One Writer's Experience With Pgp (was Re: [ILN] INTERNET LAWNEWS - NOVEMBER 26, 1999)

[Robert Hettinga]

At 8:16 AM -0500 11/26/99, Michael Geist wrote:

 ONE WRITER'S EXPERIENCE WITH PGP
 The Washington Post runs an interesting column on the limited usage of PGP
 and other encryption programs.
 http://www.washingtonpost.com/wp-srv/business/feed/a48453-1999nov26.htm

 
 Internet Law News is compiled weekdays by Professor Michael Geist of the
 University of Ottawa Law School.  During this startup period, permission is
 granted to freely distribute this issue in its entirety to colleagues,
 students, friends or other interested parties.

 To subscribe to this free service, send an email to [EMAIL PROTECTED]
 with the message "subscribe netlaw".

 Please send any comments or suggestions for future issues to Michael Geist
 at [EMAIL PROTECTED] or visit his Web site at http://www.lawbytes.com.

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Marked cash in Lucre

[Robert Hettinga]

--- begin forwarded text


Date: 21 Nov 1999 22:20:08 -
To: [EMAIL PROTECTED]
From: lcs Mixmaster Remailer [EMAIL PROTECTED]
Subject: Marked cash in Lucre
Sender: [EMAIL PROTECTED]

Earlier this year there was discussion of David Wagner's blinding as a way
of creating electronic cash that would not be covered by existing patents.
See the archives at
http://privacy.nb.ca/cryptography/archives/coderpunks/new/1999-03/
for the threads "Anonymous cash via blinded authentication" and
"Getting around Chaum's patent".  David Wagner's original posting is
at http://www.deja.com/getdoc.xp?AN=145097228.

This algorithm has been implemented by Ben Laurie in his Lucre package,
info at http://anoncvs.aldigital.co.uk/lucre/.  There have been rumors
that Lucre might serve as the foundation for an actual field trial of
electronic cash.

The idea is that the bank "signs" a number by raising it to a secret
exponent k, modulo a strong prime p.  The bank can then recognize a
signed pair y, y^k by raising the first one to the k power.  The y values
have some internal redundancy, like the right half is the hash of the
left half.

To blind, David Wagner suggested the bank also publish a generator g
and a value g^k, similar to what is done in Diffie Hellman exchanges.
The client then chooses a random blinding factor r and calculates
y * g^r, which he sends to the bank.  The bank raises this to the k
power (a power unknown to the client), producing y^k * g^rk.  The
client is able to calculate g^rk by taking the published g^k value to
the r power.  (g^k)^r = g^kr = g^rk.  He can therefore divide this out
and be left with y^k, a properly "signed" value.

This is what is implemented in Lucre.

However, there is a flaw.  During the discussion earlier this year, it
was pointed out that Chaum had proposed a similar algorithm for another
purpose, blind undeniable signatures.  Instead of blinding by multiplying
by g^r, he blinded by raising to a random power.  Unblinding was then
done by raising to the inverse power.  This worked OK for Chaum, but
in the Coderpunks discussion it was pointed out that it would allow
the bank to "mark" the cash.  It could misbehave during the transaction
and raise the blinded y value to a power k' instead of k.  This cannot
be detected by the client since there is no public key to verify the
"signature" against (which is why these are not technically signatures).
Then when the coin is deposited after unblinding, the bank can recognize
that it was the same coin which was marked with the special k' power.

It was suggested at the time that David Wagner's blinding was immune to
this marking attack.  However recently it has been learned that this
is not true; the bank can mark cash using Wagner blinding as well.
The current Lucre implementation would be vulnerable.

During withdrawal, the user submits y * g^r.  The bank, to mark the cash,
raises it to the k' power rather than the k power.  The creates
y^k' * g^rk'.  The user unsuspectingly unblinds by calculating g^kr and
dividing it, leaving y^k' * g^(r(k'-k)).  This is what is later submitted
to the bank, along with y.

The bank, at this point, knows y, k, k', g, and the product above.  It
does not know r.  It can calculate y^k' and divide to get g^(r(k'-k)).
It can raise to the inverse power of (k'-k) to get g^r.  Now it can
multiply by y to get y * g^r.

