One Writer's Experience With Pgp (was Re: [ILN] INTERNET LAWNEWS - NOVEMBER 26, 1999)
At 8:16 AM -0500 11/26/99, Michael Geist wrote: ONE WRITER'S EXPERIENCE WITH PGP The Washington Post runs an interesting column on the limited usage of PGP and other encryption programs. http://www.washingtonpost.com/wp-srv/business/feed/a48453-1999nov26.htm Internet Law News is compiled weekdays by Professor Michael Geist of the University of Ottawa Law School. During this startup period, permission is granted to freely distribute this issue in its entirety to colleagues, students, friends or other interested parties. To subscribe to this free service, send an email to [EMAIL PROTECTED] with the message "subscribe netlaw". Please send any comments or suggestions for future issues to Michael Geist at [EMAIL PROTECTED] or visit his Web site at http://www.lawbytes.com. - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Marked cash in Lucre
--- begin forwarded text Date: 21 Nov 1999 22:20:08 - To: [EMAIL PROTECTED] From: lcs Mixmaster Remailer [EMAIL PROTECTED] Subject: Marked cash in Lucre Sender: [EMAIL PROTECTED] Earlier this year there was discussion of David Wagner's blinding as a way of creating electronic cash that would not be covered by existing patents. See the archives at http://privacy.nb.ca/cryptography/archives/coderpunks/new/1999-03/ for the threads "Anonymous cash via blinded authentication" and "Getting around Chaum's patent". David Wagner's original posting is at http://www.deja.com/getdoc.xp?AN=145097228. This algorithm has been implemented by Ben Laurie in his Lucre package, info at http://anoncvs.aldigital.co.uk/lucre/. There have been rumors that Lucre might serve as the foundation for an actual field trial of electronic cash. The idea is that the bank "signs" a number by raising it to a secret exponent k, modulo a strong prime p. The bank can then recognize a signed pair y, y^k by raising the first one to the k power. The y values have some internal redundancy, like the right half is the hash of the left half. To blind, David Wagner suggested the bank also publish a generator g and a value g^k, similar to what is done in Diffie Hellman exchanges. The client then chooses a random blinding factor r and calculates y * g^r, which he sends to the bank. The bank raises this to the k power (a power unknown to the client), producing y^k * g^rk. The client is able to calculate g^rk by taking the published g^k value to the r power. (g^k)^r = g^kr = g^rk. He can therefore divide this out and be left with y^k, a properly "signed" value. This is what is implemented in Lucre. However, there is a flaw. During the discussion earlier this year, it was pointed out that Chaum had proposed a similar algorithm for another purpose, blind undeniable signatures. Instead of blinding by multiplying by g^r, he blinded by raising to a random power. Unblinding was then done by raising to the inverse power. This worked OK for Chaum, but in the Coderpunks discussion it was pointed out that it would allow the bank to "mark" the cash. It could misbehave during the transaction and raise the blinded y value to a power k' instead of k. This cannot be detected by the client since there is no public key to verify the "signature" against (which is why these are not technically signatures). Then when the coin is deposited after unblinding, the bank can recognize that it was the same coin which was marked with the special k' power. It was suggested at the time that David Wagner's blinding was immune to this marking attack. However recently it has been learned that this is not true; the bank can mark cash using Wagner blinding as well. The current Lucre implementation would be vulnerable. During withdrawal, the user submits y * g^r. The bank, to mark the cash, raises it to the k' power rather than the k power. The creates y^k' * g^rk'. The user unsuspectingly unblinds by calculating g^kr and dividing it, leaving y^k' * g^(r(k'-k)). This is what is later submitted to the bank, along with y. The bank, at this point, knows y, k, k', g, and the product above. It does not know r. It can calculate y^k' and divide to get g^(r(k'-k)). It can raise to the inverse power of (k'-k) to get g^r. Now it can multiply by y to get y * g^r. This is the same value which was submitted to be signed in the first place. By keeping a record of the values which were signed using the special k' exponent, the bank can look back and see which one this one is, thereby linking the deposit to the withdrawal, which is exactly what blinding is supposed to prevent. Hence the current Lucre implementation cannot be viewed as safe. It appears that there is a simple fix, but other people should look at it to be sure. The flaw in the existing implementation was not discovered for months, presumably because no one looked closely at it. The fix is simple but it would add confidence for more people to study it. The proposed fix is to combine the two forms of blinding, Wagner's and Chaum's. Choose two random blinding factors, r and s, and blind by calculating y^s * g^r. This is sent to the bank which returns (if it is not cheating) y^sk * g^rk. As in Wagner's blinding, the user can calculating g^rk and divide out, to leave y^sk. As in Chaum's blinding, the user can then raise to the 1/s power to leave y^k. Hence the blinding is easily removed. If the bank cheats by raising to the k' power, the user gets y^sk' * g^rk'. He divides by g^rk to get y^sk' * g^((k'-k)r). He then raises to the 1/s power to get y^k' * g^((k'-k)r/s). This is what he gives to the bank at deposit time, along with y. The bank can calculate and divide off y^k', and raise to the inverse (k'-k) power as before, leaving g^(r/s). However at this point it appears to be stopped. There seems to be no way to correlate this value to the y^s * g^r that it saw at blinding time. If it
DCSB: Pat Cain; Trustable Internet Time and Digital Commerce
--- begin forwarded text Date: Tue, 16 Nov 1999 10:46:23 -0500 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: DCSB: Pat Cain; Trustable Internet Time and Digital Commerce Cc: Muni Savyon [EMAIL PROTECTED], Elias Israel [EMAIL PROTECTED], Suzan Dionne [EMAIL PROTECTED], Rodney Thayer [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Robert Hettinga [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- The Digital Commerce Society of Boston Presents Pat Cain, GTE Internetworking Does anybody know what time it is? (And can prove it?) Tuesday, December 7th, 1999 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA As more and more things become internet-enhanced, the ability to note when a certain event happened is based upon the timestamp generated from a computer. In most cases the computer's concept of time was retrieved from a trusted server using the internet Network Time Protocol (NTP). This talk will show some examples where trustable time is beneficial and problematic, followed by a quick overview of the NTP protocol and the assurance enhancements proposed as part of the IETF Secure Time WG. The talk will conclude with an unsolved problems discussion. Pat Cain is a principal member of the technical staff, and security advocate, at GTE Internetworking. Mr. Cain provides consulting and guidance to both internal and external clients on the realistic use of security technologies. In Mr. Cain's 18 years at GTE/BBN, he was the lead engineer of the MISSI CAW (a medium-assurance X.509 CA), was the hardware architect of the BBN SafeKeyper, and did numerous cryptographic and network security projects. He currently represents GTEI in ANSI X9F, is a member of the ABA Information Security Committee, and is the co-chair of the IETF's Secure Time working group. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, December 7th, 1999, from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, on One Federal Street. The price for lunch is $35.00. This price includes lunch, room rental, A/V hardware if necessary, and the speakers' lunch. The Harvard Club *does* have dress code: jackets and ties for men (and no sneakers or jeans), and "appropriate business attire" (whatever that means), for women. Fair warning: since we purchase these luncheons in advance, we will be unable to refund the price of your lunch if the Club finds you in violation of the dress code. We need to receive a company check, or money order, (or, if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, December 4th, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston", in the amount of $35.00. Please include your e-mail address so that we can send you a confirmation If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Upcoming speakers for DCSB are: JanuaryElias Israel The Libertarians and Digital Commerce February Suzan Dionne The Law of Digital Cash TBARodney Thayer Cryptographic Transnationality We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you are a principal in digital commerce, and would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga, mailto: [EMAIL PROTECTED]. For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . We look forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -BEGIN PGP SIGNATURE- Version: PGP Personal Privacy 6.5.1 iQEVAwUBODF71sUCGwxmWcHhAQFeDggAr6gRg9qTOBlsmkkNme2Rg9vJP5XNN590 ZJis8STSH+PU7aFirmQPFFvH/OoWznfWOadqWCIRvp+M3rRCuSjD53Hqx8MHaA6Z sBsYnRxiVJQM2a8qcC8B6M4kcClPSZy8zZSDI7v4q7EK7kR8jCH5Mfg4i5xQeByC ISwgEXZv/BDEhBeb6aIkemTPEPMbTjM32iLp2qTtgK4Q1s8fW35AqrhZSiqn+KNG bRxVE+h0/LpcSkufwwsXIeUYSW6tsKm3kQjUARzsHDbuTP5YaV+oRGpmni0ZM10D Ufz+g9Kqen3Rs+KS2YhU7s9aHkql+lDquQf92WpCsrzTmcQ0n07OyQ== =vGIv -END PGP SIGNATURE- - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.
WSJ: Crypto Regs begin circulating today (was Re: INTERNET LAWNEWS - NOVEMBER 15, 1999)
At 9:20 AM -0500 on 11/15/99, Michael Geist wrote: CONCERN OVER CRYPTO REGS Concern continues to grow over the Clinton administration's forthcoming crypto export regs. A new draft may be circulated internally as soon as today, reports the WSJ. http://interactive.wsj.com/articles/SB942621233614972446.htm Internet Law News is compiled weekdays by Professor Michael Geist of the University of Ottawa Law School. During this startup period, permission is granted to freely distribute this issue in its entirety to colleagues, students, friends or other interested parties. To subscribe to this free service, send an email to [EMAIL PROTECTED] with the message "subscribe net news". Please send any comments or suggestions for future issues to Michael Geist at [EMAIL PROTECTED] or visit his Web site at http://www.lawbytes.com. - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
WPI Crypto Seminar: A High-Speed FPGA Implementation of Serpent
--- begin forwarded text Date: Thu, 11 Nov 1999 09:21:41 -0500 (EST) From: Christof Paar [EMAIL PROTECTED] To: WPI Crypto Seminar: ; Subject: WPI Crypto Seminar, Monday, Nov 15 Sender: [EMAIL PROTECTED] Reply-To: Christof Paar [EMAIL PROTECTED] WPI Cryptography Seminar A High-Speed FPGA Implementation of Serpent Adam Elbirt WPI Monday, November 15 4:30 pm, AK 218 (refreshments at 4:15 pm) With the expiration of the Data Encryption Standard (DES) in 1998, the Advanced Encryption Standard (AES) development process is well underway. It is hoped that the result of the AES process will be the specification of a new non-classified encryption algorithm that will have the global acceptance achieved by DES as well as the capability of long-term protection of sensitive information. The technical analysis used in determining which of the potential AES candidates will be selected as the Advanced Encryption Algorithm includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms as they provide cryptographic algorithm agility, physical security, and potentially much higher performance than software solutions. This contribution investigates the significance of an FPGA implementation of Serpent, one of the AES candidate algorithms. Multiple architecture options of the Serpent algorithm will be explored with a strong focus being placed on a high speed implementation within an FPGA, in order to support security for current and future high bandwidth applications. One of the main findings is that Serpent can be implemented with encryption rates beyond 4 Gbit/s on current commercially available FPGAs. DIRECTIONS: The WPI Cryptoseminar is being held in the Atwater Kent building on the WPI campus. The Atwater Kent building is at the intersection of the extension of West Street (labeled "Private Way) and Salisbury Street. Directions to the campus can be found at http://www.wpi.edu/About/Visitors/directions.html ATTENDANCE: The seminar is open to everyone and free of charge. Simply send me a brief email if you plan to attend. TALKS IN THE FALL '99 SEMESTER: 10/4 Berk Sunar, SITI Comparison of Elliptic Curve Implementations 10/18 Jim Goodman, MIT Energy Scalable Reconfigurable Cryptographic Hardware for Portable Applications 10/28 Brendon Chetwynd, WPI/Raytheon Towards an Universal Block Cipher Module 11/15 Adam Elbirt, WPI A High-Speed FPGA Implementation of Serpent 12/6 Richard Stanley, GTE Labs Using Cryptography to Combat Wireless Fraud -- A Case Study See http://www.ece.WPI.EDU/Research/crypt/seminar/index.html for talk abstracts. MAILING LIST: If you want to be added to the mailing list and receive talk announcements together with abstracts, please send me a short mail. Likewise, if you want to be removed from the list, just send me a short mail. Regards, Christof Paar ! WORKSHOP ON CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS (CHES 2000)! ! WPI, August 17 18, 2000! ! http://www.ece.wpi.edu/Research/crypt/ches! *** Christof Paar, Assistant Professor Cryptography and Information Security (CRIS) Group ECE Dept., WPI, 100 Institute Rd., Worcester, MA 01609, USA fon: (508) 831 5061email: [EMAIL PROTECTED] fax: (508) 831 5491www: http://ee.wpi.edu/People/faculty/cxp.html *** For help on using this list (especially unsubscribing), send a message to "[EMAIL PROTECTED]" with one line of text: "help". --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Truth About Encryption (Re: NewsScan Daily, 5 November 1999(Above The Fold))
At 9:32 AM -0700 on 11/5/99, NewsScan wrote: THE TRUTH ABOUT ENCRYPTION Cambridge University cryptography expert Ross Anderson says governments' efforts to keep encryption technology out of the hands of criminals and terrorists is misguided: "If I were to hold a three-hour encrypted conversation with someone in the Medellin drug cartel, it would be a dead giveaway. In routine monitoring, GCHQ (Britain's signals intelligence service) would pick up the fact that there was encrypted traffic and would instantly mark down my phone as being suspect. Quite possibly the police would then send in the burglars to put microphones in all over my house. In circumstances like this, encryption does not increase your security. It immediately and rapidly decreases it. You are mad to use encryption if you are a villain." (New Scientist 6 Nov 99) http://www.newscientist.com/ns/19991106/confidenti.html - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Call for papers, Malicious Information Technology (was Re: RisksDigest 20.64)
At 8:17 AM -0800 on 11/4/99, [EMAIL PROTECTED] wrote: Date: Fri, 22 Oct 1999 15:51:57 -0400 From: "Jeffrey M. Voas" [EMAIL PROTECTED] Subject: Call for papers, Malicious Information Technology Co-Authored: Software Assessment: Reliability, Safety, and Testability (Wiley, 1995) http://www.rstcorp.com/books/sa Software Fault Injection: Inoculating Programs Against Errors (Wiley, 1998) http://www.rstcorp.com/books/sfi Videos: Developing Software for Safety Critical Systems (IEEE, 1998) http://www.rstcorp.com/videos/safety_critical.html Software Testing: Building Infrastructure, Due Dilligence, and OO Software (IEEE, 1999) http://www.rstcorp.com/videos/software_testing.html IEEE Software Call for Articles Reviewers Malicious Information Technology: The Software vs. The People Publication: Sept./Oct. 2000 Software was intended to improve the quality of human life by doing tasks more quickly, reliably, and efficiently. But today, a "software vs. people" showdown appears eminent. Software is increasingly becoming a threat to people, organizations, and nations. For example, the spread of the Melissa virus illustrates the ease with which systems can be penetrated and the ubiquity of the consequences; the Melissa virus caused many companies to shut down their EMail systems for days or even weeks. The origin of these threats stems from a variety of problems. One problem is negligent development practices that lead to defective software. Security vulnerabilities that occur as a result of negligent development practices (e.g., commercial Web browsers allowing unauthorized individuals to access confidential data) are likely to be discovered by rogue individuals with malicious intentions. Other security vulnerabilities are deliberately programmed into software (e.g., logic bombs, Trojan Horses, and Easter eggs). Regardless of the reason why information systems are vulnerable, the end result can be disastrous and widespread. Because of the increased danger that malicious software now poses, we seek original articles on the following specific issues: + Intrusion detection + Information survivability + Federal critical infrastructure protection plans + Federal laws prohibiting encryption exports vs. US corporations + State-of-the-practice in security testing + The Internet's "hacker underground" + Corporate information insurance + Penalties for those convicted of creating viruses + Case studies in information security and survivability Submissions due: 1 April 2000 Guest Editors: Nancy MeadJeffrey Voas Carnie Mellon University Reliable Software Technologies [EMAIL PROTECTED] [EMAIL PROTECTED] Authors: Submit one electronic copy in RTF interchange or MS-Word format and one PostScript or PDF version to the magazine assistant at [EMAIL PROTECTED] Articles must not exceed 5,400 words including tables and figures, which count for 200 words each. For detailed author guidelines, see www.computer.org/software/edguide.htm. Reviewers: Please e-mail your contact information and areas of interest to a guest editor. Jeffrey M. Voas, Co-Founder, Reliable Software Technologies, Suite 400, 21351 Ridgetop Circle, Dulles, VA 20166 USA, [EMAIL PROTECTED], Phone: 703.404.9293, Fax: 703.404.9295 - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Here's Wot's the scuttlebut
-BEGIN PGP SIGNED MESSAGE- At 8:58 AM -0400 on 11/9/99, Ian Grigg wrote, on the egold list, re yesterday's IETF micropay BOF: Wot's the scuttlebut? IBM and ATT both have counter-cash book-entry credit-card/telephone billing accumulators, which, apparently, look a lot alike structurally, and are both patented and/or PAF. That should be fun. Compaq (nee DEC) has merchant-issued (to absolutely, positively, prevent double-spending) bearer scrip, capable of, um, millicents. Also patented. The W3C is building (or has built, depending on who you listen to) pay-per-click XML. Probably not patented. IBUC large intake of breath will pay -- or hopes to pay -- some clueful IETFer to build a public-domain (spec and reference code), millidollar and smaller, fully-fungible, unsigned, internet bearer transaction system using a generally accepted, and preferrably unencumbered, bearer financial cryptography protocol. Little money first, bigger money soon, biggest money later. All of the above folks would dearly love an IETF-approved(whatever) internet-level spec: Something which moves payments, preferrably micro ones, from Alice to Bob on the net regardless of the payment protocol, as long as it doesn't descriminate according to a whole set of variables we all don't have definitions for yet, including what, exactly, a micropayment is. The room was too small and too full, which was, at least, gratifying. Everyone who was there *really* wants to do micropayments on the net if they can figure out how to do it for, um, money. We've all been *really* trying to figure out how, and for at least 5 years, as far as anyone can tell. Even after all that some of us still think we can, for some reason. :-). So, to be perfectly frank, it appears a bunch of historically-non-IETFers (every single person speaking, me included, except for J[...] I[...] :-) of ATT, who quite fortunately got shoehorned into the agenda at the last minute, had never been to IETF before; including, apparently, the BOF's substitute chairman, flown in from Isreal by IBM for the occasion at the late minute), called a meeting to get the IETF to Do Something, which is not generally a good way to get IETF folks to do anything. Lots of people observed lots of things, but the observation I remember most came from Jon Callas: Maybe IETF folk will be motivated to write a standard, but first there has to be enough running code for there to be a rough consensus. Or something. My personal opinion is, cool, let's go buy/build some running code and make it all go, because we're burning daylight, and we have nothing to lose but our transfer-priced information goods and services. Finally, and maybe most important, Fearghas McKay has set up a list for - --IETF-- folks to talk about getting an --IETF-- micropay working-group[s] together (or not), and then getting [a] spec[s], etc., together, (or not), called, appropriately enough, [EMAIL PROTECTED]. It can be subscribed to (I hope I got this right) here: mailto: [EMAIL PROTECTED]. See you all there. Cheers, RAH -BEGIN PGP SIGNATURE- Version: PGP Personal Privacy 6.5.1 iQEVAwUBOChR58UCGwxmWcHhAQHUlQgApMPfFzUxiJHM4WRmSHFYfiJSCjK3b/VU XQIirf3/LVDkG5K7V9NK+u4bn4P+jiB7ohaKbbXsn9JyCQQVFDKrsKVUWWdbp7J7 o/gTS3xFm2WKkrM1vQgJMwG646Y39rduAzA3LbyoO9tEAVAyT6HA3XXUIuhjTMB2 csrD0CgzXCcHuEv36aBdNmuDwoYbdM/OQjtRHHaT4P/bl+kIJo0JHKJcxSzudcLa E9ry7Ib0RjKRcIPESQn+L92L5hhOkFzpaSge0knZ5rDg2C/QrjLKSTro2jF3f6oI w3gVin9h+c/bZoc49FdDRVFdGNlJzaBzxmGcoVIYllfeZOXmQHjSqQ== =fTa3 -END PGP SIGNATURE- - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "Camels, fleas, and princes exist everywhere." -- Persian proverb
Cypherpunks Final Exam
[I would not normally forward this along -- it isn't, by my lights, interesting enough. However, the vision of #11 is so astounding to me (even though I suppose it shouldn't be) that I felt I had to pass the whole thing along so that it would be in context. --Perry] --- begin forwarded text Date: Sat, 6 Nov 1999 13:20:02 -0800 (PST) To: [EMAIL PROTECTED] From: BPM Mixmaster Remailer [EMAIL PROTECTED] Subject: Cypherpunks Final Exam Sender: [EMAIL PROTECTED] Reply-To: BPM Mixmaster Remailer [EMAIL PROTECTED] This is from http://www.skyhunter.com/marcs/finalexam.html, by Marc Stiegler, sci-fi author and a pretty smart guy. Should be a required test for those who want to call themselves cypherpunks. -- This is a slightly modified version of the Final Exam I recently gave to a class of college students taking a special advanced course on The Future Of Computing. A number of friends to whom I showed it suggested that it might be a good Final Exam for people considering passing thousands of new laws and regulations, to make sure that the Web is "safe", and to eliminate the "Wild West nature" of the Web. If you can answer all these questions, you probably know why thousands of new laws are not the right way to make the Web "safe". Final Exam A new version of the Web springs to life with the following enhanced capabilities: Unforgeable pseudonymous identities Bidirectional, typed, filterable links Arbitrage agents Bonding agents Escrow agents Digital Cash Capability Based Security with Strong Encryption Pick any 5 of the essay questions below. Identify which advanced features listed above are needed to solve each problem, and explain how those features would work together. Note: I doubt that anyone will choose Question 11 as one of their 5 questions to answer, because it requires a far more extensive answer than the others. But...if you can answer Question 11 in your own mind, even though you choose not to write up that answer for this examination, then a most remarkable thing will happen: you will walk out of this class with something profoundly worth knowing. 1) Searching for a decision analysis tool on the Web, you find a review in which the reviewer raves about a particular product. You buy the product and discover it just doesn't work. You desire to prevent this person's ravings from harming anyone else--and you desire to prevent the product from disappointing anyone else. 2) A product you buy based on a rave review opens your email address book, grabs your entire list of friends, sends itself to them, and sends your password files to a mysterious IP address. It's too late now, but which features would you install before ever touching your computer again? 3) A product is advertised on the Web. It sounds good, but the offerer has no Web reputation. What arrangement would you consider adequate to go ahead and procure the product (Note: there are several possible answers; give 2 entirely separate solutions, and that is considered answering 2 questions). 4) You start receiving thousands of emails from organizations you don't know, all hawking their wares. You want it to stop, just stop! 5) You wish to play poker with your friends. They live in Tampa Florida, you live in Kingman. This is illegal in the nation where you happen to be a citizen. You want to do it anyway. 6) You hear a joke that someone, somewhere, would probably find offensive. You wish to tell your precocious 17-year-old daughter, who is a student at Yale. The Common Decency Act Version 2 has just passed; it is a $100,000 offense to send such material electronically to a minor. You want to send it anyway--it is a very funny joke. 7) Someone claiming to be you starts roaming the Web making wild claims. You want to make sure people know it isn't really you. 8) You have brought out a remarkable new product. There is a competing product making claims you know are false. You want to make sure anyone going to their site finds out your product is better. 9) Your elderly aunt sees a drug advertised on the Web that promises relief from arthritis. She dies shortly after starting to take the drug. You think the drug, and the company that made it, is at fault. Meanwhile the company is sure they didn't have anything to do with it. You want justice. 10) You are the CEO of Bloomberg News, one of the most prestigious (and expensive) stock information services in the world. An article circulates on the Web, based on a mock-up of the Bloomberg News information page, claiming that PairGain Corp. will be acquired by ECI Telecom. PairGain stock rises 32% in 8 hours. Investigators later find that the false report was created by a PairGain employee about to cash in his options. You want to ensure that your brand is never used like this again. 11) You live in North Korea. Three days ago the soldiers
Re: Encryption Expert Witness Wanted
At 9:19 AM -0600 on 11/5/99, Kennedy, Linda wrote: Preferably an academic type in Chicago or a suburb thereof. Will also consider industry types, especially if local to Chicago. You want Schneier. He lives in Minneapolis. That's a suburb of Chicago. ;-). Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
news (I guess...)
