EDT This file was obtained from the National Institute of Standards and Technology. - 8<------- Cut Here ------------ STATEMENT OF RAYMOND G. KAMMER ACTING DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY BEFORE THE SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE COMMITTEE ON ENERGY AND COMMERCE APRIL 29, 1993 Mr. Chairman and Members of the Subcommittee: Good morning. Thank you for inviting me to testify. I am Raymond G. Kammer, Acting Director of the National Institute of Standards and Technology of the U.S. Department of Commerce. Under the Computer Security Act of 1987, NIST is responsible for the development of standards for protecting unclassified government computer systems, except those commonly known as Warner Amendment systems (as defined in Title 10 USC 2315). NIST has a long-established program of developing computer security guidelines and standards for federal agencies. Many of these are also used, on a voluntary basis, by the private sector. We have published guidance on computer security training and awareness, identification and authentication, open systems security, incident response, cryptographic standards, trusted systems, and many other facets of computer security. Today, however, I plan to address the following topics which I believe are most directly germane to your invitation: * The need for good information security technology to protect computer and telecommunications systems and networks; * NIST's activities in telecommunications switch security; * the planned recertification of the Data Encryption Standard; * NIST's proposed Digital Signature Standard; * the recent White House announcement of a new encryption technology, called the Clipper Chip; and * the President's directive to review advanced telecommunications and encryption technology. Need for Computer Security Strong security technology is required in modern communications systems and networks to protect sensitive and valuable information. Government agencies and private corporations depend upon the integrity and availability of their communications system in order to do business. Computer viruses, network worms, hackers, and other threats against our systems emphasize the importance of telecommunications security. Additionally, I have grown convinced, through strong anecdotal evidence, most of it shared on a proprietary basis, of the growing threat to American business from "economic espionage." Much has been reported in the press of the activities of foreign intelligence services targeting American firms, and sharing their findings with competing foreign firms. I am convinced that American firms need strong security, and in particular, strong cryptography, to protect against such threats. More importantly, the Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice. Appropriate security techniques may at times be integrated into such systems. Telecommunications Security Federal telephone and computer networks depend upon reliable and secure telecommunications capabilities, both of long-distance carriers and local private-branch exchanges (PBXs). To examine security issues of telecommunications networks, including issues of PBX security and telecommunications switch security, NIST is currently setting up a Telecommunications Security Analysis Center. This Center will expand on initial research we have conducted on the vulnerability of telecommunications switches. Telecommunications switches are an integral part of the security of the public switched network. Security problems in switches can result in serious problems such as toll fraud, unauthorized and illegal eavesdropping, or the disabling of switches, which would result in bringing down part of the public switched network. NIST has been monitoring the growth of switch-related abuse and has been analyzing switches to be able to address the types of crimes that could be perpetrated in the future. This work includes studying the growing ease of perpetrating these crimes. There are several areas of concern: * Toll fraud. Current research indicates that the problem is well over $1 billion per year. While not all toll-fraud is accomplished technically, telecommunications switches are vulnerable to hackers who can gain unauthorized access to the use of long-distance services. This is a particular vulnerability to the owners of PBXs, who can lose considerable sums if their systems are inadequately protected. Good system configuration control is one good security measure we are examining. * Network Availability. There have been no cases of intruders purposefully bringing down parts of the public switched network. The President's National Security Telecommunications Advisory Committee (NSTAC) concluded that "Until there is confidence that strong comprehensive computer security programs are in place, the industry should assume that a motivated and resourceful adversary in one concerted manipulation of the network software could degrade at least portions of the PSN." * Unauthorized Eavesdropping. If unauthorized access is gained to telecommunications switches, which is really just a computer that switches phone calls, a hacker can gain access to the contents of phone conversations and other information transmitted through a switch. This unauthorized eavesdropping can be either "real-time," as the conversations occur, or the intruders can arrange to have the conversations and data electronically