This is the same value which was submitted to be signed in the first
place.  By keeping a record of the values which were signed using the
special k' exponent, the bank can look back and see which one this one
is, thereby linking the deposit to the withdrawal, which is exactly what
blinding is supposed to prevent.

Hence the current Lucre implementation cannot be viewed as safe.

It appears that there is a simple fix, but other people should look at it
to be sure.  The flaw in the existing implementation was not discovered
for months, presumably because no one looked closely at it.  The fix
is simple but it would add confidence for more people to study it.

The proposed fix is to combine the two forms of blinding, Wagner's
and Chaum's.  Choose two random blinding factors, r and s, and blind
by calculating y^s * g^r.  This is sent to the bank which returns (if
it is not cheating) y^sk * g^rk.  As in Wagner's blinding, the user can
calculating g^rk and divide out, to leave y^sk.  As in Chaum's blinding,
the user can then raise to the 1/s power to leave y^k.  Hence the blinding
is easily removed.

If the bank cheats by raising to the k' power, the user gets
y^sk' * g^rk'.  He divides by g^rk to get y^sk' * g^((k'-k)r).  He then
raises to the 1/s power to get y^k' * g^((k'-k)r/s).  This is what he
gives to the bank at deposit time, along with y.

The bank can calculate and divide off y^k', and raise to the inverse
(k'-k) power as before, leaving g^(r/s).  However at this point it appears
to be stopped.  There seems to be no way to correlate this value to the
y^s * g^r that it saw at blinding time.  If it 

DCSB: Pat Cain; Trustable Internet Time and Digital Commerce

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 16 Nov 1999 10:46:23 -0500
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: DCSB: Pat Cain; Trustable Internet Time and Digital Commerce
Cc: Muni Savyon [EMAIL PROTECTED], Elias Israel [EMAIL PROTECTED],
Suzan Dionne [EMAIL PROTECTED], Rodney Thayer [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Robert Hettinga [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

  The Digital Commerce Society of Boston

Presents

Pat Cain,
   GTE Internetworking

   Does anybody know what time it is? (And can prove it?)


 Tuesday, December 7th, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
   One Federal Street, Boston, MA


As more and more things become internet-enhanced, the ability to note
when a certain event happened is based upon the timestamp generated from
a computer. In most cases the computer's concept of time was retrieved
from a trusted server using the internet Network Time Protocol (NTP).
This talk will show some examples where trustable time is beneficial and
problematic, followed by a quick overview of the NTP protocol and the
assurance enhancements proposed as part of the IETF Secure Time WG. The
talk will conclude with an unsolved problems discussion.

Pat Cain is a principal member of the technical staff, and security
advocate, at GTE Internetworking. Mr. Cain provides consulting and
guidance to both internal and external clients on the realistic use of
security technologies. In Mr. Cain's 18 years at GTE/BBN, he was the lead
engineer of the MISSI CAW (a medium-assurance X.509 CA), was the hardware
architect of the BBN SafeKeyper, and did numerous cryptographic and
network security projects. He currently represents GTEI in ANSI X9F, is a
member of the ABA Information Security Committee, and is the co-chair of
the IETF's Secure Time working group.

This meeting of the Digital Commerce Society of Boston will be held on
Tuesday, December 7th, 1999, from 12pm - 2pm at the Downtown Branch of
the Harvard Club of Boston, on One Federal Street. The price for lunch is
$35.00. This price includes lunch, room rental, A/V hardware if
necessary, and the speakers' lunch. The Harvard Club *does* have dress
code: jackets and ties for men (and no sneakers or jeans), and
"appropriate business attire" (whatever that means), for women. Fair
warning: since we purchase these luncheons in advance, we will be unable
to refund the price of your lunch if the Club finds you in violation of
the dress code.