--- begin forwarded text From: "DONALD" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: news Date: Sun, 7 Nov 1999 07:25:52 -0700 see http://www.killen.com/tvwww.killen.com/tv for the interview..messagingdirect also see... http://www.messagingdirect.com/press/killenprofile.pdfhttp://www.mes sagingdirect.com/press/killenprofile.pdf InternetNews.com Fall ISPCON Live! -- -- MessagingDirect, Sendmail Partner to Produce Secure Mail Platform By Patricia Fusco InternetNews.com Assistant Editor October 27, 1999 [San Jose] MessagingDirect, Ltd. and Sendmail, Inc. have partnered to design a secure environment for companies' e-business efforts by integrating Sendmails Internet Mail platform with MessagingDirect's M-Mail messaging and M-Vault directory. As a part of the deal, Sendmail will resell MessagingDirect's M-Secure and M-Bill, electronic billing and payment application software to ISPs that may in turn, offer the enhanced e-mail services to businesses looking for a secure way to bill and communicate with clients online. M-Secure is an e-mail pipeline for creating, sending and receiving digitally signed and encrypted documents that can authenticate valid users of the service, anywhere in the world. M-Bill is an electronic bill delivery and payment application that can store more than 50 million bills and deliver up to 500 e-mails per second. The program virtually eliminates the need for paper billing systems because the commerce class application meets tough non-repudiation billing standards. Greg Olson, Sendmail, Inc. chief executive officer, said the partnership evolved when the company determined that in 5 to 10 years, most of paper mail commerce will move to e-mail. Olson said the development makes for fantastic opportunities for ISPs to enhance their e-mail services, today. "By working with technology partners to support a single Internet Mail platform, Sendmail will provide customers with more applications that use Internet Mail to reduce costs, increase productivity and build more profitable customer relationships," Olson said. "MessagingDirects e-business applications and services provide our customers with a secure and cost-effective means for communicating on the Internet." According to Jupiter Communications (JPTR), Sendmail powers more than 75 percent of the Internet mail servers and 80 percent of the Fortune 100 e-mail interfaces for the public Internet. Sendmails market dominance is due to founder Eric Allmans passion for open standards computing that motivated him to first offering Sendmail for free, and the fact that ISP technicians find Sendmails programming exceptionally user friendly. ISPs will find Sendmails same familiar, easy to use, standards-based system has been put to work to offer MessagingDirects M-Secure and M-Bill Applications. Olson said ISPs looking to enhance their profits would recognize that its a good time for them to consider carrier class e-mail as part of their value-added services for e-commerce enterprises." "Now is a great time for ISPs and ASPs to get into the e-commerce e-mail market," Olson said. "Today, $400 billion is being spent on direct marketing mail, order processing, bill and distribution payment and account systems. Its the biggest part of a $700 billion industry that is easy for ISPs to tap into and deploy." Don Pare, MessagingDirect Ltd. chief executive officer, said constructing the foundation for commerce class, managed end-to-end e-mail system was no small feat. "To put a bill in your in-box electronically, we had to make 3.5 million lines of code easy for ISPs to deploy. Then we had to seamlessly deliver the secure messages to an authenticated client for pennies per delivery, in order to entice businesses" Pare said. Pare added that partnering with the master of e-mail delivery systems was the best way to make sure a standards-based approach was utilized. "By partnering with Sendmail, we believe that our Internet Mail services and applications will meet the requirements of doing e-business on the Internet, now and in the future," Pare said. "Our standards-based approach to development will provide out customers with the functionality, transactional reliability and the security critical to do e-business commerce on the Internet." The Sendmail, MessagingDirect partnership secure mail applications have already produced a price breakthrough for delivering secure messaging over the Internet. In the near future, the two companies plan to further develop e-mail applications operating off from the same robust Sendmail platform to offer content management, unified messaging and certified e-mail delivery. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may
Must-read capabilities paper
--- begin forwarded text Date: Sun, 31 Oct 1999 16:29:20 -0800 From: Lucky Green [EMAIL PROTECTED] Old-Subject: Must-read capabilities paper To: "cypherpunks@Algebra. COM" [EMAIL PROTECTED] Subject: Must-read capabilities paper Sender: [EMAIL PROTECTED] Reply-To: Lucky Green [EMAIL PROTECTED] This is probably the most significant and insightful CS paper I have read in years. The paper didn't actually teach me something fundamentally new, having paid close attention to capabilities ever since a fateful Cypherpunks meeting at Stanford a few years back, but I have never seen such synthesis between so many seemingly disjoint important topics. From OS design to PKI, this paper touches on it all. What impressed me about this paper is that it made me think in new ways about stuff I already well understood. http://www.erights.org/elib/capability/ode/index.html --Lucky Green [EMAIL PROTECTED] "Among the many misdeeds of British rule in India, history will look upon the Act depriving a whole nation of arms as the blackest." - Mohandas K. Gandhi, An Autobiography, pg 446 http://www.citizensofamerica.org/missing.ram --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Lie in X.509, Go to Jail, Pt. III (Was Re: Edupage, 29 October1999)
At 1:55 PM -0600 on 10/29/99, EDUCAUSE wrote: ACTIVISTS DECRY BILLS ON 'DIGITAL SIGNATURE' Consumer groups are up in arms over two bills in Congress, the Millennium Digital Commerce Act and the Electronic Signatures in Global and National Commerce Act, that would give digital signatures equal legal footing with traditional signatures. The bills, one in the House and one in the Senate, undermine the effectiveness of state consumer-protection laws and do not provide the same consumer protections as those given to traditional paper records. The Senate bill leaves out key state and federal consumer protections and interferes "with a state's rights to protect its own consumers, without imposing any protections against misuse, mistake, or fraud," says a letter from the National Consumer Law Center. The White House has soured on the Senate bill due to the effect it will have on consumer protections and regulations, while Commerce Department General Counsel Andrew J. Pincus says both the House and Senate versions would have a devastating effect on state and federal consumer protections. "Unscrupulous people" will be able to use the bills to their advantage by preying on online consumers, leading to a loss of consumer confidence in the Internet, predicts Pincus. (Washington Post 10/29/99) - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)
--- begin forwarded text From: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] cc: [EMAIL PROTECTED] Date: Thu, 28 Oct 1999 13:20:08 +0300 Subject: Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC) Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Reminder: the Micro Payments BOF at the next IETF (in Wahington DC) will occur on Monday, Nov. 8th, at 1530-1730. Enclosed are the current agenda (subject to change - proposals welcome) and description. Notice that at least we (IBM) plan to describe in details our payment messages, to facilitate interoperable implementations and to serve as potential basis for a standard. Unfortunately, I found out I'll not be able to go to the IETF as I must be in another place. I'm exteremly disappointed and very sorry; I was looking forward to this event and to meet many of you in face to face. In coordination with the area director, Ilan Zisser (cc:ed) will chair the BOF instead of me. Ilan Zisser is IBM Micro Payments product manager, and while less of you know him, he is probably a better person to present our stuff anyway as he is the one doing the implementation -and also since I think he is better in explaining things. Also I'm sure he will chair the session fairly. Please excuse cross posting - and forward to relevant persons and groups. Thanks! Agenda: 15:30-15;40: Welcome and review of agenda - Ilan Zisser 15:40-15:50 Report on the W3C Micropayments Markup spec -Thierry Michell, W3C 16:00-16:40 Release 1.3 of IBM Micro Payments implementation of the W3C Micropayments Markup spec, and our goals for the standard - Ilan Zisser, IBM 16:40-16:50 Mark Manasse (Compaq): what we're (MilliCent) hoping for in a standard 16:50-16:55 Bob Hettinga on `IBUC's intent to fund open-source reference software (wallet/registerware and underwriting server) for bearer millidollar transactions conforming to an open standard. Which probably means this standard, if...` (there's always an if in these thing isn't there :-) - A.H.) 16:55-17:10 reserved for additional brief presentations on implementations and positions on the standard 17:10-17:25 Discussion - should IETF form a WG to define a (micro) payment standard? If so what should be the charter/goals? Should we simply define an open standard for interoperating with IBM Micro Payments (rather than pre-define that this is `the` micropayments standard - allow for competing proposals to be standardized as well and see what people will adopt), or should we compare different approaches and designs (are such available in open form)? 17:25-17:30 Summary by Ilan Zisser and/or area director. Description - Micro Payments BOF (micropay): The Internet is quickly becoming the prefered method of delivery for information and on-line services. The growth of this industry is resticted by the limited availability of secure online payment mechanisms, especially for small amounts. Micropayments are designed to allow charging of small amounts, where the minimal fees of credit-card payments are unacceptable. There have been, and still are, many attempts at providing a micropayments solution, however so far none of them was successful, and in particular none of the deployed systems seems to be able to reach critical mass of buyers and sellers. Furthermore, even if one or more of these systems gain popularity, the lack of standardization may slow down their availability. In this BOF we'll review some recent micropayment markup standardization spec from the W3C, and discuss whether the IETF should attempt to contribute standards in this area - i.e. should we create a micropayments WG (and if so what would its charter and goals be). Best Regards, Amir Herzberg Manager, E-Business and Security Technologies IBM Research Lab in Haifa (Tel Aviv Office) http://www.hrl.il.ibm.com New e-mail: [EMAIL PROTECTED] New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
NSA transitioning to commercial services model
The NSA continues to discover that financial cryptography is the only cryptography that matters. As Whit Diffie has said in the same vein, "InfoWar", whatever *that* means, will be "fought" between businesses and private individuals, and not governments. There's little that government crypto/security agencies can do to assist entities in those conflicts, any more than post-feudal religion could help much in conflicts between secular nation-states. So, in keeping with the spirit of the following article, I propose that the US Government should follow their apparent instincts here, privatize the NSA, and take it, heh..., public. Cheers, RAH It's going to happen anyway, of course... --- begin forwarded text Mailing-List: contact [EMAIL PROTECTED] From: "Dan S" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Fri, 22 Oct 1999 07:59:31 -0400 Subject: IP: Super-secret NSA transitioning to commercial services model From http://www.fcw.com/pubs/fcw/1999/1018/web-nsa-10-21-99.html - OCTOBER 21, 1999 . . . 11:29 EDT Super-secret NSA transitioning to commercial services model BY DIANE FRANK ([EMAIL PROTECTED]) The National Security Agency, the enigmatic signals intelligence arm of the Defense Department, is breaking away from its traditional role of building "black boxes" for encrypting highly classified information in favor of offering security and certification services similar to those in commercial industry. Mike Jacobs, deputy director of information systems at NSA, said that while the agency "will always have a traditional portion of our business building 'black boxes' . . . we are an organization in transition." The agency increasingly is offering security assessment, testing, red teams and diagnostics services to other Defense and civilian agencies, Jacobs said Wednesday at the National Information Systems Security Conference. "This is the growth area [and a] burgeoning new business," he said. Rather than doing all the testing and validation of its own products for itself, NSA will be relying on the National Information Assurance Partnership (NIAP), a joint validation effort between NSA and the National Institute of Standards and Technology. In the past, NSA endorsed security products and procedures, and encouraged their use by assuring members of the Defense and intelligence community that such products would be "bulletproof" solutions, said Lou Giles, a member of the NIAP from NSA. Now, instead of products receiving NSA's endorsement, agencies will have to bring their protection profiles -- the description of their information environment and security needs -- to NSA, which will then certify that process as one that meets certain NSA-approved security standards. NSA also will evaluate and certify proposals from vendors. "The customer still wants that NSA endorsement, Giles said. "But this is a new philosophical paradigm of evaluation for commercial products that we're moving to." -- Dan S - To subscribe, send email to: [EMAIL PROTECTED] To unsubsubscribe, send email to: [EMAIL PROTECTED] --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Digital Contracts: Lie in X.509, Go to Jail
At 10:24 PM -0400 on 10/19/99, Dan Geer wrote: What is it about wanting to change the instantaneous electronic world that generates this sort of time paper hazing ritual? The lack of bearer microcash? :-). Once again, the cobbler's children have no shoes... Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: [FP] California inaugurates digital signatures - cnn.com
"Lie in X.509, Go to Jail", pt. 2 Cheers, RAH --- begin forwarded text From: [EMAIL PROTECTED] Date: Tue, 19 Oct 1999 20:58:00 -0500 To: [EMAIL PROTECTED] Subject: IP: [FP] California inaugurates digital signatures - cnn.com FORWARDED: -- From: "ScanThisNews" [EMAIL PROTECTED] Subject: [FP] California inaugurates digital signatures - cnn.com Date: Tue, 19 Oct 1999 20:06:03 -0500 SCAN THIS NEWS 10/19/99 [forwarded article] California inaugurates digital signatures www.cnn.com http://cnn.com/TECH/computing/9910/19/california.digital.idg/index.html October 19, 1999 by Dan Caterinicchia (IDG) -- Yesterday California officially authorized Verisign Inc. to begin issuing digital signature certificates to secure communications between state agencies and between the state and its citizens, ushering in a new era of electronic services delivery. Bill Jones, California's secretary of state, marked the occasion by digitally "signing" the authorization certificate for the company, making it the first such transaction since the state passed a law that spelled out the requirements for legally binding digital signatures. "We're bringing in the private sector to help us to create the opportunity for the public to access [government] services more quickly," Jones said. "Our goal is to deliver something that's easily accessible but doesn't add to the layers of government." Digital signatures are seen as a vital component of Internet-based commerce because they authenticate the identities of the parties involved in a transaction. Verisign, based in Mountain View, Calif., was the first to satisfy California's digital signature requirements. Jones said his department is interested in using digital signatures to enable residents to cast votes over the Internet. Other agencies have expressed a desire to use the tool to secure business filings and similar transactions, he said. Stratton Sclavos, Verisign's president and chief executive officer, said that for all the Internet has done to change the commerce landscape domestically and abroad, so far it has missed the "citizen-government relationship." He added that digital signature certification and the host of services it affects will exact a "fundamental change in the way citizens are going to interact with [state and local] government." Verisign is working on similar digital signature projects in Oregon, New Jersey, Utah and Washington, Sclavos said. === Don't believe anything you read on the Net unless: 1) you can confirm it with another source, and/or 2) it is consistent with what you already know to be true. === Reply to: [EMAIL PROTECTED] === To subscribe to the free Scan This News newsletter, send a message to mailto:[EMAIL PROTECTED] and type "subscribe scan" in the BODY. Or, to be removed type "unsubscribe scan" in the message BODY. For additional instructions see www.efga.org/about/maillist.html --- "Scan This News" is Sponsored by S.C.A.N. Host of the "FIGHT THE FINGERPRINT!" web page: www.networkusa.org/fingerprint.shtml === --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Digital Contracts: Lie in X.509, Go to Jail
At 10:35 AM -0400 on 10/20/99, Arnold Reinhold wrote: No. The complexity of international distribution agreements and general stupidity are much bigger factors than cash settlement costs. Two of my books are translated into Spanish. The US is the second largest Spanish speaking market in the world. Can I get the Spanish editions distributed here? No way! Fortunately, (the now-)Dr. Brands holds his copyrights, and the book was, apparently, only printed, not published. :-). So, if there were a form of bearer microcash settlement, he could sell the book over the web on a pay-per-pageview basis if he wanted to. I'm sure there are several once and future cypherpunks who, by then, would be in the whatever-to-guilder currency exchange business and would happily oblige. What this does to the publishing business is, in the above example, not particularly Dr. Brands' problem. :-). Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The sound of one shoe, dropping (was Re: IP: Jane's News Briefs)
At 8:51 PM -0500 on 10/19/99, [EMAIL PROTECTED] wrote: FORWARDED: -- From: [EMAIL PROTECTED] Date: Tue, 19 Oct 1999 13:31:59 -0400 (EDT) Subject: Jane's News Briefs ** DEFENCE Website: http://defence.janes.com ** -- Jane's Defence Weekly Read more with images at: http://jdw.janes.com Vol 32 No 16 20 October 1999 -- Canada set to harmonise with US export laws Canada will synchronise its defence export laws with the USA, creating a seamless and formal North American defence sales bloc, under an in-principle agreement that will exempt Canada from US export regulations and provide Canadian companies better access to US contracts. - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Digital Contracts: Lie in X.509, Go to Jail
-BEGIN PGP SIGNED MESSAGE- Aside from noting the vicious hypocrisy of the Clinton administration saying they support the 11th Ammendment, I've also decided that the bill mentioned in the New York Times Story excerpted below, like most current state digital signature legislation, could more properly be called the "Lie on an X.509 'Certificate' and Go to Jail Act of 1999". "Crypto in a crime", indeed. The solution to this madness, is, of course, bearer credentials, as Stephan Brands points out in his recently published doctoral dissertation "Rethinking Public Key Infrastructures and Digital Certificates -- Building in Privacy", now published by Ponsen and Looijen in the Netherlands, ISBN 90-901-3059-4. The resulting book is in very well-written English, it's about 300 pages, and, in it, Brands, the best of his generation of financial cryptographers, completely demolishes, all the way down to the level of cryptographic protocol, most of the received wisdom about "certification" - -- and the current cult-like mystification of identity which underlies it. Even better, Stefan unveils a whole class of bearer-credential cryptographic protocols which get the job done with infinitely more privacy. More important, I'm personally convinced that Brands' bearer credentials are significantly lower in cost than current book-entry methods of "certification", especially after the costs of repudiation and enforcement are taken into account. However, given my current business, my biases on this subject are rather plain here, so don't take my word for it: get the book and see for yourself. Stefan's thesis committee was Ron Rivest, Adi Shamir (yes, the R and S in RSA), and Claus Schnorr (yes, *that* Claus Schnorr). Three men who could be easily said to be the fathers of digital "certification", if its patrimony was ever in dispute. I would highly recommend that *everyone* who's serious in the study of digital commerce -- and I mean legal professionals in particular -- order this book immediately and go read it. It goes without saying that anyone who calls himself a financial cryptographer, much less a cryptographic or digital commerce software engineer, should have this book in his library as well. Cheers, RAH - --- begin forwarded text Date: Tue, 19 Oct 1999 08:20:23 +0200 (CEST) From: Anonymous [EMAIL PROTECTED] Comments: This message did not originate from the Sender address above. It was remailed automatically by anonymizing remailer software. Please report problems or inappropriate use to the remailer administrator at [EMAIL PROTECTED]. Old-Subject: NYT Story: Digital Contracts To: [EMAIL PROTECTED] Subject: NYT Story: Digital Contracts Sender: [EMAIL PROTECTED] Reply-To: Anonymous [EMAIL PROTECTED] Fight Over Electronic Contracts Heads to House Also: U.S. Shut Out in First Round of Internet Board Elections ASHINGTON -- With the clock ticking toward adjournment for the year, Congressional leaders and the Clinton Administration are working to eliminate political infighting and pass legislation that would give electronic contracts the same legal weight as their traditional paper counterparts. The legislation is considered crucial for the future of electronic commerce, and it is part of an effort by the Commerce Department both domestically and internationally to make the standards for such contracts, with their "digital signatures," as simple as possible. But Republicans and Democrats in the House are still battling over how far the legislation should go, a fight that could play out on the House floor this week. The House is scheduled to take up digital signature legislation as early as Tuesday, but first leaders must decide how to proceed. At issue are states rights, and whether individual states should have the power to make their own rules for recognizing digital signatures. The White House and most Democrats are pushing for a bill that would make digital signatures legal only in those states that don't already have laws recognizing the validity of electronic contracts. But Republican leaders in the House have been pushing for more sweeping legislation that would not only pre-empt state digital signature laws but would also eliminate some of the paper-record keeping and notification requirements that some states impose on financial institutions and insurance companies. The House Judiciary Committee last week narrowly approved a version of the bill backed by Democrats that would recognize current state laws on both electronic signatures and record-keeping. The bill is similar to a White House-endorsed Senate proposal by Senator Spencer Abraham, a Michigan Republican, that is awaiting passage in that chamber. The House Commerce Committee, meanwhile, in August approved a bill by Chairman Thomas J. Bliley Jr., a Virginia Republican, that would establish a uniform national standard for authenticating electronic signatures, and require that states pass laws
Re: Digital Contracts: Lie in X.509, Go to Jail
Evidently, there are only 500 in the first printing, but I bet Stefan didn't give them *all* away. :-). I bet that if you put in a special order to Amazon with the ISBN and the publisher in it, they'll manage to sell one to you on order. Upon receiving a bunch of orders for the book from some place like Amazon, if and when the publisher sells out, they'll probably print some more, or at least make a deal to print it on this side of the pond. Cheers, RAH At 11:56 AM -0400 on 10/19/99, Steven M. Bellovin wrote: In message v0421012db4321dc2f55c@[204.167.101.62], Robert Hettinga writes: The solution to this madness, is, of course, bearer credentials, as Stephan Brands points out in his recently published doctoral dissertation "Rethinking Public Key Infrastructures and Digital Certificates -- Building in Privacy", now published by Ponsen and Looijen in the Netherlands, ISBN 90-901-3059-4. Do you know where to order this? None of the amazon.com sites has it, nor doe s barnesandnoble.com. --Steve Bellovin - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Is there an anonymous contribution protocol?
At 3:48 PM -0400 on 10/19/99, Reusch wrote: "I contributed $100,000. Here is my receipt! Get the bedroom ready." Right. See http://www.xs4all.nl/~brands/order.txt There's an echo in the room, isn't there? :-). Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IBUC hits the road (was Re: Just got a copy of Stefan Brand'sbook)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 11:51 AM -0500 10/18/99, Mike Rosing wrote: On Thu, 14 Oct 1999, Peter Wayner wrote: Stefan Brands, the man who's written some great digital cash protocols, has just published a new book called "Building In Privacy: Rethinking public key infrastructures and digital certificates." I haven't read it yet, but a quick skim shows plenty of equations. It should be worth checking out. I've only barely managed to get thru half the first chapter, but it's great. Stefan's biases are clear, but also backed up with *lots* of good facts. I'm learning a lot, and haven't got to the meat of things yet. Only 500 copies were printed, I consider myself exceptionally lucky to have a copy. Hopefully I'll have more chance to read it in the next few weeks. Yup. My favorite part so far is this juicy paragraph, found right up front: "This dissertation documents and analyzes the privacy dangers of digital certificates. On the basis of the findings, highly practical digital certificates are constructed that fully preserve privacy, without sacrificing security. The new certificates function in much the same way as do cash, stamps, cinema tickets, subway tokens, and so on: anyone can establish the validity of these certificates and the data they specify, but no more than just that. Furthermore, different actions by the same person cannot be linked." Can you say "digital bearer certificates", boys and girls? *God*. I *knew* you could... And, of course, I'm now in the business of proving that such digital bearer certificates are not only more private than book-entry, database-driven "credentials" are, but that they're, more important than anything else, orders of magnitude *cheaper* than those "auditable" credentials can ever be, by their own very definition. And, of course, money, and financial instruments in general, are the ultimate credential. Money talks, Cet... But, I bet you knew I'd say all *that*, right? I mean, so what else is new? And, so, besides saying "go, Stefan, go,", or "say halelujia somebody", here's the actual *point* of this post: We've started to get some angel funds in the door (we're still looking for more, of course :-)) for this next phase of IBUC, and, as a result, I'm about about to go spend some of those brand-new "sophisticated" investor-dollars on a road-trip, coming soon to conference room near you. This first trip is to line up memoranda of understanding (MOUs) from people who sell bits (content, services, bandwidth) directly over the net, collect their money by sending a bill through meatspace, or selling a credit-card subscription -- or, of course, sell advertising, the world's worst transfer pricing mechanism. If you're one of those folks, a *current* seller of bits on the wire, and you want to get paid good-old-fashioned non-repudiable *cash* for for those bits, instantaneously upon delivery, and, more important, you want to be able to turn right around *spend* that cash on the net, for free, or to *deposit* that cash, for free, into your *own* bank account with no hassle except a reasonably small minimum deposit size, please reply directly to me, and I'll come for a visit. My objective here is to get a reasonable statistical sample of the internet content and services market signed up with a memorandum of understanding, committing to at least experiment with taking internet bearer dollars (or, more properly, millidollars) in payment, if and when when we get those millidollars on the wire. With that stack of memoranda in hand, I'll go and wave it around under the nose of the *next* collection of MOUs, this time from IBUC's prospective vendor pool: crypto-protocol, hardware, and software developers, bandwidth sellers, financial custodians and, heh, lawyers. Most of whom already know who they are, and who, God help 'em, know I'm going to be back to visit sooner or later. After that, we hire the writing of a public spec and open reference customer/server/underwriter code and, after *that*... Well, *you* get the idea. We want to go live in January 1, 2001, and, this afternoon, at least, I think we can get there from here. Stefan has me *inspired*, today. Cheers, RAH -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com iQA/AwUBOAuaPcPxH8jf3ohaEQKm4ACgj/kcXqpXfcUocP5Fzn6bxkkgT1QAoKrq kY+6CsamqDu6XJj17WOjtktv =7tJX -END PGP SIGNATURE- - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: how does disappearing.com's crypto work?
--- begin forwarded text Date: Sat, 16 Oct 1999 01:59:03 -0700 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Bill Stewart [EMAIL PROTECTED] Old-Subject: CDR: Re: how does disappearing.com's crypto work? Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: how does disappearing.com's crypto work? Sender: [EMAIL PROTECTED] Reply-To: Bill Stewart [EMAIL PROTECTED] At 01:30 AM 10/15/1999 +0100, [EMAIL PROTECTED] wrote: I haven't seen any technical discussion of what Disappearing Inc are up to. Did the employee show up at the cypherpunks meeting as advertised? My guess is that they have come up with some kind of server gated forward secrecy protocol for email. Forward secrecy is good, but forward secrecy should be end-to-end, not server based, because then you have to trust the server. Maclen Marvit from Disappearing Ink http://www.disappearingink.com/ spoke at the Cypherpunks meeting last Saturday. It's good stuff. He started his talk by explaining the business model of what Disappearing Ink does, and what it does _not_ do. That's an important part of the discussion, because some of the things that it does not do are hard or impossible and people have been flaming them for probably doing a bad job of them. And it's the critical part of the "Get Money From Venture Capitalists" talk :-) DI addresses the records destruction problem for email. It lets two or more willing, cooperative people have an email conversation with reasonable certainty that there won't be any persistent records kept for more than N days by any intervening servers - no backup tapes on email servers, no meaningful logfiles, nothing that SEC regulations require you to destroy about the potential merger acquisition discussions you had, nothing that Ken Starr or the Microsoft Anti-Trust inquisitors or the Ollie North Follow-The-Money investigators can subpoena later, nothing that your business competitors can steal. It doesn't solve the problem of the sender or receiver making copies on purpose; as many people have discussed, that's not realistic. It doesn't solve the problem of eavesdroppers listening in while you talk; if you need to do that, use encryption - sending PGP-encrypted messages using Disappearing Ink is just fine. It doesn't solve the problem of logfiles indicating who send mail to whom; if you need a remailer, use a remailer. It doesn't solve the problem of cops with warrants seizing their records to get the messages gambino.org sent today if they're doing 60-day disposal, though the users can set disposal time and conditions. DI uses plugins to several popular email packages. The sender's plugin encrypts the email and does an HTTP handshake (using whatever SSL is available) to hand the key to the DI server. The recipient's plugin fetches the key using HTTP/SSL and decrypts. Encryption is currently Blowfish, but 3DES and TwoFish are planned. If the recipient doesn't have an email plugin, the message can be handed to DI using a web-form for decryption, but otherwise DI never sees or handles the messages, only the keys and message-IDs. I don't remember how much tracking information DI's server knows - it may be only a message-ID, or it may use the sender's or recipient's address. Some followon topics we suggested were the possibility of doing something Diffie-Hellman-like in a later release. I don't think we went into random number generation strategies. Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639 --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
linux-ipsec: Announce: Linux FreeS/WAN-1.1 _SHIPS_!