transmitted to another telecommunications switch or computer for later analysis. The purpose of the Telecommunications Security Analysis Center will be to: * Develop tools and techniques to analyze very complex systems such as switches; * Provide informal security guidance and advice to federal agencies on procurement of telecommunications switches; * Perform security analyses of commercial switches in both laboratory and real world environments; and * Develop standards and guidance for use in securing switches and in building more secure switches, while providing for the legitimate needs of law enforcement, under proper court order, to protect the American public. As we pursue this research, we will be pleased to provide additional information on our findings to the Committee. The Data Encryption Standard The current government standard for the encryption of data is known as the Data Encryption Standard (DES), which was first approved as a Federal Information Processing Standard in 1977. DES is widely used within both the government and the private sector for the protection of sensitive information, including financial information, medical information, and Privacy Act data. DES represents a proven twenty year old technology with DES products available in the marketplace for the last 15 years. Last year, NIST formally solicited comments on the recertification of DES. After reviewing those comments, and the other technical inputs that I have received, I plan to recommend to the Secretary of Commerce that he recertify DES for another five years. I also plan to suggest to the Secretary that when we announce the recertification we state our intention to consider alternatives to it over the next five years. By putting that announcement on the table, we hope to give people an opportunity to comment on orderly technological transitions. In the meantime, we need to consider the large installed base of systems that rely upon this proven standard. NIST's Proposed Digital Signature Standard The majority of the cryptographic-based security requirements in computer and network systems involve the need for strong identification and authentication. One method which we believe holds a capacity for significant improvements in security and also cost- savings by automating paper processes is the use of digital signatures. A digital signature is a computer-based method of "sealing" an electronic message in such a way that its contents cannot be changed or forged without detection and that the identity of the originator of the communication can be verified. The digital signature for a message is simply a code, or large number, that is unique for each message and each message originator (within a very high, known probability). A digital signature is computed for a message by computing a representation of the message (called a "hash" code) and a cryptographic process that uses a key associated with the message originator. Any party with access to the public key, message, and signature can verify the signature. If the signature verifies correctly, the receiver (or any other party) has confidence that the message was signed by the owner of the public key and the message has not been altered after it was signed. In 1991, NIST proposed a draft Digital Signature Standard (DSS). We received about 130 public comments. We have been reviewing these comments and revising the standard as appropriate to respond to those comments. Additionally, we have examined and are currently dealing with two claims of patent infringement, which we believe will be successfully resolved in the not-too-distant future. Once this occurs, the Secretary of Commerce needs to decide to approve the DSS as a Federal Information Processing Standard. It will then complement the Secure Hash Standard which was recently approved by the Secretary of Commerce as Federal Information Processing Standard 180. We anticipate that the DSS will find many uses within government computer systems and networks. For example, DSS could be employed in electronic funds transfer systems. Suppose an electronic funds transfer message is generated to request that $100.00 be transferred from one account to another. If the message was passed over an unprotected network, it may be possible for an adversary to alter the message and request a transfer of $1000.00. Without additional information, it would be difficult, if not impossible, for the receiver to know the message had been altered. However if the DSS was used to sign the message before it was sent, the receiver would know the message had been altered because it would not verify correctly. The transfer request could then be denied. DSS could be employed in a variety of business applications requiring a replacement of handwritten signatures. One example is Electronic Data Interchange (EDI). EDI is the computer-to-computer interchange of messages representing business documents. In the federal government, this technology is being used to procure goods and services. Digital signatures could be used to replace handwritten signatures in these EDI transactions. For instance, contracts between the government and its vendors could be negotiated electronically. A government procurement official could post an electronically signed message requesting bids for office supplies. Vendors wishing to respond to the request may first verify the message before they respond. This assures