- cypherpunks-legacy@lists.ogf.org

Offshore Data Havens and
by Duncan Frissell 06 Aug '93

06 Aug '93

To: cypherpunks(a)toad.com J >From: jet(a)netcom.com (J. Eric Townsend) J >Actually, the Feds can do anything they want. Theyve taking to J >raiding off-short pirate radio statons in international waters, there J >was that bit with Noriega, etc etc. Reagan set a standard by J >completely ignore the world court. Omniscience, omnipotence, and omnipresence eh? We might as well give up and go home. <G> The feds have many powers including the ability to nuke the hell out of everything. The question becomes how usefull those powers are. After all, Caeser or Louis XIV could "destroy the city, leave no stone standing upon stone and sow the ground with salt." The difference today is that the "peasants" of the OECD countries are much more powerful than those of 18th century France. The Feds can apply point force but they can't apply it everywhere. They can do some things in international waters, they can kidnap some "drug kingpins" they can't go after every "criminal" *inside* the US much less overseas. Their limited current powers will be further limited once secure untraceable communications nets are in place. More than that, their power and prestige depend on how the people they rule view them. If we turn aside from them, their power will evaporate overnight. If the KGB couldn't block liberalization, the Fibbies, the Company, and Ft. Meade won't be able to either. Don't worry about it. Social change is underway. We'll achieve autonomy Just In Time. Duncan Frissell ************************************************************************* ATMs, Contracting Out, Digital Switching, Downsizing, EDI, Fax, Fedex, Home Workers, Internet, Just In Time, Leasing, Quants, Securitization, Temps - Not as sexy as Tim May's signature line but just as important. --- WinQwk 2.0b#0

1 0

No Subject
by koontzd＠lrcs.loral.com 06 Aug '93

06 Aug '93

Subject: AT&T DES vs. Clipper phone security products Uncertainty on the availability of DES versus Clipper based products from AT&T has sparked some interest. Parties within AT&T were contacted to determine the state of their products. DES is not available in AT&T TSD products and one person said "NSA doesn't want DES in the TSD." # Also, the clipper algorithm is currently unavailable and expected in "September". This person deferred to a second person who provided the following: The 3600 is available with two proprietary AT&T encryption algorithms, one ITAR compliant, one for U.S. persons only. Two Telephone Security Devices (TSD) will attempt to hierarchially establish security, the higher security being non-ITAR compliant. This will be extended to the clipper algorithm (highest) when available. Neither proprietary algorithm is in the public domain. [Apparently NSA is perfectly happy with these. + ] You can buy TSDs now, and pay an extra fee (reasonable) for the ungrade path to clipper when available (September not absolutely guaranteed). Paying the fee will allow you to exchange the TSD for a new and improved one at a later date. The hold up on clipper is availability from Mykotronx and questions were deferred to "the NSA". AT&T has been performed product integration tests with clipper and is ready to go as soon as chips are available. Their willingness to sell clipper phones is predicated on marketplace acceptance and the prospect of having a national standard with the chance of interoperability between different manufacturers. There is a perceived need for voice security products, and the balance with respect to "legitimate law enforcement access" was discussed. There was some confusion about key management, which was inferred to be present in the clipper chip. [The question arises as to which clipper chip they are waiting on, the MYK-78 or the MYK-80 which has key management features. The question also arises as to whether or not the MYK-78 is susceptible to a captured control programming attack to prevent transmission of the Law Enforcement Access Field, with an inferred assumption that the MKY-80 does not share this vulnerability. *] AT&T will continue to market the present 3600 sans clipper with the two proprietary encryption algorithms (ITAR/U.S. ONLY). This was stressed rather strongly. The question of relative strenght of cryptographic algorithms was brought up. There were no conclusions, as no common metric can be used, with one public algorithm, two proprietary and one classified algorithm. DES availability was discussed and was inferred to be affected by international agreements limiting DES proliferation. The TSD uses RCELP, a proprietary vocoder that is supposed to add fidelity over CELP, and is supposed to encode female voices better, with better treble. AT&T feels RCELP is superior to anything else at 4800 baud. This raised the question of licensing for RCELP. RCELP is not in the public domain to date. Executive resistance to CELP at 4800 baud is supposedly a good sell for RCELP. The 4800 baud limitation is based on the least common denominator of analog cellular communications paths, which won't support V.32 (9600 baud). The greatest need for telephone security devices is seen for cellular communications. The 3600 optionally comes with 5 handset interface modules (as opposed to one for the base product) that interface different phones to the TSD. This is required based on different frequency response of handset microphones as well as signal amplitudes. The 5 interface modules are considered universal - covering all types of phones. Think of this as signal conditioning to make the RCELP vocoder perform better. The standard power supply takes 110 VAC, 60 Hz. An optional universal power supply and international power package are available. ------ # Is DES secure enough to cause heartburn for our 3 letter agencie cousins? + the inferrence being that DES is higher security than either proprietary algorithm. * It has been reported that MYK-80 chips exist and have been tested by Mykotronx.

1 0

a question to ask NSA
by cme＠ellisun.sw.stratus.com 06 Aug '93

06 Aug '93

Would they be happy using Skipjack phones for their own communication if the key escrow agencies were in Bagdad and Tripoli, respectively, and the key generation and chip programming were done in Tehran? There are more details, but you get the drift.