We need to receive a company check, or money order, (or, if we
*really* know you, a personal check) payable to "The Harvard Club of
Boston", by Saturday, December 4th, or you won't be on the list for
lunch.  Checks payable to anyone else but The Harvard Club of Boston
will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club of Boston", in the amount of $35.00. Please include your
e-mail address so that we can send you a confirmation

If anyone has questions, or has a problem with these arrangements
(We've had to work with glacial A/P departments more than once, for
instance), please let us know via e-mail, and we'll see if we can
work something out.

Upcoming speakers for DCSB are:

JanuaryElias Israel   The Libertarians and Digital Commerce
February   Suzan Dionne   The Law of Digital Cash
TBARodney Thayer  Cryptographic Transnationality


We are actively searching for future speakers.  If you are in Boston
on the first Tuesday of the month, and you are a principal in digital
commerce, and would like to make a presentation to the Society,
please send e-mail to the DCSB Program Committee, care of Robert
Hettinga, mailto: [EMAIL PROTECTED].


For more information about the Digital Commerce Society of Boston,
send "info dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail
list, send "subscribe dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] .

We look forward to seeing you there!

Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston

-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.1

iQEVAwUBODF71sUCGwxmWcHhAQFeDggAr6gRg9qTOBlsmkkNme2Rg9vJP5XNN590
ZJis8STSH+PU7aFirmQPFFvH/OoWznfWOadqWCIRvp+M3rRCuSjD53Hqx8MHaA6Z
sBsYnRxiVJQM2a8qcC8B6M4kcClPSZy8zZSDI7v4q7EK7kR8jCH5Mfg4i5xQeByC
ISwgEXZv/BDEhBeb6aIkemTPEPMbTjM32iLp2qTtgK4Q1s8fW35AqrhZSiqn+KNG
bRxVE+h0/LpcSkufwwsXIeUYSW6tsKm3kQjUARzsHDbuTP5YaV+oRGpmni0ZM10D
Ufz+g9Kqen3Rs+KS2YhU7s9aHkql+lDquQf92WpCsrzTmcQ0n07OyQ==
=vGIv
-END PGP SIGNATURE-
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.

WSJ: Crypto Regs begin circulating today (was Re: INTERNET LAWNEWS - NOVEMBER 15, 1999)

[Robert Hettinga]

At 9:20 AM -0500 on 11/15/99, Michael Geist wrote:


 CONCERN OVER CRYPTO REGS
 Concern continues to grow over the Clinton administration's forthcoming
 crypto export regs.  A new draft may be circulated internally as soon as
 today, reports the WSJ.
 http://interactive.wsj.com/articles/SB942621233614972446.htm

 
 Internet Law News is compiled weekdays by Professor Michael Geist of the
 University of Ottawa Law School.  During this startup period, permission is
 granted to freely distribute this issue in its entirety to colleagues,
 students, friends or other interested parties.

 To subscribe to this free service, send an email to [EMAIL PROTECTED]
 with the message "subscribe net news".

 Please send any comments or suggestions for future issues to Michael Geist
 at [EMAIL PROTECTED] or visit his Web site at http://www.lawbytes.com.
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

WPI Crypto Seminar: A High-Speed FPGA Implementation of Serpent

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 11 Nov 1999 09:21:41 -0500 (EST)
From: Christof Paar [EMAIL PROTECTED]
To: WPI Crypto Seminar: ;
Subject: WPI Crypto Seminar, Monday, Nov 15
Sender: [EMAIL PROTECTED]
Reply-To: Christof Paar [EMAIL PROTECTED]


  WPI Cryptography Seminar

  A High-Speed FPGA Implementation of Serpent

Adam Elbirt
   WPI

Monday, November 15
 4:30 pm,  AK 218
 (refreshments at 4:15 pm)


With the expiration of the Data Encryption Standard (DES) in 1998, the
Advanced Encryption Standard (AES) development process is well underway.
It is hoped that the result of the AES process will be the specification
of a new non-classified encryption algorithm that will have the global
acceptance achieved by DES as well as the capability of long-term
protection of sensitive information.  The technical analysis used in
determining which of the potential AES candidates will be selected as the
Advanced Encryption Algorithm includes efficiency testing of both hardware
and software implementations of candidate algorithms.  Reprogrammable
devices such as Field Programmable Gate Arrays (FPGAs) are highly
attractive options for hardware implementations of encryption algorithms
as they provide cryptographic algorithm agility, physical security, and
potentially much higher performance than software solutions.