that the contents of the message have not been altered and that the request was signed by a legitimate procurement official. After verifying the bid request, the vendor could generate and sign an electronic bid. Upon receiving the bid, the procurement official could verify that the vendor's bid was not altered after it was signed. If the bid is accepted, the electronic message could be passed to a contracting office to negotiate the final terms of the contract. The final contract could be digitally signed by both the contracting office and the vendor. If a dispute arose at some later time, the contents of contract and the associated signatures could be verified by a third party. DSS is also likely to find widespread applications in the health care field. It might be used to sign digital images, for example, to assure that they remain safe against unauthorized modifications. DSS could also be useful in the distribution of software. A digital signature could be applied to software after it has been validated and approved for distribution. Before installing the software on a computer, the signature could be verified to be sure no unauthorized changes (such as the addition of a virus) have been made. The digital signature could be verified periodically to ensure the integrity of the software. In database applications, the integrity of information stored in the database is often essential. DSS could be employed in a variety of database applications to provide integrity. For example, information could be signed when it was entered into the database. To maintain integrity, the system could also require that all updates or modifications to the information be signed. Before signed information was viewed by a user, the signature could be verified. If the signature verified correctly, the user would know the information was not altered by an unauthorized party. The system could also include signatures in the audit information to provide a record of users who modified the information. The DSS can also be used in conjunction with more secure identification and authentication systems, for the protection of access to both computer and telecommunication systems. A New Encryption Technology: The Clipper Chip Approximately two weeks ago, the White House announced our intention, based on a new encryption technology, the Clipper Chip, to initiate a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. This initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links - the security of the very systems you are examining here today. Sophisticated encryption technology, including the DES, has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals. A state-of-the-art microcircuit, the "Clipper Chip," has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. The Clipper algorithm with an 80 bit long cryptographic key is approximately 16 million times stronger than DES. It would take a CRAY YMP over 200 years to solve one DES key. It would take the same machine over a billion years to solve one Clipper Chip key. This new technology offers opportunities for companies to protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals. Protection of confidentiality of information is of critical concern to the nation. So too is the ability of law enforcement to provide safe streets and neighborhoods. Americans demand the very best in law enforcement - at the federal, state and local level. Citizens insist upon a quick response to terrorist threats, organized crime, and drug dealers, while preserving our Constitutional rights. Past experience clearly shows that one critical technology successfully used to prosecute organized crime is the use of court-authorized wiretaps. Unquestionably, these lawful electronic intercepts have saved lives and been critical to bringing criminals to justice. The "Clipper Chip" is also a powerful tool which will be used by law enforcement to protect its own sensitive communications from illicit criminal monitoring. A "key-escrow" system is envisioned that would ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys would be deposited separately in two "key- escrow" data bases established by the Attorney General. Access to these keys would be limited to government officials with legal authorization to conduct a wiretap. The President has asked the Attorney General to make arrangements with appropriate entities who would hold the keys for the key-escrow microcircuits installed in communications equipment. I understand that the Attorney General is currently studying these procedures and options for who will serve as the key escrow holders. Since the announcement from the White House, I have stressed that the "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. Also, some have claimed that there is a hidden trapdoor in the chip or the algorithm. I cannot state it more simply: no trapdoor exists. The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities. Presidential Directive for Advanced Telecommunications and Encryption Review In order to assess technology trends and explore new approaches and technologies (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption and advanced telecommunications technology that accommodates: * the privacy of our citizens, including the need to employ voice or data encryption for business purposes; * the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens; * the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and * the need of U.S. companies to manufacture and export high technology products. The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. I anticipate being a member of the governmental review panel which will study this issue. I will again stress what we have stated previously. Encryption technology will play an increasingly important role in future network infrastructures and the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law. Thank you Mr. Chairman, I would be pleased to answer any questions. Paul Ferguson | Uncle Sam wants to read Network Integrator | your e-mail... Centreville, Virginia USA | Just say "NO" to the Clipper fergp@sytex.com | Chip... -------------------------------+------------------------------ I love my country, but I fear it's government. ________________________________________________________________________ Date: 03 May 1993 09:12:58 -0400 (EDT) From: carl@malamud.com (Carl Malamud) Subject: Hearings by Congressman Markey To: announce@malamud.com Org: Internet Talk Radio Channel: Internet Town Hall Program: Special Program Release: May 2, 1993 (Hearings were on April 29, 1993) Content: Hearings by House Subcommittee on Telecommunications and Finance Chairman Edward Markey held oversight hearings on April 29 on the rights and responsibilities of individuals and organizations in cyberspace. A high tech presentation highlighting issues such as encryption, electronic invasions of privacy, fraud, civil liberties and computer crime, preceded a panel discussion. For the demonstration, a world-class team of four engineers from Sun and the San Diego Supercomputer Center brought in an HDTV, an ATM switch, an ISDN switch, a Russian satellite dish, a XEROX Liveboard, a BARCO projector with special video equipment, four Sparcstation 10s, a few Sparcstation 2s, and miscellaneous other equipment. The purpose of the demonstration was to show that while our current public policy makes distinctions based on industry, those distinctions have no meaning in the underlying technology. A television is a computer and a computer is a television; a computer is a telephone and vice versa. To demonstrate the latter point, Gage and his associates showed how a new AT&T cellular phone could be changed by any 13-year old into a scanner. The demonstration also showed how DES code could be pulled off anonymous FTP systems in Finland, yet US industry was unable to export this technology. The panel consisted of Raymond Kammer, Acting Director of NIST (National Institute of Standards and Technology), who provided testimony on technology standard setting issues including the government-endorsed "Clipper Chip" encryption technology; Mr. Bruce Sterling, noted science fiction writer on cyberspace and also author of the non-fiction book, "The Hacker Crackdown: Law and Disorder on the Electronic Frontier," which discusses computer crime and civil liberties; Mr. John Lucich, State Investigator with the New Jersey Division of Criminal Justice. Mr. Lucich combats computer and electronic fraud crimes by electronically infiltrating the underground computer bulletin boards of the "hacker" and "phone phreak" community; and Mr. Joel Reidenberg, Professor of Law at Fordham University Law School, who has studied how personal privacy is affected by telecommunications and computer technologies and the various privacy protections afforded citizens of different countries. We would like to apologize in advance for the very poor audio quality of this tape. The hearing room was quite antiquated, and was full of ungrounded electricity, lots and lots of electronic equipment, wireless mikes, and PA systems turned up way too loud. We hope the content makes the mind happier than the ears. Support for this program was provided by O'Reilly & Associates and by Sun Microsystems. ITH Program Files: 050293_spec_01_HALL.au (Testimony of John Gage) 050293_spec_02_HALL.au (Testimony of Panel) ITH Readme File: 050293_spec_HALL.readme (This File) For information on Internet Talk Radio, write to info@radio.com. More information on Internet Town Hall will be available shortly. For a current, partial listing of sites, write to sites@radio.com. ________________________________________________________________________ Date: Sat, 1 May 93 01:51:06 -0700 From: tcmay@netcom.com (Timothy C. May) Subject: REALPOLITIK = Choosing Battles Carefully Cc: cypherpunks@toad.com (Cyphergang, this is going to have to be my last post for a while on this thread. The points have been made. Some agree with me, some call me treasonous. I say what I think. -TCM) Hal Finney writes: .....stuff elided.... >First, I don't see that the interests of RSADSI are fully aligned with >ours regarding Clipper. Despite PKP's success in accumulating patents, >Clipper per se does not appear to infringe, being based on a new symmetric >cryptosystem. So they don't have any direct leverage over the use of >Clipper. That's right, they don't. Clipper/Skipjack/Capstone looks to be well-planned move to reassert government control over crypto, with various government modules replacing existing modules (as with the DSS signature standard, which uses the El Gamal algorithm). Whether RSADSI is upset, I don't know. I suspect so. Bidzos was quoted as saying "Clipper is an arrow aimed at the heart of my company." (source: Eric, who saw it in a newspaper) ... >In fact, Clipper in some ways represents a major market