1 0

No Subject
by Peter Wayner 06 Aug '93

06 Aug '93

The Rule of Law and the Clipper Escrow Project Last Thursday, I attended the first day of the Computer System Ssecurity and Privacy Advisory Board in Washington. This is a group of industry experts who discuss topics in computer security that should affect the public and industry. Some of the members are from users like banks and others are from service providing companies like Trusted Information Services. Lately, their discussion has centered on the NSA/NIST's Clipper/Capstone/Skipjack project and the effects it will have on society. At the last meeting, the public was invited to make comments and they were almost unanimously skeptical and critical. They ranged from political objections to the purely practical impediments. Some argued that this process of requiring the government to have the key to all conversations was a violation of the fourth amendment of the constitution prohibiting warrentless searches. Others noted that a software solution was much simpler and cheaper even if the chips were going to cost a moderate $25. There were many different objections, but practically everyone felt that a standard security system was preferable. This meeting was largely devoted to the rebutals from the government. The National Security Association, the Department of Justice, the FBI, the national association of District Attorneys and Sheriffs and several others were all testifying today. The board itself runs with a quasi-legal style they make a point of making both video and audio tapes of the presentations. The entire discussion is conducted with almost as much gravity as Congressional hearings. The entire meeting was suffused with an air of ernest lawfullness that came these speakers. All of them came from the upper ranks of the military or legal system and a person doesn't rise to such a position without adopting the careful air of the very diligent bureaucrat. People were fond of saying things like, "Oh, it's in the Federal Register. You can look it up." This is standard operating procedure in Washington agencies and second nature to many of the day's speakers. Dorothy Denning was one of the first speakers and she reported on the findings of the committee of five noted public cryptologists who agreed to give the Clipper standard a once-over. Eleven people were asked, but six declined for a variety of reasons. The review was to be classified "Secret" and some balked at this condition because they felt it would compromise their position in public. The talk made clear that the government intended to keep the standard secret for the sole purpose of preventing people from making unauthorized implementations without the law enforcement back door. Dr. Denning said that everyone at the NSA believes that the algorithm could withstand public knowledge with no trouble. The review by the panel revealed no reason why they shouldn't trust this assessment. Although lack of time lead the panel to largely rubberstamp the more extensive review by the NSA, they did conduct a few tests of their own. They programmed the algorithm on a Cray YMP, which incidentally could process 89,000 encryptions per second in single processor mode. This implementation was used for a cycling test which they found seemed to imply that there was good randomness. The test is done by repeatedly encrypting one value of data until a cycle occurs. The results agreed with what a random process should generate. They also tested the system for strength against a differential cryptanalysis attack and found it worthy. There was really very little other technical details in the talk. Saying more would have divulged something about the algorithm. My general impression is that the system is secure. Many people have played paranoid and expressed concerns that the classified algorithm might be hiding a trapdoor. It became clear to me that these concerns were really silly. There is a built-in trapdoor to be used by the government when it is "legal authorized" to intercept messages. The NSA has rarely had trouble in the past exercising either its explicitly granted legal authority or its implied authority. The phrase "national security" is a powerful pass phrase around Washington and there is no reason for me to believe that the NSA wouldn't get all of the access to the escrow database that it needs to do its job. Building in a backdoor would only leave a weakness for an opponent to exploit and that is something that is almost as sacrilidgeous at the NSA as just putting the classified secrets in a Fed Ex package to Saddam Hussein. Next there was a report from Geoff Greiveldinger , the man from the Department of Justice with the responsibility of implementing the the Key Escrow plan. After the Clipper/Capstone/SkipJack chips are manufactured, they will be programmed with an individual id number and a secret, unique key. A list is made of the id, key pairs and this list is split into two halves by taking each unique key, k, and finding two numbers a and b such that a+b=k. (+ represents XOR). One new list will go to one of the escrow agencies and one will go to the other. It will be impossible to recover the secret key without getting the list entry from both agencies. At this point, they include an additional precaution. Each list will be encrypted so even the escrow agency won't be able to know what is in its list. The key for decoding this list will be locked away in the evesdropping box. When a wiretap is authorized, each escrow agency will lookup the halves of the key that correspond to the phone being tapped and send these to evesdropping box where they will be decrypted and combined. That means that two clerks from the escrow agencies could not combine their knowledge. They would need access to a third key or an evesdropping box. It became clear that the system was not fully designed. It wasn't obvious how spontenaeous and fully automated the system would be. Mr. Greiveldinger says that he is trying to balance the tradeoffs between security and efficiency. Officers are bound to be annoyed and hampered if they can't start a tap instanteneously. The kidnapping of a child is the prototypical example of when this would be necessary. The courts also grant authority for "roving" wiretaps that allow the police to intercept calls from any number of phones. A tap like this begs out for a highly automated system for delivering the keys. I imagine that the system as it's designed will consist of escrow computers with a few clerks who have nothing to do all day. When a tap is authorized, the evesdropping box will be programmed with a private key and shipped to the agents via overnight express. When they figure out the id number of the phone being tapped, the evesdropping box will probably phone the two escrow computers, perform a bit of zero-knowledge authorization and then receive the two halves of the key. This would allow them to switch lines and conduct roving taps effectively. The NSA would presumably have a box that would allow them to decrypt messages from foreign suspects. At this point, I had just listened to an entirely logical presentation from a perfect gentleman. We had just run though a system that had many nice technological checks and balances in it. Subverting it seemed very difficult. You would need access to the two escrow agencies and an evesdropping box. Mr. Greiveldinger said that there would be many different "auditting" records that would be kept of the taps. It was very easy to feel rather secure about the whole system in a nice, air-conditioned auditorium where clean, nice legally precise people were speaking in measured tones. It was very easy to believe in the Rule of Law. To counteract this, I tried to figure out the easiest way for me to subvert the system. The simplest way is to be a police officer engaged in a stakeout of someone for whom you've already received a warrant. You request the Clipper evesdropping box on the off chance that the suspect will buy a Clipper phone and then you "lend" it to a friend who needs it. I think that the automation will allow the person who possesses the box to listen in to whatever lines that they want. The escrow agency doesn't maintain a list of people and id numbers-- they only know the list matching the id number to the secret key. There is no way that they would know that a request from the field was unreasonable. Yes, the audit trails could be used later to reconstruct what the box was used for, but that would only be necessary if someone got caught. The bribe value of this box would probably be hard to determine, but it could be very valuable. We know that the government of France is widely suspected of using its key escrow system to evesdrop on US manufacturers in France. Would they be willing to buy evesdropping time here in America? It is not uncommon to see reports of industrial espionage where the spies get millions of dollars. On the other hand, cops on the beat in NYC have been influenced for much less. The supply and demand theory of economics virtually guarantees that some deals are going to be done. It is not really clear what real effect the key escrow system is going to have on security. Yes, theives would need to raid two different buildings and steal two different copies of the tapes. This is good. But it is still impossible to figure out if the requests from the field are legitimate-- at least within the time constraints posed by urgent cases involving terrorism and kidnapping. The net effect of implementing the system is that the phone system would be substantially strengthened against nieve intruders, but the police (and those that bribe them) would still be able to evesdrop with impunity. Everyone needs to begin to do a bit of calculus between the costs and benefits of this approach. On one hand, not letting the police intercept signals will let the crooks run free but on the other hand, the crooks are not about to use Clipper phones for their secrets if they know that they can be tapped. The most interesting speaker was the assistant director of the National Security Agency, Dr. Clint Brooks. He immediately admitted that the entire Clipper project was quite unusual because the Agency was not used to dealing with the open world. Speaking before a wide audience was strange for him and he admitted that producing a very low cost commercial competitive chip was also a new challenge for them. Never-the-less, I found him to be the deepest thinker at the conference. He readily admitted that the Clipper system isn't intended to catch any crooks. They'll just avoid the phones. It is just going to deny them access to the telecommunications system. They just won't be able to go into Radio Shack and buy a secure phone that comes off the line. It was apparent that he was somewhat skeptical of the Clipper's potential for success. He said at one point the possibilities in the system made it worth taking the chance that it would succeed. If it could capture a large fraction of the market then it could help many efforts of the law enforcement and intelligence community. When I listened, though, I began to worry about what is going to happen as we begin to see the eventual blurring of data and voice communications systems. Right now, people go to Radio Shack to buy a phone. It's the only way you can use the phone system. In the future, computers, networks and telephones are going to be linked in much more sophisticated ways. I think that Intel and Microsoft are already working on such a technology. WHen this happens, programmable phones are going to emerge. People will be able to pop a new ROM in their cellular digital phone or install new software in their computer/video game/telephone. This could easily be a proprietary encryption system that scrambles everything. The traditional way of controlling technology by controlling the capital intensive manufacturing sites will be gone. Sure, the NSA and the police will go to Radio Shack and say "We want your cooperation" and they'll get it. But it's the little, slippery ones that will be trouble in the new, software world. The end of the day was dominated by a panel of Law Enforcement specialists from around the country. These were sheriffs, district attorneys, FBI agents and other officers from different parts of the system. Their message was direct and they didn't hesitate to compare encryption with assault rifles. One even said, "I don't want to see the officers outgunned in a technical arena." They repeatedly stressed the incredible safe guards placed upon the wiretapping process and described the hurdles that the officers must go through to use the system. One DA from New Jersey said that in his office, they process about 10,000 cases a year, but they only do one to two wiretaps on average. It just seems like a big hassle and expense for them. It is common for the judges to require that the officers have very good circumstantial evidence from informers before giving them the warrant. This constraint coupled with the crooks natural hesitation to use the phone meant that wiretaps weren't the world's greatest evidence producers. One moment of levity came when a board member asked what the criminals favorite type of encryption was. The police refused to answer this one and I'm not that sure if they've encountered enough cases to build a profile. At the end of all of the earnestness and "support-the-cop-on-the-beat", I still began to wonder if there was much value to wiretaps at all. The police tried to use the low numbers of wiretaps as evidence that they're not out there abusing the system, but I kept thinking that this was mainly caused by the high cost and relatively low utility of the technique. It turns out that there is an easy way to check the utility of these devices. Only 37 states allow their state and local police to use wiretaps in investigations. One member of the panel repeated the rumor that this is supposedly because major politicians were caught with wiretaps. The state legislatures in these states supposedly realized that receipients of graft and influence peddlers were the main target of wiretaps. Evesdropping just wasn't a tool against muggers. So they decided to protect themselves. It would be possible to check the crime statistics from each of these states and compare them against the evesdropping states to discover which has a better record against crime. I would like to do this if I can dig up the list of states that allow the technique. I'm sure that this would prove little, but it could possibly clarify something about this technique. It is interesting to note that the House of Representative committee on the Judiciary was holding hearings on abuses of the National Crime Information Center. They came in the same week as the latest round of Clipper hearings before the CSAB. The NCIC is a large computer system run by the FBI to provide all the police departments with a way to track down the past records of people. The widespread access to the system makes it quite vulnerable to abuse. In the hearings, the Congress heard many examples of unauthorized access. Some were as benign as people checking out employees. The worst was an ex-police officer who used the system to track down his ex-girlfriend and kill her. They also heard of a woman who looked up clients for her drug-dealing boyfriend so he could avoid the undercover cops. These hearings made it obvious that there were going to be problems determining the balance of grief. For every prototypical example of a child kidnapped to make child pornography, there is a rengade police officer out to knock off his ex-girlfriend. On the whole, the police may be much more trustworthy than the criminals, but we need to ask how often a system like Clipper will aid the bad guys. In the end, I reduced the calculus of the decision about Clipper to be a simple tradeoff. If we allow widespread, secure encryption, will the criminals take great advantage of this system? The secure phones won't be useful in rapes and random street crime, but they'll be a big aid to organized endeavors. It would empower people to protect their own information unconditionally, but at the cost of letting the criminals do the same. Built-in back doors for the law enforcement community, on the other hand, will deny the power of off-the-shelf technology to crooks, but it would also leave everyone vulnerable to organized attacks on people. I began to wonder if the choice between Clipper and totally secure encryption was moot. In either case, there would be new opportunities for both the law-abiding and the law-ignoring. The amount of crime in the country would be limited only by the number of people who devote their life to the game-- not by any new fangled technology that would shift the balance. I did not attend the Friday meeting so someone else will need to summarize the details.

