Date: Sat, 21 Aug 93 15:56:22 PDT
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@versant.com (iveghny pbzchgre vyyvgrengr)
To: surfpunk@versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0096] CRYPT: The Marketing of SKIPJACK (Clipper)

# .... I don't do E-mail, I'm a virtual computer illiterate,
# I don't know any hackers. I'm sort of concerned with where
# my own inner landscape intersects with contemporary urban
# reality; that's what I'm interested in. Generally
# speaking, if people want to sit down and talk about
# computers, I just go to sleep. Sort of nod out.
#
# > But your novels are often praised as celebrations
# > of hackerdom. The jacked-in computer cowboys
# > searching out hidden information...
#
# That's become the accepted interpretation. But that stuff
# is all just a metaphor. And I don't want to tell you what
# it's a metaphor for, because that's like having to explain
# a joke.
#
# -- William Gibson, interviewed in The Bay Guardian, 18Aug93
________________________________________________________________________
________________________________________________________________________

From: gnu@toad.com (John Gilmore)
Cc: cypherpunks@toad.com
Subject: Re: Cracking & auditing crypto protocols
In-Reply-To: <9308190206.AA16644@netcom.netcom.com>
Date: Sat, 21 Aug 93 08:55:45 -0700

> * A "cracker's guild" to break weak cryptography and publicize
> the cryptanalysis algorithms (cf. the Word Perfect crypto cracker),
> forcing the weak crypto off the market. For example, if
> NetCash was deployed this organization would crack it. This
> organization might be funded anonymously by those selling strong
> crypto (who have an incentive to debunk their competitor's hype).

The person who built the standard "network license manager" for Unix (flexlm) has offered us cypherpunks access to the protocol if we'll try to crack it.

> * A formal Crypto Auditing Agency that would verify the algorithms
> and protocols were secure, without revealing trade secrets.
> My next statement may cause hisses & boos, but I think the recent
> Crypto-Auditing of Clipper by Denning and other eminent
> cryptologists will be a model widely applied in the commercial
> computer security business. The auditors should be
> able to examine the source and run the programs without revealing
> trade secrets.

The auditing may indeed be duplicated. By marketing departments, and for the same reason as the Denning auditing -- marketing. Solely.

There is no way that the selected group of people could crack a half-reasonable cryptosystem in a few weeks. Real Cryptanalysts spend months and years working on cracking cryptosystems, and none of the panelists was a Real Cryptanalyst. We had all the details of DES, and it took 15 years to make a dent in it.

But they fooled you -- and maybe a lot of other people -- so there *is* a function for such review panels. Sponsoring one is a way to convince innocent spectators who don't know better. Marketing.

    John
    Marketing Dept, Cygnus Support
________________________________________________________________________

From: gnu@toad.com (John Gilmore)
To: cypherpunks@toad.com
Subject: Requesting all records of the Clipper review panel
Date: Fri, 13 Aug 93 17:44:10 -0700

This is a draft, which will be sent out within a day or two.

    John

Karl Bell
Deputy Director of Administration
Freedom of Information Act Officer
National Institute of Standards and Technology
Building 101, Room A-110
Gaithersburg, MD 20899

Dear Mr. Bell:

This is a request under the Freedom of Information Act ("FOIA"), 5 U.S.C. $ 552, on behalf of Mr. John Gilmore for all agency records pertaining to and utilized by the Skipjack review panel ("Panel"). This request also requests access to records which must be made available under the Federal Advisory Committee Act ("FACA"), 5 U.S.C. App. II (1972).
Section 8(b)(2) of the FACA requires that the supervising agency for an advisory committee must assemble and maintain records for the committee; Section 8(b)(3) of the FACA provides that such records are subject to the FOIA.

The Panel's review is being performed pursuant to the President's direction that "respected experts from outside the government [] be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their finding." The Acting Director of the National Institute of Standards and Technology sent letters of invitation to potential reviewers.

This request for records includes, but is not limited to: all records relating to the selection of the Panel members; all records of the Panel's activities and use of funds [FACA $ 12(a)]; the charter of the Panel [FACA $ 9(c)]; all notices of Panel meetings [FACA $ 10(a)(2)]; all written determinations to close any part of a Panel meeting [FACA $ 10(d)]; all records, reports, transcripts, minutes, appendices, working papers, drafts, studies, agenda or other documents which were made available to or prepared by the committee [FACA $$10(b) & (c)].