--- begin forwarded text Date: Fri, 15 Oct 1999 10:45:11 -0700 From: Hugh Daniel [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: linux-ipsec: Announce: Linux FreeS/WAN-1.1 _SHIPS_! Reply-to: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- Today the team members of the Linux FreeS/WAN project shipped their second release of IPSEC IKE for Linux 2.0.38, 2.2.12+ and even it is said 2.3.21 based systems! The release is known to work on x86 systems and said to run on StrongArm(tm?) systems as well. This is a bug fix release, many many problems have been fixed including the experimental support for Road Warrior's. You can get your copy from the master web site at: ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz and the PGP2 signature is at: ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz.sig The team hopes that the software is useful to the community, may you do great things with it! ||ugh Daniel [EMAIL PROTECTED] Systems Testing Project mis-Management The Linux FreeS/WAN Project http://www.xs4all.nl/~freeswan -BEGIN PGP SIGNATURE- Version: 2.6.3i Charset: noconv iQCVAwUBOAdnnFZpdJR7FBQRAQFhdgP+LzhPII0ZJtUi+PlLF00v6fyc2eKbec+d ww245eoaaXQbMU77DRHBaKwcnEXQm/DGnLqvB7NgVzHUaRlmPF7C3RP1s11uuD+K PTlliA8EUgxo1rNhL1aHd4l/iGm9SsKt52+m3WejdEYaGpdnH0Phz6JG7HQRMV7D /lEl+PN/D5E= =PYdH -END PGP SIGNATURE- Type Bits/KeyIDDate User ID pub 1024/970F6D91 1998/02/10 Linux FreeS/WAN Software Team -BEGIN PGP PUBLIC KEY BLOCK- Version: 2.6.3i mQCNAzTgT34AAAEEAK2aB9VuUbPOBW4LZ+JCnYsxERoo4g4PInFiniSh9aCxuztU qTUex+zqZx4UpgbDo9m/nYjt26e89PQpiXQoNHIQUksS/KPzyYBU+wMEK2Mlo69i AbBiqJWqHmFu36mW1xzZCZ8WpNywJa6xMN1M/4/O2N9Q7x4D6ml/dIeXD22RAAUR tB1MaW51eCBGcmVlUy9XQU4gU29mdHdhcmUgVGVhbYkAlQMFEDTjScKtUkpRhRl/ tQEBkgwD/A5C01Tp3acgpz19CO5zC/E3TXvrNAT9xh2YztT3BpKStFklJ46BEIWa +4jVr2X2ZfOxjLvouPZ1Th/bQkHcIR4fXF2vnEz2GMBk9UijwQp+89zHSolGj8sf Jsy548/RXj6N5rl+4QOU1cpTqxnsuaszSlpk/HHbvlW5aKGIwHGZiQCVAwUQNOBL Qt+sBuIhFagtAQEOagP/X0vhN80kSkErcqE/H5smVzQKHlYXM2tYYl/HF1ec+Lt2 aFKbZ0Xq1LMmKB8fQWiK+1Rvks/AC7TbCN09xPBMkNdsOrUht7KWx5Lc8cA6VZVU Uo4nRYci8HJaxfHpOU2FO6FGvI27bdiSDoxHGSnweGFlgVF/pSZc74bfxWh7qt+J AJUDBRA04FCxVml0lHsUFBEBAV7sA/955dXrHpFmD21n9Iwf7mH/O5DQ5We0J95y 0XbL0Wp6emW+ya3A2GuBR+puwQ5KMi9QT0POsm2mAaYREwvlqOTdbIvRm0TosK5m UPcw7Lg8L1AWOpa6mrGuDrMjgEvVfn2r4eqcX9gjVH3eoP4hTBuiPeXf5B6Co6/j WKTOdjyHlokAlQMFEDTgUEFpf3SHlw9tkQEBzaMD/R01kMTQ62R66U4yfHYRg7qG f0gIJZ+Flf3tJ1UnQylaEw7yIsIyJHUMZG2W6kGTa6GjCWwFzvyxCyQNl3XfqMtW j8NWvKXG9BN1HFV9yrXt8A6zvOrcwPP+ZsxJJ8482+kA65TNpv6K5V9CTHDR65Dn YJnmIkhGP2tFiWDJQFIE =QIny -END PGP PUBLIC KEY BLOCK- My project public key: -BEGIN PGP PUBLIC KEY BLOCK- Version: 4.0 Business Edition mQCNAzIGfh0AAAEEAPDl8OmY0l50R1l3JR3BOHVdf04eYcuQaUy4Mnh+fe9ZiQ/o gIjvfwOM6IR1HwHA7I2jqf4XD9St8wNA4Jd4TvtgdCL9jhoSpC1anJD3dBOqoMPl BU+vGId8+k3XY4NwL3nsHk9OiRcvbCqFwmVZBcMmd5njwMMlelZpdJR7FBQRAAUR tBtIdWdoIERhbmllbCA8aHVnaEB0b2FkLmNvbT6JAJUDBRAyBo/mrVJKUYUZf7UB AWKpA/92pO5anNrbVu0H7uEOisGjE7TXPa6WkgxoS9katRDimVCFcikIEOQue88M QpF7w3x2SxdKCpS1ZhPaxUHdAdE7dGO032+OHYNdgitEGJHitczHG2XpC1NbHuUf 8DsyxR6qSrJf28jeMDMyj5ynlIctvWWGJw4+/cLvLVxijqc2PA== =lkvw -END PGP PUBLIC KEY BLOCK- --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
DCSB: Warren Agin; Bankruptcy and Internet Commerce Assets
--- begin forwarded text Date: Tue, 12 Oct 1999 02:17:23 -0400 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: DCSB: Warren Agin; Bankruptcy and Internet Commerce Assets Cc: Warren Agin [EMAIL PROTECTED], Rodney Thayer [EMAIL PROTECTED], Muni Savyon [EMAIL PROTECTED], Elias Israel [EMAIL PROTECTED], Suzan Dionne [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Robert Hettinga [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The Digital Commerce Society of Boston Presents Warren Agin Founder, Swiggart Agin, LLC From Tulips to Technology: Treatment of Electronic Commerce Structures When the Bubble Bursts. Tuesday, November 2nd, 1999 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Even as the new economy grows, some companies, like Digicash and Websecure, miss a beat. They find themselves in financial trouble and sometimes bankrupt. When this happens, the most significant remaining asset is the company's patent rights. The bankruptcy process provides opportunities, both for the financially troubled companies and their competitors, to restructure patent portfolios and licenses. It also contains risks. The bankruptcy process can allow technology licensors to force a termination of a patent license and at least one court has held that a company passing through bankruptcy will lose its rights under patent licenses. Managing a patent portfolio requires knowledge of the bankruptcy process and the special issues concerning technology companies. Warren Agin will address how the bankruptcy process treats technology companies and the various licensing and technology structures they use. He will review treatment of patent and software licenses, copyrights, and deal structures like partnering and web-linking agreements. In addition to reviewing the new law being developed in these areas, the talk will focus on the practical aspects of how companies in bankruptcy, or those doing business with a bankrupt company, can use the bankruptcy process to rebuild their business structures and relationships. Warren E. Agin is a founding member of Swiggart Agin, LLC, a software and Internet boutique in Boston, Massachusetts. Mr. Agin's practice focuses in the areas of bankruptcy and insolvency law, corporate law, and computer and Internet law. Representative technology clients include new and established software companies, Internet portals, hardware designers, web site design firms, and system integrators. In the bankruptcy field, Mr. Agin represents both debtors and creditors in a variety of consumer and commercial bankruptcy matters, including technology related bankruptcy matters. Mr. Agin authored BANKRUPTCY AND SECURED LENDING IN CYBERSPACE (Bowne Co., Inc. 1999), the first treatise to discuss how the Internet is changing bankruptcy law and practice. A contributing editor on intellectual property and technology issues to the Norton Bankruptcy Law and Practice, 2d legal treatise, Mr. Agin has written and lectured extensively on the topics of bankruptcy and technology law, including presentations for the American Bar Association, National Business Institute, Boston Bar Association, and Massachusetts Continuing Legal Education. Mr. Agin currently serves as Chair of the American Bar Association's Business Law Section's Electronic Transactions in Bankruptcy Subcommittee (within the Business Bankruptcy Committee) and Vice-Chair of the ABA's Joint Subcommittee on Electronic Financial Services. Locally, he is Chair of the Boston Bar Association's Technology Committee for the Solo Small Firm Practice Section. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, November 2, 1999, from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, on One Federal Street. The price for lunch is $35.00. This price includes lunch, room rental, various A/V hardware, and the speakers' lunch. The Harvard Club *does* have dress code: jackets and ties for men (and no sneakers or jeans), and "appropriate business attire" (whatever that means), for women. Fair warning: since we purchase these luncheons in advance, we will be unable to refund the price of your lunch if the Club finds you in violation of the dress code. We need to receive a company check, or money order, (or, if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, October 30th, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club
Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote: Title: Special Kurt's Closet: Is SSL dead? Resource Type: News letter Date: Semptember 30, 1999 Source: Security Portal Author: Kurt Seifried Keywords: INTERNET/WWW,SECURITY ISSUES ,ONLINE SHOPPING ,SSL Abstract/Summary: The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most security experts have been aware of problems with SSL, but generally speaking we haven't said much because there wasn't much of a replacement available for it, and it hasn't been exploited extensively (chances are it will be, though). I'll start with an explanation of the basic attack, followed by some methods to protect yourself, and finish with an interview with Dale Peterson of DigitalBond and the summary. How to do it Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy. I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com, time required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks and feels like the "real" thing. Now, how do I get people to come to it? Well I simply poison their DNS caches with my information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8. Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one. Original URL: http://securityportal.com/closet/closet19990930.html Added: Wed Oct 6 12:41:14 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
mentor needed
Reply to this person directly, please... Cheers, RAH --- begin forwarded text Date: Thu, 7 Oct 1999 01:20:46 -0400 (EDT) From: "Nina H. Fefferman" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: mentor needed Sender: [EMAIL PROTECTED] Reply-To: "Nina H. Fefferman" [EMAIL PROTECTED] Hi all, I have the following problem: a student in a course I am co-teaching on the basics of cryptography has actually become interested in the subject. She is an honors student at Rutgers who probably wants to major in political science. She wants to find someone in the field who is involved in the politics side of things. I'm at a loss for real life politics. :) I can handle the math/cs side, but hopefully one of you out there would be willing to talk to her about what it is like to think about policy issues and politics while still being a reasonably informed person about the science involved. If any of you have any inclination, I think all she is looking for are a few exchanged emails. (If you are interested, please let me know and I will send you her email address.) Thanks, Nina F. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Anonymous email snitching to police in UK
--- begin forwarded text Date: 5 Oct 99 19:05:05 EDT From: ROBERT HARPER [EMAIL PROTECTED] To: Ignition Point [EMAIL PROTECTED] Subject: IP: Anonymous email snitching to police in UK Sender: [EMAIL PROTECTED] Reply-To: ROBERT HARPER [EMAIL PROTECTED] http://news.bbc.co.uk/hi/english/uk/newsid_463000/463213.stm Friday, October 1, 1999 Published at 17:55 GMT 18:55 UK UK Web war against criminals hots up Cyber-informants have been promised anonymity - The war against crime in the UK is being beefed up with the creation of a new Website that allows members of the public to e-mail tip-offs to police. The Crimestoppers Trust has had a Web presence for a couple of years but previously relied on the public telephoning in pieces of information. Now people can e-mail tip-offs to the new site, which is being sponsored by the Trinity Mirror Group and hosted on their Internet service provide. Crimestoppers says e-mails will be filtered to strip them of any information identifying the sender, thus preserving the trust's pledge of anonymity for anyone who gets in touch. Wide range of inquiries Those who are still obsessed with secrecy can always send information via anonymous Web servers, which cover up their e-mail addresses. The site will be used by forces all over the UK to elicit information on crimes ranging from indecent exposure right up to murder. The most prominent inquiries mentioned on the site are the Jill Dando murder investigation in west London and the killing of 80-year-old Doris Dawson, her daughter Mandy and granddaughters Emily and Katie in Swansea. Dozens of other unsolved crimes will be placed on the site although cases are still being compiled in two areas - Scotland and the Midlands. Global reach The new Website was welcomed by Home Secretary Jack Straw, who said: "Fighting crime is not just down to the government and the police. "It's a partnership that requires the support of everybody." The trust says the site is designed to complement the current freephone number - 0800 555111 - and not replace it. Intelligence provided via the freephone number leads to the arrest and charging of around 14 people a day, including one person every 12 days being charged with murder. Earlier this year Scotland Yard introduced a new section on its site, where it sought the public's help in finding wanted people. E-mails have been flooding in to the Yard from all over the world. One man was arrested earlier this year and charged with a murder in London after a man e-mailed the Metropolitan Police from the Netherlands with information. He is now awaiting trial. The Yard's wanted page is also hosting appeals from other forces - Northumbria police has put up a sketch of a man suspected of the attempted murder of an IRA informer in Whitley Bay in June this year. Get free email and a permanent address at http://www.netaddress.com/?N=1 ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
PATNEWS: The growing flood of Wall Street patents
--- begin forwarded text Date: Fri, 1 Oct 1999 16:44:28 -0400 To: Digital Bearer Settlement List [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: PATNEWS: The growing flood of "Wall Street" patents Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] x-flowed --- begin forwarded text Date: Wed, 29 Sep 1999 13:09:42 -0400 (EDT) From: Gregory Aharonian [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: PATNEWS: The growing flood of "Wall Street" patents Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] !19990929 The growing flood of "Wall Street" patents The issue of patents on methods of doing business seems to have quieted down for the time being (though I heard a hilarious rumor involving Gail Hayes, an examiner on many of these patents - anyone with a copy of her letter please fax me a copy). Despite the lull, these patents are regularly being issued. What follows is a list of 110 "Wall Street" patents, i.e., patents on things that Wall Street institutions like to do. Interestingly, 75% of them have issued since 1997, and I suspect that now that the CAFC has ruled that "anything is patentable" (ATT/Excel), there will be a flood of such patents to match the other floods coming out of the PTO. Greg Aharonian Internet Patent News Service 5,953,423 Electronic-monetary system 5,950,176 Securities trading system with a virtual specialist function 5,946,668 Funding a home investment trust 5,946,667 Financial debt instruments method 5,946,666 Financial securities monitoring system 5,940,810 Estimation method for complex securities using low-discrepancy deterministic sequences 5,933,817 Tiered interest rate revolving credit system and method 5,933,815 Providing guaranteed lifetime income with liquidity 5,930,775 Optimal investing for distressed residential real estate loans 5,930,774 Mutual fund portfolios evaluation 5,930,760 Annuity rates derivation 5,920,848 Financial transactions, services, accounting, and advice using intelligent agents 5,920,629 Electronic-monetary system 5,918,217 User interface for a financial advisory system 5,913,198 Survivor benefit plans design and administration 5,911,136 Prioritized operation of a personal financial account comprising liabilities and investment assets 5,911,135 Managing financial accounts by a priority allocation of funds among accounts 5,907,828 Lender-owned credit life insurance policies implementation and administration 5,897,621 Multi-currency transactions system and method 5,893,079 System for receiving, processing, creating, storing, and disseminating investment information 5,884,287 Displaying risk and return in an investment portfolio 5,884,285 Managing financial accounts by reallocating funds among accounts 5,884,274 Generating and executing insurance policies for foreign exchange losses 5,878,405 Pension planning and liquidity management system 5,878,404 Load amortization management 5,878,139 Electronic merchandise dispute resolution 5,875,437 Operation and management of one or more financial accounts through the use of a digital system for exchange, investment and borrowing 5,873,072 Electronically providing customer services including payment of bills, financial analysis and loans 5,873,066 Managing and documenting the underwriting of an excess casualty insurance policy 5,870,720 Implementing a restructuring exchange of an excessive undivided debt 5,866,889 Integrated full service consumer banking system and system and method for opening an account 5,864,828 Personal financial management system for creation of a client portfolio of investment and credit facilities where funds are distributed based on a preferred allocation 5,864,685 Increasing income trust computer transaction system and insured investment account system 5,857,176 Fixed income portfolio data processor 5,852,811 Managing financial accounts by a preferred allocation of funds among accounts 5,852,808 Providing professional liability coverage 5,842,178 Computerized quotation system and method 5,832,461 Investment management including means to adjust deposit and loan accounts for inflation 5,819,238 Modifying a financial portfolio through dynamic re-weighting based on non-constant function of capitalization weights 5,819,237 Determination of incremental value at risk for securities trading 5,819,236 Providing advance notification of potential presentment returns due to account restrictions 5,812,988
IP: Nation's banks create private computer security system
--- begin forwarded text Date: 1 Oct 99 19:13:56 EDT From: ROBERT HARPER [EMAIL PROTECTED] To: Ignition Point [EMAIL PROTECTED] Subject: IP: Nation's banks create private computer security system Sender: [EMAIL PROTECTED] Reply-To: ROBERT HARPER [EMAIL PROTECTED] http://www.foxnews.com/js_index.sml?content=/news/wires2/1001/n_ap_1001_276.sml Nation's banks create private computer security system 6.33 p.m. ET (2240 GMT) October 1, 1999 By Ted Bridis, Associated Press WASHINGTON (AP) - The nation's banking industry has quietly wired itself a $1.5 million private computer network to share information anonymously about electronic threats from rogue employees, software bugs, viruses and hackers, the Treasury Department said Friday. The Financial Services Information Sharing and Analysis Center is the result of orders from President Clinton to better protect America's most important industries from cyber attacks. It's in a secret location known to only about a half-dozen people, but it's believed to be nestled among a corridor of high-tech firms in northern Virginia. Similar centers are planned in the coming months for seven other industries, including telecommunications, oil and gas, electrical power, transportation and America's water supply system. This summer, the White House announced its plan to create a government-wide security network to protect its most important nonmilitary computers. "New threats call for new types of solutions,'' said Treasury Secretary Lawrence Summers, adding that banking officials need to learn about viruses and malicious software that disguises itself as innocuous code. Only licensed banks and other government-regulated financial firms that become subscribers will be able to exchange information or tap into this network's details of known security threats. Urgent alerts will be sent by e-mail, pager and cellular phones to a bank's experts - who will pay $13,000 to $125,000, depending on how many employees are using it. "Every day, everywhere, people are trying to break into financial institutions - and sometimes from within financial institutions - trying to take money they're not authorized to have,'' said Kawika Daguio, vice president of the Washington-based Financial Information Protection Association. Names and other identifying details will be stripped from submissions to ensure anonymity and encourage honesty - and partly so rival banks don't misuse the information and regulators can never know a specific financial institution was having problems. "Once we demonstrated that you could have an anonymous capability so you can't trace it, most institutions stood up immediately and said, `Let's go do this,''' said Bill Marlow, executive vice president for Global Integrity, the consulting company in Reston, Va., that built the center. Organizers said 16 financial institutions - with a total of $4.5 trillion in assets among them - have so far joined the network, with 500 to 1,000 more expected to join in the next 18 months. One of the center's greatest strengths, say organizers, will be its ability to notice trends: A report by one bank of a hacker sniffing around its network becomes more onerous if dozens of other banks also report noticing exactly the same technique. "Not a day goes by without seeing alerts about security, vulnerabilities in the products we use or news stories about Internet sites being compromised,'' said Steve Katz of Citigroup Inc., the center's coordinator. "What might appear to any one company as a random event might be more significant if looked at in the aggregate.'' Although the Treasury Department helped organize the center, government leaders said U.S. agencies won't eavesdrop on the threat information disclosed by banks. However, the government will volunteer details about security problems through the FBI's National Infrastructure Protection Center. "If they choose to give information to the government, that's nice,'' said Richard Clarke of the National Security Council. "The government, however, will share information with them ... both classified and non-classified information.'' Get free email and a permanent address at http://www.netaddress.com/?N=1 ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting
[Fwd: Phys. Rev. Focus--1 OCT 1999]
--- begin forwarded text Date: Sat, 02 Oct 1999 18:06:57 -0400 From: Somebody To: rah [EMAIL PROTECTED] Subject: [Fwd: Phys. Rev. Focus--1 OCT 1999] Bob -- More quantum cryptography - more-or-less incomprehensible... -- Somebody's .sig From: Focus List Owner [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Phys. Rev. Focus--1 OCT 1999 Sender: [EMAIL PROTECTED] Precedence: bulk Reply-To: [EMAIL PROTECTED] Precedence: list PHYSICAL REVIEW FOCUS 1 OCT 1999 http://focus.aps.org/ from the American Physical Society Introductions to the Focus stories of the past week; visit http://focus.aps.org for the complete stories. PHOTONS ON DEMAND Laser physicists are good at producing and manipulating single photons, but as with good comedy, the timing is important. Even the best experiments in quantum cryptography and computing--applications that make use of single photon properties--use sources that emit photons at random times. In the 4 October PRL a French team demonstrates a system that emits single photons on a dependable schedule at a frequency of 3 MHz. One other "triggered" photon source which operates on completely different principles was reported earlier this year. With these new techniques, researchers know exactly when and where a single photon will be found, and they are a step closer to quantum applications, such as cryptography that allows the receiver of information to deduce whether a message has been intercepted. (Brunel, Lounis, Tamarat, and Orrit, Phys. Rev. Lett. 83, 2722. COMPLETE Focus story at http://focus.aps.org/v4/st17.html Link to the paper: http://publish.aps.org/abstract/PRL/v83/p2722/) SCIENCE WRITERS AND JOURNALISTS: The American Institue of Physics has just launched a web site (http://www.aip.org/physnews/pnsentry.htm) containing full-text of new, notable journal articles. Write to [EMAIL PROTECTED] to register. Sorry, this site is for writers and journalists only. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[Zero-Knowledge Press Release] ZERO-KNOWLEDGE SYSTEMS SECURES$12M IN CAPITAL FUNDING
--- begin forwarded text From: Dov Smith [EMAIL PROTECTED] To: ZKS Press Releases [EMAIL PROTECTED] Subject: [Zero-Knowledge Press Release] ZERO-KNOWLEDGE SYSTEMS SECURES $12M IN CAPITAL FUNDING Date: Thu, 30 Sep 1999 10:33:55 -0400 Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] == Zero-Knowledge Systems Press Release, http://www.zeroknowledge.com == FOR IMMEDIATE RELEASE ZERO-KNOWLEDGE SYSTEMS SECURES $12M IN CAPITAL FUNDING FROM LEADING SILICON VALLEY VENTURE CAPITAL FIRMS NetReturns2000--Aspen, Colorado--Sept. 30-- Zero-Knowledge Systems, a leading developer of Internet privacy solutions, announced today it has secured US $12 million in first round venture capital funding. The lead investors are Platinum Venture Partners, Aragon Ventures and Strategic Acquisition Ventures, the Silicon Valley venture capital firms that have funded leading Internet firms Inktomi, LiquidAudio, Star Media and YesMail.com. Zero-Knowledge is currently beta-testing its much-anticipated Freedom privacy technology, which empowers users to surf the Web, send email, post to newsgroups and chat via untraceable digital identities called "nyms." All Freedom traffic is encrypted and routed through the Freedom Network, a globally distributed network of Freedom Servers hosted by ISPs and independent server operators around the world. Heralded by privacy advocates as the only fully trustworthy privacy solution, Freedom will be available commercially in fourth quarter 1999. "In selecting our partners, we looked for investors who share our vision of a multi-billion dollar privacy, identity and trust industry, and see the incredible opportunity for Zero- Knowledge to be the market leader in privacy and identity management solutions," said Hammie Hill, CEO of Zero-Knowledge Systems. "Our partners have a solid history of backing market leaders introducing revolutionary technologies. Zero-Knowledge is poised to become a market leader by ensuring that privacy and identity reside on every consumer's desktop." "The Internet was not created with privacy concerns in mind. Zero-Knowledge will for the first time bring true privacy to the Internet," said Mike Santer, co-founder and general partner of Platinum Venture Partners. "Zero-Knowledge's technological approach is the simplest and most comprehensive way for Internet users to protect their privacy online. We see enormous growth potential for providers of Internet privacy solutions and are confident that Zero-Knowledge will establish a dominant lead in this market." "The Internet is revolutionizing consumer empowerment, and as a leader in privacy protection Zero-Knowledge will be a market leader in consumer protection and identity management," said David Brewer, founder and general partner of Aragon Ventures. "Zero-Knowledge will play a pivotal role in the evolution of the Internet, as the number one consumer empowerment company addressing the ever-increasing privacy concerns of Internet users." Mike Santer of Platinum Venture Partners and Alex Hern of Strategic Acquisition Ventures have joined the Board of Directors of Zero-Knowledge Systems. About the Investment Partners Platinum Venture Partners was founded in 1992 and maintains offices in Palo Alto, CA and Chicago, IL. Aragon Ventures' offices are in Palo Alto, CA. Strategic Acquisition Ventures' offices are in Palo Alto, CA and Tampa, FL. General Partners of these VC firms have been private equity investors in leading public Internet-related companies Inktomi (NASDAQ: INKT), Liquid Audio (NASDAQ: LIQD), Star Media Network (NASDAQ: STRM), Whittman-Hart, Inc. (NASDAQ: WHIT) and YesMail.com (NASDAQ: YESM), which have a combined market value of approximately US $10 billion. The VC firms have also backed or co-founded private companies including: Andromedia, Brainbuzz.com, Mothernature.com, National Transportation Exchange and Triton Network Systems. About Zero-Knowledge Systems, Inc. Founded in 1997, Zero-Knowledge Systems (http://www.zeroknowledge.com) is the first and only company providing a total privacy solution for all Internet activities. Zero-Knowledge is dedicated to protecting its customers' privacy and freedom on the Internet through mathematics, cryptography and source code. Based in Montreal, the company employs 80 people and is rapidly expanding its operations. Consumers interested in previewing Zero-Knowledge Systems' Freedom technology can visit http://www.zeroknowledge.com/products/download. Journalists can visit the Zero-Knowledge pressroom at http://www.zeroknowledge.com/pressroom. (Freedom is a trademark of Zero-Knowledge Systems, Inc. All other names may be trademarks of their respective owners.) For more information, please contact: Dov Smith Director of Public Relations 514.286.2636 x 248 [EMAIL PROTECTED] Meredith Markman Weber Group Public Relations 415.616.6238
IT Companies Promote New Standard For Phone Security (was Re:Edupage, 29 September 1999)
Why do I keep thinking "Radicchio" really gonna be another GSM "Pinocchio"? Cheers, RAH At 5:02 PM -0600 on 9/29/99, EDUCAUSE wrote: IT COMPANIES PROMOTE NEW STANDARD FOR PHONE SECURITY EDS, France's Gemplus, Sonera, and Ericsson have founded a forum called "Radicchio" to promote a world encryption standard. Known as "public key infrastructure," the technology provides security for mobile phone-based electronic commerce transactions. The technology can be embedded into a silicon chip that is located inside typical GSM handsets. Analysts believe that the mobile commerce market could reach $66 billion in the next four years, but forum founding members are concerned that security issues could impede the emerging market. The European initiative is currently pursuing new members, such as industry players and governments. Members of Radicchio say there could be 600 million mobile phones connected to the Internet by 2004, and easing security fears could go a long way toward making electronic transactions ubiquitous. (Financial Times 09/28/99) - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Elliptic Curve 97-bit Challenge Broken
--- begin forwarded text Date: Tue, 28 Sep 1999 16:17:07 -0400 To: [EMAIL PROTECTED] From: David Farber [EMAIL PROTECTED] Subject: IP: Elliptic Curve 97-bit Challenge Broken Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 28 Sep 1999 15:44:17 -0400 From: [EMAIL PROTECTED] (Dorothy Denning) Subject: Elliptic Curve 97-bit Challenge Broken To: [EMAIL PROTECTED] http://www.inria.fr/Actualites/pre55-eng.html INRIA leads nearly 200 international scientists in cracking code following challenge by Canadian company Certicom Paris, September 28. 1999 - A new code-cracking challenge set by Certicom has been successfully overcome using 740 computers in 20 countries over a period of 40 days. The code, ECC2-97, is based on a technique known as elliptic curves. Led by Robert Harley, a member of the Cristal project at INRIA, France's National Institute for Research in Computer Science and Control, the 195 researchers involved showed that a 97-bit encryption system based on elliptic curves is more difficult to crack than a 512-bit system based on integers such as RSA-155. Encryption systems based on elliptic curves have been known since the mid-1980s, but have only recently been adopted by leading encryption companies such as RSA Security Inc. Certicom issued its "ECC Challenge" in November 1997, specifying a series of challenges of increasing difficulty. The company offers prizes up to US$100,000. The aim of the challenge is to encourage research in the field of elliptic curves and their applications in encryption, and to strengthen arguments in favor of using elliptic curve cryptography instead of systems based on integer factorization. The challenge dubbed "ECC2-97" took place in a set of about 10^29 points on an elliptic curve chosen by Certicom. To solve the problem, participants first computed 119,248,522,782,547 (more than 10^14) using open-source software developed by Harley. Among these points, they screened 127,492 "distinctive" points and collected them on a Alpha Linux workstation at INRIA where further processing revealed two twin points. Finally Harley computed the solution using information associated with these two points, thus nailing the problem. The solution was found after less than one third of the predicted computation. The probability of finding the answer so quickly was less than one in ten. Two other twins were detected a few hours after the first - a less than one in 100 probability! Nevertheless the computing power used, around 16,000 MIPS/years, was twice as much as that used for the factorization of RSA-155 announced by Herman Te Riele of CWI (Amsterdam) and his colleagues on 26 August 1999. "These results strengthen our confidence in codes based on properly-chosen elliptic curves," said Harley. "This needs to be taken into account in standards for security and confidentiality on the Internet." According to Andrew Odlyzko, Head of Mathematics and Cryptography Research, at ATT Labs, the code-cracking operation was "a great achievement that demonstrates the value of fruitfully harnessing some of the huge computational power of the Internet that is idle most of the time". He added: "It validates theoretical security predictions, and demonstrates the need to keep increasing cryptographic key sizes to protect against growing threats." Arjen K. Lenstra, Vice President at Citibanks's Corporate Technology Office in New York and one of the main contributors to the recent successful attack on the RSA-155 challenge, compared the two computational efforts and noted that the present result makes 160-bit ECC keys look even better compared to 1024-bit RSA keys, from a security point of view. "Ideally we would like new theoretical advances to further reinforce these practical results, although such advances appear out of reach for the moment." Out of the $5000 prize money, the team members will give $4,000 to the Free Software Foundation to encourage the creation of new free software. The remaining $1,000 go to the team members who identified the twin points. Both were in fact found by Paul Bourke using a network of Alpha workstations, mainly used for studying pulsars at the Centre of Astrophysics at Swinburne University in Australia. The most active teams in the project were: Astrophysics Supercomputing Australia INRIA France University of New South Wales Australia "Friends of Rohit Khare" USA and France Ecole Polytechnique France Compaq USA and Italy Technischen Universität Wien Autriche University of Vermont USA "WinTeam" International British Telecom Labs UK Internet Security Systems UK Rupture Dot Net
IBM to built crypto-on-a-chip into all its PCs
--- begin forwarded text Date: Mon, 27 Sep 1999 17:01:05 +0100 From: Somebody To: [EMAIL PROTECTED] Subject: IBM to built crypto-on-a-chip into all its PCs Posted 27/09/99 12:09pm by Tony Smith IBM to built crypto-on-a-chip into all its PCs http://www.theregister.co.uk/990927-12.html IBM will tomorrow launch an all-in-one encryption chip designed to protect documents stored on desktop PCs and servers. The chip, as yet unnamed, will be initially installed in IBM's 300PL PC, but will soon be built into the company's full line of desktop systems. Actually, the 300PL may not feature the new chip since it's based on Intel's i820 chipset and, as Intel revealed today, http://www.theregister.co.uk/990927-11.htmlthe i820's release has been delayed indefinitely. IBM said users will pay no more for a hardware encryption-enabled PC than they will for a machine without the chip. In addition to handling key encryption -- the technology most usually associated with document protection -- the chip will also generate and verify digital signaturees. IBM's plan is clearly to make its machines more appealing to the growing number of computer users buying desktops solely to surf the Internet at do a little online shopping. The move should also make its PCs more attractive to companies performing business-to-business transactions over the Net. Of course, Big Blue is keen to be seen as acting in everyone's interest here, which is why the company's general manager for desktop systems, Anne Gardner, told Reuters: "We want this to become an industry standard. We want this on as many desktops as possible." However, IBM clearly wants to retain a lead, which no doubt explains Gardner's reluctance to discuss any plans the company may have to licence the technology to motherboard vendors. All she would say on the subject was a vague "you may see something along those lines in the future". Probably IBM will first want to see how attractive the technology is to punters. At least the approach of using an ancillary encryption chip should keep IBM safe from the nightmare Intel faced when it attempted to railroad CPU ID numbers on users. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: DoD selects vendors for public key infrastructure pilot
--- begin forwarded text From: [EMAIL PROTECTED] Date: Fri, 24 Sep 1999 17:20:44 -0500 To: [EMAIL PROTECTED] Subject: IP: DoD selects vendors for public key infrastructure pilot Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: Department of Defense http://www.defenselink.mil/news/Sep1999/b09211999_bt432-99.html DOD SELECTS VENDORS FOR PUBLIC KEY INFRASTRUCTURE PILOT The Department of Defense has made its initial selection of vendors to enable secure, electronic business services with private industry. Operational Research Consultants Inc. and Digital Signature Trust Co. are the first two candidates selected to supply the Department with Class Three Interim External Certification Authorities (IECAs) for its public key infrastructure. This capability will allow DoD to electronically communicate with industry by enabling secure, private electronic business and paperless contracting. IECAs will be used to provide non-DoD personnel with certificate services compatible with the Department's public key infrastructure. In May 1999 the Department released a solicitation for IECAs to support vendors conducting business with the Paperless Contracting Wide-Area Work Flow, Electronic Document Access and Defense Travel System applications. Operational Research Consultants Inc. and Digital Signature Trust Co. are the first two candidates to successfully complete the testing, policy and procedural requirements for IECAs. More IECA selections will be announced as available. Selection of these two vendors is a significant milestone in the rollout of the Department's public key infrastructure since it promotes broader industry participation. In addition, this pilot should provide additional data to refine the Department's requirements and procedures for use of future external certificate authorities. ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Selective DoS Attacks: Remailer Vulnerabilities
--- begin forwarded text Date: 24 Sep 1999 15:20:12 - From: RProcess [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Selective DoS Attacks: Remailer Vulnerabilities CC: [EMAIL PROTECTED] Newsgroups: alt.privacy.anon-server,alt.security.pgp,alt.privacy Sender: [EMAIL PROTECTED] Reply-To: RProcess [EMAIL PROTECTED] The following is a (somewhat long) discussion of what I consider to be some of the primary vulnerabilities in the current Cypherpunk/Mixmaster anonymous remailer system, and how I suspect some of these vulnerabilities are being quietly exploited. It is not my intention to undermine confidence in the current system, which does offer substantial security and usefulness, but to discuss potential and probable threats with the goal of long-term improvement. To date I have written three remailer clients (Potato, JBN 1 and 2) and a Windows remailer (Reliable), and in attempting to test the features thoroughly over several years time, have observed various problematic aspects of the remailer system, and have attempted to analyze anomalies very carefully. I am sharing these observations now because I am fairly confident that if they are not accurate, they are at least plausible fiction, and thus worthy of consideration. Contents: WHAT I HAVE OBSERVED SELECTIVE DOS PLAUSIBILITY THE HOLE WHAT I HAVE NOT OBSERVED OTHER ATTACKS WHY BE CONCERNED? WHAT CAN BE DONE THE NEXT GENERATION IN CLOSING WHAT I HAVE OBSERVED Briefly, I have observed the same thing that many remailer users have complained about for some time - lost mail. The possible difference is that I have investigated it a little more deliberately than most users would care to do. Some mail sent through remailers vanishes. This has previously been explained as unreliable software, hardware, networking, etc. However I have found these explanations to be insufficient to explain my observations. One of the goals of writing Potato (and likewise JBN) was to provide a remailer client that would be very accurate and dependable, thus providing a means to produce consistent and dependably formatted mail. By allowing users to save templates of message constructions, it removes a lot of human error. It also provides an artificial memory by which a user can verify whether or not a missing message was constructed properly. Likewise, Reliable (as the name implies) was designed to do everything possible to eliminate disappearing messages. Reliable is very reluctant to discard messages, and has several tiers of message disposal, with the ability to requeue messages which are unprocessed due to misconfiguration or other questionable problems. In addition, the Freedom and Mixmaster remailers have undergone a lot of work by Johannes Kroeger and Ulf Moller which I believe has made them much more dependable (and secure) than remailers operating some years ago. As a result of these improvements we have clients and servers which run consistently and with a large degree of reliability. So why is it so very difficult to generate a dependable and secure reply-block? Some of my observations: Some mail vanishes, particularly if unique (not sent through a previously established encrypted reply-block). Mail which is securely encrypted is more likely to vanish or be delayed than are simple messages. Mail which is well-chained is far more likely to be lost, even allowing for increased probability of serial failure and other causes, even when all remailers in the chain test ok. Ping messages are more reliable than real mail. The new version 2 stats reveal that most remailers are very consistent and reliable in processing pings, and true network and server down time is very obvious and quite rare. Yet actual use of the remailers in chains paints a very different picture than these stats. Established reply-blocks may work flawlessly, while a newly created reply-block with the same remailers will be delayed or lost. New reply-block chains are delayed for the first several uses. There is a correspondence between nym accounts and new reply-block unreliability. (ie a new reply-block for [EMAIL PROTECTED] will be consistently more unreliable than the same or similar reply-block for [EMAIL PROTECTED]) Remailer operators complain of their stats being low despite their remailer functioning normally. Conduction of some news messages between servers is impeded beyond expectations. Isolated incidents can be dismissed as coincidence, due to traffic levels, and other variations, but over time the trends become very clear and disturbing, the reasons ever diminishing. I think most remailer and nym users are well acquainted with this behavior, to the point where they take it for granted, and I think some of those who work
FC00 SUBMISSION DEADLINE REMINDER
--- begin forwarded text Resent-Date: Wed, 22 Sep 1999 03:34:16 -0400 Date: Wed, 22 Sep 1999 09:34:05 +0200 (MET DST) From: Ray Hirschfeld [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: FC00 SUBMISSION DEADLINE REMINDER Reply-to: [EMAIL PROTECTED] Resent-From: [EMAIL PROTECTED] Resent-Sender: [EMAIL PROTECTED] Resent-Bcc: Just a reminder that the deadline for Financial Cryptography '00 conference submissions is September 24 (the day after tomorrow). This year electronic submissions are possible. Instructions for electronic submission can be found at http://www.fc00.cs.uwm.edu/esub.html. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
KISA Attack
--- begin forwarded text Date: Wed, 22 Sep 1999 05:25:40 -0400 To: [EMAIL PROTECTED] From: John Young [EMAIL PROTECTED] Subject: KISA Attack Sender: [EMAIL PROTECTED] Reply-To: John Young [EMAIL PROTECTED] For the past two days jya.com has been under attack by the Korea Information Security Agency http://www.kisa.or.kr which has set up (or allowed) a couple of robots to issue a sustained flood of requests for the same three files, one per second, which has nearly stopped access by others. We've written the [EMAIL PROTECTED] to no effect. The phone listed at the KISA web site does not answer. A robot exclusion file has not worked. Any suggestions for ways to ebola the invaders? We filed criminal charges with the international cybercrimes tribunal but do not expect rapid deployment of their cooping cops -- spooned with KISA's. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Is There a Visor Security Model?