2 1

Cliphack?
by gnu 06 Aug '93

06 Aug '93

Tim was calling it Clipjack, but I think Cliphack is better. John PS: Would you trust your momma to escrow your private key? The government is not your momma!

2 1

Our Rights are Dropping like Flies
by demon＠aql.gatech.edu 06 Aug '93

06 Aug '93

[ I just saw this posted. I think it might be of some interest. Though I hesitate to say "enjoy it". --demon ] ------------ Feel free to copy this article far and wide, but please keep my name and this sentence on it. The Bill of Rights, a Status Report by Eric Postpischil 4 September 1990 6 Hamlett Drive, Apt. 17 Nashua, NH 03062 edp(a)jareth.enet.dec.com How many rights do you have? You should check, because it might not be as many today as it was a few years ago, or even a few months ago. Some people I talk to are not concerned that police will execute a search warrant without knocking or that they set up roadblocks and stop and interrogate innocent citizens. They do not regard these as great infringements on their rights. But when you put current events together, there is information that may be surprising to people who have not yet been concerned: The amount of the Bill of Rights that is under attack is alarming. Let's take a look at the Bill of Rights and see which aspects are being pushed on or threatened. The point here is not the degree of each attack or its rightness or wrongness, but the sheer number of rights that are under attack. Amendment I Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. ESTABLISHING RELIGION: While campaigning for his first term, George Bush said "I don't know that atheists should be considered as citizens, nor should they be considered patriots." Bush has not retracted, commented on, or clarified this statement, in spite of requests to do so. According to Bush, this is one nation under God. And apparently if you are not within Bush's religious beliefs, you are not a citizen. Federal, state, and local governments also promote a particular religion (or, occasionally, religions) by spending public money on religious displays. FREE EXERCISE OF RELIGION: Robert Newmeyer and Glenn Braunstein were jailed in 1988 for refusing to stand in respect for a judge. Braunstein says the tradition of rising in court started decades ago when judges entered carrying Bibles. Since judges no longer carry Bibles, Braunstein says there is no reason to stand -- and his Bible tells him to honor no other God. For this religious practice, Newmeyer and Braunstein were jailed and are now suing. FREE SPEECH: We find that technology has given the government an excuse to interfere with free speech. Claiming that radio frequencies are a limited resource, the government tells broadcasters what to say (such as news and public and local service programming) and what not to say (obscenity, as defined by the Federal Communications Commission [FCC]). The FCC is investigating Boston PBS station WGBH-TV for broadcasting photographs from the Mapplethorpe exhibit. FREE SPEECH: There are also laws to limit political statements and contributions to political activities. In 1985, the Michigan Chamber of Commerce wanted to take out an advertisement supporting a candidate in the state house of representatives. But a 1976 Michigan law prohibits a corporation from using its general treasury funds to make independent expenditures in a political campaign. In March, the Supreme Court upheld that law. According to dissenting Justice Kennedy, it is now a felony in Michigan for the Sierra Club, the American Civil Liberties Union, or the Chamber of Commerce to advise the public how a candidate voted on issues of urgent concern to their members. FREE PRESS: As in speech, technology has provided another excuse for government intrusion in the press. If you distribute a magazine electronically and do not print copies, the government doesn't consider you a press and does not give you the same protections courts have extended to printed news. The equipment used to publish Phrack, a worldwide electronic magazine about phones and hacking, was confiscated after publishing a document copied from a Bell South computer entitled "A Bell South Standard Practice (BSP) 660-225-104SV Control Office Administration of Enhanced 911 Services for Special Services and Major Account Centers, March, 1988." All of the information in this document was publicly available from Bell South in other documents. The government has not alleged that the publisher of Phrack, Craig Neidorf, was involved with or participated in the copying of the document. Also, the person who copied this document from telephone company computers placed a copy on a bulletin board run by Rich Andrews. Andrews forwarded a copy to AT&T officials and cooperated with authorities fully. In return, the Secret Service (SS) confiscated Andrews' computer along with all the mail and data that were on it. Andrews was not charged with any crime. FREE PRESS: In another incident that would be comical if it were not true, on March 1 the SS ransacked the offices of Steve Jackson Games (SJG); irreparably damaged property; and confiscated three computers, two laser printers, several hard disks, and many boxes of paper and floppy disks. The target of the SS operation was to seize all copies of a game of fiction called GURPS Cyberpunk. The Cyberpunk game contains fictitious break-ins in a futuristic world, with no technical information of actual use with real computers, nor is it played on computers. The SS never filed any charges against SJG but still refused to return confiscated property. PEACEABLE ASSEMBLY: The right to assemble peaceably is no longer free -- you have to get a permit. Even that is not enough; some officials have to be sued before they realize their reasons for denying a permit are not Constitutional. PEACEABLE ASSEMBLY: In Alexandria, Virginia, there is a law that prohibits people from loitering for more than seven minutes and exchanging small objects. Punishment is two years in jail. Consider the scene in jail: "What'd you do?" "I was waiting at a bus stop and gave a guy a cigarette." This is not an impossible occurrence: In Pittsburgh, Eugene Tyler, 15, has been ordered away from bus stops by police officers. Sherman Jones, also 15, was accosted with a police officer's hands around his neck after putting the last bit of pizza crust into his mouth. The police suspected him of hiding drugs. PETITION FOR REDRESS OF GRIEVANCES: Rounding out the attacks on the first amendment, there is a sword hanging over the right to petition for redress of grievances. House Resolution 4079, the National Drug and Crime Emergency Act, tries to "modify" the right to habeas corpus. It sets time limits on the right of people in custody to petition for redress and also limits the courts in which such an appeal may be heard. Amendment II A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed. RIGHT TO BEAR ARMS: This amendment is so commonly challenged that the movement has its own name: gun control. Legislation banning various types of weapons is supported with the claim that the weapons are not for "legitimate" sporting purposes. This is a perversion of the right to bear arms for two reasons. First, the basis of freedom is not that permission to do legitimate things is granted to the people, but rather that the government is empowered to do a limited number of legitimate things -- everything else people are free to do; they do not need to justify their choices. Second, should the need for defense arise, it will not be hordes of deer that the security of a free state needs to be defended from. Defense would be needed against humans, whether external invaders or internal oppressors. It is an unfortunate fact of life that the guns that would be needed to defend the security of a state are guns to attack people, not guns for sporting purposes. Firearms regulations also empower local officials, such as police chiefs, to grant or deny permits. This results in towns where only friends of people in the right places are granted permits, or towns where women are generally denied the right to carry a weapon for self-defense. Amendment III No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law. QUARTERING SOLDIERS: This amendment is fairly clean so far, but it is not entirely safe. Recently, 200 troops in camouflage dress with M-16s and helicopters swept through Kings Ridge National Forest in Humboldt County, California. In the process of searching for marijuana plants for four days, soldiers assaulted people on private land with M-16s and barred them from their own property. This might not be a direct hit on the third amendment, but the disregard for private property is uncomfortably close. Amendment IV The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. RIGHT TO BE SECURE IN PERSONS, HOUSES, PAPERS AND EFFECTS AGAINST UNREASONABLE SEARCHES AND SEIZURES: The RICO law is making a mockery of the right to be secure from seizure. Entire stores of books or videotapes have been confiscated based upon the presence of some sexually explicit items. Bars, restaurants, or houses are taken from the owners because employees or tenants sold drugs. In Volusia County, Florida, Sheriff Robert Vogel and his officers stop automobiles for contrived violations. If large amounts of cash are found, the police confiscate it on the PRESUMPTION that it is drug money -- even if there is no other evidence and no charges are filed against the car's occupants. The victims can get their money back only if they prove the money was obtained legally. One couple got their money back by proving it was an insurance settlement. Two other men who tried to get their two thousand dollars back were denied by the Florida courts. RIGHT TO BE SECURE IN PERSONS, HOUSES, PAPERS AND EFFECTS AGAINST UNREASONABLE SEARCHES AND SEIZURES: A new law goes into effect in Oklahoma on January 1, 1991. All property, real and personal, is taxable, and citizens are required to list all their personal property for tax assessors, including household furniture, gold and silver plate, musical instruments, watches, jewelry, and personal, private, or professional libraries. If a citizen refuses to list their property or is suspected of not listing something, the law directs the assessor to visit and enter the premises, getting a search warrant if necessary. Being required to tell the state everything you own is not being secure in one's home and effects. NO WARRANTS SHALL ISSUE, BUT UPON PROBABLE CAUSE, SUPPORTED BY OATH OR AFFIRMATION: As a supporting oath or affirmation, reports of anonymous informants are accepted. This practice has been condoned by the Supreme Court. PARTICULARLY DESCRIBING THE PLACE TO BE SEARCHED AND PERSONS OR THINGS TO BE SEIZED: Today's warrants do not particularly describe the things to be seized -- they list things that might be present. For example, if police are making a drug raid, they will list weapons as things to be searched for and seized. This is done not because the police know of any weapons and can particularly describe them, but because they allege people with drugs often have weapons. Both of the above apply to the warrant the Hudson, New Hampshire, police used when they broke down Bruce Lavoie's door at 5 a.m. with guns drawn and shot and killed him. The warrant claimed information from an anonymous informant, and it said, among other things, that guns were to be seized. The mention of guns in the warrant was used as reason to enter with guns drawn. Bruce Lavoie had no guns. Bruce Lavoie was not secure from unreasonable search and seizure -- nor is anybody else. Other infringements on the fourth amendment include roadblocks and the Boston Police detention of people based on colors they are wearing (supposedly indicating gang membership). And in Pittsburgh again, Eugene Tyler was once searched because he was wearing sweat pants and a plaid shirt -- police told him they heard many drug dealers at that time were wearing sweat pants and plaid shirts. Amendment V No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject to the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use without just compensation. INDICTMENT OF A GRAND JURY: Kevin Bjornson has been proprietor of Hydro-Tech for nearly a decade and is a leading authority on