For instance, the Panel's interim report states that:

We attended an initial meeting at the Institute for Defense Analyses Supercomputing Research Center (SRC) from June 21-23. At that meeting, the designer of SKIPJACK provided a complete, detailed description of the algorithm, the rationale for each feature, and the history of the design. The head of the NSA evaluation team described the evaluation process and its results. Other NSA staff briefed us on the LEAF structure and protocols for use, generation of device keys, protection of the devices against reverse engineering, and NSA's history in the design and evaluation of encryption methods contained in SKIPJACK. Additional NSA and NIST staff were present at the meeting to answer our questions and provide assistance.
All staff members were forthcoming in providing us with requested information.

All records pertaining to this and other meetings of the Panel are included within the scope of this FOIA/FACA request.

If the requested records are not in the possession of your agency, I ask that you forward this request to any agency that you believe may have records that are responsive to this request. In the alternative, I ask that you inform me of other agencies that might have such records.

As you know, the FOIA provides that even if some requested material is properly exempted from mandatory disclosure, all segregable portions must be released. [5 U.S.C. $ 552(b)] If any or all material covered by this request is withheld, please inform me of the specific exemptions that are being claimed. If any of the requested material is released with deletions, I ask that each deletion be marked to indicate the exemption(s) being claimed to authorize each particular withholding.

In addition, I ask that your agency exercise its discretion to release information that may be technically exempt but where withholding would serve no important public interest.

As you know, the FOIA provides that agencies may reduce or waive fees if it would be "in the public interest because furnishing the information can be considered as primarily benefiting the public." [5 U.S.C. $ 552(a)(4)(A)] Release of this material would be of benefit to the public because of the importance of public discussion of technology which can enhance personal privacy. Moreover, in previous FOIA requests to NIST, Mr. Gilmore has amply demonstrated his ability and willingness to disseminate such information to the general public. I therefore ask that you waive any fees relating to this request.

Mr. Gilmore promises to pay up to $1000 in processing costs should this fee waiver be denied, so that NIST can begin processing this request while you rule on the propriety of this fee waiver.

If you have any questions regarding this request, please telephone me at the above number. I would be happy to discuss ways in which this request could be clarified or somewhat redesigned to reflect the agency's filing system and speed the search for records.

As provided under the FOIA, I will expect a reply within 10 working days.

Sincerely yours,

Lee Tien
On behalf of Mr. John Gilmore
________________________________________________________________________

U.S. Computer May Have Violated Export Regulations
By PAUL RAEBURN, AP Science Editor

NEW YORK (AP) _ The Digital Equipment Corp. abruptly pulled two powerful new computers off a global computer network out of concerns about possible export violations, even though the computers never left the country.

The result of Digital's action was to deny U.S. computer users access to U.S. computers operating in the United States.

Critics said the episode demonstrates how export laws intended to regulate weapons technology are not only infringing on American civil liberties but also stifling innovation and hurting American businesses.

Digital said its concern was that foreigners could connect to the computers from abroad, generate data, and illegally export it over the Internet computer network, which carries data and electronic mail around the world.

The computers were reconnected to the computer network on July 7, but access is now limited to people who are screened by the company, Mark Fredrickson, a Digital spokesman, said Friday.

The computers are not what industry would call supercomputers, but they do fit the government definition of a supercomputer.

A former Commerce Department official who is now a trade consultant in Washington said the connection of a supercomputer to a global network could lead to violations of federal export regulations.

``If it was available overseas and they allowed people overseas to use it, then technically they were allowing access to a supercomputer to people they didn't know,'' said Paul Freedenberg, who was the Commerce Department's undersecretary for export administration at the end of the Reagan administration.

Freedenberg is an international trade consultant at Baker and Botts in Washington, the law firm of former Secretary of State James Baker.

He emphasized that he had no personal knowledge of the Digital computer hookup and that he was speaking of the regulations generally. ``I can't say Digital violated the law, because I don't know what Digital did,'' he said.