Everyone's probably heard of the new Palm-alike Visor by now, and it's got this "springboard" slot in the back processors, memory, and other stuff. The Palm's security model is, by most accounts I've seen, non-existant. Is the Visor any better? It would be nice to have a portable cryptographic/signature/digital money device. Are we any closer? Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Smart Cards with Chips encouraged
I remember Ian, Adam, someone else and I talking about the card-in-a-floppy thing at CFP '96. Soulda, woulda, coulda, and all that... Cheers, RAH --- begin forwarded text From: [EMAIL PROTECTED] Date: Mon, 20 Sep 1999 08:50:44 -0500 To: [EMAIL PROTECTED] Subject: IP: Smart Cards with Chips encouraged Cc: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: New York Times http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html September 20, 1999 By BOB TEDESCHI New Hardware Could Help Web Merchants Cut Fraud Credit card companies love the Internet, since they pocket a share of most e-commerce transactions. But like everything in the world of revolving credit, that love has limits. Stolen cards used to make purchases online, in particular, cost credit card issuers millions each year -- pushing the price of doing business on the Web higher for banks, merchants and, ultimately, users. So even as the major credit card companies and the banks that issue those cards explore ways to build Internet market share, they are also looking for creative ways to limit fraud. The recent launch of the American Express blue card, which comes with an embedded computer chip, is an example of both efforts. Since the card's chip can access a user's personal information, it will eliminate the hassle of typing in that data in every Web purchase -- and, American Express hopes, encourage people to use its card. At the same time, the chip limits the fraud by guaranteeing the shopper's identity and offering greater protection to the buyer's information during the transaction. The key to these features is a piece of computer hardware that, until now, has been foreign to the desktop: a credit card reading device. Starting in November, blue card owners will be able to obtain such a device, which they will be able to plug into their PC's, enabling them to swipe the card at home much like a sales clerk would at a retail store. Other credit card issuers are exploring similar technologies. One company that makes a card-reading device for personal computers, UTM Systems, recently announced that four major U.S. banks affiliated with both Visa and Mastercard International will begin distributing its system free to consumers before the end of the year. UTM's founder and chief executive, Robert Lee, declined to name the banks, but said they served "well over 10 million customers." The device, which costs the card issuers $6 a unit, is simple. When a user is ready to make an online purchase, the credit or debit card is placed in the UTM card reader, which is inserted into a floppy disk drive. A small window then appears on screen, asks for a personal identification number and sends the encrypted information to the retail site. When the transaction is complete, the window disappears. David Robertson, president of the Nilson Report, a credit card industry newsletter, predicted that credit card companies would be aggressive in spreading such technologies. "American Express is the first, but you'll see everyone start to do this by the end of the first quarter of next year," he said. "It's inevitable." From the standpoint of fraud prevention, card issuers have great incentive to promote the devices, he said. Issuers lose roughly 8 cents for every $100 in online sales to fraudulent card use -- "slightly higher than the market at large, but it's growing," Robertson said. "The industry has been fabulously successful at pushing fraud down in general," he added. "But that just highlights the liability associated with the Internet." Which is not to say that Visa, American Express and Mastercard are stepping lightly into the electronic frontier. Each has begun major Internet-related advertising efforts, of which Visa's is the most aggressive. According to the Nilson Report, 59 percent of Internet credit card purchases are made with Visa, 28 percent with Mastercard and 12 percent with American Express. Off line, Visa has a 51 percent share, compared with 25 percent for Mastercard and 17 percent for American Express. In part, the success of PC-based credit card readers hinges on how secure consumers feel about credit card transactions on the Web. While such devices in fact provide users more security than typical Internet transactions, surveys indicate that consumers are less concerned about entering their credit card data online than they used to be. One recent survey by Navidec, a consulting firm, indicated that 21 percent of Internet users worry about credit card security during transactions, about half the number that expressed such concerns in 1997. However, Paul Hughes, an analyst with the Yankee Group consulting firm, says that new Internet users might warm to these devices, given the trepidation with which many still approach online shopping in general. "That said, the credit card companies are going to have to do some creative marketing to drive these into the hands of consumers," he
Re: Secure Digital Memory Chip??
--- begin forwarded text Resent-Date: Mon, 20 Sep 1999 14:43:10 -0400 Date: Mon, 20 Sep 1999 11:28:35 -0700 (PDT) From: Peter A Pongracz-Bartha [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Secure Digital Memory Chip?? To: [EMAIL PROTECTED] Resent-From: [EMAIL PROTECTED] Resent-Sender: [EMAIL PROTECTED] Resent-Bcc: I think it was Scientific American within the last 2-3 months. I won't check right now, but it could be I really saw it in CACM, or IEEE/Computer instead. Basically a MEMS research project where you have a keyed pinblock that is driven by electronics, but can't be spoofed like existing smart card solutions. That is, you can't use fault-injection (via microwaves or other means) then analyze the resultant output to make it orders of magnitude easier to break the key. I'd like to see what Ron Rivest thinks of this. He's probably commented on it in a crypto list somewhere. Peter On Mon, 20 Sep 1999, Carlos Mora wrote: A friend of mine just mentioned that he had read in some paper about a "secure digital memory chip" or "secure miniature memory chip". -- Subcription/unsubscription/info requests: send e-mail with subject of "subscribe", "unsubscribe", or "info" to [EMAIL PROTECTED] Wear-Hard Mailing List Archive (searchable): http://wearables.blu.org --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Ecash without a mint
At 1:52 PM -0700 on 9/20/99, Wei Dai wrote: Unfortunately it seems unavoidable unless you have a trusted party control the money supply. Yes. In business, they call this quaint phenomenon "financial intermediation". ;-). Seriously, if you have *lots* of intermediaries in competition, the situation is *quite* stable and very robust, which is the whole point of free banking. Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: fc00 boat charter
Let's see if the fc00 list is up yet. I bet it isn't... At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks: Just maybe. Depends on how long it takes -- I can't justify an overwhelming amount of time away from the office. Seems to me there'd be a huge difference in terms of time and cost from Boston and Miami. (Heck, how about Norfolk or somewhere in MD/VA near DC?) Quite a long haul from either place, in fact, and I'd rather *sail*, anyway :-). Of course, booking a block of cruise-ship rooms out of Miami, or San Juan, or St. Thomas even, might not be a bad thing. Can't really expect it to park in Anguilla for a week, though, as Ryan notes below. I've been kicking around the idea of boat-cabin-as-hotel-room ever since we started the Financial Cryptography conference; you can't look down on the brilliant turquoise water of Sandy Ground from the cliff near the InterIsland by Raffi's and *not* imagine sitting on the the world's greatest back porch, Rum-something-or-other in hand, watching the sun go down. We could never make it work out, for one reason or another. This year, however, a friend on our Boston harbor round-the-cans crew owns 50-footer for charter out of Virgin Gorda, and some of that crew, and some sailing FCXX regulars, and I, have been kicking around the idea pretty seriously between tacks and climbs to the next high side. I've got 5 to 8 people so far, I think, which probably fills the boat at the high side of *that*, though people will probably sign on and drop off. We're probably looking at two weeks on the boat, with various people dropping in and out at various locations. We haven't figured out whether we'd start in the BVIs or end there, though. And, of course, the idea is to park on Sandy Ground for the conference no matter what we do. I have to be on Anguilla some part of the weekend before and/or after, but, besides that, it doesn't matter to me, when or where we sail at all :-). I can see it now... Do the conference in the AM, and sail a bit in the PM... Yes, boys and girls, there *is* a reason I invented the conference with *no* afternoon sessions... :-). Chartering a sailboat on Saint Martin/Maarten (the island is French/Dutch and has a nice, big runway with lots of direct flights to Europe and the States) and sailing over to Anguilla is pretty straightforward, and the only reason we're even thinking about sailing a boat, overnight, out of sight of land, all the way across the Gut from the Virgins is, well, because we *can*, :-), having a boat full of sailing "ringers", as it were. But, however you want do it, FC00 is in the middle of the Carribbean high season, so getting your boat chartered should be done quickly, if it's still even possible. Cheers, RAH At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks: Just maybe. Depends on how long it takes -- I can't justify an overwhelming amount of time away from the office. Seems to me there'd be a huge difference in terms of time and cost from Boston and Miami. (Heck, how about Norfolk or somewhere in MD/VA near DC?) -Declan At 05:25 9/19/1999 -0700, Ryan Lackey wrote: Would anyone be interested in potentially chartering a boat (or block-booking on a cruise) from a major East Coast city (probably Boston, NYC, Miami) to Anguilla for fc00? It'll certainly not be a cost savings over flying, but would be far more fun. This idea came up last year, but didn't happen. (a cruise would presumably terminate in Sint Maarten, which is an 8 nm ferry away; a chartered boat could hang around and be housing...) There are also possibilities for getting group airfare from SFO to cruise port in the US... -- [EMAIL PROTECTED] http://www.venona.com/rdl/ 1024D/4096g 0xD2E0301F B8B8 3D95 F940 9760 C64B DE90 07AD BE07 D2E0 301F - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: more re Encryption Technology Limits Eased
--- begin forwarded text Date: Thu, 16 Sep 1999 16:08:10 -0700 To: [EMAIL PROTECTED] From: John Muller [EMAIL PROTECTED] Subject: Re: more re Encryption Technology Limits Eased Sender: [EMAIL PROTECTED] Reply-To: John Muller [EMAIL PROTECTED] You can now find a fuller set of White House materials, including the press statement and fact sheet on the crypto export policy and a fact sheet and letter to Congress on the Cyberspace Electronic Security Act, at http://www.pub.whitehouse.gov/search/white-house-publications?everything+%3 Eyesterday+%3D200+. This URL is probably only good for one day. John Muller [EMAIL PROTECTED] [EMAIL PROTECTED] "Just because it's simple doesn't mean it's easy" For help on using this list (especially unsubscribing), send a message to "[EMAIL PROTECTED]" with one line of text: "help". --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Ah. That's more like it...
Sorry for the confusion. The title above referred to me passing the *right* information along, as opposed to last year's press announcement, which was, of course, embarrassing, but not the end of the world. As to whether the current administration's new cryptography regulations are better, I agree with John Young's indictment of this latest beaurosophistic spin-festival. Their Xenonian process of recursive half-regulation is as much a sham as everything else the government has done with respect to strong cryptography. If they were to say they were completely decontrolling cryptography export, then it would matter, but, of course, they will never say it. And, frankly, as Tim May says time and time again, it doesn't really matter whether American companies can sell cryptography to the rest of the world, as long as they can sell cryptography in America. The rest of the world is demonstrating a marked ability to take care of itself in that regard, anyway. To my mind, the market, and not the law, matters here, and the market is doing just fine, thank you very much. Furthermore, the market for internet financial cryptography understands the theory of limits a whole lot better than our current crop of innumerate, latter-day Sophist "policymakers" ever can: Just keep taking halfsies, and, quite quickly, you eventually end up with the whole thing. Even better, the half-life of this particular game of halfsies seems to go down geometrically as the number of dollars spent over the internet goes up. More fun with numbers. "Policymakers" can claim a geocentric universe and a flat earth as far into the age of discovery as they want to, in other words. What they *say* doesn't matter nearly as much as what the market *does*. Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
ACP Applauds Modernization of Encryption Policy
More a proof of the uselessness of the new encryption policy than an endorsement, I'd say. If the lobbyists like it, there must be something wrong with it? Cheers, RAH --- begin forwarded text Date: 17 Sep 1999 02:39:53 - To: [EMAIL PROTECTED] From: "Privacy Concerns" [EMAIL PROTECTED] Subject: IP: Encryption Policy Sender: [EMAIL PROTECTED] Reply-To: "Privacy Concerns" [EMAIL PROTECTED] Status: U Privacy Concerns - http://www.angelfire.com/biz/privacyconcerns/index.html ACP Applauds Modernization of Encryption Policy WASHINGTON--(BUSINESS WIRE)--Sept. 16, 1999--The following statement was issued today by Ed Gillespie, executive director, and Jack Quinn, counsel, Americans for Computer Privacy (ACP), in response to the Clinton Administration's announcement of new encryption export regulations: "We congratulate the Administration for providing the effective leadership this complicated issue deserves. Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure. "Having worked closely for the past 18 months with the Administration and Congress to ensure that America has a clear and realistic encryption policy, ACP is particularly gratified by today's announcement. We applaud the Administration for providing U.S. manufacturers with a level playing field in the global high-tech marketplace. We also wish to pay tribute to those in Congress who tirelessly sought reforms through their support of the Security and Freedom Through Information (SAFE) Act -- particularly Representatives Bob Goodlatte (R-Va.), Zoe Lofgren (D-Calif.) and the bi-partisan leadership of the House. We also want to recognize Senators McCain and Leahy who championed the PROTECT and E-Rights bills in the Senate. "ACP understands today's announcement to mean that all strengths and types of encryption hardware and software can be sold to individuals and businesses throughout the world, with the exception of the seven terrorist states. We understand that the Administration will replace the existing export licensing scheme with a simple technical review of products and reporting on sales where practical. Importantly, we understand that the Administration recognizes that the realities of mass market distribution mean it is impossible to report information on individual end users. "This development is the new policy America needs to maintain its technological leadership, strengthen the government's abilities to protect our critical infrastructure, and fight crime in the Information Age. We look forward to working with the Administration and Congress in coming months on details and implementation of the new policy, and to do so in ways that do not jeopardize our statutory and constitutional rights to privacy." Americans for Computer Privacy (ACP) is a broad-based coalition that brings together more than 100 companies and 40 associations representing financial services, manufacturing, telecommunications, high-tech and transportation, as well as law enforcement, civil-liberty, pro-family and taxpayer groups. ACP supports policies that advance the rights of American citizens to encode information without fear of government intrusion, and advocates the lifting of export restrictions on U.S.-made encryption. For more information on ACP, visit the Web site at www.computerprivacy.org --30--AR/na CONTACT: Americans for Computer Privacy Sue Richard or Kristin Litterst, 202/625-1256 Web site: http://www.computerprivacy.org * Like to contribute an article or comment about this one? E-mail [EMAIL PROTECTED] * Privacy Concerns is a free public service of D. A. H. Investigative Consultants, a Cincinnati based private investigation firm. E-mail: [EMAIL PROTECTED] or toll free, 888-249-2404. ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
White House Report: Preserving America's Privacy in the NextCentury
--- begin forwarded text From: [EMAIL PROTECTED] Date: Fri, 17 Sep 1999 09:50:09 -0500 To: [EMAIL PROTECTED] Subject: IP: Privacy: Watch Out for Doublespeak Cc: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: US Newswire http://www.usnewswire.com/topnews/Current_Releases/0916-164.htm WH Report: Preserving America's Privacy U.S. Newswire 16 Sep 20:14 White House Report: Preserving America's Privacy in the Next Century To: National Desk, Technology Reporter Contact: White House Press Office, 202-456-2100 WASHINGTON, Sept. 16 /U.S. Newswire/ -- The following was released today by the White House: PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY: A STRATEGY FOR AMERICA IN CYBERSPACE A REPORT TO THE PRESIDENT OF THE UNITED STATES September 16, 1999 William Cohen, Secretary of Defense Janet Reno, Attorney General Jacob J. Lew, Director of the Office of Management and Budget William Daley, Secretary of Commerce -- PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY: A STRATEGY FOR AMERICA IN CYBERSPACE 1. A TIME OF PIVOTAL CHANGE American history has been punctuated by periods in which the Nation had to respond to sweeping social, economic and technological developments. In the best of times, people working together in government and industry became the engine of progress that shaped the character of the time and facilitated new prosperity and opportunity for Americans. Three examples illustrate this point. Opening the Heartland and Expanding the Frontier. Beginning with the Louisiana Purchase in 1803, the government initiated a remarkably successful policy to open up a vast new area. Over the next five decades, the United States doubled the size of its territory. Under the government's plan, land grants were given to railroads to open the Midwest and in turn to create a future market for rail services. Land was awarded to homesteaders, and yet other parcels were reserved as income sources for institutions of higher education. The technological advance of the railroad was the engine pulling this growth. From the 1820s to 1900, American railroads added an average of more than 2,000 miles of track each year. By the close of the 19th century, the combination of these factors had served to triple the size of our nation. The Administration and the Congress, working together and in concert with technology advances, created an infrastructure for a new society. -- Industrialization and the Great Depression Produce a New Society. Around the turn of the century, the country was firmly in the Industrial Age. Technical innovations in automation and machinery spurred the growth of factories, assembly lines and mass production in our nation's cities. The Ford assembly line for the Model T and the Wright brother's flight catapulted us into a mobile society and drove further technological innovations. Telephones became more commonplace and the nation began to shrink as news and information traveled faster. As a nation, we created new opportunities in industries never heard of, and created a new class of wealth, based on opportunity and innovation, not birthright. The economy moved from an agrarian society to an industrial society. But the growth and prosperity experienced by many halted when the Great Depression gripped the country. In response, the government developed a series of creative policies and programs that brought government and business to the common task of restoring productivity to America. While there were a number of social programs, government support for technology was key to driving development. For example, the government took a pivotal role in expanding the electrical grids that would become the backbone of our national infrastructure, first with the creation of the Tennessee Valley Authority in 1933 and two years later with the creation of the Rural Electrification Administration. Electrical technology, in the ensuing years, radically altered the capabilities of America's rural farms and industry. Just as important, it created a transmission belt that further disseminated the ideas and technology being generated in the nation's cities. -- A World War Produces a Global Community and the American Century. In a third case, World War II shattered the international political system at the same time that it brought an end to 19th century colonialism. The creation of the World Bank, the International Monetary Fund, and the rules for a global trading system became the cornerstones of the emerging global economy. The urgent need for increased production and the burst of scientific funding associated with the war effort -- sustained by a continuing Federal commitment to new science and technology in the following years -- vaulted the United States into the age of electronics and computers -- the beginning of the Information Age. Advances in telecommunications, such as broad-band carrier systems and switching devices, combined
DCSB: Gerald Gold; Internet Content -- Stories from the Front
--- begin forwarded text Date: Thu, 16 Sep 1999 08:24:58 -0400 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: DCSB: Gerald Gold; Internet Content -- Stories from the Front Cc: Gerald Gold [EMAIL PROTECTED], Warren Agin [EMAIL PROTECTED], Rodney Thayer [EMAIL PROTECTED], Muni Savyon [EMAIL PROTECTED], Elias Israel [EMAIL PROTECTED], Suzan Dionne [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Robert Hettinga [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- The Digital Commerce Society of Boston Presents Gerald Gold Vice President, eCommerce Application Development Peanut Press Internet Content: Stories from the Front Tuesday, October 5th, 1999 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Are people willing to spend money to download an electronic file that contains the text of a novel? Are book publishers willing to risk piracy by offering their products in electronic format for sale via the web? What does geography have to do with selling ebooks online? Practical answers to these questions (and many others) had to be found in order to build peanutpress.com: the world's premier provider of ebooks from publishers' front lists, designed to be read on PDAs (such as Palm connected organizers). The discussion will focus on real world issues that surround the interesting complexities of building an online store that creates, sells, and delivers electronic books. Gerald Gold has been working with text since he was a toddler. From about the age of two, the alphabet held a particular fascination. Numbers weren't far behind; arithmetic and then logic soon occupied a significant part of his daily thinking. Since 1994 Gerald has been developing web sites. What better venue is there than programming for the World Wide Web in which to share a passion for managing, manipulating, and processing text and numbers? This meeting of the Digital Commerce Society of Boston will be held on Tuesday, October 5, 1999, from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, on One Federal Street. The price for lunch is $35.00. This price includes lunch, room rental, various A/V hardware, and the speakers' lunch. The Harvard Club *does* have dress code: jackets and ties for men (and no sneakers or jeans), and "appropriate business attire" (whatever that means), for women. Fair warning: since we purchase these luncheons in advance, we will be unable to refund the price of your lunch if the Club finds you in violation of the dress code. We need to receive a company check, or money order, (or, if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, September 2nd, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston", in the amount of $35.00. Please include your e-mail address so that we can send you a confirmation If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Upcoming speakers for DCSB are: November Warren AginSecured Internet Lending December Rodney Thayer Cryptographic Transnationality JanuaryElias Israel The Libertarians and Digital Commerce February Suzan Dionne The Law of Digital Cash We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you are a principal in digital commerce, and would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga, mailto: [EMAIL PROTECTED]. For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . We look forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com iQEVAwUBN+DhbMUCGwxmWcHhAQF8YAf/Q/jv2GUJeTfX4hhZKVoOJ/ZQZWiEjrEf eX0fm90G2HJ+KqIoD7AxEEKOKkS95SUuX4WJrGWkLlyAUm24/isLXhaUizTRBmul 6XuqrSCf+4ijUpdwce9KyFVwqf9vqacg9C7NoDkMg0KBhv+/2uEaZsHKlm4SjBpi BC6QUgDIIdTXQ/IJDpR4tRVszRtKxbS3wqmyV1N7LFKo8M519VgDhpJE8vUssCYv W2e8/YFLcAVR1Z12tz8g+AH6x6s8rw8Kb243e9f4YwmEUr3NeUWpvm3NoesfKC7K 53QLf09seTJF
Administration Updates Encryption Policy
--- begin forwarded text Date: Thu, 16 Sep 1999 14:36:39 -0400 To: [EMAIL PROTECTED] From: Hudson Barton [EMAIL PROTECTED] Subject: Administration Updates Encryption Policy Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20mac-crypto Office of the Press Secretary For Immediate Release September 16, 1998 STATEMENT BY THE PRESS SECRETARY Administration Updates Encryption Policy The Clinton Administration today announced a series of steps to update its encryption policy in a way that meets the full range of national interests: promotes electronic commerce, supports law enforcement and national security and protects privacy. These steps are a result of several months of intensive dialogue between the government and U.S. industry, the law enforcement community and privacy groups that was called for by the Vice President and supported by members of Congress. As the Vice President stated in a letter to Senator Daschle, the Administration remains committed to assuring that the nation's law enforcement community will be able to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information. The Administration intends to support FBI's establishment of a technical support center to help build the technical capacity of law enforcement - Federal, State, and local - to stay abreast of advancing communications technology. The Administration will also strengthen its support for electronic commerce by permitting the export of strong encryption when used to protect sensitive financial, health, medical, and business proprietary information in electronic form. The updated export policy will allow U.S. companies new opportunities to sell encryption products to almost 70 percent of the world's economy, including the European Union, the Caribbean and some Asian and South American countries. These changes in export policy were based on input from industry groups while being protective of national security and law enforcement interests. The new export guidelines will permit exports to other industries beyond financial institutions, and further streamline exports of key recovery products and other recoverable encryption products. Exports to those end users and destination countries not addressed by today's announcement will continue to be reviewed on a case-by-case basis. Very strong encryption with any key length (with or without key recovery) will now be permitted for export under license exception, to several industry sectors. For example, U.S. companies will be able to export very strong encryption for use between their headquarters and their foreign subsidiaries worldwide except the seven terrorist countries (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba) to protect their sensitive company proprietary information. On-line merchants in 45 countries will be able to use robust U.S. encryption products to protect their on-line electronic commerce transactions with their customers over the Internet. Insurance companies as well as the health and medical sectors in those same 45 countries will be able to purchase and use robust U.S. encryption products to secure health and insurance data among legitimate users such as hospitals, health care professionals, patients, insurers and their customers. The new guidelines also allow encryption hardware and software products with encryption strength up to 56-bit DES or equivalent to be exported without a license, after a one time technical review, to all users outside the seven terrorist countries. Currently, streamlined exports of DES products are permitted for those companies that have filed key recovery business plans. However, with the new guidelines, key recovery business plans will no longer be required. The Administration will continue to promote the development of key recovery products by easing regulatory requirements. For the more than 60 companies which have submitted plans to develop and market key recovery encryption products, the six month progress reviews will no longer be required. Once the products are ready for market they can be exported, with any bit length -- without a license -- world-wide (except to terrorist nations) after a one-time review. Furthermore, exporters will no longer need to name or submit additional information on a key recovery agent prior to export. These requirements will be removed from the regulations. Finally, industry has identified other so-called "recoverable" products and techniques that allow for the recovery of plaintext by a system or network administrator and that can also assist law enforcement access,subject to strict procedures. The administration will permit their export for use within most foreign commercial firms, and their wholly-owned subsidiaries, in large markets, including Western Europe,
IP: Statement By The Press Secretary: Administration AnnouncesNew Approach to Encryption
--- begin forwarded text Date: Thu, 16 Sep 1999 15:32:09 -0400 To: [EMAIL PROTECTED] From: David Farber [EMAIL PROTECTED] Subject: IP: Statement By The Press Secretary: Administration Announces New Approach to Encryption Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] THE WHITE HOUSE Office of the Press Secretary ___ For Immediate Release September 16, 1999 STATEMENT BY THE PRESS SECRETARY Administration Announces New Approach to Encryption One year ago today, Vice President Gore announced updates to the Administration?s encryption policy to serve the full range of national interests: promoting electronic commerce, supporting law enforcement and national security, and protecting privacy. The announcement permitted the export of strong encryption to protect sensitive information in the financial, health, medical, and electronic commerce sectors. It also included support for the continued ability of the nation?s law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information. At that time the Administration committed to reviewing its policy in one year. Today, the Administration announces the results of that review, conducted in consultation with industry and privacy groups and the Congress. The strategy announced today continues to maintain the balance among privacy, commercial interests, public safety and national security. This approach is comprised of three elements ? information security and privacy, a new framework for export controls, and updated tools for law enforcement. First, the strategy recognizes that sensitive electronic information ? government, commercial, and privacy information -- requires strong protection from unauthorized and unlawful access if the great promise of the electronic age is to be realized. Second, it protects vital national security interests through an updated framework for encryption export controls that also recognizes growing demands in the global marketplace for strong encryption products. Finally, it is designed to assure that, as strong encryption proliferates, law enforcement remains able to protect America and Americans in the physical world and in cyberspace. With respect to encryption export controls, the strategy announced today rests on three principles: a one-time technical review of encryption products in advance of sale, a streamlined post-export reporting system, and a process that permits the government to review the exports of strong encryption to foreign government and military organizations and to nations of concern. Consistent with these principles, the government will significantly update and simplify export controls on encryption. The updated guidelines will allow U.S. companies new opportunities to sell their products to most end users in global markets. Under this policy: ?Any encryption commodity or software of any key length may be exported under license exception (i.e., without a license), after a technical review, to individuals, commercial firms, and other non-government end users in any country except for the seven state supporters of terrorism. ?Any retail encryption commodities and software of any key length may be exported under license exception, after a technical review, to any end user in any country, except for the seven state supporters of terrorism. ?Streamlined post-export reporting will provide government with an understanding of where strong encryption is being exported, while also reflecting industry business models and distribution channels. ?Sector definitions and country lists are eliminated. The Administration intends to codify this new policy in export regulations by December 15, 1999, following consultations on the details with affected stakeholders. In support of public safety, the President is today transmitting to the Congress legislation that seeks to assure that law enforcement has the legal tools, personnel, and equipment necessary to investigate crime in an encrypted world. Specifically, the Cyberspace Electronic Security Act of 1999 would: ? Ensure that law enforcement maintains its ability to access decryption information stored with third parties, while protecting such information from inappropriate release. ? Authorize $80 million over four years for the FBI?s Technical Support Center, which will serve as a centralized technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by criminals. ? Protect sensitive investigative techniques and industry trade secrets from unnecessary disclosure in litigation or criminal trials
Ah. That's more like it...