hydroponic technology and cultivation. On October 26, 1989, both locations of Hydro-Tech were raided by the Drug Enforcement Administration. National Drug Control Policy Director William Bennett has declared that some indoor lighting and hydroponic equipment is purchased by marijuana growers, so retailers and wholesalers of such equipment are drug profiteers and co-conspirators. Bjornson was not charged with any crime, nor subpoenaed, issued a warrant, or arrested. No illegal substances were found on his premises. Federal officials were unable to convince grand juries to indict Bjornson. By February, they had called scores of witnesses and recalled many two or three times, but none of the grand juries they convened decided there was reason to criminally prosecute Bjornson. In spite of that, as of March, his bank accounts were still frozen and none of the inventories or records had been returned. Grand juries refused to indict Bjornson, but the government is still penalizing him. TWICE PUT IN JEOPARDY OF LIFE OR LIMB: Members of the McMartin family in California have been tried two or three times for child abuse. Anthony Barnaby was tried for murder (without evidence linking him to the crime) three times before New Hampshire let him go. COMPELLED TO BE A WITNESS AGAINST HIMSELF: Oliver North was forced to testify against himself. Congress granted him immunity from having anything he said to them being used as evidence against him, and then they required him to talk. After he did so, what he said was used to find other evidence which was used against him. The courts also play games where you can be required to testify against yourself if you testify at all. COMPELLED TO BE A WITNESS AGAINST HIMSELF: In the New York Central Park assault case, three people were found guilty of assault. But there was no physical evidence linking them to the crime; semen did not match any of the defendants. The only evidence the state had was confessions. To obtain these confessions, the police questioned a 15-year old without a parent present -- which is illegal under New York state law. Police also refused to let the subject's Big Brother, an attorney for the Federal government, see him during questioning. Police screamed "You better tell us what we want to hear and cooperate or you are going to jail," at 14-year-old Antron McCray, according to Bobby McCray, his father. Antron McCray "confessed" after his father told him to, so that police would release him. These people were coerced into bearing witness against themselves, and those confessions were used to convict them. COMPELLED TO BE A WITNESS AGAINST HIMSELF: Your answers to Census questions are required by law, with a $100 penalty for each question not answered. But people have been evicted for giving honest Census answers. According to the General Accounting Office, one of the most frequent ways city governments use census information is to detect illegal two-family dwellings. This has happened in Montgomery County, Maryland; Pullman, Washington; and Long Island, New York. The August 8, 1989, Wall Street Journal reports this and other ways Census answers have been used against the answerers. COMPELLED TO BE A WITNESS AGAINST HIMSELF: Drug tests are being required from more and more people, even when there is no probable cause, no accident, and no suspicion of drug use. Requiring people to take drug tests compels them to provide evidence against themselves. DEPRIVED OF LIFE, LIBERTY, OR PROPERTY WITHOUT DUE PROCESS OF LAW: This clause is violated on each of the items life, liberty, and property. Incidents including such violations are described elsewhere in this article. Here are two more: On March 26, 1987, in Jeffersontown, Kentucky, Jeffrey Miles was killed by police officer John Rucker, who was looking for a suspected drug dealer. Rucker had been sent to the wrong house; Miles was not wanted by police. He received no due process. In Detroit, $4,834 was seized from a grocery store after dogs detected traces of cocaine on three one-dollar bills in a cash register. PRIVATE PROPERTY TAKEN FOR PUBLIC USE WITHOUT JUST COMPENSATION: RICO is shredding this aspect of the Bill of Rights. The money confiscated by Sheriff Vogel goes directly into Vogel's budget; it is not regulated by the legislature. Federal and local governments seize and auction boats, buildings, and other property. Under RICO, the government is seizing property without due process. The victims are required to prove not only that they are not guilty of a crime, but that they are entitled to their property. Otherwise, the government auctions off the property and keeps the proceeds. Amendment VI In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining Witnesses in his favor, and to have the assistance of counsel for his defence. THE RIGHT TO A SPEEDY AND PUBLIC TRIAL: Surprisingly, the right to a public trial is under attack. When Marion Barry was being tried, the prosecution attempted to bar Louis Farrakhan and George Stallings from the gallery. This request was based on an allegation that they would send silent and "impermissible messages" to the jurors. The judge initially granted this request. One might argue that the whole point of a public trial is to send a message to all the participants: The message is that the public is watching; the trial had better be fair. BY AN IMPARTIAL JURY: The government does not even honor the right to trial by an impartial jury. US District Judge Edward Rafeedie is investigating improper influence on jurors by US marshals in the Enrique Camarena case. US marshals apparently illegally communicated with jurors during deliberations. OF THE STATE AND DISTRICT WHEREIN THE CRIME SHALL HAVE BEEN COMMITTED: This is incredible, but Manuel Noriega is being tried so far away from the place where he is alleged to have committed crimes that the United States had to invade another country and overturn a government to get him. Nor is this a unique occurrence; in a matter separate from the Camarena case, Judge Rafeedie was asked to dismiss charges against Mexican gynecologist Dr. Humberto Alvarez Machain on the grounds that the doctor was illegally abducted from his Guadalajara office in April and turned over to US authorities. TO BE INFORMED OF THE NATURE AND CAUSE OF THE ACCUSATION: Steve Jackson Games, nearly put out of business by the raid described previously, has been stonewalled by the SS. "For the past month or so these guys have been insisting the book wasn't the target of the raid, but they don't say what the target was, or why they were critical of the book, or why they won't give it back," Steve Jackson says. "They have repeatedly denied we're targets but don't explain why we've been made victims." Attorneys for SJG tried to find out the basis for the search warrant that led to the raid on SJG. But the application for that warrant was sealed by order of the court and remained sealed at last report, in July. Not only has the SS taken property and nearly destroyed a publisher, it will not even explain the nature and cause of the accusations that led to the raid. TO BE CONFRONTED WITH THE WITNESSES AGAINST HIM: The courts are beginning to play fast and loose with the right to confront witnesses. Watch out for anonymous witnesses and videotaped testimony. TO HAVE COMPULSORY PROCESS FOR OBTAINING WITNESSES: Ronald Reagan resisted submitting to subpoena and answering questions about Irangate, claiming matters of national security and executive privilege. A judge had to dismiss some charges against Irangate participants because the government refused to provide information subpoenaed by the defendants. And one wonders if the government would go to the same lengths to obtain witnesses for Manuel Noriega as it did to capture him. TO HAVE THE ASSISTANCE OF COUNSEL: The right to assistance of counsel took a hit recently. Connecticut Judge Joseph Sylvester is refusing to assign public defenders to people ACCUSED of drug-related crimes, including drunk driving. TO HAVE THE ASSISTANCE OF COUNSEL: RICO is also affecting the right to have the assistance of counsel. The government confiscates the money of an accused person, which leaves them unable to hire attorneys. The IRS has served summonses nationwide to defense attorneys, demanding the names of clients who paid cash for fees exceeding $10,000. Amendment VII In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise reexamined in any Court of the United States, than according to the rules of common law. RIGHT OF TRIAL BY JURY IN SUITS AT COMMON LAW: This is a simple right; so far the government has not felt threatened by it and has not made attacks on it that I am aware of. This is our only remaining safe haven in the Bill of Rights. Amendment VIII Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted. EXCESSIVE BAIL AND FINES: Tallahatchie County in Mississippi charges ten dollars a day to each person who spends time in the jail, regardless of the length of stay or the outcome of their trial. This means innocent people are forced to pay. Marvin Willis was stuck in jail for 90 days trying to raise $2,500 bail on an assault charge. But after he made that bail, he was kept imprisoned because he could not pay the $900 rent Tallahatchie demanded. Nine former inmates are suing the county for this practice. CRUEL AND UNUSUAL PUNISHMENTS: House Resolution 4079 sticks its nose in here too: "... a Federal court shall not hold prison or jail crowding unconstitutional under the eighth amendment except to the extent that an individual plaintiff inmate proves that the crowding causes the infliction of cruel and unusual punishment of that inmate." CRUEL AND UNUSUAL PUNISHMENTS: A life sentence for selling a quarter of a gram of cocaine for $20 -- that is what Ricky Isom was sentenced to in February in Cobb County, Georgia. It was Isom's second conviction in two years, and state law imposes a mandatory sentence. Even the judge pronouncing the sentence thinks it is cruel; Judge Tom Cauthorn expressed grave reservations before sentencing Isom and Douglas Rucks (convicted of selling 3.5 grams of cocaine in a separate but similar case). Judge Cauthorn called the sentences "Draconian." Amendment IX The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people. OTHER RIGHTS RETAINED BY THE PEOPLE: This amendment is so weak today that I will ask not what infringements there are on it but rather what exercise of it exists at all? What law can you appeal to a court to find you not guilty of violating because the law denies a right retained by you? Amendment X The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people. POWERS RESERVED TO THE STATES OR THE PEOPLE: This amendment is also weak, although it is not so nonexistent as the ninth amendment. But few states set their own speed limits or drinking age limits. Today, we mostly think of this country as the -- singular -- United States, rather than a collection of states. This concentration of power detaches laws from the desires of people -- and even of states. House Resolution 4079 crops up again here -- it uses financial incentives to get states to set specific penalties for certain crimes. Making their own laws certainly must be considered a right of the states, and this right is being infringed upon. Out of ten amendments, nine are under attack, most of them under multiple attacks of different natures, and some of them under a barrage. If this much of the Bill of Rights is threatened, how can you be sure your rights are safe? A right has to be there when you need it. Like insurance, you cannot afford to wait until you need it and then set about procuring it or ensuring it is available. Assurance must be made in advance. The bottom line here is that your rights are not safe. You do not know when one of your rights will be violated. A number of rights protect accused persons, and you may think it is not important to protect the rights of criminals. But if a right is not there for people accused of crimes, it will not be there when you need it. With the Bill of Rights in the sad condition described above, nobody can be confident they will be able to exercise the rights to which they are justly entitled. To preserve our rights for ourselves in the future, we must defend them for everybody today.