This contribution investigates the significance of an FPGA implementation
of Serpent, one of the AES candidate algorithms.  Multiple architecture
options of the Serpent algorithm will be explored with a strong focus
being placed on a high speed implementation within an FPGA, in order to
support security for current and future high bandwidth applications.  One
of the main findings is that Serpent can be implemented with encryption
rates beyond 4 Gbit/s on current commercially available FPGAs.


DIRECTIONS:

The WPI Cryptoseminar is being held in the Atwater Kent building on the
WPI campus. The Atwater Kent building is at the intersection of the
extension of West Street (labeled "Private Way) and Salisbury Street.
Directions to the campus can be found at
   http://www.wpi.edu/About/Visitors/directions.html


ATTENDANCE:

The seminar is open to everyone and free of charge. Simply send me a brief
email if you plan to attend.


TALKS IN THE FALL '99 SEMESTER:

10/4  Berk Sunar, SITI
   Comparison of Elliptic Curve Implementations

10/18 Jim Goodman, MIT
   Energy Scalable Reconfigurable Cryptographic
   Hardware for Portable Applications

10/28 Brendon Chetwynd, WPI/Raytheon
   Towards an Universal Block Cipher Module

11/15 Adam Elbirt, WPI
   A High-Speed FPGA Implementation of Serpent

12/6  Richard Stanley, GTE Labs
   Using Cryptography to Combat Wireless Fraud -- A Case Study


See
   http://www.ece.WPI.EDU/Research/crypt/seminar/index.html
for talk abstracts.


MAILING LIST:

If you want to be added to the mailing list and receive talk
announcements together with abstracts, please send me a short mail.
Likewise, if you want to be removed from the list, just send me a
short mail.

Regards,

Christof Paar


! WORKSHOP ON CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS (CHES 2000)!
!   WPI, August 17  18, 2000!
!  http://www.ece.wpi.edu/Research/crypt/ches!

***
  Christof Paar,  Assistant Professor
   Cryptography and Information Security (CRIS) Group
   ECE Dept., WPI, 100 Institute Rd., Worcester, MA 01609, USA
fon: (508) 831 5061email: [EMAIL PROTECTED]
fax: (508) 831 5491www:   http://ee.wpi.edu/People/faculty/cxp.html
***







For help on using this list (especially unsubscribing), send a message to
"[EMAIL PROTECTED]" with one line of text: "help".

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Truth About Encryption (Re: NewsScan Daily, 5 November 1999(Above The Fold))

[Robert Hettinga]

At 9:32 AM -0700 on 11/5/99, NewsScan wrote:


 THE TRUTH ABOUT ENCRYPTION
 Cambridge University cryptography expert Ross Anderson says governments'
 efforts to keep encryption technology out of the hands of criminals and
 terrorists is misguided: "If I were to hold a three-hour encrypted
 conversation with someone in the Medellin drug cartel, it would be a dead
 giveaway. In routine monitoring, GCHQ (Britain's signals intelligence
 service) would pick up the fact that there was encrypted traffic and would
 instantly mark down my phone as being suspect. Quite possibly the police
 would then send in the burglars to put microphones in all over my house. In
 circumstances like this, encryption does not increase your security. It
 immediately and rapidly decreases it. You are mad to use encryption if you
 are a villain." (New Scientist 6 Nov 99)
 http://www.newscientist.com/ns/19991106/confidenti.html

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Call for papers, Malicious Information Technology (was Re: RisksDigest 20.64)

[Robert Hettinga]

At 8:17 AM -0800 on 11/4/99, [EMAIL PROTECTED] wrote:


 Date: Fri, 22 Oct 1999 15:51:57 -0400
 From: "Jeffrey M. Voas" [EMAIL PROTECTED]
 Subject: Call for papers, Malicious Information Technology

 Co-Authored:

 Software Assessment: Reliability, Safety, and Testability (Wiley, 1995)
 http://www.rstcorp.com/books/sa