--- begin forwarded text Date: 16 Sep 99 15:09:33 EDT From: ROBERT HARPER [EMAIL PROTECTED] To: Ignition Point [EMAIL PROTECTED] Subject: IP: White House changes crypto policy! Sender: [EMAIL PROTECTED] Reply-To: ROBERT HARPER [EMAIL PROTECTED] http://foxnews.com/ White House bows to pressure from high-tech industry over encryption 2.43 p.m. ET (1848 GMT) September 16, 1999 By Ted Bridis, Associated Press WASHINGTON (AP) - The White House agreed Thursday to allow U.S. companies to sell the most powerful data-scrambling technology overseas with virtually no restrictions, a concession to America's high-tech industry over law enforcement and national security objections. The move was a defeat for the Justice Department, which had forcefully argued that criminals and terrorists might use the technology to scramble messages about crimes or deadly plots. On the other hand, the decision should help U.S. companies in overseas competition - and help consumers worldwide guarantee the privacy of their e-mail and online credit-card purchases. Critics of restrictions on export sales said criminals and terrorists already could buy or download powerful encryption technology made in other countries. "Those who are going to misuse encryption for criminal purchases aren't going to limit themselves to U.S.-made encryption products,'' said Ed Gillespie, executive director of Americans for Computer Privacy. The administration will allow high-tech companies to sell even the most powerful encryption technology overseas to private and commercial customers after a one-time technical review of their products. The White House will still require companies to seek permission to sell the scrambling technology to a foreign government or military, and it maintains bans on selling to seven terrorist nations: Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba. Previously, the administration allowed companies to sell the most powerful scrambling technology only to specific industries overseas; other foreign customers were generally limited to so-called 56-bit encryption products, meaning those with 72-quadrillion unlocking combinations. "This is a sweeping reform,'' said Dan Scheinman, senior vice president of legal and government affairs at Cisco Systems Inc. " Imagine you're banking online - you want to make sure those things are safe from a hacker. You buy things, you want to make sure your credit card is secure.'' The export limits never directly affected Americans, who are legally free to use encryption technology of any strength. But U.S. companies have been reluctant to develop one version of their technology for domestic use and a weaker overseas version, so they typically sell only the most powerful type that's legal for export, even to Americans. "Forcing U.S. companies to do business under tight export controls was like asking them to use a black rotary telephone in a cellular, call- waiting world,'' said Harris Miller, president of the Information Technology Association of America, a trade group. Critics cited more than 800 products available worldwide with stronger scrambling technology than the United States allowed its companies to sell overseas. "You can pull it down over the Internet in less than 20 minutes,'' said Gillespie. "Having Japanese and German and Irish companies be at the forefront of this technology is not in our best interests.'' A non-profit group of researchers demonstrated last summer it can unscramble a 56-bit coded message in just days using a custom-built computer worth less than $250,000. The White House announcement follows its decision exactly one year ago to relax export restrictions. At the time, Vice President Al Gore promised the administration would reconsider its limits within the year. Get free email and a permanent address at http://www.netaddress.com/?N=1 ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)
--- begin forwarded text From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] cc: [EMAIL PROTECTED] Date: Wed, 15 Sep 1999 16:44:49 +0300 Subject: Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC) Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] This is a reminder (see note below) that we plan to have a Micro Payments BOF in the next IETF. Please let me know if you are interested in presenting; preference will be given to presentations on the following topics: Goals of (micro)payment standardization activity in the IETF Reports on implementations of the W3C Micropayments Markup spec Reports on open designs which are proposed as basis for potential IETF standardization. In particular, I plan to present release 1.3 of IBM Micro Payments, which will implement W3C Micropayments Markup spec (I'll provide the details to make it very easy for others to interoperate), as well as open design. On that regard, I'll describe in details the APIs to allow integration (e.g. OEM) with wallet UI, merchant server, and legacy billing systems. I also plan to describe the protocols, although I can't promise to have them in Internet-Draft level of details (to allow interoperability); we'll do the effort of creating this level of documentation if there is sufficient interest by others (to implement etc.). As according to IETF regulations, proposals should describe in advance any intellectual property they believe somebody may own covering their proposals. (We believe the only patents or IPR on our design are the classical public key patents.) Please forward this note to potential interested parties. Best Regards, Amir Herzberg Manager, E-Business and Security Technologies IBM Research - Haifa Lab (Tel Aviv Office) http://www.hrl.il.ibm.com New e-mail: [EMAIL PROTECTED] New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL [EMAIL PROTECTED] on 29/08/99 10:36:30 Please respond to [EMAIL PROTECTED] To: Jeffrey Schiller [EMAIL PROTECTED] cc: Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED], Jeffrey Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED], mpay markup@IBMIL, micropay@IBMIL, [EMAIL PROTECTED] (bcc: Amir Herzberg/Haifa/IBM) Subject: Micro Payments BOF in the next IETF (Nov 99, Wash DC) Jeff, thanks. Please let me know the slot we got when assigned and I'll inform the community. For allocation purposes I assume a 2-hour slot unless will inform us otherwise. All: as noted below, Jeff Schiller, Security AD in the IETF, and the IESG, have agreed to hold a micropayments BOF in the next IETF (Nov. 99 in Wash. DC). The goals of the BOF are: Report on the W3C `Micro Payments Markup` recommendation which just entered `last call`. This is the result of the work of the MicroPayments working group of the W3C (chaired by Mark Manasses from Compaq and myself). Please notice the last call period will end earlier (I believe Sept. 30) so people who wish to comment on it are encouraged to do so using the (open to public) comment mailing list. The draft itself and other details are available in the W3C web site, www.w3c.org. In the traditional IETF spirit, reports on implementations (of the recommendation) would be encouraged. Explore whether there is need and sufficient interest to define an interoperable payment protocol suitable (at least) for micropayments, and if so, decide on the best means (most likely a request for new IETF WG). To this discussion, presentations by developers as well as customers and others of opinion are solicited. Please notice that the IESG has _not_ discussed or approved yet the creation of such a working group (neither was a request made yet). If time remains, short reports of developers of micropayment products may be presented, with the hope that this will eventually lead to more openness, cooperation and interoperability. Please notice there is already a mailing list dedicated to this potential standardization activity, [EMAIL PROTECTED] Please use this list to comment on the BOF or for relevant discussions even before the physical BOF. These headers explain everything: List-Subscribe: mailto:[EMAIL PROTECTED] List-Unubscribe: mailto:[EMAIL PROTECTED] List-Digest: mailto:[EMAIL PROTECTED] However, I suggest that proposals for presentations in the BOF be sent to me and I'll coordinate it (unless Jeff wants somebody else to do it). A related note: we try to maintain an updated list of _all_ resources, vendors, consultants, researches, and others in the `micropayments community`, we call this the `sub-$ registry` and it is a link off our IBM Micro Payments homepage http://www.hrl.il.ibm.com/mpay (don't have exact link now - I'm offline - but it's easy to find). Please let me know if you need to be added or have better details than what we got now... Best Regards, Amir Herzberg Manager, E-Business and Security Technologies IBM
IP: Admin Plans to Loosen Encryption Restrictions
--- begin forwarded text From: [EMAIL PROTECTED] Date: Tue, 14 Sep 1999 07:55:15 -0500 To: [EMAIL PROTECTED] Subject: IP: Admin Plans to Loosen Encryption Restrictions Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Status: U Source: New York Times http://www.nytimes.com/library/tech/99/09/cyber/capital/14capital.html September 14, 1999 By JERI CLAUSING Administration Plans to Loosen Encryption Restrictions WASHINGTON -- The Clinton Administration, facing mounting pressure to eliminate controls on the export of encryption technology, is preparing to announce a further loosening of the controversial restrictions. The planned changes come on the heels of a report from a special presidential advisory committee recommending the White House abandon nearly all export controls on software that protects Internet communications. They also come as the House is preparing to debate a bill that would lift most controls on the export of products intended to keep computer communications and transactions secure. William Reinsch, the Undersecretary of Commerce and President Clinton's point man on encryption policy, declined to comment on the upcoming announcement or the advisory committee's report, which has not been made public. But he said the Administration's new policy would be announced by September 16. The changes, he said, are the "result of our own policy review," although he did acknowledge that the advisory commission report "was valuable input into that." That upcoming policy change comes exactly one year after Vice President Al Gore first announced the Administration was lifting controls on the export of strong encryption to certain business sectors, like banks and insurance companies, and was providing limited export relief for mass market products. At the time, Gore promised the Administration would review the controls again within a year. Since then, the Administration has come under continued pressure to move even further, both from Congress and the President's encryption advisory panel. In June, the President's Export Council Subcommittee on Encryption sent the White House a report recommending the Administration loosen its restrictions on encryption technology to allow for the export of consumer products based on a 128-bit key. That is significantly stronger than the current limit on encryption products exempt from control. The report also recommended allowing the export of a broad range of encryption products to online merchants who need powerful security systems to do business; eliminating approval requirements on exports to countries that "do not present a significant national security concern," and giving preferential treatment to exports aimed at utilities, telecommunications companies and other infrastructure sectors at risk of hacking attacks. White House and Commerce Department officials are keeping quiet about how far the policy changes will go. But if the changes reflect recommendations made in the advisory panel's report, it would move the Administration much closer to ending its years-long battle with the high-tech industry. Technology executives say they are losing their lead to companies in countries without export restrictions. The Administration has resisted calls to eliminate the restrictions because of strong opposition from the Federal Bureau of Investigation and other law enforcement agencies. Those groups have been pushing tying any easing of export restrictions to mandates that software developers develop "spare keys" so law officers can easily unlock scrambled data and communications when they suspect a crime is being committed. Stewart Baker, a member of the advisory panel and former counsel to the National Security Agency, characterized the committee's report as "the most sweeping set of liberalizations that have ever been recommended by a government advisory body." Although some who have been fighting the Administration's export controls doubt the planned changes will go far enough to effect a truce with House and Senate leaders pushing legislation to eliminate export controls entirely, Baker said he remained optimistic that substantial revisions would still be made. "I think it's in play," said Baker. "There's still some possibility that this will turn out to be a smaller package than some might hope, but it's still open." Ed Gillespie, executive director of Americans for Computer Privacy, a coalition of high-tech and civil libertarian groups that have for years been pushing for an elimination of all export controls on data-scrambling technology, said adoption of the advisory committee report by the White House would be significant. "But we don't know what to expect at this point. We're watching like everyone else," he said. "If it's good, great. If not, we'll continue to advocate change." This week: A special task force appointed by Congress to study Internet tax issues will hold its second meeting. The Advisory Commission on
Encrypto Mailing List
--- begin forwarded text From: online-e [EMAIL PROTECTED] To: online-e [EMAIL PROTECTED] Subject: Encrypto Mailing List Date: Mon, 6 Sep 1999 15:24:34 -0500 Originator: [EMAIL PROTECTED] __ Online Europe ___ From: Thomas Roessler [EMAIL PROTECTED] Subject: Encrypto Mailing List A new mailing list, [EMAIL PROTECTED], has been established. It's intended for discussions of crypto politics with a focus on the European Union. Topics include: - Announcements and discussions on common European issues concerning availability, use, legal framework and politics of cryptographic techniques. - Announcements and discussions on common issues concerning communications interception and related topics, e.g. state-sponsored hacking of communication end points. - Announcements and brief discussions on national issues which may be of interest abroad. Extensive and in-depth discussions on such topics should be performed on respective national mailing lists such as [EMAIL PROTECTED] (for the UK), or [EMAIL PROTECTED] (for Germany). - Announcements and discussions on joint initiatives and campaigns concerning any of the abovementioned topics. To subscribe to the list, send an e-mail containing the words "subscribe eucrypto" to [EMAIL PROTECTED]. --- SPONSOR'S MESSAGE --- 24/7 Europe provides European Web Sites with focused advertising and sponsorship sales, locally, regionally and globally. With 14 offices in 12 European markets, and through 24/7 affiliates in the US, Asia Pacific and Latin America, we provide the one-stop solution that links Europe's online markets to the rest of the World. http://www.247europe.com If you find Online Europe useful, please forward this message to a friend or colleague. It's the easiest way you can contribute to increasing the value of this forum. To subscribe: mailto:[EMAIL PROTECTED] For information about Online Europe sponsorship, please contact Steven Carlson at mailto:[EMAIL PROTECTED] Online Europe is proudly hosted by Revnet Express. To learn more about how hosted email marketing can increase sales, build customer loyalty and strengthen brand awareness, please contact Lorraine Pieterse at: mailto:[EMAIL PROTECTED] To unsubscribe, mailto:[EMAIL PROTECTED] or ask the moderator for assistance at mailto:[EMAIL PROTECTED]. __ End of Online Europe Digest --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[PGP]: Bruce Schneier weighs in
--- begin forwarded text Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm-idx-0.40(alpha) Reply-To: [EMAIL PROTECTED] From: "grt" [EMAIL PROTECTED] Organization: ... To: [EMAIL PROTECTED] Date: Sat, 4 Sep 1999 09:24:02 -0400 CC: [EMAIL PROTECTED] Priority: normal Subject: [PGP]: Bruce Schneier weighs in FYI from: sci.crypt subject: NSA and MS windows A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suits that go into its operating system. The point is that only approved crypto suites can be used, which makes thing like export control easier. Annoying as it is, this is the current marketplace. Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft. Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes. I don't buy it. First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption. Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security. Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert. I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses. My original article: http://www.counterpane.com/crypto-gram-9904.html#certificates Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?sid=1pid=47aid=52 Useful news article: http://www.wired.com/news/news/technology/story/21577.html ** Bruce Schneier, President, Counterpane SystemsPhone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com - To retrieve this thread, e-mail: [EMAIL PROTECTED] To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] DO NOT send administrative requests/command to the list! Thanks. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
More details on Operation Broken Glass
Looks like last night was a kind of crypto-Kristallnacht, ja? Cheers, RAH (Who's not too shameless to plug FC00, here, in light of the Nicko and Adi's URL, below) --- begin forwarded text Date: Fri, 3 Sep 1999 10:03:57 -0700 Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED] Sender: Law Policy of Computer Communications [EMAIL PROTECTED] From: Greg Broiles [EMAIL PROTECTED] Subject: Re: Warning about Installation of Software -- Don't be fooled by NSA To: [EMAIL PROTECTED] At 09:33 AM 9/3/99 , David Lesher wrote: and I respectfully ask all the smart computer-savvy folks who read this message to check out this rumor and confirm whether it is a hoax, or whether it is for real. Your imput and wisdom is greatly appreciated. But note that the meat of the story requires you do no such thing. (More importantly, I can not see his claimed Crypto 99 rump session talk on the schedule) I spoke with a friend last night who attended the rump session at Crypto, who confirmed that the talk was given. The existence of the second key was discovered by a crypto researcher who had the insight that looking inside the executable for areas of unusually high entropy might prove revealing - he found two such areas, each1024 bits long (exactly the length of the Crypto API public key), where the design of Crypto API would only have required one .. leading to further investigation and disassembly of the code. One approach to independent verification would be to repeat the initial investigation - look through the RSABASE.DLL file in your \WINDOWS\SYSTEM directory looking for relatively high-entropy sequences. A paper describing this technique is available at http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf, and C code purporting to implement that seach is available at http://www.hedonism.demon.co.uk/paul/download/ncheck.c. -- Greg Broiles [EMAIL PROTECTED] PGP: 0x26E4488C --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: [dc-sage] Microsoft, the NSA, and you... (fwd)
--- begin forwarded text Date: Fri, 3 Sep 1999 16:32:38 -0400 Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED] Sender: Law Policy of Computer Communications [EMAIL PROTECTED] From: David Lesher [EMAIL PROTECTED] Subject: Re: [dc-sage] Microsoft, the NSA, and you... (fwd) To: [EMAIL PROTECTED] This is long and nerdy, but think it's worthwhile. Bugtraq, in general, is a place real security types hang out, although I can't speak re: Ross (As I don't claim to know more than a few crypto types; draw no conclusion from that.) I'll assume NTBugtraq is similar. Here's the NTBUGTRAQ post == From [EMAIL PROTECTED] Fri Sep 3 16:01:34 1999 Date: Fri, 3 Sep 1999 15:57:43 -0400 From: Russ [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Alert: CryptoAPI and _NSAKey issue -BEGIN PGP SIGNED MESSAGE- This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp Whoa horsie... I had a long chat with Andrew Fernandes this morning, as well as another chat with others, and of course I've had a ton of messages sent my way with various links to various stories about the issue. I wanted to get a few things straight before I sent this message, but given how quickly things are spreading it makes sent to send something interim. Ok, so here's what I can tell you. 1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA is based on; a) The variable is called "NSA". b) Its a second key, not known to exist in Windows previously. c) What possible purpose would a second key serve? d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on his website at http://www.cryptonym.com/hottopics/msft-nsa.html, I'll elaborate more later. 2. Sources close to Microsoft say that the key is a "Backup" key. It is owned by Microsoft, and only Microsoft have the private key to it. The key was named "_NSAKEY" because the NSA insisted that Microsoft include a backup key in their CryptoAPI before the Commerce Department would approve its inclusion in NT 4.0. Editorial - - There's a bunch of somewhat understandable furor going on over the idea that the NSA might have a backdoor to Windows. Unfortunately, however, all of this is based on a variable name. Anyone who programs knows that variables might get named anything for a variety of reasons. One would expect that they would be named descriptively, but alas, not everyone follows such stringent conventions (can you spell "Easter Egg"?). The Conspiracy Theorist's theory goes; - - - - The NSA has a signing key on your box. - - The NSA can implant a Trojan to replace the module which performs encryption on your box with one that doesn't perform encryption, and because the failure of signature verification against Microsoft's key is silent, they can get their trojan'd app up and running without you being any the wiser. - - The NSA can then sniff your traffic, now being conducted in plain-text. There's obviously a ton of variations possible on this theory, they take your private key, they replace your key with another, etc... They only have to get a Trojan to you and get you to run it, and as those same Conspiracy Theorists always say, speculationthere's likely bugs in the OS designed to allow them to do this.../speculation Yeah, could be true. My take from Microsoft's Perspective; - - - We want to have one build of our products that simultaneously supports weak or strong encryption functionality. - - We want to be able to ship this one product world-wide, changing as few bits as possible for those that are being shipped outside the U.S. and Canada. - - We'll build an API (good, bad, or otherwise) that allows the controlled bits to be inserted into an infrastructure, then get the infrastructure approved, and all will be good. - - Commerce (with advice from lots of people including the NSA), agrees, and tells Microsoft they have to sign everything that can use the infrastructure. That way, Microsoft can ship its product anywhere, and Commerce will know that only those products that have been signed by Microsoft will be able to run on the OS. - - You want to build a Cryptographic Service Provider (CSP), the module that performs the encryption, you gotta get Microsoft to sign it for it to run. Microsoft doesn't sign anything that doesn't have the appropriate Commerce Department Export approvals first. Wonderful, life's good, Microsoft doesn't have to manage multiple versions based on Crypto-strength, folks can implement whatever crypto they want (assuming its Commerce approved). Oh, the second key, I almost forgot; - --- I'm told the NSA insisted there had to be a backup. No explanation as to why yet, that's what I've been told. One theory that made a lot of sense to me was the simple idea of; What happens if
Policy page redux?
Shades of the plaintext-embedded-in-the-executable Netscape "policy page"? Or is it just more stupid Microsoft crypto programming? Father Occam prefers the latter, but you never know... Cheers, RAH --- begin forwarded text Date: Fri, 3 Sep 1999 15:34:04 -0300 Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED] Sender: Law Policy of Computer Communications [EMAIL PROTECTED] From: "Peter D. Junger" [EMAIL PROTECTED] Subject: Re: FW: Warning about Installation of Software -- Don't be fooled by NSA Rumors To: [EMAIL PROTECTED] Status: U Mark Shea writes: : There is a discussion of this issue at : http://www.slashdot.org/articles/99/09/03/0940241.shtml : http://www.slashdot.org/articles/99/09/03/0940241.shtml today. One of the : more informed and thoughtful posts (IMHO) was from a Windows coder who has : been working with this API for over a year. His/her comments can be seen at : http://www.slashdot.org/comments.pl?sid=99/09/03/0940241 : http://www.slashdot.org/comments.pl?sid=99/09/03/0940241cid=56 cid=56 . : I recommend, however, you take a look at the whole discussion. It is fairly : lively. I always get lost on /. but I was able to read some of the messages and some of the original material posted on the Internet. Apparently this bit of stupidity is more of an opportunity than a threat. As I understand it, the various versions of MSWindows include a Crypto Applications Program Interface---I don't really know about this, being much to snobbish to use Microsoft products---where one can plug in encryption modules. But the government would not let Microsoft export its Windows systems with this API unless it was crippled so that one could not plug in strong crypto. So the solution was to require that any crypto software installed on a MSWindows machine had to be signed by Microsoft using a public key. (I'm not quite sure of the type of key that was used.) So this crypto API contains a key that can be used to make sure that Microsoft has signed an appplication, and if an application is strong crypto it won't be signed by Microsoft and thus will not run under MSWindows. If you remove this Microsoft key from your Windows box, then you can't run any crypto applications (that use the crypto API). But now it turns out that some genius added a second key, called apparently the NSAKEY, to the API and that a crypto apllication will run if it is signed by either of the keys. You can remove the NSAKEY and anything signed by Microsoft will still run, but programs signed by NSA won't run (unless, I guess, they are also signed by Microsoft). And---and this is the good part---you can not only remove the NSAKEY, you can replace it with your own key, and then run any crypto applications programs that you want, no matter how strong! This effectively allows one to ignore the export controls on crypto applications that run on MSWindows. At least that is my understanding. If I am right, the question becomes whether the replacable second key is the result of stupidity---or of sabotage. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH EMAIL: [EMAIL PROTECTED]URL: http://samsara.law.cwru.edu NOTE: [EMAIL PROTECTED] no longer exists --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Microsoft Letting Government Snoop
--- begin forwarded text From: "Dan S" [EMAIL PROTECTED] To: "isml" [EMAIL PROTECTED] Subject: IP: Microsoft Letting Government Snoop Date: Fri, 3 Sep 1999 20:33:46 -0400 Sender: [EMAIL PROTECTED] Reply-To: "Dan S" [EMAIL PROTECTED] From http://www.news-real.com/apnews/19990903/21/01/5687004_st.html - Microsoft Letting Government Snoop Associated Press WASHINGTON (AP) -- [ Microsoft Corp. ] sought to assure consumers Friday that it did not insert a secret backdoor in its popular Windows software to allow the U.S. government to snoop on their sensitive computer data. The sensational charge of a quiet alliance between Microsoft and the U.S. National Security Agency came after a Canadian programmer stumbled across an obscure digital "signing key" that had been labeled the "NSA key" in the latest version of Microsoft's business-level Windows NT software. An organization with such a signature key accepted by Windows could theoretically load software to make it easier to look at sensitive data -- such as e-mail or financial records -- that had been scrambled. The flaw would affect almost any version of Windows, the software that runs most of the world's personal computers. Microsoft forcefully denied that it gave any government agency such a key, and explained that it called its function an "NSA key" because that federal agency reviews technical details for the export of powerful data-scrambling software. "These are just used to ensure that we're compliant with U.S. export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software. "We have not shared the private keys. We do not share our keys." The claim against Microsoft, originally leveled by security consultant Andrew Fernandes of Ontario on his Web site, spread quickly in e-mail and discussion groups across the Internet, especially in those corners of cyberspace where Microsoft and the federal government are often criticized. Culp called Fernandes' claims "completely false." An NSA spokesman declined immediate comment. Bruce Schneier, a cryptography expert, said the claim by Fernandes "makes no sense" because a government agency as sophisticated as the NSA doesn't need Microsoft's help to unscramble sensitive computer information. "That it allows the NSA to load unauthorized security services, compromise your operating system -- that's nonsense," said Schneier, who runs Counterpane Internet Security Inc. "The NSA can already do that, and it has nothing to do with this." Fernandes, who runs a small consulting firm in Canada, said he found the suspiciously named "NSA key" -- along with another key for Microsoft -- while examining the software code within the latest version of Windows NT. The existence of the second key was discovered earlier by other cryptographers, but Fernandes was the first to find its official name and theorize about its purpose. "That (the U.S. government) has ... installed a cryptographic back door in the world's most abundant operating system should send a strong message to foreign (information technology) managers," he warned on his Web site. But Fernandes seemed less worried Friday in a telephone interview. "I don't know that they have reason to lie," he said. "The main point is, you can't really trust what they're saying. They've been caught with their hand in the cookie jar. In fact, I think they're being fairly honest, but you don't know what else is in Windows." Publication Date: September 03, 1999 Powered by NewsReal's IndustryWatch -- Dan S ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
FC: Progressive Policy Institute forum in DC on September 13
--- begin forwarded text Date: Wed, 01 Sep 1999 16:01:33 -0400 To: [EMAIL PROTECTED] From: Declan McCullagh [EMAIL PROTECTED] Subject: FC: Progressive Policy Institute forum in DC on September 13 Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 01 Sep 1999 15:54:35 -0400 From: Randolph Court [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Policy makers and high-tech execs to meet in DC Declan - Please post this conference announcement to the politech mailing list. The Progressive Policy Institute's New Economy Task Force will host a public forum on the policy implications of the information technology revolution and the New Economy on Monday September 13 at the Ronald Reagan International Trade Building in Washington, DC. The Task Force is made up of 50 leading elected officials and New Economy entrepreneurs, including Senators Jeff Bingaman, Joe Lieberman, and Ron Wyden; Representatives Cal Dooley, Zoe Lofgren, and Adam Smith; America Online CTO Marc Andreesen, Intuit founder Scott Cook, Nanogen President and COO Tina Nova, and WebTV Co-founder Steve Pearlman. Co-chairmen Senate Democratic Leader Tom Daschle and Gateway CEO Ted Waitt, along with more than 20 other Task Force members will be attending the event on the 13th, where the group will release and discuss a new framing declaration: "Rules of the Road: Governing Principles for the New Economy." - AGENDA - Monday, September 13, 1999 10:00 am - Public Program Begins 10:00 - 10:10 - Welcome/Overview: Will Marshall, PPI President 10:10 - 10:40 - Opening Remarks: Task Force Co-Chairs, Sen. Tom Daschle (SD) and Gateway CEO Ted Waitt 10:40 - Noon - Panel Discussion: "Rules of the Road: Governing Principles for the New Economy." Task Force members will present and discuss the 10 "Rules of the Road" for governing in the New Economy. Noon - 1:30 pm - Luncheon Discussion: "Ensuring Digital Opportunity" As the digital economy emerges, a key issue is ensuring that all Americans can use and benefit from these potentially empowering technologies. 1:30 - 3:00 - Panel Discussion: "Internet Policy: New Approaches for a New Medium." The digital revolution is changing the underlying rules of commerce and raising a host of policy issues, from encryption and privacy to sovereignty and governmental jurisdiction. This panel will discuss the extent to which the unique nature of the Internet both enables and requires new policy frameworks. Task Force members will be joined by two leading thinkers on e-commerce policy: - Thomas P. Vartanian, who leads the Financial Institutions Transactions and E-Commerce Practice of the Washington law firm Fried, Frank, Harris, Shriver Jacobson - Christine Varney, Partner, Internet Practice Group, Hogan Hartson; former Commissioner, Federal Trade Commission. For more information, please call PPI at 202-547-0001, or go to http://www.dlcppi.org/ppi/tech/events/99conf_home.htm -- POLITECH -- the moderated mailing list of politics and technology To subscribe: send a message to [EMAIL PROTECTED] with this text: subscribe politech More information is at http://www.well.com/~declan/politech/ -- --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Micro Payments BOF in the next IETF (Nov 99, Wash DC)
--- begin forwarded text From: [EMAIL PROTECTED] To: Jeffrey Schiller [EMAIL PROTECTED] cc: Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED], Jeffrey Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Date: Sun, 29 Aug 1999 10:36:30 +0300 Subject: Micro Payments BOF in the next IETF (Nov 99, Wash DC) Reply-To: "Micropayments List" [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] Jeff, thanks. Please let me know the slot we got when assigned and I'll inform the community. For allocation purposes I assume a 2-hour slot unless will inform us otherwise. All: as noted below, Jeff Schiller, Security AD in the IETF, and the IESG, have agreed to hold a micropayments BOF in the next IETF (Nov. 99 in Wash. DC). The goals of the BOF are: Report on the W3C `Micro Payments Markup` recommendation which just entered `last call`. This is the result of the work of the MicroPayments working group of the W3C (chaired by Mark Manasses from Compaq and myself). Please notice the last call period will end earlier (I believe Sept. 30) so people who wish to comment on it are encouraged to do so using the (open to public) comment mailing list. The draft itself and other details are available in the W3C web site, www.w3c.org. In the traditional IETF spirit, reports on implementations (of the recommendation) would be encouraged. Explore whether there is need and sufficient interest to define an interoperable payment protocol suitable (at least) for micropayments, and if so, decide on the best means (most likely a request for new IETF WG). To this discussion, presentations by developers as well as customers and others of opinion are solicited. Please notice that the IESG has _not_ discussed or approved yet the creation of such a working group (neither was a request made yet). If time remains, short reports of developers of micropayment products may be presented, with the hope that this will eventually lead to more openness, cooperation and interoperability. Please notice there is already a mailing list dedicated to this potential standardization activity, [EMAIL PROTECTED] Please use this list to comment on the BOF or for relevant discussions even before the physical BOF. These headers explain everything: List-Subscribe: mailto:[EMAIL PROTECTED] List-Unubscribe: mailto:[EMAIL PROTECTED] List-Digest: mailto:[EMAIL PROTECTED] However, I suggest that proposals for presentations in the BOF be sent to me and I'll coordinate it (unless Jeff wants somebody else to do it). A related note: we try to maintain an updated list of _all_ resources, vendors, consultants, researches, and others in the `micropayments community`, we call this the `sub-$ registry` and it is a link off our IBM Micro Payments homepage http://www.hrl.il.ibm.com/mpay (don't have exact link now - I'm offline - but it's easy to find). Please let me know if you need to be added or have better details than what we got now... Best Regards, Amir Herzberg Manager, E-Business and Security Technologies IBM Research - Haifa Lab (Tel Aviv Office) http://www.hrl.il.ibm.com New e-mail: [EMAIL PROTECTED] New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL Jeffrey Schiller [EMAIL PROTECTED] on 26/08/99 19:32:06 Please respond to Jeffrey Schiller [EMAIL PROTECTED] To: Amir Herzberg/Haifa/IBM@IBMIL cc: Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED], Jeffrey Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED], mpay markup@IBMIL Subject: Re: Request for a Micro Payments BOF in the next IETF (Nov 99, Wash DC) We discussed this on the IESG telechat this morning and we agreed that we will host this BOF in the security area. This is not a commitment on the part of the IETF to necessarily form a working group. However a BOF makes good sense at this time. -Jeff Original Message On 8/25/99, 3:14:48 PM, [EMAIL PROTECTED] wrote regarding Request for a Micro Payments BOF in the next IETF (Nov 99, Wash DC): Dear all, I'm chairing the W3C Working Group on Micro Payments. We now move to `last call` a recommendation on Micro Payments markup. There is also interest, among the W3C WG participants and others, to proceed to define an interoperable protocol. Would you agree to allocate a BOF slot at the next IETF for us to report on our results and to gauge the level of interest in such follow-up work for interoperable payment protocol? If there will be interest, we'll see where this activity belongs - possibly another W3C/IETF cooperation. Best Regards, Amir Herzberg Manager, E-Business and Security Technologies IBM Research - Haifa Lab (Tel Aviv Office) http://www.hrl.il.ibm.com New e-mail: [EMAIL PROTECTED] New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL --- end
IP: USA Today.com on PECSNEC recommendations.