1 0

My personal objection to NIST's DSS exclusive licensing proposal
by gnu 06 Aug '93

06 Aug '93

[I encourage you to file objections too. They don't have to be eight pages long! One page will do.] John Gilmore PO Box 170608 San Francisco, California, USA 94117 August 5, 1993 Michael R. Rubin Active Chief Counsel for Technology Room A-1111, Administration Building, National Institute of Standards and Technology Gaithersburg, Maryland 20899 Phone: +1(301) 975-2803. Fax: +1(301) 926-2569. Dear Sir: I am writing to provide written evidence and argument that the grant of your prospective license for the Digital Signature Algorithm (DSA) to Public Key Partners (PKP) would not be consistent with the requirements of 35 U.S.C. 209 and 37 CFR 404.7. I am also applying for a personal, non-exclusive, sublicensable, and transferable license for the DSA. I propose that instead of granting a license to PKP, the Government: Put its DSA technology into the public domain, and Standardize RSA as a digital signature algorithm. In particular, the NIST proposal must meet the following criteria from 35 U.S.C. 209 (c)(1): (A) the interests of the Federal Government and the public will best be served by the proposed license, in view of the applicant's intentions, plans, and ability to bring the invention to practical application or otherwise promote the invention's utilization by the public; I argue that interests of the Federal Government and the public will best be served by my proposed approach to the problem. The RSA cryptosystem was strongly considered as a digital signature standard by NIST, and was reportedly rejected for two reasons: (1) RSA is patented, while NIST wanted a royalty-free algorithm. (2) The National Security Agency objected to the standardization of RSA, for reasons it did not specify. The first objection is interesting; both DSA and RSA are now controlled by patents, and both would require royalty payments by users in the United States. However, the RSA patents only apply in the United States, so that the public (which includes all people on the Earth) will be better served by standardizing on the algorithm that is available for royalty-free use in other countries. Also, the RSA patent is royalty-free to the government, because it was invented with government grants. The patents which control the DSA are in force worldwide, and the government does not have free use of the algorithm. This gives a clear edge to the RSA algorithm. Also, the patents controlling RSA will expire at least ten years earlier than the DSA patent (if issued) and more than seven years before the Schnorr patent which controls use of DSA. In particular, the RSA patent will expire on September 20, 2000, and all other patents which control the use of RSA expire in 1997. The Schnorr patent expires on February 19, 2008, and the DSA patent would expire seventeen years after it is issued, which has not occurred yet. The traditional model of market acceptance of technology begins with a long slow climb, requiring years, and only peaks after this momentum has built up the proper infrastructure to support the technology. At the peak, many millions of people use the technology (in some cases, almost everyone in society). Digital signature technology has followed this model, and is widely expected to reach millions of people within the next five to ten years. This is important for two reasons: (a) RSA's patent will expire before or near the point when this technology enters the "mass market" of millions of users. This will benefit the public by reducing the cost of deploying the technology to these users. The size of the market clearly provides an economic incentive sufficient to cause its deployment even in the absence of exclusive licensing. (b) RSA digital signature technology has already been climbing the curve for many years. Standardizing on it will produce quicker deployment of digital signature technology. PKP is already licensing the RSA technology on terms similar to the proposed DSA terms, and has promised non-discriminatory licensing if RSA is standardized by NIST. As for the second problem with standardizing on RSA, the objection of the National Security Agency, there are two possible reasons: (a) NSA does not want to see a digital signature technology standardized if it would also allow data encryption, because that could make interception of intelligence data harder. This objection is completely specious. NSA does not have a valid role in setting domestic policy. It is a secret agency, not accountable to the public, and explicitly prohibited by statute from operating in the United States or against United States citizens. Its advice to NIST under the Computer Security Act is restricted to be of a technical nature, not straying onto questions of policy. NIST is required to give full weight to the interests of the public when deliberating on standards. Secret agencies whose policies oppose the public interest have no weight in NIST's standardization process. In fact, the standardization of identical technology for digital signatures and for key exchange and other data encryption uses would be a *good* decision. This technology has already been implemented in Lotus Notes and Privacy Enhanced Mail, and is well proven to be acceptable to users, implementable by manufacturers, and without fault as regards domestic encryption policy. Tens of thousands of copies of these products are in daily use without any impact on domestic tranquility. (b) NSA knows of a technical reason why RSA is not suitable. In this scenario, NSA has learned how to "break" RSA, either by factoring large composites, or by some other method. The proper response of the Government, in that case, is to publicize this fact, in order to protect domestic communications. Because if NSA knows it, it's likely that opposing intelligence agencies also know how to break RSA. The United States is the most computerized society, the most networked, the most communicative. We have the most to lose by having unsecured communications that we believe are secure. In addition, it's likely that the revelation of the NSA method of breaking RSA would result in substantial progress in mathematics in other areas besides cryptography, providing further benefit to the public. Further reasons to standardize RSA rather than DSA: The strengths and weaknesses of the RSA algorithm are better understood by the technical community. More than ten years of research has gone into understanding and implementing it. The DSA has had much less research and thought brought to bear on it. A prominent cryptographer, Gustavus Simmons, alleges that the DSA contains flaws which permit small amounts of secret information to be conveyed in its digital signatures. These flaws, which appear to have been deliberately designed in, would permit the signing party to send information to recipients of the signature, without the affected party having any way to determine this. For example, if a Government agency provided a digital signature on a passport, it could secretly communicate messages such as "this person should be searched at every border crossing" or "this person is suspected of anti-American leanings". Such unproved `information' would not be tolerated by the public if communicated on the face of the passport, but using the DSA, an unscrupulous agency could use such suspicions to harass citizens in the free exercise of their rights. All of the above information should convince NIST that standardizing the RSA technology and freeing the DSA technology would best serve the interest of the Federal Government and the public, rather than granting an exclusive license for the DSA technology to PKP. The NIST proposal must also meet the following criterion from 35 U.S.C. 209 (c)(1): (B) the desired practical application has not been achieved, or is not likely expeditiously to be achieved, under any non-exclusive license which has been granted, or which may be granted, on the invention; NIST's own experience with the Data Encryption Standard (DES) makes it clear that releasing an encryption system for public use, without assignment of exclusive rights to any organization, produces widespread use within a short period of time. The DES is clearly the premier private-key encryption system in the country and in the world today. It is used in every Automatic Teller Machine, in every bank, as well as on the Fedwire interbank network. A derivative algorithm is used in the Unix password security system, which runs on more than a million computers in daily use. It is used in electronic mail privacy systems, including Lotus Notes and the Privacy Enhanced Mail system for the Internet. It was used in secure telephones built by AT&T -- and in fact the deployment there was too rapid for government comfort (the FBI, NIST and NSA ended up rushing the Clipper/Skipjack program into the public eye to prevent further deployment of telephones using this algorithm.) Whenever private-key encryption is used, DES is likely to be there. DES products are available worldwide from a large number of chip, board, peripheral, system, and software vendors, providing data rates ranging from very slow to a gigabit per second. It is clear that the non-exclusive licensing of DES, as well as its technical capability, was directly responsible for its widespread adoption and use. Had it been exclusively licensed, say to IBM, its originator, it would not have enjoyed the wide use it has received. IBM has built DES into products, but they did not sell well and capture the market. It was the innovative uses pioneered by others, who were free to build on IBM's