Re: SF Internet self-defense course
At 01:11 PM 8/29/00 +0200, Tom Vogt wrote:

Tim May wrote:

are you required to provide your private keys to an enemy (e.g. someone who is suing you) ? ..

I expect 95% or more of all encryption is done at the transport layer, i.e., for transmission. Most people, I surmise, keep their original compositions in unencrypted form and their decrypted transmissions in that form, too. The perceived threat model is for interception by ISPs, snoops, and government agencies.

that's where good software comes in. mutt, for example, stores the received encrypted mail - well, encrypted. decryption is done when you view the mail. also, encrypted mails you send are encrypted twice - once with the recipient's key and sent to him, once with your key for your "outbox" archive.

The Eudora PGP Plug-In deliberately decrypts received mail and stores it unencrypted, specifically to discourage the "You must escrow your private keys so we can decode your plaintext" attacks that the FBI/NSA/WhiteHouse anti-crypto mafia were pushing a couple of years ago. That's a different issue from storing your mailbox in a PGPdisk volume or some other encrypted filesystem or having the mail decryptor re-encrypt for storage with a different key (which wouldn't be that hard, since you could use a different public key to encrypt the session key and leave the symmetric-encrypted part of the message alone.)

Thanks! Bill

Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
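The re-keying described in the message above (encrypt the session key to a different public key and leave the symmetric-encrypted body alone), shown as an added example that is not code from this thread or from PGP, mutt or Eudora. It assumes a simplified hybrid format built on RSA-OAEP and AES-256-GCM from Node's `crypto` module rather than OpenPGP packets; the function names, key IDs and sample body are hypothetical.

```javascript
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Wrap (public-key encrypt) a session key for one reader.
function wrapKey(publicKey, sessionKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
}

// Recover the session key from the copy wrapped for key ID `id`.
function unwrapKey(msg, id, privateKey) {
  if (!msg.wrapped.has(id)) throw new Error(`no wrapped session key for ${id}`);
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrapped.get(id));
}

// Encrypt the body once under a random session key, then wrap that key for
// every reader (the recipient, or the recipient plus the sender's own key).
function seal(body, readers) {
  const sessionKey = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  const wrapped = new Map();
  for (const [id, publicKey] of Object.entries(readers)) {
    wrapped.set(id, wrapKey(publicKey, sessionKey));
  }
  return { nonce, ciphertext, tag: cipher.getAuthTag(), wrapped };
}

// Decrypt the body as reader `id`; throws if the key or the GCM tag is wrong.
function open(msg, id, privateKey) {
  const key = unwrapKey(msg, id, privateKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Re-key a stored message: only the wrapped session key is replaced; nonce,
// ciphertext and tag are carried over untouched.
function rewrap(msg, id, privateKey, newId, newPublicKey) {
  const sessionKey = unwrapKey(msg, id, privateKey);
  return { ...msg, wrapped: new Map([[newId, wrapKey(newPublicKey, sessionKey)]]) };
}

// Constructed demo: mail arrives under the "mail" key and is stored under a
// separate "archive" key, so the mail private key no longer opens the archive.
function demo() {
  const mail = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const archive = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const received = seal(Buffer.from('constructed sample body'), { mail: mail.publicKey });
  const stored = rewrap(received, 'mail', mail.privateKey, 'archive', archive.publicKey);
  return { mail, archive, received, stored };
}

console.log(Object.keys(Object.fromEntries(demo().stored.wrapped)));
```

Passing two entries to `seal` gives the "encrypted twice" outbox behaviour mentioned in the quoted text with a single ciphertext and two wrapped copies of the session key.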
Re: SF Internet self-defense course
Tim May wrote:

are you required to provide your private keys to an enemy (e.g. someone who is suing you) ?

The lawyers and lawyer larvae can comment better than I can. I believe the answer is "yes, documents must be in usable form by your ex-wife's lawyers," for example. This probably doesn't mean turning over a private key, but it means decrypting one's financial records, one's communications with a lover, etc.

I guessed so. however, this is a perfect territory for the "selectable decryption" we've been talking about here recently. just decrypt that love letter to a boring business mail. or better: refuse to hand it over because it is a business mail, THEN if ordered by the court, decrypt it to one.

I expect 95% or more of all encryption is done at the transport layer, i.e., for transmission. Most people, I surmise, keep their original compositions in unencrypted form and their decrypted transmissions in that form, too. The perceived threat model is for interception by ISPs, snoops, and government agencies.

that's where good software comes in. mutt, for example, stores the received encrypted mail - well, encrypted. decryption is done when you view the mail. also, encrypted mails you send are encrypted twice - once with the recipient's key and sent to him, once with your key for your "outbox" archive.

It might make sense to encrypt more stuff on local computers, but I expect this is rare up to this point.

it won't become more if you rely on people doing it. it WILL become more if good software just does it. the above example for mutt is, I believe, a very good solution - if you encrypt the mail in the first place, it would be stupid to keep a plaintext copy in the archive. on the other hand, the one encrypted with the recipient's key wouldn't help you much.
Re: SF Internet self-defense course
At 12:09 PM +0200 8/28/00, Tom Vogt wrote:

Tim May wrote:

Who uses crypto on a regular basis are those for whom the risks of getting caught with certain material or certain thoughts are nonzero, and for whom the penalties are significant. The usual examples: freedom fighters plotting to blow up government buildings, child pornographers, money launderers making plans, etc.

what about discovery? I'm not aware of the precise details of your legal system (except that it appears to be completely insane from an outside perspective) but I learned that lots of nasty stuff has been discovered by subpoenas etc. are you required to provide your private keys to an enemy (e.g. someone who is suing you) ?

The lawyers and lawyer larvae can comment better than I can. I believe the answer is "yes, documents must be in usable form by your ex-wife's lawyers," for example. This probably doesn't mean turning over a private key, but it means decrypting one's financial records, one's communications with a lover, etc. "Discovery," as you allude to, is very broad. However, I haven't heard of a case like this so far. Perhaps for reasons below.

otherwise, having your mail encrypted on the disk would be a great thing. and different from having an encrypted filesystem, it IS true that handing them your key would compromise any and all past, present and future conversations. provided your legal system has some sanity left, that should be overbroad.

I expect 95% or more of all encryption is done at the transport layer, i.e., for transmission. Most people, I surmise, keep their original compositions in unencrypted form and their decrypted transmissions in that form, too. The perceived threat model is for interception by ISPs, snoops, and government agencies. It might make sense to encrypt more stuff on local computers, but I expect this is rare up to this point.

--Tim May

-- -:-:-:-:-:-:-:
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
Re: SF Internet self-defense course
Tim May wrote:

Who uses crypto on a regular basis are those for whom the risks of getting caught with certain material or certain thoughts are nonzero, and for whom the penalties are significant. The usual examples: freedom fighters plotting to blow up government buildings, child pornographers, money launderers making plans, etc.

what about discovery? I'm not aware of the precise details of your legal system (except that it appears to be completely insane from an outside perspective) but I learned that lots of nasty stuff has been discovered by subpoenas etc. are you required to provide your private keys to an enemy (e.g. someone who is suing you) ?

otherwise, having your mail encrypted on the disk would be a great thing. and different from having an encrypted filesystem, it IS true that handing them your key would compromise any and all past, present and future conversations. provided your legal system has some sanity left, that should be overbroad.
Re: Re: SF Internet self-defense course
Mr. May:

someone:

(While I don't think it is possible, I'm eager to hear ideas on how an anonymous physical gathering could be planned and executed with the public in attendance, while preserving the anonymity of the organizers. Venue should be irrelevant, because all the attendees should be able to be anonymous as well, which would mean permitting Agent Gordon to show up if he so desired. Thoughts?)

Yeah, my thoughts are that you are now joking.

Why? Because the "anonymous" organizing of an event is almost too easy to figure out? Or because you think it's silly? It's really trivial to anonymously organize an event in a place where you don't need to pay for the space. If you do, it's not much more difficult. Having "anonymous" speakers is more difficult only in that the more interesting the speaker, the more likely the speaker is to be recognized.

--
A quote from Petro's Archives: *** Today good taste is often erroneously rejected as old-fashioned because ordinary man, seeking approval of his so-called personality, prefers to follow the dictates of his own peculiar style rather than submit to any objective criterion of taste.--Jan Tschichold
Re: Re: SF Internet self-defense course
Fact is, "ordinary people" are not in any significant danger of having their e-mail or files intercepted and read by "ripoff artists, criminals, and spies." Next-door neighbors and other non-governmental entities rarely have access to packet sniffers, Carnivore-type intercept systems, or other surveillance gear.

A buddy of mine ran a Windows based packet sniffer on his Cable Modem for a while. He claimed to have seen some interesting stuff from his neighbors.

Who uses crypto on a regular basis are those for whom the risks of getting caught with certain material or certain thoughts are nonzero, and for whom the penalties are significant. The usual examples: freedom fighters plotting to blow up government buildings, child pornographers, money launderers making plans, etc.

Or who prefer to read certain Usenet News Groups. Not arguing much, just pointing out a possible way of getting people interested.

--
A quote from Petro's Archives: *** Today good taste is often erroneously rejected as old-fashioned because ordinary man, seeking approval of his so-called personality, prefers to follow the dictates of his own peculiar style rather than submit to any objective criterion of taste.--Jan Tschichold
Re: SF Internet self-defense course
"Tim" == Tim May [EMAIL PROTECTED] writes:

Tim Who uses crypto on a regular basis are those for whom the risks
Tim of getting caught with certain material or certain thoughts are
Tim nonzero, and for whom the penalties are significant.

I don't know how often this is true, but it's certainly not universally true. Among many of my regular email correspondents, PGP has been integrated into the mailer and is trivial to use. (I use mailcrypt for X?Emacs and know many others who do also. Some others use something else ... I don't really know or care what.)

Many of us encrypt our messages when the "risk of getting caught" isn't especially attractive from the perspective of those who want to see what's happening in email. Some examples:

o Discussion of research topics
o Papers and articles in progress
o Discussion of commercial ventures

The risk of getting caught in most of these cases probably is no greater than anyone else who engages in Internet security and privacy work, which probably isn't much greater than anyone else who is doing any type of Internet design or development.

Penalties in most of these cases aren't especially significant. Someone might see our research notes in progress or an unfinished draft of an article. Or someone might catch some business plans. In any case, particularly when excluding the commercial aspects of the message, there isn't much in the way of "penalties" of interception. More than anything else, any such penalty would come in the form of an annoyance.

So why bother? Because it's nobody else's business and with good tools, it's easy. There's no point in tempting someone with a sniffer who happens to catch a piece of mail in transit.

--
Matt Curtin [EMAIL PROTECTED] http://www.interhack.net/people/cmcurtin/
Re: Re: SF Internet self-defense course
At 12:25 PM -0700 8/24/00, Ray Dillinger wrote:

On Wed, 23 Aug 2000, Tim May wrote:

Having Cypherpunks meetings inside the belly of the beast may strike some as a great irony, but it was what Mike the Computer would call a "funny once." I strongly, strongly urge Cypherpunks to "just say no" to meetings held at cop centers, whether these centers are the Campaign for Marijuana Eradication chopper landing site, the Regional Citizen-Unit Retraining Center, or the Hoover Building. Cops are _not_ our friends. Anyone who thinks otherwise, in the context of freedom and crypto anarchy, is a fool.

Mister Tim, I have to say I don't agree with you. I don't see the Cypherpunks list as an association of criminals. I don't have a problem with the idea of teaching ordinary people to use crypto to protect themselves from ripoff artists, criminals, and spies. I see the police as a natural ally in any 'defense of sheeple' activities folk undertake.

Let's have a reality check here, shall we? Fact is, "ordinary people" are not in any significant danger of having their e-mail or files intercepted and read by "ripoff artists, criminals, and spies." Next-door neighbors and other non-governmental entities rarely have access to packet sniffers, Carnivore-type intercept systems, or other surveillance gear.

Longer term, crypto will indeed be more important for ordinary folks, for lots of reasons. But it'll be a hard sell convincing Mom and Pop or Joe Sixpack that they need to encrypt all of their e-mail to each other to stop "ripoff artists" from somehow gaining access to their traffic and reading it. (You're welcome to try to sell this to them. Knock yourself out. But history shows that even very few of _us_ routinely sign our messages, use PGP, etc. There are many reasons for this, well-covered in past discussions.)

Fact is, crypto takes effort to use. And the fax effect means it takes effort at the other end, too. So not only must Joe Sixpack learn PGP and install it and use it, but Fred and Mary at the other end must use it as well, else he can't communicate using crypto.

Given that crypto takes effort, who uses it? Some people use it because it's seen as The Right Thing to Do. I hate it when I get a PGP-encrypted message from a stranger, fire up my non-integrated-into-my-mail-program version of PGP, decrypt it, and find a message saying something like: "Hi, Tim! Just saying Hi. Thanks for all the cool articles."

Who uses crypto on a regular basis are those for whom the risks of getting caught with certain material or certain thoughts are nonzero, and for whom the penalties are significant. The usual examples: freedom fighters plotting to blow up government buildings, child pornographers, money launderers making plans, etc. These kinds of users are the ones which National Technical Means--Carnivore, NSA listening posts, Echelon, San Diego-developed sniffers, etc.--are used against.

Longer-term, there is the danger that unencrypted mail will show up in search engines (especially offshore search engines, as such interceptions in the U.S. would legally run afoul of the ECPA). At this point, at least a few years off, automatic encryption should be more widespread. (In the same way credit card transactions are encrypted automatically.)

There will be some tensions, because there are laws which cannot stand in a state where people have access to strong crypto and a good protocol library. But society, and law, will have to adapt, just as it, however belatedly, adapted to the existence of the printing press. Crypto will either be criminalized and the cops will prosecute it, or it will become a civil right and the cops will defend it.

Crypto is speech, and there are no significant court precedents banning crypto speech or banning the use of crypto tools. Key escrow was never mandated--never even really became technically plausible, fortunately--and _had_ it been mandated, numerous groups would have jumped in with legal challenges based largely on the First and Fourth Amendments. It is highly likely that mandatory key escrow would be overturned as a clear-cut violation of the First Amendment, as it compels speech to be in certain forms even when done in private.

(On a side note, the government has not been able to even compel non-English speakers to speak in English, or in any other understandable language. A person speaking only his own private language may have a hard time dealing with society, filling out his tax forms properly, etc., but there is no official law saying he must learn English or Spanish or Mandarin or other widely-used languages in the U.S. And of course not in private or in chats with his family and friends, even if it means wiretaps are ineffective.)

As for the "cops will defend it" point, this is naive. Cops make busts, they don't "defend" rights.

Right now, it's neither. Getting it into the hands of the masses is the strongest thing we can
Re: SF Internet self-defense course
Sassaman said:

Please explain to me how you could have a public gathering of anonymous individuals. I don't think that it is possible to do what is being proposed: plan, anonymously, a gathering of people organized on the Internet and conducted in physical space. Do this in such a way that no attendee needs to know the identity of any other, and make it so that malicious attendees (law enforcement, Scientologists, etc.) are irrelevant. Not only should the anonymity of each person be preserved, but there should be no correlations between the "cyberspace" and "meatspace" existences.

Pretty simple -- announce it on the net, hold it in a public place, and do it as a masked ball sort of event. Mardi Gras for cypherpunks. Every year the Rainbow Tribe hold an annual rendezvous on National Forest or BLM land, they don't get a permit, they don't have "organizers" who can be sued, etc.

And I agree with Tim, having it at the pig palace deserves killing of the organizer.
Re: SF Internet self-defense course
Tim, do you think that rubbing shoulders with police is too high price to pay for getting, say, hundred people to use crypto ?

Of course. Who the fuck cares, or should care, if 100 of the sheeple start using crypto? What are we, bleeding heart altruists?

Tim, what did you do lately ? I've been following this list for several years now, and apart from "needs killing" kind of rant I've never seen anything else from you. It seems, from the patience others have with you, that long time ago you did something useful, although I do not know what it was. When was that ? 5 years ago ? 20 years ago ? Did you at least kill someone that "needs killing" ? Or you just bullshit ad nauseam ? Got laid recently ?

**

To the interested parties, what should go to the giveaway CD ? I was thinking about basic set of PGP tools, with sources: PGP 2.6.2, PGP 5.5.3i, PGP 6.5.2 (with PGPNet), PGPfone. All this for windoze/unix/mac platforms. What are good mixmaster user interfaces for windoze ?
Re: SF Internet self-defense course
At 11:00 AM -0700 8/24/00, Anonymous wrote:

Tim, what did you do lately ? I've been following this list for several years now, and apart from "needs killing" kind of rant I've never seen anything else from you.

And what I've seen from "Anonymous," at least your probable instance of it, is this kind of "hide behind anonymity" attack. Your inclusion of sexual innuendo means you are _probably_ either ML or GJ.

Got laid recently ? ** To the interested parties, what should go to the giveaway CD ?

See what people were proposing in 1993-4 for the "giveaway CD-ROM." Just do it. It's been talked about, and some CD-ROMs were even pressed, back in the days when it cost a lot more. These days, 5th graders can burn CD-ROMs for well under a buck apiece.

So, put your money where your mouth is. Collect a bunch of stuff that is readily available from the Net (which ought to be a clue as to why this is a pointless exercise), put it on a Windows CD-ROM, start handing out these coasters in front of an As game, or at a Further Festival concert. A hundred bucks for more than a hundred CD-ROMs. (Then watch them sail across the parking lot as frisbees.)

Fact is, anyone with any awareness of issues knows how to get the actual software. Is the software ideally set up for novices? Some is, some isn't. Mixmaster requires a local client. Of course, this is now a different kettle of fish: this is back to the standard issue of "why aren't tools easier to use?" And "why don't we have usable digital cash?" Making the coasters and handing them out to the sheeple is the trivial part.

But, hey, knock yourself out.

--Tim May

-- -:-:-:-:-:-:-:
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
Re: SF Internet self-defense course
Straight Ray rote:

Mister Tim, I have to say I don't agree with you. I don't see the Cypherpunks list as an association of criminals. I don't have a problem with the idea of teaching ordinary people to use crypto to protect themselves from ripoff artists, criminals, and spies. I see the police as a natural ally in any 'defense of sheeple' activities folk undertake.

==

Speak for yourself. I'm mighty proud to say that I'm an outlaw -- been one all my life, and will die illegal and proud of it. Pretty damn hard to *NOT* be an outlaw these days. I like psycho-active plant materials, and I frankly don't give a flying fuck about those scum who try to criminalize Mother Nature. They are the real criminals. I'm never going to quit partaking, and I'll be damned if I'm going to go to jail for it either. I'd much rather die with a gun in my hands killing cops. Beats dying of cancer or old age anyway.

And that brings up another thing that makes me an outlaw -- I like guns, lots of 'em, and especially ones that the assholes in power don't want me to have. Full-auto, sawed-off shotguns, silencers, C-4, all that good shit that's so much fun to play with --

So when I'm talking with my stoner buddies, or my gunny buddies, it's nice to use pgphone, eh? And stego, and all the other little goodies that my cypher buddies got. Yup -- and when they make crypto illegal, like everything else, so what? Just another groovy illegal thing to do.
Re: SF Internet self-defense course
I'm available to speak. I just have to wonder if the sheeple will care enough to make this worth while... but I am willing to try.

Good. BTW, it just occurred to me that logistics of anonymous organizing of meatspace events are quite peculiar. I could sign my posts (and later on say: "*I* get to teach the "Crypto for chicks" class), but then it would really not be anonymous, as the rubber hosing could brute force the key from me. If I don't sign my posts, agent Gordon can step in and propose a fbi facility as the venue ... wait, we already had this, in SF police academy ...