--- begin forwarded text Date: Fri, 27 Aug 1999 12:45:47 -0400 To: [EMAIL PROTECTED] From: David Farber [EMAIL PROTECTED] Subject: IP: USA Today.com on PECSNEC recommendations. Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] From: "Rodger, William" [EMAIL PROTECTED] To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED] Subject: USA Today.com on PECSNEC recommendations. Date: Fri, 27 Aug 1999 12:38:41 -0400 From: http://www.usatoday.com/life/cyber/tech/ctf944.htm White House panel: Export crypto, not jobs By Will Rodger, USATODAY.com A presidential advisory group is recommending the White House abandon nearly all export controls on hardware and software vital to assuring the privacy of Internet users, group members tell USATODAY.com. The advice from the panel, officially known as the President's Export Council Subcommittee on Encryption, flies in the face of a Clinton Administration policy that has drawn fire from civil libertarians and industry alike. That rancorous debate between the two sides now seems likely to intensify as the White House's own group of advisers tells it to change course. and http://www.usatoday.com/life/cyber/tech/ctf958.htm --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Press release re Digicash asset sale
--- begin forwarded text Date: Wed, 25 Aug 1999 16:17:12 -0700 To: [EMAIL PROTECTED] From: John Muller [EMAIL PROTECTED] Subject: Press release re Digicash asset sale Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] I don't recall seeing this on the list: PRESS RELEASE August 17, 1999, Seattle, Washington, USA eCash Acquires Technologies from DigiCash eCash Technologies, Inc., based in Seattle, Washington, is pleased to announce its acquisition of the technologies of DigiCash Inc. These technologies include the patented "blind signature" encryption scheme that is the only known method of providing electronic cash on the Internet. eCash Technologies designs, develops and markets Internet payment software products that facilitate e-commerce. One of these products is ™ which incorporates the blind signature encryption into user-friendly software. ™ may be used to make purchases on the Internet in any denomination which are secure, private, non-counterfeitable and non-repudiable. ™ is the only virtual equivalent to hard currency and is being used by a growing number of multi-national banks and Internet merchants. eCash Technologies is committed to fostering open e-commerce standards and is currently receiving requests to license its various technologies. Interested parties should send licensing inquiries to [EMAIL PROTECTED] Please direct all non-licensing inquiries to [EMAIL PROTECTED] The investors in eCash Technologies include Ruloff Capital of Vancouver, Canada, August Capital of Menlo Park, California, Applied Technology of Boston, Massachusetts, and Gilde IT-Fund of The Netherlands. August Capital, Applied Technology and Gilde IT-Fund were shareholders of DigiCash and have carried their interests over to eCash Technologies. All trade marks are owned by eCash Technologies, Inc. http://www.ecashtechnologies.com John Muller [EMAIL PROTECTED] [EMAIL PROTECTED] "Just because it's simple doesn't mean it's easy" --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
New Clinton Anti-Privacy Czar? (was Re: NewsScan Daily, 24August 1999 (Above The Fold))
At 7:43 AM -0700 on 8/24/99, NewsScan wrote: CLINTON ADMINISTRATION APPOINTS NEW E-COMMERCE ADVISOR The Clinton Administration has appointed Elizabeth Echols to a new White House post that will coordinate e-commerce issues. The Electronic Commerce Working Group, which will be headed up by Echols, will focus its initial efforts on resolving the complex debate over broadband Internet access. Echols also plans to target consumer protections online and creating a global e-commerce framework. "My job is really to coordinate the numerous agencies that are involved," says Echols. "There are at least 12 federal agencies that are working in electronic commerce. The idea is to have one central place at the White House where we can work together and shape one Administration policy." (Cybertimes/New York Times 24 Aug 99) http://www.nytimes.com/library/tech/99/08/cyber/capital/24capital.html - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Latest in computer security revealed
--- begin forwarded text From: [EMAIL PROTECTED] Date: Mon, 16 Aug 1999 13:34:55 -0500 To: [EMAIL PROTECTED] Subject: IP: Latest in computer security revealed Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: EurekAlert! http://www.eurekalert.org/releases/wpi-lic081699.html FOR IMMEDIATE RELEASE: 16 AUGUST 1999 Contact: Arlie Corday [EMAIL PROTECTED] 508-831-6085 Worcester Polytechnic Institute Latest in computer security revealed at WPI international workshop More than 180 computer security experts, half of whom traveled from outside the United States, converged on Worcester Polytechnic Institute for the 1999 Workshop on Cryptographic Hardware and Embedded Systems (CHES), Aug. 12-13. The popular workshop provided a forum for real-world system and design issues. Conference organizers Cetin Koc of Oregon State University and Christof Paar of WPI point out that many consumer products are gaining computer-like capabilities. E-commerce and other electronic communications demand that sensitive data, such as credit card numbers, must be protected from prying eyes. The tool for protecting information, called cryptography, will be required in these products, using embedded systems that offer relatively little computational power. The challenge of adding cryptography to hardware devices and embedded systems led to the development of the WPI workshop. In its inaugural year, international experts presented new results on efficient implementation of cryptographic algorithms and attacks, as well as other practical issues in system design such as random number generation. Among the highlights of the conference was a talk by Adi Shamir, a co-inventor of the RSA code used to protect e-commerce. Shamir called the security of the world's leading web browsers into question with a new fast factoring attack. The most eagerly awaited contribution to CHES involved not only a fast way to make a code, but also a fast way to break one. The RSA public-key cryptosystem, which is widely used in web browsers such as Netscape Communicator and Microsoft Internet Explorer, is based on the problem of factoring large numbers. It is an acronym based on its inventors (Rivest-Shamir-Adleman). Fortunately for consumers and businesses, up until now, factoring algorithms have been slow and memory intensive processes. But at the workshop, Shamir, from Israel's Weizmann Institute of Science, shed light on an ingenious way to speed up part of a factoring computation known as sieving. A sieve procedure consists of repeatedly running through a long list of numbers and finding which small integers divide those in the list. Using optoelectronics, Shamir's new device, called TWINKLE, offers a 500-1000 times speedup over the fastest workstations on the market in this crucial stage of factoring. This development has grave implications for electronic commerce: Due to U.S. export laws, the strongest exportable public-key systems are restricted to 512 bits. If and when the device is actually built, these systems can be easily broken. The systems, Shamir pointed out, "protect 95 percent of today's e-commerce on the Internet," and thus render them "very vulnerable." Brian Snow of the U.S. National Security Agency emphasized the need for more research in assurance technolgy. "The scene I see is products and services sufficiently robust to counter many, but not all, of the 'hacker' attacks we hear so much about today, but not adequate against the more serious but real attacks mounted by economic adversaries and nation states," Snow noted. "We will be in a truly dangerous stance: We will think we are secure, and act accordingly, when in fact we are not secure." Experts continue to search for answers to computer security. Another development at CHES involved improved methods for generating random numbers. Nearly all real-world cryptosystems need random numbers. Unfortunately, this is an extremely difficult problem, since computers are designed to be completely predictable. At CHES, scientists from Italy's Ugo Bordoni Foundation offered a cost-effective idea based on sampling noisy semiconductor junctions. Normally in circuit design, engineers try to reduce noise. However, by building noisy circuits on purpose, one can use the noise as a source of random numbers. In addition, researchers from Bell Labs Innovations provided a variety of new, practical techniques including one based on chaos theory, which appears to be particularly cost-efficient. Of course, efficiency of performance is just as crucial as cost. Sandia National Labs researchers presented a design for a new computer chip that can encrypt up to 10 gigabits of data per second, satisfying all but the most demanding of applications. In addition, one can use three of the chips together to handle Triple-DES encryption with no loss of performance. The DES, or Data Encryption Standard, algorithm is the most widely used bulk encryption method,
ElGamal, Barnes, Callas, Parekh, etc., take over Packet Storm?
At 2:00 PM -0400 on 8/17/99, [EMAIL PROTECTED] wrote: Title: Security Firm to Revive Computer-Defense Site Resource Type: News Article Date: August 17, 1999 Source: NYT (Free Registration Required) Author: PETER WAYNER Keywords: KROLL-O'GARA,PACKET STORM,WEBSITE TAKEOVER,HACKERS Abstract/Summary: Kroll-O'Gara, the international security consulting firm, said Monday it would take over an Internet site that not only posted information about defending computer systems against attacks but also told how to break into them. In the shadowy world of hackers and crackers, it is often hard to tell the good guys from the bad. Computer-security experts frequently test systems by breaking into them, and the site, Packet Storm, posted descriptions of those break-ins. Kroll-O'Gara's computer security unit, Securify, which declined to discuss financial terms of its acquisition, said it planned to maintain the site's tradition of high-quality information as a way to market its services. But Kroll-O'Gara executives said that it would rid the site of its more contentious publications. Original URL: http://www.nytimes.com/library/tech/99/08/biztech/articles/17secure.ht ml Added: Tue Aug 17 9:15:18 -040 1999 Contributed by: David Dillard - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Nonrepudiation and what to do about it (Jueneman - FW)
--- begin forwarded text Date: Fri, 20 Aug 1999 02:27:15 -0400 Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED] Sender: Law Policy of Computer Communications [EMAIL PROTECTED] From: Vin McLellan [EMAIL PROTECTED] Subject: Nonrepudiation and what to do about it (Jueneman - FW) To: [EMAIL PROTECTED] Status: U This is an excerpt -- a "history lesson" -- from a 8/19/99 proposal by cryptographer, network security architect, and PKI guru Bob Jueneman of Novell on the IETF's PKIX and S/MIME mailing lists. Please copy Mr. Jueneman on responses at [EMAIL PROTECTED]. The full post can be found at: http://www.imc.org/ietf-smime/mail-archive/msg02933.html. _Vin ooo Begin Forwarded Text ooo When the ABA Digital Signature Guidelines were being formulated within the Information Security Committee, with lots of very bright, well-informed attorneys and technologists contributing, there was a fundamental, underlying assumption that PKI technology could be used to reduce some of the uncertainty that was perceived to be a barrier to the efficient use of electronic commerce. Instead of having to use proprietary, value added networks and negotiate N*(N-1) contracts between all of the trading partners, it was expected that the use of a common PKI technology and appropriate legal frameworks would eliminate most of that overhead. It was recognized that a accretion of case law had resulted in a situation where printed forms, letterhead, FAXs, telegrams and later Telexes, ordinary e-mail, and who knows what else forms of communications could, under the proper circumstances, be interpreted as being a legally binding signature. The trouble was that the technology had moved much faster than the case law, and the uncertainty was increasing at a compounded rate. For example, back when printed forms were created on letterhead presses, and were filled in using either handwriting or a typewriter, it was pretty obvious what the difference was. And because going to a printer and having a lot of standard forms printed involved some expense, time and effort, the conventional use of such a form for purposes of trade might reasonably be considered tantamount to a signature of the company. Unfortunately, a technological decision that was rational at the time is no longer rational in the age of laser printers, when preprinted forms have almost disappeared. But the case law hasn't changed, so the question of what constitutes signature becomes more of a risk, both for the relying party who thought it was valid, and for the originator, who really didn't intend for it to be anything more than a draft proposal. In addition to these technical/legal issues, there was also the issue of liability in the event of something going wrong, such as a key being compromised. One approach would be the very loose standard of care embodied in the US credit card law (Regulation E), where even the most egregious carelessness on the part of the subscriber could only result in a $50 loss. The problem with that approach is that it effectively required the establishment of a mechanism that would be very similar to the credit card industry to centralize the reporting of every time a certificate was used to verify a transaction, so that loss limits could be enforced. At the other end of the spectrum was "strict liability,' which is the standard used between major financial institutions. Because of the volume of the business, and the difficulty of backing out transactions in error that might otherwise leave an innocent third party holding the bag for a transaction gone wrong, inter-bank transactions are generally governed by strict liability -- no matter what the extenuating circumstances might be the bank was still liable for a transaction that went out in its name. In between these two poles were standards of simple negligence or gross negligence as a possible defense. The final decision that was incorporated in the Guidelines, Section 5.6 Presumption in dispute resolution, was to create a "rebuttable presumption" that a digital signature verified by reference to the public key listed in a valid certificate is the digital signature of the subscriber listed in that certificate. The effect of this presumption was to allocate the burden of proof to the person who is challenge the validity of the signature. In the case of a claimed forgery, for example, the burden of proof (independent of the risk of loss) falls on the subscriber, who would generally be in a much better position to know how the keys were protected, etc., than the relying party. The State of Utah, in their pioneering Digital Signature Act, didn't go quite so far as that. Instead, they applied the rebuttable presumption argument only to a special class of certificates created by so-called "Licensed Certification Authorities" that were subject to a higher level of assurance, involving inspection and audit and
Computerworld on FreeS/WAN
At 2:00 PM -0400 on 8/19/99, [EMAIL PROTECTED] wrote: Title: Hackers, Consultants Embrace Secure Tool Resource Type: News Article Date: 08/16/99 Source: Computer World Author: Ann Harrison Keywords: SECURITY,ENCRYPTION ,HACKER/SECURITY ,CONSULTANTS Abstract/Summary: When IT security consultants attend hacker conferences, they have high expectations for finding open-source security tools tested in hostile environments. One that meets the standard for hacker information technology consultants is the FreeS/WAN project's free, open-source Linux-based server software that uses strong encryption to create secure data tunnels between any two points on the Internet -- a needed alternative to expensive, proprietary virtual private networks (VPN). FreeS/WAN uses the IPSec protocol, an interoperable global standard for securing IP connections. It automatically encrypts data packets at 6 bit/sec. and creates secure gateways in a VPN without modifying the operating system or application software. A PC running FreeS/WAN ( www.xs4all.nl/~freeswan ) can set up a secure tunnel in less than a second. The software generated strong interest among the 1,800 hackers who attended the Chaos Communication Camp, the Chaos Computer Club's first international hacker conference, held here last week. Among the attendees was Kurt Seifried, an independent security consultant from Edmonton, Alberta, who uses FreeS/WAN to create secure networks for customers. Original URL: http://www.computerworld.com/home/print.nsf/all/990816BBE2 Added: Thu Aug 19 10:28:26 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Clinton comes after the Internet by Joseph Farah
--- begin forwarded text Date: Mon, 09 Aug 1999 10:45:29 -0600 To: [EMAIL PROTECTED] From: Robert Huddleston [EMAIL PROTECTED] Subject: IP: Clinton comes after the Internet by Joseph Farah Sender: [EMAIL PROTECTED] Reply-To: Robert Huddleston [EMAIL PROTECTED] http://www.worldnetdaily.com/bluesky_btl/19990809_xcbtl_clinton_co.shtml WorldNetDaily MONDAY AUGUST 09 1999 between the lines Joseph Farah -- WND Exclusive Commentary -- Clinton comes after the Internet by Joseph Farah -- Well, it was a long time coming, but Bill Clinton has finally made his move on the Internet. Late last week, when reporters and members of Congress were going home for the weekend, he issued one of his now-famous executive orders -- this one on "Internet conduct." Like almost all such orders, it will sound quite innocuous on a quick first read. But these guys in the Clinton administration are clever. This action sets up a working group of top U.S. officials to study the whole concept of policing the Internet. No, Clinton doesn't use that word, but that's clearly the intent of this order -- the establishment of a national Internet police force. But if you catch that much -- and few will -- then the wording of this order is designed to make you relax because the working group is simply going to write a report! We all know government reports don't kill people, right? Nobody gets hurt by a government report unless they drop it on you. However, let's take a look at what's being studied here: No. 1 -- How the federal government can insinuate itself into this revolutionary new medium. And, No. 2 -- How new technology tools, capabilities or legal authorities may be required for effective investigation and prosecution. Let me repeat that last purpose behind this working group and this executive order in the actual language used by Clinton: "The extent to which new technology tools, capabilities, or legal authorities may be required for effective investigation and prosecution of unlawful conduct that involves the use of the Internet." Get it? "New technology" equals spying tools. "Capabilities" means surveillance capabilities. And "legal authorities" means Internet police. You've got to understand the bureaucratic jargon here. Think of me as your Clintonese translator. Remember, this is a man who questions what the word "is" means. You've got to leave this to the professionals -- and that means me. Now here's the other scary part of this executive order. Normally with these task forces, the president allows a year or more for study and reports. Not this time. Guess what his deadline is? "The Working Group shall complete its work to the greatest extent possible and present its report and recommendations to the President and Vice President within 120 days of the date of this order," the executive order states. What! That means the report must be prepared before the end of the year. I would suggest to you that this means the report is already drafted. I would suggest further evidence for that conclusion is that Clinton is also requiring the committee to circulate the report to federal agencies well before it comes to the White House. Why would he do that? Because the White House has already seen it. The White House has written it. Who's going to be a part of this working group? The chairman is Janet Reno, and the members are most of the important Cabinet officers. Do you really think those guys and gals could draft a report on policing the Internet in less than 120 days? Uh-uh. Something's up here, folks. Something smells really foul. Now what do you suppose is in that future report? Hillary once told us the Internet needed gatekeepers and controls. "We are all going to have to rethink how we deal with this, because there are all these competing values," Hillary said last year. She also deplored the fact that the Internet lacks "any kind of editing function or gatekeeping function." I think Clinton's about to make his move on our last best hope for freedom -- the Internet. Methinks the Internet is about to get an official editor or a government gatekeeper. ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
DCSB: Andrew Odlyzko; So, Where's All the Digital Cash?
--- begin forwarded text Date: Tue, 10 Aug 1999 09:19:25 -0400 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: DCSB: Andrew Odlyzko; So, Where's All the Digital Cash? Cc: Eben Moglen [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Robert Hettinga [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- The Digital Commerce Society of Boston Presents Dr. Andrew Odlyzko Head of the Mathematics and Cryptography Research ATT Laboratories Why digital cash has not taken off (yet) Tuesday, September 7th, 1999 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA The arrival of digital cash has been predicted for a long time, but progress has been disappointing. To fully understand what has happened, and what the future will bring, it appears to be necessary to consider the important economic and psychological factors that have hampered acceptance of digital money. Content producers can usually get more revenues through various bundling strategies (subscriptions, site licensing, etc.) than through sales a la carte. Further, consumers have a strong preference for flat-rate pricing schemes. These factors suggest which methods might be most productive in speeding up penetration of electronic money. Andrew Odlyzko is Head of the Mathematics and Cryptography Research Department at ATT Labs, and also Adjunct Professor at the University of Waterloo. He has done extensive research in technical areas such as computational complexity, cryptography, number theory, combinatorics, coding theory, analysis, and probability theory. In recent years he has also been working on electronic publishing, electronic commerce, and economics of data networks. He is the authors of such widely cited papers as "Tragic loss or good riddance? The impending demise of traditional scholarly journals," "The decline of unfettered research," and "The bumpy road of electronic commerce." He is also a coinventor of a micropayment system. His home page is http://www.research.att.com/~amo. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, September 7, 1999, from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, on One Federal Street. The price for lunch is $35.00. This price includes lunch, room rental, various A/V hardware, and the speakers' lunch. The Harvard Club *does* have dress code: jackets and ties for men (and no sneakers or jeans), and "appropriate business attire" (whatever that means), for women. Fair warning: since we purchase these luncheons in advance, we will be unable to refund the price of your lunch if the Club finds you in violation of the dress code. We need to receive a company check, or money order, (or, if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, September 4th, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston", in the amount of $35.00. Please include your e-mail address so that we can send you a confirmation If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you are a principal in digital commerce, and would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga, mailto: [EMAIL PROTECTED]. For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . We look forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com iQEVAwUBN7Amr8UCGwxmWcHhAQFuiQf/bf1uRwIyXmKZI9J5VE5kIhJ/5UW58r8U F8K9H72Sn6yghF8krhEr63gu3Y9TpS0/utexTt8oRm37syBGvnh3+1JGKj2zI+5C 8gYiSyQUXbaZ6a086LQsC8DMOwDjKJ34AaF8ZP/vhoNUYIl8u00RhYyRJDMGRsHE SA+UsRZOv5J4IwyEuob6xls/fI9lqF51juvJkAPYCCT5yzqV7oNj5E2yTbxFlLeq /JeV5JRPTOkI1aV/6kpuxFdJXRBd8W8nAYgGedpdRQ49koO+3uCfYtkEXTaT1+Lv FvoyQjcuXZGRyTx0MCKBXTDPsi3Ld00dH+S4XumXPqj71GW5sg7Vpw== =1myx -END PGP SIGNATURE- - Robert A. Hettinga mailto: [EMAIL PROTECTE
Zero Knowledge gets it's own government commission :-) (Re: ECARMNEWS for August 09,1999 First Ed.)