 Software Fault Injection: Inoculating Programs Against Errors
 (Wiley, 1998)  http://www.rstcorp.com/books/sfi

 Videos:

 Developing Software for Safety Critical Systems
 (IEEE, 1998) http://www.rstcorp.com/videos/safety_critical.html

 Software Testing: Building Infrastructure, Due Dilligence, and OO
 Software
 (IEEE, 1999) http://www.rstcorp.com/videos/software_testing.html

 IEEE Software
 Call for Articles  Reviewers
 Malicious Information Technology: The Software vs. The People
 Publication: Sept./Oct. 2000

 Software was intended to improve the quality of human life by doing
 tasks more quickly, reliably, and efficiently. But today, a "software
 vs. people" showdown appears eminent.  Software is increasingly
 becoming a threat to people, organizations, and nations.  For example,
 the spread of the Melissa virus illustrates the ease with which
 systems can be penetrated and the ubiquity of the consequences; the
 Melissa virus caused many companies to shut down their EMail systems
 for days or even weeks.  The origin of these threats stems from a
 variety of problems.  One problem is negligent development practices
 that lead to defective software.  Security vulnerabilities that occur
 as a result of negligent development practices (e.g., commercial Web
 browsers allowing unauthorized individuals to access confidential
 data) are likely to be discovered by rogue individuals with malicious
 intentions.  Other security vulnerabilities are deliberately
 programmed into software (e.g., logic bombs, Trojan Horses, and Easter
 eggs).  Regardless of the reason why information systems are
 vulnerable, the end result can be disastrous and widespread.

 Because of the increased danger that malicious software now poses, we
 seek original articles on the following specific issues:

   + Intrusion detection
   + Information survivability
   + Federal critical infrastructure protection plans
   + Federal laws prohibiting encryption exports vs. US corporations
   + State-of-the-practice in security testing
   + The Internet's "hacker underground"
   + Corporate information insurance
   + Penalties for those convicted of creating viruses
   + Case studies in information security and survivability

 Submissions due: 1 April 2000

 Guest Editors:

 Nancy MeadJeffrey Voas
 Carnie Mellon University  Reliable Software Technologies
 [EMAIL PROTECTED]   [EMAIL PROTECTED]

 Authors: Submit one electronic copy in RTF interchange or MS-Word
 format and one PostScript or PDF version to the magazine assistant at
 [EMAIL PROTECTED]  Articles must not exceed 5,400 words including
 tables and figures, which count for 200 words each.  For detailed
 author guidelines, see www.computer.org/software/edguide.htm.
 Reviewers: Please e-mail your contact information and areas of
 interest to a guest editor.

 Jeffrey M. Voas, Co-Founder, Reliable Software Technologies, Suite 400,
 21351 Ridgetop Circle, Dulles, VA  20166 USA, [EMAIL PROTECTED],
 Phone: 703.404.9293, Fax: 703.404.9295

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Here's Wot's the scuttlebut

[Robert Hettinga]

-BEGIN PGP SIGNED MESSAGE-

At 8:58 AM -0400 on 11/9/99, Ian Grigg wrote, on the egold list, re
yesterday's IETF micropay BOF:


 Wot's the scuttlebut?

IBM and ATT both have counter-cash book-entry credit-card/telephone
billing accumulators, which, apparently, look a lot alike structurally,
and are both patented and/or PAF. That should be fun.

Compaq (nee DEC) has merchant-issued (to absolutely, positively, prevent
double-spending) bearer scrip, capable of, um, millicents. Also patented.

The W3C is building (or has built, depending on who you listen to)
pay-per-click XML. Probably not patented.

IBUC large intake of breath will pay -- or hopes to pay -- some clueful
IETFer to build a public-domain (spec and reference code), millidollar
and smaller, fully-fungible, unsigned, internet bearer transaction system
using a generally accepted, and preferrably unencumbered, bearer
financial cryptography protocol. Little money first, bigger money soon,
biggest money later.


All of the above folks would dearly love an IETF-approved(whatever)
internet-level spec: Something which moves payments, preferrably micro
ones, from Alice to Bob on the net regardless of the payment protocol, as
long as it doesn't descriminate according to a whole set of variables we
all don't have definitions for yet, including what, exactly, a
micropayment is.