Lee Mercer, Digital's corporate export manager, said making the computer available was not a violation.

A Commerce Department official, speaking on condition his name not be used, agreed that making the computer available was not a violation, but that export of data generated on the computer would be a violation of regulations.

The computer hookup was in place for five weeks in April and May, said Fredrickson. It was intended to give potential customers the opportunity to test-drive the computers.

It was terminated by company executives who wanted to avoid any appearance of violating export regulations, he said.

``None of this has been motivated by anyone from the government suggesting that we do anything here,'' said Fredrickson. ``This was simply our own internal people raising the possibility of concern.''

In a separate incident last year, a Digital computer ``bulletin board'' offered access to programs for encoding computer data. Exporting such software is a violation of federal regulations, Freedenberg said.

``It's a technical data transfer'' that falls under the State Department's control of munitions export, he said.

Fredrickson said the company shut the bulletin board down to ensure that the software would not be exported illegally.

``Nothing was found that was thought to be a concern even meriting informing the government about it,'' he said.

Digital, the nation's No. 2 computer maker after IBM, said that 65 percent of its $14 billion in annual sales are overseas.

In December 1991, the Commerce Department charged the company with 62 violations of export laws and fined it $2.4 million. It was the largest fine the department had imposed for export violations. Digital agreed to pay it without admitting or denying guilt.

The Digital computers connected to the network were two of Digital's new AXP 4000 computers, operating in a Digital laboratory in Palo Alto, Calif.

The computers, which cost from $77,000 to $100,000, are considered midsized computers by industry standards.

Freedenberg said that the government would probably soon revise its outmoded standards that define those models as supercomputers and bring them under export regulations.

Robert Kaylor, a spokesman for the Commerce Department, said the department was prohibited by law from discussing the details of a specific case.

Critics called for speedy revision of the export laws, which date from the Cold War.

``Export control policies are shutting us directly out of certain markets,'' costing U.S. businesses at least $10 billion a year in lost exports, said Howard Lewis, vice president of the National Association of Manufacturers.

``It's harmful to innovation, but we think it's also very harmful to the privacy interests of American citizens,'' said Daniel Weitzner, an attorney with the Electronic Frontier Foundation, a group concerned with computers and civil-liberties issues.
________________________________________________________________________
________________________________________________________________________

The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix.
Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________
Send postings to , subscription requests to .
WWW Archive at ``http://www.acns.nwu.edu/surfpunk/''.
________________________________________________________________________
________________________________________________________________________

Internet Protocol packet size is two octets. The procedures used in the host knows to whether such a way of putting it is set to zero. Note: No addresses are allocated among Research, Defense, Government (Non-Defense) and Commercial uses. There are several time outs involved in a network environment. It does not specify the points of interception. Then the center zooms into the canonical name of the algorithm only one ADMD per country, and so we did not find them commercially available. Examples are gateways among networks would be the same host that handles mail on this class are reserved for future allocation by joint agreement of ISO layers which can then manipulate that composite as a separate table is updated to reflect revised Multimedia Syntax The SPECIFICATION identifies the documents specifying the reason for disabling this SIMP-host link that it evolve into a host to send mail to repository users rely on the main body of the hosts in the introduction. Process groups are also now supported for both systems to be connected to the right name is--after setting an appropriate modification of the original ARPANET Host/IMP interface is very attractive, their low speed network interconnection with personal computers, and possible methods of distributing such news: the Internet Protocol. NVFS The sending NETBLT has to be available to the sender must time out on the contents of the Outboard Processing approach has the following diagram: 3 +---+ ----------->| F | Figure 4-1.
SYNCH Packet Format ISO 8348 Information processing systems - Open systems interconnection - Basic mode control procedures (see 12.2.1.2) are used in classes 1, 2, 3, 4 set to one (1) to eight (8), where bit one (1) then segmentation has taken effect. 2.5.1. Specialized Usage There is one outside the site. The pathname of the called address, and any two-way traffic, such as HMP described in the workstation to the recommendations of the same format as the value 170 (decimal). 0 0 1 1 0 1 0|1 1 1 0 2 2 4 -- markov3 rfc9[0-9][0-9]