and NIST's standard without negotiations or royalties, who produced the machines and software which has since served large numbers of government users and the public. The United States has a collection of programmers and cryptographers, numbering in the hundreds, who have made significant contributions to the development and deployment of cryptographic algorithms throughout society. I have seen at least ten different software implementations of DES, freely available to everyone who wants them, including full source code and commentary. Each of these implementers was able to study and build upon the work of the others, resulting in gradual improvement of the speed and robustness of the implementations. The algorithm has been embedded into freely available software for electronic mail (TIS-PEM and early PGP versions), computer network security (Kerberos), clock synchronization (NTP), and networked voice communications (VAT), just to name a few. (Most of the work involved in building these products was the software and infrastructure that was built up AROUND the DES, by the way.) If and when the DSA technology is released for free use by the public, the same community will produce widely available programs that employ it. PKP may argue that the same development would occur, under its grant of free noncommercial DSA licenses, but the point is that this developement would occur WITHOUT granting an exclusive license to PKP. And if this is true, then by statute, NIST cannot grant an exclusive license. PKP may also argue that its ownership of the Schnorr patent would prevent the development of noncommercial DSA products, unless it was granted an exclusive license in return for allowing noncommercial use of the Schnorr and DSA patents. However, the record clearly shows that even when a technology is patented (RSA, or Lempel-Ziv compression) and when the patent owner does not have a policy of permitting noncommercial use, the free software community will still produce widely used programs (PGP and Compress) which produce great benefit for the public and for the government. These programs can be used immediately by those willing to challenge the patent, or to whom the patent does not apply, and can be used by everyone after the patent expires, or if the patent owner's policy changes. Furthermore, Public Key Partners is in the position of having paid a lot of money for the Schnorr patent. If the government doesn't standardize DSA, and doesn't give PKP an exclusive DSA patent, then PKP will have to CONVINCE people to use their expensive patent. The traditional way to do so is by licensing it cheaply and widely. If people end up wanting to use DSA even though it has not been standardized, it's likely that a license for the Schnorr patent that controls it will be available at a similar price to what PKP proposed under the exclusive licensing scheme. PKP has already granted no-cost noncommercial licenses to other patents that it holds, including the RSA patent, so it is certainly conceivable that it would come to grant similar licenses for the Schnorr patent, for the same reasons. 35 USC 209 (c)(1)(C) requires that exclusive or partially exclusive licensing is "reasonable and necessary" to call forth capital to deploy the invention. The above discussion, particularly the DES evidence, has shown that this condition does not hold. 35 USC 209 (c)(1)(D) requires that the proposed terms and scope of exclusivity are not greater than reasonably necessary to bring the invention to practical application. The scope proposed by NIST is exclusive to a single company for seventeen years. My proposal is partially exclusive to the same company for seven years, then would eliminate the exclusivity completely. The company has promised similar terms for the licensing of the RSA patent, for that seven year period, so the terms of the NIST proposal and my proposal are similar, though the scope of exclusivity in mine is shorter. My proposal continues to provide the incentive for bringing the invention to practical application, so condition (D) does not hold either. The conditions in 35 USC 209 (c)(1) are joined with "and" and prefaced with "only if"; failure to meet any one of the conditions denies the agency the ability to issue an exclusive or partially exclusive license. All four conditions have failed to be met in this case, so for NIST to grant an exclusive license to PKP would be unlawful. The public interest in this technology is substantial, and it is unlikely that NIST would escape without being sued if it attempted to grant the exclusive license anyway. I myself contract for the full time of a lawyer, who is currently engaged in suing the Federal Government for its unlawful acts. I believe that two such suits are currently in process, against NSA and the Department of Justice. I would not be averse to adding NIST to the list. In the event that NIST fails to follow my recommendation that the DSA technology be made freely available to the public, I hereby request a personal, non-exclusive license to practice it. The information required under 37 CFR 404.8 for such an applicant is: Invention: Digital Signature Algorithm Patent application number: 07/738.431 Type of license: Personal, non-exclusive, sublicensable, and transferable. My name, address, email address, and phone number: John Gilmore PO Box 170608 San Francisco, California, USA 94117 gnu(a)toad.com +1 415 903 1418 My citizenship: USA My representative to correspond with: myself. Nature and type of my business: I am a privacy advocate, a programmer, an entrepreneur. Personally, I have no employees at this time, though I am co-founder and part owner of a business which employs 40 people. I am also co-founder and on the Board of Directors of a foundation which employs about ten people. I contract with a lawyer for his full-time services, though he is not an employee. Products and services which I have successfully commercialized: I was employee #5 at Sun Microsystems, and contributed significantly to the success of the company, which is now one of the world's largest computer companies. I have co-founded several businesses. I have written several substantial pieces of software which enjoy wide use, including PD Tar, a tape archive program, GNUUCP, which provides low-cost data communications, and GDB, which is a very widely used debugger. All of these programs were developed under an intellectual property technology that involves giving away the program itself, and selling services related to the program. The 40-person business mentioned above supports itself solely by this method, and provides commercial support for GDB among many other products. I am also a co-founder of the Electronic Frontier Foundation, which, as a non-profit educational foundation, has commercialized the services of advocating privacy and the public interest in electronic media, and the service of defending the public against unconstitutional or unlawful searches, seizures, and restrictions on rights in electronic media. I have successfully organized several volunteer teams of programmers and writers to produce products which were made available to the public, without requiring significant investment, by leveraging the goodwill of the people involved, and the availability of low cost computers and communications media. Source of information concerning the availability of the license: Internet electronic mail, including copies of the Federal Register. Statement indicating whether I am a small business: As an individual, I am probably not considered a small business. I do not seek use of the patent for business purposes, but for my activities in advocating privacy and anonymity in electronic media. Detailed description of plans for developing or marketing the invention: If granted this license, I would immediately sublicense all persons who wished to use the patent, at no charge. I challenge any other proposed licensee to provide a greater benefit at a lower cost. I would market the invention via online and printed communications, making the public and the software development community aware of their ability to freely use the invention without restraint from me or from the Government. I would negotiate with Public Key Partners to come to an agreement on terms by which noncommercial use of the Schnorr patent could proceed. Such availability would lead the way to commercial applications, as has happened with the RSA algorithm. I believe that minimal time and investment capital would be required in this endeavour: less than a month of my personal time, spread across several months of elapsed time, and less than $20,000 in investment, which I have available from personal funds. My capability and intention to fulfill the plan is shown by my record of achievements listed above. I and my sublicensees intend to practice the invention in all fields of use. I and my sublicensees intend to practice the invention in all geographical areas, limited only by Government- imposed export restrictions. I have not applied for nor been granted previous licenses for federally owned inventions. I believe that the DSA is being practiced by a small number of companies in private industry, and is being practiced by the Government and its contractors in conjunction with the Capstone program of the NSA. Further information which I believe will support a determination to grant me the license: If NIST truly wishes that the public be granted the maximum capability to use this invention, then granting me this license, or in the alternative, granting a royalty-free license to everyone, would best achieve that goal. Sincerely, John Gilmore