At 2:00 AM -0400 on 8/9/99, [EMAIL PROTECTED] wrote: Title: Ontario Promotes Private Crypto Resource Type: News Article Date: 3:00 a.m. 6.Aug.99.PDT Source: Wired News Author: Matt Friedman Keywords: GOVT POLICY ,ENCRYPTION ,ADVOCACY,PERSONAL PROTECT Abstract/Summary: While the US Congress recoils in horror at the prospect of a population armed with cryptographic tools, a government department in Ontario wants to make it clear that encryption is good. More than that, in a paper released Thursday, the Ontario Information and Privacy Commission said it wants everyone to learn to use encryption. "What we need is a shift in the mindset of how to use information," said Ann Cavoukian, Ontario's privacy commissioner. "A lot of people still think that their email is safe from prying eyes or tampering. That's not true. We have to protect ourselves, and we have to know how to use the tools We have to get that message out." Original URL: http://www.wired.com/news/print_version/politics/story/21140.html?wnpg =all Added: Sun Aug 8 22:41:23 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Text: New ExecOrder: 'Net Conduct Group
--- begin forwarded text From: [EMAIL PROTECTED] Date: Sun, 08 Aug 1999 08:33:41 -0500 To: [EMAIL PROTECTED] Subject: IP: Text: New ExecOrder: 'Net Conduct Group Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: US Newswire http://www.usnewswire.com/topnews/Current_Releases/0807-107.htm Text of Clinton Executive Order on Internet Conduct U.S. Newswire 7 Aug 11:07 Text of Clinton Executive Order Establishing Working Group to Examine Unlawful Conduct on the Internet To: National Desk Contact: White House Press Office, 202-456-2100 WASHINGTON, Aug. 7 /U.S. Newswire/ -- The following is the text of an Executive Order released today by President Clinton: EXECUTIVE ORDER - - - - - - - WORKING GROUP ON UNLAWFUL CONDUCT ON THE INTERNET By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to address unlawful conduct that involves the use of the Internet, it is hereby ordered as follows: Section 1. Establishment and Purpose. (a) There is hereby established a working group to address unlawful conduct that involves the use of the Internet ("Working Group"). The purpose of the Working Group shall be to prepare a report and recommendations concerning: (1) The extent to which existing Federal laws provide a sufficient basis for effective investigation and prosecution of unlawful conduct that involves the use of the Internet, such as the illegal sale of guns, explosives, controlled substances, and prescription drugs, as well as fraud and child pornography. (2) The extent to which new technology tools, capabilities, or legal authorities may be required for effective investigation and prosecution of unlawful conduct that involves the use of the Internet; and (3) The potential for new or existing tools and capabilities to educate and empower parents, teachers, and others to prevent or to minimize the risks from unlawful conduct that involves the use of the Internet. (b) The Working Group shall undertake this review in the context of current Administration Internet policy, which includes support for industry self-regulation where possible, technology-neutral laws and regulations, and an appreciation of the Internet as an important medium both domestically and internationally for commerce and free speech. Sec. 2. Schedule. The Working Group shall complete its work to the greatest extent possible and present its report and recommendations to the President and Vice President within 120 days of the date of this order. Prior to such presentation, the report and recommendations shall be circulated through the Office of Management and Budget for review and comment by all appropriate Federal agencies. Sec. 3. Membership. (a) The Working Group shall be composed of the following members: (1) The Attorney General (who shall serve as Chair of the Working Group). (2) The Director of the Office of Management and Budget. (3) The Secretary of the Treasury. (4) The Secretary of Commerce. (5) The Secretary of Education. (6) The Director of the Federal Bureau of Investigation. (7) The Director of the Bureau of Alcohol, Tobacco and Firearms. (8) The Administrator of the Drug Enforcement Administration. (9) The Chair of the Federal Trade Commission. (10) The Commissioner of the Food and Drug Administration; and (11) Other Federal officials deemed appropriate by the Chair of the Working Group. (b) The co-chairs of the Interagency Working Group on Electronic Commerce shall serve as liaison to and attend meetings of the Working Group. Members of the Working Group may serve on the Working Group through designees. WILLIAM J. CLINTON THE WHITE HOUSE, August 5, 1999. -0- /U.S. Newswire 202-347-2770/ 08/07 11:07 Copyright 1999, U.S. Newswire ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Security of on-line banking studied
--- begin forwarded text From: [EMAIL PROTECTED] Date: Wed, 04 Aug 1999 11:10:49 -0500 To: [EMAIL PROTECTED] Subject: IP: Security of on-line banking studied Cc: [EMAIL PROTECTED] Sender: $[EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: Washington Times http://www.WashTimes.com/business/business2.html Security of on-line banking studied By Julie Hyman THE WASHINGTON TIMES Congressional investigators said yesterday that the 6 million Americans who bank on line may be getting convenience at the expense of security. According to the General Accounting Office, 44 percent of banks, thrifts and credit unions it surveyed have not enacted strict enough measures to keep their computer systems safe from hackers. The report was released at a hearing of the House banking subcommittee on monetary policy. Lawmakers shied away from suggesting regulation as a solution to on-line banking security, but said both banks and consumers must address the risks. "We don't want to overregulate the activity to the point that we unduly dampen it or retard its growth," said Rep. Spencer Bachus, Alabama Republican. "At the same time, the public has the right to safety and soundness in Internet banking, so we can't walk away from it." Consumers who bank over the Internet use Web sites to transfer money between accounts, pay bills, check account or investment balances and apply for loans. The GAO report concluded that Internet banking is by nature riskier than conventional banking. Its review of banking regulators' examinations of 81 financial institutions found that 35 of them, about 44 percent, hadn't taken all the risk-limiting steps regulators have said are needed. Mr. Bachus said Internet banking is projected to grow 20 to 25 percent by 2004, making it necessary to be vigilant about hackers. "All the banking representatives agreed that we need to prosecute [hackers who break into on-line accounts] and we need to publicize it." He noted that the hearing was just the first stage in a congressional look at on-line banking that could help increase Internet security before consumer use explodes. The study also said that in some cases, on-line banking operations were begun at companies without the approval of boards of directors or chief executive officers. If problems arise, the report cautions, senior management will not have the foreknowledge to deal with them. The banking community is responding to the challenges of on-line banking. The Financial Services Roundtable, a District of Columbia trade group, formed a technology division in 1996 to foster the development of Internet banking and to test electronic-security measures. But Catherine A. Allen, the division's CEO, said banks alone cannot ensure security. "We would like to emphasize that security is a shared activity," she said at the hearing. Consumers should be aware of risk, and should choose on-line banks that are insured by the Federal Deposit Insurance Corporation, she said. John Hall, an American Bankers Association spokesman, said that the bottom line of banking, whether it be on-line or the more traditional, in-person fashion, is trust. "The banks' No. 1 attribute they sell is trust. Their customers have to feel completely comfortable that they are secure." For that reason, he said, the banking industry is vigorously pursuing security measures. Even with the explosive growth of electronic commerce and on-line investing, most consumers are still somewhat hesitant about conducting financial transactions on the Internet, and even more so when it comes to managing their finances. According to a June report by investment firm Goldman Sachs, only about 4 percent of U.S. households currently use on-line banking products. This article is based in part on wire service reports. Copyright © 1999 News World Communications, Inc. ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[RRE]Anonymous Communication on the Internet
--- begin forwarded text Date: Sat, 31 Jul 1999 13:39:52 -0700 (PDT) From: Phil Agre [EMAIL PROTECTED] To: "Red Rock Eater News Service" [EMAIL PROTECTED] Subject: [RRE]Anonymous Communication on the Internet Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] [Reformatted to 70 columns. Note that full text for several of the articles and abstracts for the rest can be found at the TIS web site.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to [EMAIL PROTECTED] with Subject: info rre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Mon, 19 Jul 1999 11:33:52 -0500 From: Rob Kling [EMAIL PROTECTED] Subject: Anonymous Communication on the Internet FOR IMMEDIATE RELEASE For more information, contact Ellen Cooper, 202-326-6431, [EMAIL PROTECTED] Dave Amber, 202-326-6434, [EMAIL PROTECTED] George Vlahakis, 812-855-3911, [EMAIL PROTECTED] AAAS URGES CAUTION IN REGULATING ANONYMOUS COMMUNICATION ON THE INTERNET Benefits of Anonymity Outweigh Likely Harms Washington, DC (June 29, 1999)-Governments should be cautious in attempting to regulate how people conceal their identities on the Internet, according to a new study by the American Association for the Advancement of Science (AAAS). Such regulations could prevent people from seeking counseling, expressing political opinions or engaging in financial transactions, and could impede the development of e-commerce and the World Wide Web. The study is the first comprehensive analysis of how to balance the costs and benefits of anonymous communication on the Internet and is presented in the April-June issue of The Information Society, an international journal whose editorial offices are at Indiana University's School of Library and Information Science. The journal is published by Taylor Francis Inc. The study is the result of a two-year project funded by the National Science Foundation (NSF) to examine online anonymity. "Policymakers ought not to react overzealously because some people have misused anonymous communications on the Internet," said Al Teich, director of Science and Policy Programs at AAAS. "If anonymous communication is used for illegal purposes, the originators of the anonymous messages-if they can be found-should be punished. However, the positive values of anonymity more than offset the dangers it presents." Rachelle Hollander, director of NSF's Societal Dimensions of Engineering, Science and Technology program, which funded the study, said, "There are many differences between Internet communications and other forms, but there is one significant similarity: The content of the communication, not just whether or not it is anonymous, determines its value. Anonymous communications over the Internet have positive and negative aspects. So do anonymous communications by telephone, the U.S. Mail, or the company suggestion box." The explosive growth of the Internet over the last decade has created new avenues for anonymous communications. Anonymous remailers allow Internet users, free of charge, to post anonymous messages to most Usenet newsgroups or to send anonymous e-mail to anyone they wish. In its simplest form, an anonymous remailer works by accepting an e-mail message from a sender, stripping off the headers that would serve to identify the sender, and then forwarding the message to the intended recipient. Under the cloak of anonymity, users can participate in political and human rights advocacy, engage in whistle blowing, receive counseling and perform commercial transactions without disclosing their identities. However, anonymity also helps to protects users who take part in socially unacceptable or criminal activities because of the difficulty in holding them accountable. Harmful communications include spamming, hate mail, child pornography and online financial fraud. - more - "Anonymous communication is a form of communication, with all of the human complexities that we experience in modern society. In modern society people routinely communicate anonymously when they shop or travel. It seems a bit more exotic in discussions of the Internet because of the social significance of specially helpful or harmful communications, and because of the technological complexities in creating or hiding on-line identities," said Rob Kling, editor-in- chief of The Information Society and Indiana University professor of information science and information systems. In order to give Internet users the opportunity to communicate anonymously for legitimate reasons
IP: Protecting Computers, and Privacy
Imagine that. The New York Times opposed to government invasions of privacy... Whadda country... :-/. Cheers, RAH --- begin forwarded text From: [EMAIL PROTECTED] Date: Sun, 01 Aug 1999 13:12:01 -0500 To: [EMAIL PROTECTED] Subject: IP: Protecting Computers, and Privacy Cc: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Source: New York Times http://www.nytimes.com/yr/mo/day/editorial/01sun1.html EDITORIAL August 1, 1999 Protecting Computers, and Privacy The Clinton Administration is right to concern itself with protecting America's computer networks against cyber attacks by terrorists or foreign governments. But a draft plan now being considered by the White House could lead to Federal monitoring of much of the nation's governmental and commercial computer communications. Such broad governmental surveillance is not a reliable way of assuring computer security and intrudes too deeply into the privacy of law-abiding Americans. The White House proposal follows a review President Clinton ordered last year of the vulnerability of the Federal Government's computer networks to intrusion and damage by terrorists. It recommends expanding the monitoring system now used by the Defense Department throughout the Federal Government. This means automated software would be used to scan the messages and files of millions of civilian Government employees to spot suspicious patterns. The results would then be turned over to a special task force overseen by the Federal Bureau of Investigation. Computer network security is a real and growing problem. The Federal Government needs to protect not just sensitive defense secrets, but also the computers that manage air traffic control, Social Security, Medicare and a host of other civilian programs. But systematic monitoring of all Federal employees is a clumsy and inefficient way to protect Government networks. Software that can reliably detect patterns of computer manipulation does not now exist. Broad surveillance of all Government computer users would still permit some illicit tampering to go undetected. Meanwhile, innocent Federal employees are likely to be subjected to electronic snooping and investigative surveillance. Even more troubling than the monitoring of all Federal computers is the plan's proposal for extending the automated surveillance program to private-sector networks. Although this would only be done with the agreement of the relevant corporate executives, unwary employees or E-mail correspondents could find their messages and files scrutinized by the Government's software as well. The results of this monitoring would also be reviewed by Federal agencies, although separately from the F.B.I.-run system for Government employees. Sophisticated computer users could escape surveillance with readily available encryption programs, allowing serious cyber terrorists to elude detection while the software snooped on ordinary citizens. The Administration needs to come up with new approaches to the problem of computer security that depend less on the wholesale monitoring of private communications. Its current proposal would create more problems than it would solve. Copyright 1999 The New York Times Company ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: Text of Letter from Rep. Bob Barr to Sandy Berger
--- begin forwarded text Date: Sun, 1 Aug 1999 12:10:51 -0400 (EDT) From: Washington Weekly [EMAIL PROTECTED] Subject: IP: Text of Letter from Rep. Bob Barr to Sandy Berger To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Washington Weekly [EMAIL PROTECTED] TEXT OF LETTER FROM REP. BOB BARR TO NSC DIRECTOR SANDY BERGER Expressing Concerns About New National Surveillance System July 28, 1999 The Honorable Samuel R. Berger National Security Advisor Old Executive Office Building Washington, D.C. 20506 IN RE: Fidnet Dear Mr. Berger: According to media reports, the National Security Council is coordinating the development of a massive computer surveillance system -- Fidnet -- to monitor the electronic activities of millions of Americans. While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security. If the reported decision process on this project so far is any indication, you may not be adequately balancing these interests. For one thing, apparently input is being sought only from the law enforcement and national security communities. I am concerned the National Security Council is vastly underestimating the level of public concern about electronic privacy. The Clinton Administration has made this mistake before; proposing the much-reviled and now discredited Know Your Customer plan. Most recently, we witnessed the Administration's disdain for accountability and oversight, in its citation of a bogus attorney-client privilege to avoid giving basic information to the House Permanent Select Intelligence Committee. If you intend to move forward with this plan, I request a full briefing on its structure, focusing specifically on its cost and privacy implications. I look forward to your response. With kind regards, I am, very truly yours, BOB BARR Member of Congress Published in the Aug. 2, 1999 issue of The Washington Weekly Copyright 1999 The Washington Weekly (http://www.federal.com) Reposting permitted with this message intact ** To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address ** www.telepath.com/believer ** --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM
--- begin forwarded text Date: Tue, 27 Jul 1999 22:51:23 -0400 To: [EMAIL PROTECTED] From: "L.J.Alberts" [EMAIL PROTECTED] Subject: IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM Sender: [EMAIL PROTECTED] Reply-To: "L.J.Alberts" [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- X DRUDGE REPORT X TUESDAY, JULY 27, 1999 20:28:41 ET X WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM; WILL TRACK BANKING, TELECOMMUNICATIONS AND OTHER NETWORKS The Clinton administration has developed a plan for an extensive computer monitoring system, overseen by the FBI, that will track banking, telecommunications and other industries, it will be reported on Wednesday. The National Security Council is conducting a legal and technical review of the new Clinton plan, a final report is scheduled to be made public in September. NEW YORK TIMES reporter John Markoff has been shown a draft, according to publishing sources, and was busy on Tuesday afternoon preparing a story. In some government circles, the proposed system has been nicknamed "Hillary." The plan calls for the development of a "sophisticated software system to monitor activities on non-military government networks" and a separate system to "track all transactions used in the banking, telecommunications and transportation industries." The system is intended to alert law enforcement officials to computer attacks that might cripple governmental or the nation's economy. But it could also become a massive government utility used for surveillance of citizens, critics contend, with great potential for misuse. "Law enforcement agencies obviously would be under great temptation to expand the use of the information in pursuit of suspected criminals," the TIMES will report. The plan has drawn fire from civil libertarians because it blends "civilian and military functions" in protecting the nation's computer networks. Law enforcement agencies would be under great temptation to expand the use of the information in pursuit of suspected criminals. And the plan would put a new and powerful tool into the hands of the FBI. Developing. _ Reports are moved when circumstances warrant (c)DRUDGE REPORT 1999 Not for reproduction without permission of the author -BEGIN PGP SIGNATURE- Version: PGP Personal Privacy 6.5.1 iQEVAwUBN55wKuX/Rf8MRjfTAQH2qQf/fi2ru8l5gv5zkJ0zXoMPaPX+27yavkeY M0baGGRwFdhNxGt9RwWDZf4YZ36m6oZ4iF3BVM8+ujVByCtWUcP+Q1nDDmti/nZo ob69QPEACe0Nxc2g7ODvtcpsp95JA7BzMXDrYC4ryZWFdOF2xpe7D/fMYDcrpHr8 Mcgq4GibDPoXvrRszDj/Wqpao/B1f/GYtwv2vKGi0Pke9mnNMxoRTdIooUai9Qa+ kjWFsoyMBuY+qPA98u9n6C0Xbrrt1+CHM2SNYSXVEXpckg+qEcpIq58mUlvH4GI5 Dq18a4zfaVk837V06ZbczGwg1RCaJhh/hWVOTNrYTTXSZ7clIziVHg== =5A6h -END PGP SIGNATURE- To subscribe or unsubscribe, email: [EMAIL PROTECTED] with the message: (un)subscribe ignition-point email@address or (un)subscribe ignition-point-digest email@address www.telepath.com/believer --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
reputation
--- begin forwarded text Date: Thu, 22 Jul 1999 17:12:26 -0400 (EDT) From: Somebody To: [EMAIL PROTECTED] Subject: reputation Bob - would you pass on this question anonymously: I'm interested in pointers to reputation and escrow services and theory. Any pointers to someone starting out? --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Security Lab To Certify Banking Applications (was Re: ECARM NEWSfor July 23,1999 Second Ed.)
At 2:00 PM -0400 on 7/23/99, [EMAIL PROTECTED] wrote: Title: Security Lab To Certify Banking Applications Resource Type: News Article Date: Jul 22, 1999 (6:15 AM) Source: InternetWeek Author: Tischelle George Keywords: BANKING INDUSTRY,ONLINE SERVICES ,SECURITY,SOFTWARE VERIFY Abstract/Summary: A lack of security standards is holding back online banking and financial services. Or so says the Banking Industry Technology Secretariat, a technology consortium of the nation's biggest banks. Next week, BITS will open a security laboratory to certify security software for use in commercial banking applications. The Financial Services Security Laboratory will open July 28 in Reston, Va. The facility will be used to test software packages against a set of standards for securing e-commerce and bill-payment applications, as well as browsers and operating software. Original URL: http://www.techweb.com/wire/story/TWB19990722S0004 Added: Fri Jul 23 9:45:52 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
DCSB: Ari Juels; Outsourcing MicroMint Coins, and X-Cash for Contingent Financial Instruments
--- begin forwarded text Date: Mon, 19 Jul 1999 10:51:32 -0400 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Robert Hettinga [EMAIL PROTECTED] Subject: DCSB: Ari Juels; Outsourcing MicroMint Coins, and X-Cash for Contingent Financial Instruments Cc: Ari Juels [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Reply-To: Robert Hettinga [EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- The Digital Commerce Society of Boston Presents Dr. Ari Juels Senior Research Scientist RSA Laboratories Security Dynamics, Inc. MicroMint on the Cheap and Executable Financial Instruments Tuesday, August 3rd, 1999 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA We discuss two technologies that aim to facilitate electronic commerce in distributed environments under minimal assumptions of trust. First, we show how the MicroMint micropayment scheme of Rivest and Shamir can be broken up into a collection of small "puzzles". Distribution of these puzzles enables the minting operation for the scheme to be outsourced to a large group of untrusted computational devices. Additionally, we discuss a cryptographic technique that enables mobile agents to carry digital cash in such a way that they are secure against "pickpocketing". We refer to this technique as "X-cash" or "Executable digital cash". X-cash may also be used as the basis for creating digital financial instruments with flexibly defined properties. The first portion of the talk includes material to appear in the paper "Bread Pudding and Proofs of Work (POWs)" in Communications and Multimedia Security '99. The second portion of the talk draws on the paper "X-cash: Executable Digital Cash", which appeared in Financial Cryptography '98. Both papers are by Markus Jakobsson (Bell Laboratories) and Ari Juels (RSA Laboratories). Dr. Juels received his B.A. in Latin Literature and Mathematics from Amherst College in 1991, and his Ph.D. in Computer Science from the University of California at Berkeley in 1996. He subsequently joined RSA Laboratories, where he now holds the position of senior research scientist. His research interests span several areas of cryptography, with a special focus on protocols underlying and supporting financial applications. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, August 3, 1999, from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, on One Federal Street. The price for lunch is $32.50. This price includes lunch, room rental, various A/V hardware, and the speakers' lunch. The Harvard Club *does* have dress code: jackets and ties for men (and no sneakers or jeans), and "appropriate business attire" (whatever that means), for women. Fair warning: since we purchase these luncheons in advance, we will be unable to refund the price of your lunch if the Club finds you in violation of the dress code. We need to receive a company check, or money order, (or, if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, July 31st, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston", in the amount of $32.50. Please include your e-mail address so that we can send you a confirmation If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you are a principal in digital commerce, and would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, mailto: [EMAIL PROTECTED]. For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to mailto: [EMAIL PROTECTED] . We look forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com iQEVAwUBN5M6r8UCGwxmWcHhAQE+Ewf/eBxwvO7DQXsWhpTndg4FLSyS3NLFs5U3 mJyg62c9bt2Pdi44QLnMkJzcvkqxPSyy8uxCL/AfI/9plffqQ27u7oFJHXEwaETf +sRGT8wSm9qrc97Qkn65fkmXyxJwWjm6iI9s6QQcR0C3mRr3nLe/zgcNmWNEumqD KxQh7KBCjNaN
Drawing A Hard Line On Encryption (was Re: Edupage, 16 July 1999)
At 4:35 PM -0600 on 7/16/99, EDUCAUSE wrote: DRAWING A HARD LINE ON ENCRYPTION The House Permanent Select Committee on Intelligence unanimously approved a measure to control exports of encryption software and provide government access to encrypted data. The committee was the fourth House panel to approve the amendment, which was designed to ensure that government agencies can obtain court orders to access encrypted information. The committee also adopted a measure allowing the president to control, and deny, encryption exports significant to national security. Last, the committee approved language authorization funding to enable law enforcement and intelligence agencies to better prevent the spread of increasingly powerful encryption software. These issues have been the subject of much controversy, as software manufacturers argue that they are losing market share from export controls, while privacy activists oppose law enforcement access to encrypted data. (Washington Post 07/16/99) - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Commonwealth of Massachusetts will support uniform digitalsignataure law
Gotta watch that reply-to-all "feature" of listserv, Dan. It'll getcha. :-). Cheers, RAH --- begin forwarded text Date: Fri, 16 Jul 1999 09:57:29 -0400 Reply-To: [EMAIL PROTECTED] Sender: Digital Signature discussion [EMAIL PROTECTED] From: Daniel Greenwood [EMAIL PROTECTED] Subject: Follow up Comments: To: Digital Signature discussion [EMAIL PROTECTED] To: [EMAIL PROTECTED] Hello everyone, I just accidentally sent e-mail (spam) to the whole list that was intended only for Ben (hit the "reply" button and let it fly too quickly). In any case, general participants on this list might find parts of my prior e-mail interesting, and some of the points deserve a bit deeper discussion. Later today or early next week, Massachusetts will be publishing an official statement on federal legislation, but here are some previews One: Massachusetts has agreed (via testimony before the House and Senate) to the principles that Ben has stated in his last e-mail. (see http://www.civics.com/content/99-legis.htm for the testimony of Ray Campbell and myself). That is, we are on record supporting the UETA (general lifting of real and/or perceived legal barriers to use of electronic records, e-signatures and e-contracts) and for some limited federal preemption in the interim which disappears when a state enacts UETA or other conforming law. Two: The marked up version of S. 761 and the filed version of H.R. 1714 raise some legal issues that need to be dealt with. In particular, with 761 as marked up, the the general provisions dealing with writing and signing requirements are over-broad in scope and require either exceptions or the scope of the bill should be constricted back to the original version of 761 (dealing only with e-contracts and party autonomy to use any technology or business model for electronic transactional methods). Some of our concerns mirror those stated by NCCUSL, N.J. and others on and off this list (negotiable instruments - UCC Article 3, possibly commercial real estate conveyance, certain consumer protection laws, etc.). At this point in time, it appears that people interested in this legislation in D.C. prefer not to draw a long list of exceptions and would rather constrict the scope. (This could be achieved by deleting the newly added Sections 6(a)(1),(3) and (4) and also perhaps the attribution rules). Three: Industry supporters of 761 have also voiced a desire to see certain changes in 761 and there appears to be a window within which to operate before the bill is voted out of the Senate. However, even if 761 is voted out of the Senate as it stands out of mark up, provided certain exceptions to scope were included before Congress enacted the legislation (after conference committees, possible floor amendments etc.) then Massachusetts is on record as supporting this legislation. Four: Before hitting the "send" button on an e-mail client - ALWAYS check to see whether the "reply" function addressed the message to your intended recipient or to a huge list of luminaries. Thanks, Dan --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
A wee bit of spook-humor (was re S/MIME Freeware Library)
Or at least a bad joke. (Excuse me, while I wipe the atomized remains of a latte off my monitor and keyboard...) Cheers, RAH --- begin forwarded text Date: Thu, 15 Jul 1999 16:42:10 +0200 To: [EMAIL PROTECTED] From: Somebody Subject: S/MIME Freeware Library S/Mime Freeware Library http://www.jgvandyke.com/services/infosec/sfl.htm http://www.armadillo.huntsville.al.us/software/smime S/MIME Freeware Library NOTICE: Most of the software listed below is export-controlled and is protected by a user name and password (as indicated by the padlock). Follow this link to get information about having a user name and password created for you. Click to view the FORTEZZA Export Policy. The "S/MIME Freeware Library" (SFL) is a reference implementation of the new MSP-enhanced S/MIME security protocol. The Library fully implements the Internet Engineering Task Force (IETF) standard security protocols named S/MIME Version 3, including the optional security features required to provide Message Security Protocol (MSP) services. These security features include signed receipts, security labels, algorithm independence, and mail list information. The SFL will support both commercial and government algorithms. The latest drafts of the IETF standards upon which the SFL is based are available at the Internet Mail Consortium (IMC) web site. The IMC has also established an SFL web page and maintains an SFL mail list (imc-sfl) which will be used to: distribute information regarding SFL releases; discuss SFL-related issues; and provide a means for SFL users to provide feedback, comments, bug reports, etc. Subscription information for the imc-sfl mail list is at the IMC SFL web page. The "CMS KEA and SKIPJACK Conventions" Internet-Draft describes the conventions for using the S/MIME v3 CMS EnvelopedData and EncryptedData content types with the KEA and SKIPJACK encryption algorithm. The document is intended to promote interoperability between implementations using KEA and SKIPJACK with CMS. Hints for using the FORTEZZA Card and FORTEZZA Cryptologic Interface (CI) Library to meet the requirements stated in the "CMS KEA and SKIPJACK Conventions" document are included in this text file. J.G. Van Dyke Associates (VDA), the developer of the S/MIME Freeware Library, has also established an SFL page at the VDA web site. Additional SFL information may be available there. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Sony Plans E-Money Service (Was Re: NewsScan Daily, 13 July 1999(Above The Fold))
At 7:51 AM -0700 on 7/13/99, NewsScan wrote: SONY PLANS E-MONEY SERVICE Sony Corp. is planning to test an Internet-based electronic money service, beginning with a pilot program involving 200-300 families next summer. Users will link to Sony's So-net Internet service, and then use noncontact IC cards, similar to debit cards, to make purchases. The cards and card readers will be provided to the families as part of the test. If all goes well, the system will be commercialized in late 2000, according to the Nihon Keizai Shimbun (Nikkei). (Reuters/TechWeb 13 Jul 99) http://www.techweb.com/news/story/reuters/REU19990713S0001 - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
CHES Program
--- begin forwarded text Date: Thu, 8 Jul 1999 15:33:39 -0400 (EDT) From: Christof Paar [EMAIL PROTECTED] To: DCSB [EMAIL PROTECTED] Subject: CHES Program Sender: [EMAIL PROTECTED] Reply-To: Christof Paar [EMAIL PROTECTED] Please find below the prelinarary program of the CHES workshop. For registration information, please see http://ece.wpi.edu/Research/crypt/ches -Christof --- PRELIMINARY PROGRAM Workshop on Cryptographic Hardware and Embedded Systems Worcester, Massachusetts, August 12-13, 1999 --- --- THURSDAY, AUGUST 12 --- Welcome by Ed Parrish (President, WPI) Introductory remarks by Cetin Koc and Christof Paar Invited Talk: Brian Snow, National Security Agency, USA We Need Assurance Session: CRYPTANALYTICAL HARDWARE A. Shamir Factoring large numbers with the TWINKLE device I. Hamer and P. Chow DES cracking on the Transmogrifier 2a --- break --- Session: HARDWARE ARCHITECTURES W.P. Choi and L.M. Cheng Modeling the crypto-processor from design to synthesis D.C. Wilcox, L.G. Pierson, P.J. Robertson, E.L. Witzke, and K. Gass A DES ASIC suitable for network encryption at 10 Gbps and beyond E. Hong, J.-H. Chung, and C.H. Lim Hardware design and performance estimation of the 128-bit block cipher CRYPTON Session: SMART CARDS AND EMBEDDED SYSTEMS K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara Fast implementation of public-key cryptography on a DSP TMS320C6201 P.J. Lee, E.J. Lee, and Y.D. Kim How to implement cost-effective and secure public key cryptosystems --- lunch break --- Invited Talk: Colin D. Walter, Computation Department - UMIST, U.K. An Overview of Montgomery's Multiplication Technique: How to make it Smaller and Faster Session: ARITHMETIC ALGORITHMS A.F. Tenca and C.K. Koc A scalable architecture for Montgomery multiplication J.H. Silverman. Fast multiplication in finite fields GF(2^N) B. Kaliski and M. Liskov Efficient finite field basis conversion involving dual bases --- break --- Invited Talk: Eberhard von Faber, Debis IT Security Services, Germany Security Evaluation Schemes for the Public and Private Market with a Focus on Smart Card Systems Session: POWER ATTACKS I T.S. Messerges, E.A. Dabbish, and R.H. Sloan Power analysis attacks of modular exponentiation in smartcards L. Goubin and J. Patarin DES and differential power analysis P. Fahn and P. Pearson IPA: A new class of power attacks --- CHES Banquet on the WPI Campus, sponsored by Technical --- ---Communications Corporation, MA --- --- FRIDAY, AUGUST 13 --- Invited Talk: Dale Hopkins, Compaq - Atalla, USA Design of Hardware Encryption Systems for e-Commerce Applications Session: TRUE RANDOM GENERATORS V. Bagini and M. Bucci A design of reliable true random number generator for cryptographic applications D. Maher and B. Rance Random number generators founded on signal and information theory --- break --- Session: CRYPTOGRAPHIC ALGORITHMS ON FPGAS R.R. Taylor and S.C. Goldstein A high-performance flexible architecture for cryptography E. Mosanya, C. Teuscher, H.F. Restrepo, P. Galley, and E. Sanchez CryptoBooster: A reconfigurable and modular cryptographic coprocessor L. Gao, S. Shrivastava, and G.E. Sobelman Elliptic curve scalar multiplier design using FPGAs Session: GALOIS FIELD ARCHITECTURES H. Wu, M.A. Hasan, and I.F. Blake. Highly regular architectures for finite field computation using redundant basis H. Wu Low complexity bit-parallel finite field arithmetic using polynomial basis --- lunch break --- Invited Talk: David Naccache, Gemplus, France Significance Tests and Hardware Leakage Session: POWER ATTACKS II J.-S. Coron Resistance against differential power analysis attacks for elliptic curve cryptosystems H. Handschuh, P. Paillier, and J. Stern Probing attacks on tamper-resistant devices --- break --- Session: ELLIPTIC CURVE IMPLEMENTATIONS J. Lopez and R. Dahab Fast multiplication on elliptic curves over GF(2^m) without precomputation Y. Han, J. Zhang, and P.-C. Tan Direct computation for elliptic curve cryptosystems Session: NEW CRYPTOGRAPHIC SCHEMES AND MODES OF OPERATION M. Hartmann, S. Paulus, and T. Takagi NICE - New Ideal Coset Encryption - T. Horvath Arithmetic design for permutation groups O. Jung and C. Ruland Encryption with statistical self-synchronization in synchronous broadband networks --- Invited talks are 40 min, regular presentations 20 min long The Thursday program is from 9:00 am - 6:00 pm, the Friday program is from 8:30 am - 4:30 pm Workshop on Cryptographic Hardware and
Documents received under the US FOIA in relation to AmbassadorAaron (was Re: ECARM NEWS for July 08,1999 First Ed.)
At 2:00 AM -0400 on 7/8/99, [EMAIL PROTECTED] wrote: Title: Documents received under the US FOIA in relation to Ambassador Resource Type: News Article Date: Tuesday, 06-Jul-99 Source: cyber-rights.org Author: cyber-rights.org Keywords: GOVT DOCUMENTS ,ENCRYPTION ,GOVT POLICY ,INFLUENCES Abstract/Summary: A recently published Cabinet Office paper entitled Encryption and Law Enforcement stated that "there must be a greater degree of international co-operation, particularly in relation to setting agreed standards." (para 7.10) The paper further stated that "there has been remarkably little co-ordination of policy on encryption matters" internationally apart from the OECD Guidelines on Cryptography Policy. However, the Aaron Files that we are bringing to the attention of the public through these pages suggest otherwise - that UK Government encryption policy was closely co-ordinated by the US despite the denial in the Cabinet Office paper which concluded that the result of the absence of such a co-ordination "has been a degree of misunderstanding and suspicion as to the rationale behind attempts to regulate, or influence, the domestic use of encryption." Original URL: http://www.cyber-rights.org/foia/usfoia.htm Added: Wed Jul 7 20:46:20 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Bush Seeks to Curry Favor in Silicon Valley (was Re: ECARM NEWSfor July 02,1999 Second Ed.)