opportunity for PKP. >To the extent that the publicity leads to increased sales of encrypting >phones, PKP may benefit from the success of the Clipper. This could be. I don't think enough is known to answer this. I suspect the "end run" theory mentioned above. If Bidzos thought Clipper was a great thing for his company, he wouldn't be busily lobbying to help kill it, nor would he have shown up at ur emergency meeting to tell us what he knew. >(The follow-on Capstone project does appear to pose a greater threat to >PKP, since it will use DSS (for key exchange???).) Capstone is not really a "follow-on," in the sense that it is due to be announced *this month*, if I recall correctly. It's very far along, I believe. More like a "one-two punch." And, yes, it appears to be a major threat to us all. But we'll have to wait and see, I suppose. > >Furthermore, in any future government prohibition on non-Clipper cryptography, >our greatest nightmare, it is plausible that the government would "take care" >of PKP by making sure that they get a nice piece of the pie. I could easily >imagine a situation in which non-Clipper crypto is banned, Clipper is >widely distributed, and PKP is doing very well financially with a slice >of the profits from every sale. I think I mentioned somewhere that I put Bidzos on the spot with what I called "The 64-bit Question": Are you going to cut a deal and sell us out? Bidzos was very sober when he answered this, and said, roughly: "If you mean will I conspire with the government to deny strong crypto to users, no. But if Clipper and Capstone are destined for deployment and they come to us and offer royalties, what choice will we have? We have a duty to our shareholders." And as he was leaving for the day, he leaned in the door to our meeting and said, as if to reiterate the point, "Tim, I won't sell you out." (Please don't use this recollection of what he said for a dissection of what he really meant, what RSA is really doing, etc. I have already said that Bidzos said he knew nothing about the Clipper program until we all did. And so on.) >Even if Jim Bidzos were personally committed to widespread, strong, public >cryptography, and opposed Clipper for fundamental philosophical reasons >(just like us), he would be faced with a conflict of interest. As several This is not clear. Deploying strong crypto could be more lucrative to RSADSI than having the government deploy its own Capstone "CA" (Cryptographic Algorithm, the new acronym du jour) and paying RSADSI some token amount for some small piece of the package. >people have pointed out here, Bidzos has a fiduciary responsibility to >his shareholders to maximize profits for his twin companies. If it comes >down to a choice between opposing Clipper on principle and accepting it >along with guaranteed profits, he may be forced (in the same sense in which >he is forced to send threats to Stanton McCandlish) to back Clipper. > >So, even if Bidzos is personally a nice guy I think we need to remember >that his company may not be a natural ally of ours. I completely agree and nothing I have ever said suggests we place all our faith in his company or any other institution. What I have said--several times, now--is that a frontal attack on the RSA patents, via highly public postings of PGP and a "Fuck you!" approach to talking with patent owners, is not the best strategy at this time. >I like Tim's .sig and all it represents. But frankly, it is hard for me >to square a commitment to radical change with the proposed alliance with >PKP. Part of the trouble is that I still don't understand exactly what >our relationship with RSADSI is proposed to become. But at a minimum it >sounds like we would avoid supporting activities which would infringe >on their patents. There's no proposed alliance being talked about. See previous paragraph. I don't expect anyone to necessarily agree with my politics. > >That means that when we want to start working on some of those things in >Tim's .sig, we are in many cases going to have to get Jim Bidzos's >permission. Can you imagine asking something like this: > >"Dear Jim: We request permission to use the RSA algorithm for an >implementation of digital cash which we will distribute in an underground >way among BBS's all over the world, with the goal being the support of >"information markets, black markets, [and] smashing of governments" >(to quote Tim's excellent .sig). "Please sign on the dotted line >below. Yours truly, an anonymous Cypherpunk." Of course not! Nobody has suggested this. This is a straw man. Being nonconfrontational in some areas (aka "living to fight another day," aka "choosing your battles carefully") doesn't mean any kind of mutual approval pact has been signed. I want strong crypto first and foremost. Then the other stuff can perhaps follow. If crypto privacy is outlawed now, if the War on Drugs and "What have you got to hide?" approaches win out, then all is lost. >How, exactly, are we supposed to progress towards Crypto Anarchy if we >have to be sure not to step on PKP's toes? Do we just not ask him for >permission (in which case we are in PGP's boat)? Do we ask for permission >without revealing the full scope of the project (in which case it may be >rescinded later)? I am not being facetious here. I honestly don't see >how you can carry out Cypherpunk activities with a corporate sponsor. Asked and answered. Let me phrase the issue in slightly different terms. Which of the following strategies do you folks think will best improve the chances that strong crypto remains legal? 