1 0

Wayner's Wonderland
by an12070＠anon.penet.fi 06 Aug '93

06 Aug '93

Mr. Wayner posts thoughtful descriptions and reflections on the CSSPAB proceedings. While I want to express my appreciation for this interesting and revealing glimpse and encourage future postings in the same vein, there are some deeply upsetting views and grating, gratuitous benedictions expressed therein that would sound worse than fingernails on a chalkboard for any hard core cypherpunk. Following is mostly vitriolic and sarcastic flame; feel free to ignore it; you've been warned. * * * Peter Wayner <pcw(a)access.digex.net> >The board itself runs with a quasi-legal style quasi-legal? and the NSA was there? how apropos! >All of them came from the upper >ranks of the military or legal system and a person doesn't rise to >such a position without adopting the careful air of the very diligent >bureaucrat. This is precisely the fluffery and facade we are *not* impressed with. The very Cream of the NSA, the brilliant minds who brought you Clipper and DSA. >The NSA has rarely had trouble in the past >exercising either its explicitly granted legal authority or >its implied authority. The phrase "national security" is a >powerful pass phrase around Washington and there is no reason >for me to believe that the NSA wouldn't get all of the access >to the escrow database that it needs [...] but you see, that is the problem. As P. Ferguson wrote, ` `National security': the root password to the Constitution.' >Building in >a backdoor would only leave a weakness for an opponent to exploit >and that is something that is almost as sacrilidgeous at the NSA >as just putting the classified secrets in a Fed Ex package to >Saddam Hussein. Hm, do you think they felt the same about DES? DSA? decreasing key size makes me wonder at night... >Next there was a report from Geoff Greiveldinger , the man from the >Department of Justice with the responsibility of implementing the the >Key Escrow plan. >[...] >It became clear that the system was not fully designed. Reminds me of the trembling, pale kid at the front of the classroom giving a book report, reading aloud from a blank page. He didn't do his homework. Not only that, but it's the wrong assignment. No matter, he's about to be expelled anyway. This key escrow system is as solid as oozing phlegm. In the Official Announcement we hear of a new Key Escrow System. Hm, what's it about? Apparently not a Key Escrow System, from what I can figure out. Denning scrambles out with some bizarre circumlocution soon after the announcement that is supposedly now Null and Void, and we have this grand new system with the Magic Eavesdropping Box. How are we to be sure that this Box is secure? Why, it utilizes a Secure Chip inside. What about the Chip? Why, there are Secure Atoms and Electrons, assuredly in the Proper Places with Correct Clearance, as designated by The Grand Holiness. >At this point, I had just listened to an entirely logical presentation >from a perfect gentleman. We had just run though a system that had many >nice technological checks and balances in it. Subverting it seemed >very difficult. Gee, I missed something there somewhere. `Not fully designed' but `difficult to subvert' because of all the `nice technological checks'. Yes, I would bet my life on that. >The most interesting speaker was the assistant director of the National >Security Agency, Dr. Clint Brooks. He immediately admitted that the >entire Clipper project was quite unusual because the Agency was not >used to dealing with the open world. Speaking before a wide audience >was strange for him and he admitted that producing a very low cost >commercial competitive chip was also a new challenge for them. their amateurism is frightening and pathetic. The lesson is not that it is `a new challenge' but a outrageous violation of their authority. I'm quite nauseated that someone here would succumb to their transparent and shifty rhetoric. They have no legal authority whatsoever in proposing this. They still fail to grasp this simple fact, despite a bludgeoning CPSR lawsuit slaps and FOIA jabs. It is a wonder they have stopped hiding behind the legs of the President. >He readily admitted that the Clipper system isn't intended to catch >any crooks. Ah, but we have the Official Announcement from Mr. Clinton explaining how it would be used to catch `criminals, drug dealers, and terrorists'! How are we to reconcile this bizarre twist? This is all so grotesque, so Orwellian, so wretched, so horribly nightmarish... we have the Key Escrow Initiative with everything but the Key Escrow read, to catch all the Criminals who aren't Criminals. >When I listened, though, I began to worry about what is going to happen >as we begin to see the eventual blurring of data and voice communications >systems. what a fantastic revelation! when did you come to this epiphany? >WHen this happens, programmable phones are going to emerge. what a ... >This >could easily be a proprietary encryption system that scrambles >everything. what a ... gosh, it would make sense for the NSA to propose Clipper for a scenario like that! what a coincidence! >The traditional way of controlling technology by >controlling the capital intensive manufacturing sites will be gone. what a ... `traditional way of controlling'? more like the `past method of manipulation'! >Sure, >the NSA and the police will go to Radio Shack and say "We want your >cooperation" and they'll get it. But it's the little, slippery ones >that will be trouble in the new, software world. what a ... It is the big, lumbering one called NSA that is already in *deep* trouble. [ sheriffs, district attorneys, FBI agents] >Their message was direct and they didn't hesitate to compare encryption >with assault rifles. One even said, "I don't want to see the officers >outgunned in a technical arena." sorry, they don't have a choice in the matter. >One DA from New Jersey said that >in his office, they process about 10,000 cases a year, but they only >do one to two wiretaps on average. It just seems like a big hassle >and expense for them. oh, perhaps you are proposing it shouldn't be a `hassle' or a `expensive'. Let me tell you, infringing on rights better DAMN WELL be more than a `hassle'! >The >police tried to use the low numbers of wiretaps as evidence that they're not >out there abusing the system, but I kept thinking that this was mainly >caused by the high cost and relatively low utility of the technique. bless you. Now I only feel 95% like strangling you. >In the end, I reduced the calculus of the decision about Clipper to be >a simple tradeoff. If we allow widespread, secure encryption, will the >criminals take great advantage of this system? who is `we'? what do you mean by `allow'? this terminology presupposes the fact that you, the NSA, or anyone else has the capability to control it. >It would empower people to protect their own >information unconditionally, but at the cost of letting the criminals >do the same. ultimately a net gain, IMHO. There is far more to gain from protection of businesses and private mail than any increased evasive power given to criminals. The point is, we can catch criminals without illegitimate crutches like wiretapping. In fact, I think wiretapping ultimately encourages laziness and inefficiency in law enforcement and investigative/detective work. We stand to gain a more efficient law enforcement system when it is ultimately rendered impossible. >I began to wonder if the choice between Clipper and totally secure >encryption was moot. for any true cypherpunk, it is not. ------------------------------------------------------------------------- To find out more about the anon service, send mail to help(a)anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin(a)anon.penet.fi.