No mention in this article about crypto, but he seems to be pointed in the right direction. Anyone out there know whether GWBush has said anything on the crypto front? Will any of you reporters out there be in a position to ask him soon? Cheers, RAH At 2:00 PM -0400 on 7/2/99, [EMAIL PROTECTED] wrote: Title: Bush Seeks to Curry Favor in Silicon Valley Resource Type: News Article Date: July 2, 1999 Source: NYT (Free Registration Required) Author: RICHARD L. BERKE Keywords: POLITICS,CAMPAIGN FUNDING,TECH INDUSTRY ,LEGISLATION PROP Abstract/Summary: PALO ALTO, Calif. -- Encroaching on political turf that Vice President Al Gore has cultivated for years, Gov. George W. Bush ventured into Silicon Valley Thursday to fatten his already flush campaign treasury and to unveil proposals favored by the technology industry. The Texas Governor departed from his standard text to make an aggressive pitch to the computer titans in the room, a group with growing influence that both political camps are wooing. He chided President Clinton and Gore for, among other things, not allowing American companies to sell sensitive technology overseas when those products are available from competitors. Original URL: http://www.nytimes.com/library/politics/camp/070299wh-gop-bush.html Added: Fri Jul 2 10:44:20 -040 1999 Contributed by: David Dillard - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Papers at CHES
--- begin forwarded text Date: Wed, 30 Jun 1999 10:51:22 +0200 (MESZ) From: Christof Paar [EMAIL PROTECTED] To: DCSB [EMAIL PROTECTED] Subject: Papers at CHES Please find below a list of accepted papers and invited presentations at CHES (Workshop on Cryptographic Hardware and Embedded Systems) in Worcester, Massachusetts. For registration information, please visit our web site at http://ece.wpi.edu/Research/crypt/ches Regards, Christof *** Christof Paar, Assistant Professor Cryptography and Information Security (CRIS) Group ECE Dept., WPI, 100 Institute Rd., Worcester, MA 01609, USA fon: (508) 831 5061email: [EMAIL PROTECTED] fax: (508) 831 5491www: http://ee.wpi.edu/People/faculty/cxp.html *** --- Workshop on Cryptographic Hardware and Embedded Systems Worcester, Massachusetts, August 12-13, 1999 http://ece.wpi.edu/Research/crypt/ches --- Accepted Papers: A. Shamir Factoring large numbers with the TWINKLE device J. H. Silverman. Fast multiplication in finite fields GF(2^N) B. Kaliski and M. Liskov Efficient finite field basis conversion involving dual bases H. Wu, M. A. Hasan, and I. F. Blake. Highly regular architectures for finite field computation using redundant basis H. Wu Low complexity bit-parallel finite field arithmetic using polynomial basis K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara Fast implementation of public-key cryptography P. J. Lee, E. J. Lee, and Y. D. Kim How to implement cost-effective and secure public key cryptosystems J. Lopez and R. Dahab Fast multiplication on elliptic curves over GF(2^m) without precomputation L. Gao, S. Shrivastava, and G. E. Sobelman Elliptic curve scalar multiplier design using FPGAs Y. Han, J. Zhang, and P.-C. Tan Direct computation for elliptic curve cryptosystems J.-S. Coron Resistance against differential power analysis attacks for elliptic curve cryptosystems L. Goubin and J. Patarin DES and differential power analysis P. Fahn and P. Pearson IPA: A new class of power attacks T. S. Messerges, E. A. Dabbish, and R. H. Sloan Power analysis attacks of modular exponentiation in smartcards H. Handschuh, . Paillier, and J. Stern Probing attacks on tamper-resistant devices V. Bagini and M. Bucci A design of reliable true random number generator for cryptographic applications D. Maher and B. Rance Random number generators founded on signal and information theory W. P. Choi and L. M. Cheng Modelling the crypto-processor from design to synthesis R. R. Taylor and S. C. Goldsteiny A high-performance flexible architecture for cryptography A. F. Tenca and C. K. Koc A scalable architecture for Montgomery multiplication E. Mosanya, C. Teuscher, H. F. Restrepo, P. Galley, and E. Sanchez CryptoBooster: A reconfigurable and modular cryptographic coprocessor I. Hamer and P. Chow DES cracking on the Transmogrifier 2a M. Hartmann, S. Paulus, and T. Takagi NICE - New Ideal Coset Encryption - D. C. Wilcox, L. G. Pierson, P. J. Robertson, and E. L. Witzke A DES ASIC suitable for network encryption at 10 Gbps and beyond E. Hong, J.-H. Chung, and C. H. Lim Hardware design and performance estimation of the 128-bit block cipher cRYPTON T. Horvath Arithmetic design for permutation groups O. Jung and C. Ruland Encryption with statistical self-synchronization in synchronous broadband networks Invited Talks: -- Brian Snow, National Security Agency, USA We Need Assurance Eberhard von Faber, Debis IT Security Services, Germany Security Evaluation Schemes for the Public and Private Market with a Focus on Smart Card Systems Dale Hopkins, Compaq - Atalla, USA Design of Hardware Encryption Systems for e-Commerce Applications Colin D. Walter, Computation Department - UMIST, U.K. An Overview of Montgomery's Multiplication Technique: How to make it Smaller and Faster David Naccache, Gemplus, France Significance Tests and Hardware Leakage --- Workshop on Cryptographic Hardware and Embedded Systems Worcester, Massachusetts, August 12-13, 1999 --- --- Information:http://ece.wpi.edu/Research/crypt/ches E-Mail: [EMAIL PROTECTED] Program Chairs: Cetin Kaya KocChristof Paar [EMAIL PROTECTED] [EMAIL PROTECTED] --- --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Digital Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity,
Re: NPR story on crypto...
-BEGIN PGP SIGNED MESSAGE- At 4:14 PM -0400 on 6/26/99, Sameer Parekh wrote: As far as I can tell Stuart Baker has realized that the time has come for crypto to be widespread. Yup. F=MA, where M stands for money. :-). Digital commerce is financial cryptography, financial crypto is strong crypto, and without strong crypto there's no digital commerce. And all that. I don't really see him standing in the way of the PECSENC issuing a recommendation in either direction. At the last meeting I was at he was truly a facilitator, not an opinion leader. Of course, lawyers are paid to be nice when they have to be, :-), but when Stu came to talk to DCSB a couple(?) of years ago, he seemed not at all like the "Smoking Man" picture we all had painted of him at the time. Just a simple country lawyer out to make a buck. :-). Stu said that at some point, say, three to five years before his DCSB talk, whenever that was, the NSA had indeed seen the handwriting on the wall about their inability to control the spread of strong cryptography in a world of ubiquitous public internetworks, and decided that the only thing left for them to do was to try to stall for as much time as they could. The best way to do that, Stu himself says he figured, was to tell Louie Freeh, probably the only guy in history who had actually busted someone using a telephone wiretap (the "Pizza Connection" herion-and-pizza-parlor case, certain proof that criminals are indeed dumb), that he (Louie) wouldn't get to play telephone with the bad guys anymore if said pizza-barons had strong crypto. And so, down Stu went, hat in hand, to hear him tell it, to the Hoover Building. And, there, Stu let slip the dogs of war. If you can call J. Edgar in a pink chenille dress, flounces, ruffles, and all, a *war*-dog, anyway... Since then, of course, Stu's been out in *private* practice, not "public" practice (a pair of word combinations which together still make me giggle), and the only actual crypto-law customers he can find are people who want to *spread* cryptography, all so that the aforementioned bad-guys won't steal their -- and, more important, their customers' -- money. Go figure. As a result, Stu has now had the required deathbed conversion to the idea that financial cryptography is the only cryptography that matters. Imagine that. Oh, well, that's why we live in a world where we have to hire sophists to keep us out of jail and still have to deferentially refer to them "counsellor", I guess. ;-). Yet, all of this is as it should be, because, repeat after me, class, "physics causes economics and economics causes law and 'policy'". Try to do it the other way around, and you look like Hitler and eugenics. Or Stalin and Lysenko's biology. Or Mao and Marx's economics. Or Carter and Lovins' engineering. Or Gore and Gore's ecology. Word to the wise, folks. In 2002, $1.1 *trillion* worth of transactions will be executed on the internet, according to the most wild-ass projection you can find out there. And, of course, every wild-ass prediction like that so far has been short by at least one order of magnitude. If you can't imagine where all that money's going to actually come from, remember that $4 trillion a *day* is still being moved around on expensive proprietary networks, like SWIFT, or whatever, using constipated old book-entry settlement methods. As opposed to the ubiquitously cheap internet and instantaneous -- and less risky -- digital bearer settlement, of course. (Betcha can't tell what kind of transactions *I* want to underwrite, can you? :-).) Better living through financial cryptography, in other words. The moral of the story, boys and girls, is that *political* cryptography is dead. Political cryptography is military cryptography, obviously, it is also, sadly, our personal favorite flavor of geek-promoted "anti-spook" cryptography, as well. In other words, and as ruthless as this sounds, if it don't make money it won't sell, and if it won't sell, who cares about it, anyway? Fortunately for freedom-loving cryptogeeks everywhere, where actual money is involved, the stronger the financial cryptography, the better the market likes it. And, oddly enough, we haven't put *actual* money on the net yet, just instructions to move money from one bank account to another. That's about to change. And, when it does, political cryptography will be a doe in the headlamp of an express-train called financial cryptography, high-balling down that intercontinental express track called the public internetwork. Bambi meets Mozilla, if you will. F = MA. Cheers, RAH -BEGIN PGP SIGNATURE- Version: PGP Personal Privacy 6.0.2 iQEVAwUBN3f8yMUCGwxmWcHhAQHnqggAsR9jgkZ1f9QRB2ydFC/vNklFCHvyKYDm jR3/ACNFghwEovOgsTPisjQjcWVQ0Nzd/ceFdR4xgBIEeX9XapJKbMwMiV4bjUs3 +Gyabc1J8pGJQRmS5K7iBo9rBTSXt2+Av3UUdaAT0A3dIDO4g2H7jYIjiBQWEPFf vKYNkVMnYt/uizB9Ih8Clnif1OybhRzlGzRfbO3yzNeka8Pn/mNeUiglHSOAwi3y
The creation of internet currency (was Re: We are going tolaunch our own currency....)
At 11:11 AM -0400 on 6/16/99, John Lowry wrote: Of course, they're backed by: 1: a friendly government and coordinated policy between major powers and ISPs. 2: a kiloton of gold. The book ends with only one "subscriber", the future father-in-law. :-) Yeah, I transcribed original quote from Neal Stephenson's "Cryptonomicon" just as I had finished reading it, and, you're right, the ending fizzled a bit on the original premise. I'm much more interested in creating economically trasparent digital bearer versions of existing currencies than I am with creating a currency itself. The e-gold guys are welcome to all that other fun stuff :-). However, the most important point for me, and the reason I quoted the book then, was to see a very popular science fiction author like Stephenson talk about something near and dear to cypherpunks, and ex-cypherpunks, everywhere. It was such a kick to see that happen, especially after watching people talk about it so much, in my case, for 5 years now. Of course, the cypherpunks have been talking about this ever since May and Hughes convened the first physical meeting in 1992 or so. Of course, it's not the first time that Stephenson has written about electronic money; his short story "The Great Samolean Caper" was written, for Time/Pathfinder, I think, 3 years ago, and his last novel "The Diamond Age" had a whole cash-settled anonymous-auction (dare I say geodesic? :-)) content/services market underlying the 'young ladies' primer' at the core of the story. I see the creation of any eventual internet currency itself as a second-, or, actually, third-, order effect, requiring, first, as I said, transparent exchangeability into existing currencies, the ability to actually *withdraw* book-entry cash onto the net in digital bearer 'bank-note' form, and, second, the establishment of permanent digital bearer asset classes, money market instruments, bonds, equity, derivatives, all based on the use of that cash, originally in existing meatspace currency, on the net. Tatsuo Tanaka did a talk to DCSB about this kind of thing, called "The Macroeconomic Consequences of Digital Cash", about 3 years ago or so, where he talked about how the issuance of digital bearer cash reserved by extraterritorially-held currency deposits makes things very interesting for any "controller" of national currency, but his endstate was, curiously, a central bank of cypherspace of some kind. I helped him get the paper into the web-journal First Monday, back then, as a member of its editorial board, but, personally, I would more likely see a currency board governing an internet currency instead of any central bank, and, in addition, I think we'll have many competing currencies, each one built from the bottom up, probably based on various, and now-unknown, internet economic behaviors or asset classes. Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] The Digital Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
CommerceNet takes over eCheck project
--- begin forwarded text Date: Tue, 08 Jun 1999 15:12:55 -0700 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: John Muller [EMAIL PROTECTED] Subject: CommerceNet takes over eCheck project Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20dbs ***BUZZ: SPECIAL ANNOUNCEMENT*** CommerceNet Announces New Area of Research for Members: GeCFi (The Global Electronic Commerce Finance Issues Portfolio) ** CommerceNet would like to invite you to its June Quarterly Members Meeting to learn more about a new area of research recently opened up within the Consortium - one that focuses specifically on addressing the financial issues of business online. Research that will be available to members as part of this new research portfolio will cover a broad range of financial issues that impact online business, such as: payment, taxation, authorization, security, receipt of funds, business processes, and technologies such as smart cards and digital certificates. GeCFi will examine specific developing industry trends and their impact on business strategies. The Portfolio will also serve as a springboard for both pilot project and testbed research involving member companies' products and services. As part of the development of this new area of research, and in collaboration with the FSTC, CommerceNet is pleased to announce that it will take over management of the Electronic Check Project (eCheck) http://www.echeck.org/ http://www.echeck.org/ . The goal of the Electronic Check Project is to develop an instrument that addresses payment universally. A pilot project is currently underway with the US Treasury using eCheck to make payments to SME's. Other pilots and projects will be initiated by CommerceNet involving member companies so that eCheck can be offered to consumers and businesses of all sizes, in the US, and abroad. The development of an eCheck certification program is planned, as is coordination of efforts with various global eCommerce standards organizations. This is just one of many projects that CN currently has planned for its members. If your company is interested in participating in the development of other potential research pilots, this is your opportunity to become involved! We are very excited to be adding a full financial services/issues research area to our offering, and encourage you to participate. TO REGISTER: If you are interested in registering for the CommerceNet June Quarterly Members Meeting to learn more about GeCFi, please contact Elizabeth Robinson, Member Services Representative, at 408 446 1260 x 206 or [EMAIL PROTECTED] WHEN/WHERE: The meeting will be held on June 16 and 17, 1999, at the TechMart, 5201 Great America Pkwy., Santa Clara, California. COST: There is no cost for members. The fee for non-Members is $550. If your company chooses to become a member within 30 days after attending this meeting, you will be credited the attendance fee. Additional information and registration information can be viewed on the CommerceNet web site at: http://www.commerce.net/events/member_meeting/june_99/index.html http://www.commerce.net/events/member_meeting/june_99/index.html . If you plan on attending, please identify your company as interested in GeCFi Portfolio participation opportunities when you complete the registration form -(companyname/gecfinew). If you are interested in joining the GeCFi Portfolio, please contact either:** Lara Abrams Beth Morrow Business Development ManagerBusiness Development Manager CommerceNet CommerceNet [EMAIL PROTECTED] [EMAIL PROTECTED] 408 446 1260 x 214 ph 512 335 5606 ph for more information. We look forward to your participation. ** AGENDA Agenda for the June 16, 1999 CommerceNet Quarterly Members' Meeting (Day One): 8:30am Arrive, Continental Breakfast 9:00am Welcome, Mark Resch, CommerceNet 9:15am IdentitySafe: A CommerceNet research initiative in establishing new technologies for privacy and safeguarded identity, Doug Peckover 10:00am Break **The following sessions are comprised of two parts each: Part 1 Group discussion roundtables: Facilitated discussions on the topic, with insights, ideas and general discussions. Participants will have the opportunity to join breakout groups focused on particular aspects of the marketplace. GeCF will have a breakout group focused on global Internet financial services. Each topic will be framed with a short general presentation and each breakout group will be provided a list of though provoking concepts and ideas to help encourage discussion on key issues and opportunities. Part 2 Facilitator wrap-up: Each breakout group will present their ideas and concepts based on their area of
CRYPTONOMICON review
--- begin forwarded text Date: Fri, 4 Jun 1999 13:33:44 -0700 Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED] Sender: Law Policy of Computer Communications [EMAIL PROTECTED] From: Mike Godwin [EMAIL PROTECTED] Subject: CRYPTONOMICON review To: [EMAIL PROTECTED] CRYPTONOMICON REVIEW For Reason magazine By Mike Godwin About 2000 words No aficionado of trendy, complex contemporary novels by writers such as Thomas Pynchon or David Foster Wallace will be terribly surprised to come across a work of fiction that traces a single thematic thread running through the lives of a mathematical genius in World War II, his slightly less gifted but equally nerdy grandson in 1999, a gung-ho marine driven by love and morphone, and a Japanese soldier transmuted by the bestial horrors of war. What may be surprising to readers of Neal Stephenson's CRYPTONOMICON is that Stephenson thinks that thread is, or should be, cryptology -- the science (or, more accurately, the two sciences, respectively) of encoding messages to keep them secret and of extracting the secret messages from other people's communications. Indeed, Stephenson's novel continually demonstrates, in a wide range of linked scenarios that tie WWII codebreaking to the modern "cypherpunk" effort to create a currency and an economic system that is beyond governmental control, there's something centrally human about the enterprise of cryptography. And it's this thesis that keeps CRYPTONOMICON from being merely an enjoyable, exceedingly well-written, encyclopedic, and deeply comic novel. More than all this, the book is an _important_ novel, because of the ways it touches upon a critical public issue of our era: whether the power of cryptography can be trusted to individuals. CRYPTONOMICON presents the reader with several entwined narratives, switching among them on a chapter-by-chapter basis. Most of these narratives are set in World War II, and of these the greatest number of chapters are devoted to the adventures of two men: mathematical prodigy and Army officer Lawrence Waterhouse and his near-antithesis, Marine sergeant and all-around man of action Bobby Shaftoe. Both of these characters manage to complete grand tours of the European and Pacific theaters, but, more importantly, both demonstrate, in their respective ways, the human capacity to extract meanings from a the chaotic and mysterious situations generated by a world war. For Waterhouse, whose life is dominated by his gift for mathematical reasoning, the primary challenge is to crack Axis codes (and, secondarily, to conceal from the enemy the fact that the codes have been cracked). For the comparatively less cerebral and occasionally morphine-addicted Shaftoe, whose official mission is to assist in concealing Allied codebreaking efforts (although he does not at first realize this), the real goal is much more basic than Waterhouse's -- throughout the war he labors to return to the Japanese-occupied Phillipines to rescue his paramour and the child he may have fathered with her. Where Waterhouse reflexively resorts to mathematical models to characterize his experiences, Shaftoe turns to poetic ones --- during his time in the Far East he's learned to compose haiku and Stephenson has Shaftoe's individual story begin and end with haiku. (The haiku poet can be said to be engaged in a process of encoding a deep moment of experience into three short strings of words -- it takes an experienced reader of haiku to decode such a poem.) Set against the World Two narratives is a present-day story centered on Waterhouse's grandson, Randy, a computer nerd whose own genius remains unrealized until it is unlocked by a unique business opportunity -- Randy is invited by a friend to take part in cryptographically facilitated offshore "data haven" that will become the technological platform for a totally Net-based economic system. Backing that digital monetary system will, of course, require real-world gold. Working with Shaftoe's son and granddaughter, Randy may have a source for that gold, if only he can reconstruct the codebreaking efforts of his grandfather, who fifty years ago may have uncovered a plot to collect and horde German and Japanese gold bullion. You'd think such a web of narratives would be hard to follow (it is certainly difficult to summarize), but Stephenson, whose science-fiction novels SNOW CRASH and THE DIAMOND AGE have been critical and commercial successes despite their difficult plotting, has made a quantum jump here. His bravura writing style, together with certain technical choices (Stephenson tells each of his narratives in the present tense, regardless of when they occur chronologically) are carried along so deftly by his tight plotting that you never lose the thread. But this is not an author who's content just to tell good stories -- throughout the book he takes on the task of explaining cryptology and other relatively abstruse technical disciplines --
Watermark Warfare (was Re: ECARM NEWS for May 21,1999 First Ed.)
At 2:00 AM -0400 on 5/21/99, [EMAIL PROTECTED] wrote: Title: M. Ken to Offer Lists of Illegal MP3-based Web Sites Resource Type: News Article Date: May 20, 1999 Source: AsiaBizTech Author: Nikkei Multimedia Keywords: PIRACY PREVENT ,WATERMARKING,SEARCH ENGINES ,MP3 FILES Abstract/Summary: M. Ken Co., Ltd. will start a service from June 1 listing Web sites illegally providing music data in the MPEG Audio Layer-3 (MP3) format reproduced from music CDs. M. Ken is a developer of electronic watermarking technology. It plans to offer the list of such illegal sites to music companies that seek to find copyright infringements on Web pages, and it will post the information on its own Web page. Original URL: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70746 Added: Thu May 20 20:43:51 -040 1999 Contributed by: Keeffee - Robert A. Hettinga mailto: [EMAIL PROTECTED] Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: HushMail: free Web-based email with bulletproof encryption
At 9:11 PM -0400 on 5/19/99, Keith Dawson wrote: and are stored on a server located in Canada. And the code was written in Anguilla? Is there an echo in here? :-). Cheers, RAH - Robert A. Hettinga mailto: [EMAIL PROTECTED] Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
New Book: The End of Money and the Struggle for Financial Privacy
--- begin forwarded text Date: Tue, 18 May 1999 15:06:38 +0100 To: [EMAIL PROTECTED] From: CIPE News [EMAIL PROTECTED] Subject: New Book: The End of Money and the Struggle for Financial Privacy Sender: [EMAIL PROTECTED] CIPE is pleased to announce the arrival of a new book in our bookstore: The End of Money and the Struggle for Financial Privacy By Richard W. Rahn Technology has fast outpaced governments' ability to maintain control of electronic finance. Global financial networks and systems allow any asset whose value is recognized and guaranteed by a reliable financial institution to be instantaneously transferred from one person to another. Private institutions are already developing "digital dollars" that will someday reduce transaction costs and monetary instability, thus leading to greater economic efficiency and higher standards of living. Unfortunately, this new world of digital money is fiercely resisted by many government officials. The full benefits of digital money will not be realized unless people are left free to move their financial assets around the globe in a private fashion. You can purchase this book from CIPE for $22.50--this is a 10% discount off of the list price. Visit our electronic bookstore at http://www.cipe.org/bookstore and look in the CIPE Partners' Publications section or contact Amy Wormwood by email at [EMAIL PROTECTED] or fax at (202) 721-9250. THE CENTER FOR INTERNATIONAL PRIVATE ENTERPRISE 1155 15th Street NW; Washington DC 20005 telephone: 202 721-9200; fax: 202 721-9250; email: [EMAIL PROTECTED] Visit CIPE's Web site: http://www.cipe.org --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: MacOS 8.7 Security
--- begin forwarded text Subject: Re: MacOS 8.7 Security Date: Sat, 15 May 1999 20:29:02 -0700 From: Mark Talbot [EMAIL PROTECTED] To: "Robert Hettinga" [EMAIL PROTECTED], [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20mac-crypto On or about 5/15/99 2:23 PM [EMAIL PROTECTED] wrote: From: Somebody Subject: Re: MacOS 8.7 Security If you believe the spin in this bullshit, I have a bridge to sell you. The encryption is exportable, and the multi-user logon security is from At Ease, its designed for K-12 schools. There is nothing "military level" about any of this. The phrase "military level" carries about the same weight of meaning as "scientifically designed". After attending their creative typing class, the [EMAIL PROTECTED] put forth: [stuff deleted] One very interesting note on technology demonstrated under Sonata at WWDC: users will be able to log into their computers by voiceprint indentification. This technology is considered very reliable, is not easily faked by recordings and such, and can be backed up with a normal text password if the user is sick, loses their voice, etc. I watched the demo I don't recall any claims being made about "voiceprint identification". As far as I could tell the only new thing was you can now speak your pass phrase instead of typing it. If your pass phrase is "Soylent Green is people", I don't think the OS is going to be able to discern biometrically who speaks it. [stuff deleted] MST -- When you're right you're right, and when you're wrong, you're most likely Microsoft. -Anon --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[Fwd: That spooky PECSENC]
--- begin forwarded text Date: Wed, 12 May 1999 21:10:24 -0500 Reply-To: Digital Signature discussion [EMAIL PROTECTED] Sender: Digital Signature discussion [EMAIL PROTECTED] From: Richard Hornbeck [EMAIL PROTECTED] Subject: [Fwd: That spooky PECSENC] To: [EMAIL PROTECTED] FYI: Gant Redmon wrote: Richard: As a member of PECSENC, I'm responding to you but CC the list to get a little info out about PECSENC. It isn't as clandestine a bunch as we are portrayed. Actually, our closed door briefing on the latest national security threats have been rather mind numbing and devoid of substance. Instead, we gather to represent different interests and sit down and have a dialogue. It's tough because no one camp controls. We have industry representative like myself, law enforcement representative, usually a strong BXA and NSA contingent and a smattering of DOJ and Treasury folks that drift in and out. The real fun starts when the general public takes the time to show up. The venting going on in meeting in California was a blast. I think our value add is the feedback we are able to give the folks that draft the laws that make our lives such a treat. I'd say PECSENC played a role in the relaxation of controls last December and who knows what will be next. John Gilmore and I have spoken about what this is worth before. It's true we aren't making any radical overnight changes occur, but we are trying to work towards some solutions (or maybe some realizations) that should result in encryption becoming more fundamental in everyone's lives. As for notice, we meet the second Friday every other months. Pretty simple formula. So far, all meetings have been at BXA headquarters except for one in California. Just park at the Ronald Reagan building to get off at Metro Center. See you there. Gant Redmon AXENT Technologies, Inc. P.S. Richard: can you get this back to Cyberpunks for me? Also, in response to a private inquiry, Gant provided the following: Richard People shouldn't feel slighted. Even WE don't have a final agenda yet. A lot of times, we don't get it until the night before. But it will be from 10:00 to 3:00 in room 4832 at DOC. There always seems to be chairs available. It's no rock concert. :) Gant -Original Message- From: Richard Hornbeck [SMTP:[EMAIL PROTECTED]] Sent: Wednesday, May 12, 1999 9:32 AM To: [EMAIL PROTECTED] Subject: [Fwd: May 14 President's Export Council Subcommittee on Encryption Agenda] FYI (forwarded from Cypherpunks) - apologies for cross-posting. John Young wrote: An updated agenda for the May 14 meeting in DC of the President's Export Council Subcommittee on Encryption (PECSENC) has been provided by Lisa Ann Carpenter, Committee Liaison Officer (202-482-2583): Opening remarks by the new chairman, William Crowell (ex-Deputy DIRNSA) Encryption initiatives of the Bureau of Export Administration, by William Reinsch Overview of the Critical Infrastructure Assurance Office (CIAO) by Jeffrey Hunker, Director 1:30 Presentation by the office of Senator McCain on his crypto bill 2:00 Report on Congressional activities 2:30 Presentations on Bernstein by the two sides, Cindy Cohn and Department of Justice 3:00 Adjourn (cut back from 5:00 as the FR announced) Also, a list of PECSENC members was promised but has not yet arrived. This information is hard to come by so it will be most welcomed. Minutes of past meetings and policy recommendations are elusive too. See the one public statement: http://209.122.145.150/PresidentsExportCouncil/PECSENC/pecsenc1.htm It's shameful and maybe illegal to hide PECSENC information. Recent scutbutt was that acting PECSENC chair Stewart Baker (ex-NSA) was going to help John Gilmore set up a public web site for PECSENC affairs. That accountability initiative appears to have died with Crowell's appointment, or to be fair, is more likely being studied to slow death to cozzen natsec grizzes -- which fits NSA's MO to SIDA misfit crypto naifs. --- end forwarded text - Robert A. Hettinga mailto: [EMAIL PROTECTED] Philodox Financial Technology Evangelism http://www.philodox.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
FW: Next Week's FSTC May 17-18 Meeting Update
Yee-haaa! I *love* my non-job... Cheers, RAH --- begin forwarded text From: Somebody To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED] Subject: FW: Next Week's FSTC May 17-18 Meeting Update Date: Thu, 13 May 1999 17:20:23 -0700 Bob: Have you seen the attachment? More ATM over the Internet projects. -Original Message- From: Gramling, Laura [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 12, 1999 7:35 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Next Week's FSTC May 17-18 Meeting Update Have you registered yet for next week's FSTC May 17 -18, 1999 meeting? FSTC has put together a great program to address your business needs for today and for tomorrow. Note, the attached word document is an example of one of the new project concepts being explored during the breakout sessions. Come with other project ideas! ATMOnePager_Revised To Register Phone: 312.527.6724 Email: [EMAIL PROTECTED] On-line: http://www.fstc.org/springmeet.html Registration Fees $50 for members $295 for nonmembers if payment is received on or before April 30th. $395 for nonmembers if payment if received after April 30th. Mastercard, VISA, American Express and Diners Club are accepted. Checks should be made payable to FSTC. All General Meeting attendee fees are non-refundable. Session Updates Our interactive breakout sessions have been expanded and our general sessions presenters will be covering the latest in technology for the financial services industry. See below for topics and session leaders. Breakout Sessions Topics and Session Leaders Customer Authentication and FAST (Financial Agent Secured Transactions) Session Leader: Dan Schutzer, Citigroup Digital Signatures Basics Session Leader: Parker Foley, First Union Moving the ATM to the Internet Session Leader: Wolf Rossmann, NCR and Susan Symons, First Union XML for Financial Messaging Session Leader: David White, Wells Fargo Issues with PKI Session Leaders: Parker Foley, First Union Privacy and P3P Session Leader: TBD General Session Topics and Presenters Leveraging Emerging Call Center Technologies for Efficiency, Quality and Revenue Steve Boehm, First Union Direct First Union Direct is a recognized leader in exploiting the latest technologies - the Internet, email, integrated desk tops, imaging, digital certificates and biometrics, and leading edge telephone platforms - to provide superior service and effective direct marketing of financial services to its growing customer base. Mr. Boehm will explore the challenges and rewards of guiding one of the nation's largest call centers into the second millennium. The Last Mile - Its Impact on Delivering Financial Services to Consumers over the Internet Mike Parsons, Wachovia Bank The focus of the session will be to review the recent developments in Internet bandwidth and the current state of Internet connections for the home consumer. In spite of advances, significant numbers of customers continue to suffer from slow connections to the Internet. What are the prospects for improvement? How does this impact presentation of services over the Internet to our customers? My goal is to impart an understanding of why financial institutions need to consider the potentially negative impact on usability that can emerge from slow downloads of complex presentations. Consumer Payments Research David Allardice and Brian Mantel, Federal Reserve Bank of Chicago David Allardice and Brian Mantel will present an overview of research on the primary motivations impacting consumer payment choice and the implications for different forms of payments, including: identification of key segments; identification of critical obstacles; and observations on potential opportunities. Update on BITS Sponsored Initiatives Kit Needham, BITS Kit Needham will be giving an update on BITS key initiatives and actions taken at the April Board meeting. Topics will include IFX, InteroperaBILL, Fraud Reduction, ECP, Privacy/Data Sharing, Shared Utilities, and Electronic Commerce Framework. Paperless Automated Check Exchange Settlement (PACES) Mariano Roldan, Chase Manhattan Bank PACES is a FSTC project whose focus is to move the financial services industry towards image-based truncation. Its primary goal is to develop a technical platform that demonstrates the viability of interbank image exchange based on truncation of paper checks at the bank of first deposit. This presentation will provide an update on the status of the project. Red Teaming: The Next Wave in Information Security Bradley Wood, Sandia National Laboratories Red Teaming is an alternative method of assessing the relative security strengths and weaknesses of an information system. Some new work in this area takes some of the "black magic" out of the process and gives decision-makers hard data for making