1. CONFRONTATION: We fight RSADSI at every step. We engage them in legal battles, we distribute infringing code whenever possible. We get PGP spread to thousands of users, perhaps tens of thousands of users at bootleg, underground sites. (Remember that businesses cannot use PGP without fear of prosecution, fines, whatever...unless the Cypherpunks win their lawsuit against RSADSI, sometime around 1997 or so, at the rate these cases move through the courts.) 2. REALPOLITIK: We concentrate instead on spreading strong crypto into as many ecological niches as possible: individuals, corporations, e-mail packages, attorney-client transactions, and so on. We emphasize the legal, constitutional right to communicate messages in the language of our choice (that is, we have no obligation to speak in languages eavesdroppers can more easily understand). To head off government moves to act against PGP and similar systems, the parts of PGP that conflict with RSA's patents are modified, thus becoming legal to use (and Phil even has a chance to make some money, which he sure as hell can't do now). I'll take #2 and worry about digital money and anonymous systems later. Strong crypto is logically prior to everything else. All I've argued is that the "in your face" approach has its limits. Most of the PGP users are, I think we'll all agree, hobbyists and hackers who downloaded it, played with it, learned some crypto from it, exchanged keys, etc. Probably not too many critical uses, YET. But the popularity suggests a hunger for strong crypto. The Clipper/Capstone move indicates the government wants to head this off at the pass. The question is whether the bootleg and infringing PGP (and Phil admits to all this in his docs, obviously) has a better chance of succeeding than a fully legal and already spreading RSA solution? (The issue of PGP's feature set versus that of MailSafe's is secondary to the main issues...between RSAREF, RIPEM, OCE, and other RSA-based systems, the features can be found. I expect a compromise along these lines, mixing parts of PGP with parts of RSAREF, is going to happen.) As for Stanton McLandish's removal of PGP from his site, Eric Hughes and others have explained the legal issues in great detail. Of course, anyone who really wishes to take on the RSA patents in a big way is perfectly free to place PGP on his U.S. site, advertise it heavily in sci.crypt so that RSADSI cannot possibly claim to have missed it, tell Bidzos to get lost when the inevitable "cease and desist" warning arrives, and then follow through with the several-year legal battle that will result. Strong crypto is far more important that this petty issue of patents. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement ________________________________________________________________________ ________________________________________________________________________ The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix. Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither. ________________________________________________________________________ Send postings to , subscription requests to . MIME encouraged. Xanalogical archive access soon. Has the right to exclude all others. ________________________________________________________________________ ________________________________________________________________________ From: wuthel!noisy@drums.reasoning.com Subject: Patent fallacies To: cypherpunks@toad.com There seems to be some misunderstanding of how patent protection works. Page numbers in square brackets are references to _Patent_It_Yourself_ by David Pressman (Nolo Press) 2nd edition. Page numbers in angle brackets are to ``Intellectual Property'' by Miller & Davis (West) 2nd edition. CONTRIBUTOR INFRINGEMENT ``If your claims don't read on the infringnid device, but the infringing device is a specially made compenent tha't nly useful in a machine covered by your patent, the ingringer may be liable under the doctrine of `Contributroy infringment' '' [page 15-9] ``If a person actively encourages another to make, user or sell the inventin o without permission, the psers so inducing is liable for INDIRECT infringment. CONTRIBUTORY infringment can be commmitted by know selling or supplying a non-stape item for which the only or predominant use is in connecitno with a patented invention.'' <130> ``Contributory infringement can occur only in connection with a SALE . . . Thus, a contributory infringer can be liable for infringment even though what he has sold is completey i the public domain and has no patent protection itself.'' <131> HOME INFRINGEMENT ``While 'home infrignement' may be difficult to detect, nevertheless it is a form in infringment which is legally actionable and can subject the infringer to paying damages and/or an injunction prohibiting futher infringement '' [page 15-12] ''A patenet ahs the EXCLUSIVE right to MAKE, USE or SELL the invention. 35 SUCA Par 154 <128> .... The owner of a patent ... has the right to exclude all others from using ... it. SELECTIVE ENFORCEMENT IS OK ``. . . a patent owner is not prejudiced by the fact that antoher infringer has prodcuded the item without notice of the paten even though a later second infrigner could legitimately claim that he copies an unmarked product.'' <129>