1 0

IRS flunkies browsing your tax records (Surprise!)
by fergp＠sytex.com 06 Aug '93

06 Aug '93

excerpted from: The Washington Post 5 August 1993 page A6 Accused of Failing to Protect Data, IRS Says It Will Buttress Safeguards by Stephen Barr Washington Post Staff Writer The Internal revenue Service, assailed by senators yesterday over a breakdown in computer security that allowed IRS workers to browse through tax records and monitor fraudulent tax refunds, pledged to strengthen safeguards set up to ensure taxpayer records are kept confidential. "it's not easy. it's painful to admit mistakes you make," Internal revenue Commissioner Margaret Milner Richardson said after listening to members of the Senate Governmental Affairs Committee express outrage that IRS workers abused their public trust. Addressing committee Chairman John Glenn (D-Ohio), Richardson said,"I feel very strongly about protecting the integrity of the tax system, and I told you we will not tolerate anything that will impinge on that integrity or the credibility of the American people." But Richardson rebuffed a suggestion by Sen. David Pryor (D-Ark.) that the IRS notify the taxpayers whose files were improperly reviewed. "I'm not sure there would be a serious value to that in terms of tax administration or in the connection with what I see as protecting the taxpayer's rights," she said. Pryor said he would continue to press for taxpayer notification, saying, "I'm going to really come down hard.... I think anyone that we can identify whose files have been browsed for no official reason, I think that taxpayer needs to know." Richardson's testimony followed the release of a report this week that showed almost 370 IRS employees in the agency's Southeast Region have been investigated or disciplined for creating fraudulent tax returns or browsing through tax returns of friends, relatives, neighbors and celebrities. In 154 cases, employees were disciplined. Deputy Commissioner Michael P. Dolan said three employees were forced to resign, three were fired, 38 received suspensions, 67 were given reprimands, 24 were admonished, 17 underwent counseling and two received "caution letters." Sen. Byron L. Dorgan (D-N.D.), noting that few employees were dismissed, questioned Richardson and Dolan on whether "we are dealing appropriately enough" with violators. They said the IRS would provide the committee with detailed information on how disciplinary judgements were made. Few details emerged at the hearing on how IRS regional employees created bogus refunds. An IRS investigative report released by the committee said that four employees are facing criminal prosecution. "In one case," the IRS report said, "an employee prepared over 200 fraudulent tax returns and monitored the refunds" on IRS computers. The report suggested that the fake refunds cost the government more than $300,000. In another case, "the employee used her position to input fraudulent adjustments and monitor the accounts of local taxpayers. She also prepared fraudulent returns, including returns for herself and her parents," the IRS report said. Dolan noted that the violations ranged from the serious to the benign, such as employees who were asked by neighbors for a favor: determine the status of their income tax refund. In answering questions, Richardson pointed out that IRS's internal audit staff had uncovered the information with the General Accounting Office. The IRS audit examined the Integrated Data Retrieval System, a database of taxpayer accounts used by 56,000 IRS workers nationwide. Richardson said the IRS is developing a "comprehensive review" of computer security issues that will improve the agency's ability to detect "inappropriate use." The IRS also is reviewing its high-risk operations, such as credit transfers amd taxpayer adjustments, in a renewed effort tp avert employee misconduct. Dolan said a review of the agency's most sensitive computer commands would be completed within the next six weeks. Richardson was a washington tax attorney before being selected earlier this year by President Clinton to run the IRS. Dolan, a career civil servant, was named deputy commissioner last year. 8<--------- End article ------------------- A old friend of mine sent me an e-mail this afternoon; it appears we see eye-to-eye on this entire fiasco -- and the dangerous role the government wants to play in the Information Age: 8<--------- forwarded message -------------- Subject: Clipper, escrows, and honesty. . . To: "fergp" <sytex.com!fergp> Saw your recent posting on SCI.CRYPT. I generally shun public postings in such an arena. . . . However, it occurred to me, with only a little bit of thought, that after the recent articles in the Washington Post regarding the employee's of the IRS browsing through friends, enemies, and famous folk's 1040's -- simply for kicks -- how would this be any different than an escrow key arrangment. Isn't it simply a given truth that if one man can view a personal secret of another, that he will be tempted? And let's face it, history proves that, more often than not, the "apple is bitten," ---- or at least "nibbled." No matter how you work it, there will always be a small group, perhaps even one, that will have access to your key. Just like that little girl that sits behind the faceless terminal can pull up my 1040 and run through the schedules to see what I won on and what I lost ---- and I'll never know that it even happened. Of course, until someone who shouldn't know does know, and perhaps at a cocktail party makes mention. . . . . Small potatoes. . . . but not if you're encrypting.. 8<---------- end forwarded mail ----------- Once again -- "Be afraid; be very afraid." Paul Ferguson | "Government, even in its best state, Network Integrator | is but a necessary evil; in its worst Centreville, Virginia USA | state, an intolerable one." fergp(a)sytex.com | - Thomas Paine, Common Sense I love my country, but I fear its government.

1 0

(fwd) Re: Will SKIPJACK's algorithm get out? (Non-technical)
by tcmay＠netcom.com 06 Aug '93

06 Aug '93

Here's a posting I did on how Skipjack (which I deliberately called "Clipjack") can be likely broken by groups like ours. The anonymous remailers, and the alt.whistleblowing group, can be used to publish details of the whole Skipjack/Capstone/Mykotronx/MYK-78/etc. ball of wax as they become available. Whether we can actually be the ones to analyze the chips or not is immaterial: spreading reports that Clipjack is vulnerable will be useful disinformation (reduced confidence, fewer commercial sales, more acceptance of more provably strong software-based alternatives, etc.) -Tim Newsgroups: sci.crypt,alt.privacy.clipper From: tcmay(a)netcom.com (Timothy C. May) Subject: Re: Will SKIPJACK's algorithm get out? (Non-technical) Message-ID: <tcmayCBBJCr.BsK(a)netcom.com> Date: Fri, 6 Aug 1993 03:36:27 GMT Larry Loen (lwloen(a)rchland.vnet.ibm.com) wrote: : Myself, I confidently expect to see Skipjack published in some Eurocrypt : proceedings or other in the next 4 or 5 years, especially if the darn thing : is actually produced in any volumes. There is a decidely : different attitude in W. Europe towards this sort of thing. : It's mostly a question of economics. Will someone, somewhere put out the : bucks to do a "tear down" of the chip and figure out how it works. I could : imagine some crypto company in Europe doing just that and being also motivated : to publish what they find for competitive reasons. . . Some of us plan to do just this: once "Clipjack" phones are finalized and on sale and/or Mykotronx is selling finalized chips, they'll be looked at. I once ran Intel's electron-beam testing lab, so I have some familiarity with looking at chips, including ostensibly tamper-resistant modules. VLSI Technology is fabbing the chips, using a process said to be quite tamper-resistant. We'll see. (While publishing the algorithm may or may not be illegal, there's no reasonable law saying you can't look at something, unless perhaps it's formally classified....will the Clipjack chips have "Top Secret" stamped on them? Somehow I can't quite picture this in phones sold across the country and outside!) (I'm not saying it'll be easy to do this reverse-engineering, mind you. Between mechanical barriers to access (carbide-like particles in the packaging compound to deter grinding), complex-chemistry epoxies to deter plasma- and chemical-decapping, various chip-level countermeasures (storing bits on floating gates, using multiple layers of metal, etc.), the access to the die surface may be very difficult. The "smartcard" chip makers have led the way in devising tamper-resistant chip processes, though their task is quite a bit easier (stopping access to an active chip on an active smartcard, to modify the money amounts) than Clipjack faces (stopping any examination of the chip topology and programming which would reveal the algorithms used) But given enough samples, enough time, and some commitment, the secrets of Clipjack will fall.) As a "Cypherpunk" (cf. cover of "Wired" #2, "Whole Earth Review" Summer '93, and the current (8-2-93) "Village Voice" cover story), I see no reason not to publish the details. This'll let other folks build phones and other comm systems which spoof or defeat the Clipjack system, especially the disgusting and thoroughly un-American "key escrow" system. Naturally, we'll use our "anonymous remailers" (multiple reroutings of messages, with each node decrypting with its key and passing on what's left to the next chosen node....diffusion and confusion, a la Chaum's 1981 "CACM" paper on "digital mixes") to protect ourselves. No sense taking chances that the Feds will view our "liberation" efforts with disfavor and hit us with charges they devise (violations of Munitions Act, RICO, sedition, etc.). This is how some of our members were able to "liberate" secret Mykotoxin documents from the dumpsters of Mykotoxin (something the Supremes have said is OK for law enforcement to do, by the way) and post them anonymously to our mailing list (I believe these docs were then posted to alt.whistleblowers, but they were only _mentioned_ on sci.crypt, not actually posted). I expect at least _three_ separate groups are preparing to break the Clipjack algorithm, at least as embodied in the Clipper/Skipjack chips that come on the market. Breaking the system also allows independent observers to see if it does in fact contain deliberate weaknesses (though the focus on "weaknesses" is secondary to the basic issue of "key escrow" as a concept--it is key escrow, especially mandatory key escrow, that is the real issue. (Mandatory key escrow is not yet part of law, to be fair, but still "in the wind"...we won't really know for a few more years whether the "voluntary" key escrow system will become mandatory) It'll also be interesting to see how Clipjack phone customers react to the revelations of the algorithms. Crypto anarchy means never having to say you're sorry. Yours in the struggle, -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay(a)netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it.

1 0