The room was too small and too full, which was, at least, gratifying.
Everyone who was there *really* wants to do micropayments on the net if
they can figure out how to do it for, um, money. We've all been *really*
trying to figure out how, and for at least 5 years, as far as anyone can
tell. Even after all that some of us still think we can, for some reason.
:-).


So, to be perfectly frank, it appears a bunch of historically-non-IETFers
(every single person speaking, me included, except for J[...] I[...] :-)
of ATT, who quite fortunately got shoehorned into the agenda at the last
minute, had never been to IETF before; including, apparently, the BOF's
substitute chairman, flown in from Isreal by IBM for the occasion at the
late minute), called a meeting to get the IETF to Do Something, which is
not generally a good way to get IETF folks to do anything.


Lots of people observed lots of things, but the observation I remember
most came from Jon Callas: Maybe IETF folk will be motivated to write a
standard, but first there has to be enough running code for there to be a
rough consensus. Or something.


My personal opinion is, cool, let's go buy/build some running code and
make it all go, because we're burning daylight, and we have nothing to
lose but our transfer-priced information goods and services.


Finally, and maybe most important, Fearghas McKay has set up a list for
- --IETF-- folks to talk about getting an --IETF-- micropay
working-group[s] together (or not), and then getting [a] spec[s], etc.,
together, (or not), called, appropriately enough,
[EMAIL PROTECTED]. It can be subscribed to (I hope I got this
right) here: mailto: [EMAIL PROTECTED].

See you all there.

Cheers,
RAH

-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.1

iQEVAwUBOChR58UCGwxmWcHhAQHUlQgApMPfFzUxiJHM4WRmSHFYfiJSCjK3b/VU
XQIirf3/LVDkG5K7V9NK+u4bn4P+jiB7ohaKbbXsn9JyCQQVFDKrsKVUWWdbp7J7
o/gTS3xFm2WKkrM1vQgJMwG646Y39rduAzA3LbyoO9tEAVAyT6HA3XXUIuhjTMB2
csrD0CgzXCcHuEv36aBdNmuDwoYbdM/OQjtRHHaT4P/bl+kIJo0JHKJcxSzudcLa
E9ry7Ib0RjKRcIPESQn+L92L5hhOkFzpaSge0knZ5rDg2C/QrjLKSTro2jF3f6oI
w3gVin9h+c/bZoc49FdDRVFdGNlJzaBzxmGcoVIYllfeZOXmQHjSqQ==
=fTa3
-END PGP SIGNATURE-
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"Camels, fleas, and princes exist everywhere."  -- Persian proverb

Cypherpunks Final Exam

[Robert Hettinga]

[I would not normally forward this along -- it isn't, by my lights,
interesting enough. However, the vision of #11 is so astounding to me
(even though I suppose it shouldn't be) that I felt I had to pass the
whole thing along so that it would be in context. --Perry]

--- begin forwarded text


Date: Sat, 6 Nov 1999 13:20:02 -0800 (PST)
To: [EMAIL PROTECTED]
From: BPM Mixmaster Remailer [EMAIL PROTECTED]
Subject: Cypherpunks Final Exam
Sender: [EMAIL PROTECTED]
Reply-To: BPM Mixmaster Remailer [EMAIL PROTECTED]

This is from http://www.skyhunter.com/marcs/finalexam.html, by
Marc Stiegler, sci-fi author and a pretty smart guy.  Should be a
required test for those who want to call themselves cypherpunks.
--

This is a slightly modified version of the Final Exam I recently gave
to a class of college students taking a special advanced course on The
Future Of Computing. A number of friends to whom I showed it suggested
that it might be a good Final Exam for people considering passing
thousands of new laws and regulations, to make sure that the Web is
"safe", and to eliminate the "Wild West nature" of the Web. If you can
answer all these questions, you probably know why thousands of new laws
are not the right way to make the Web "safe".



  Final Exam

A new version of the Web springs to life with the following enhanced
capabilities:

   Unforgeable pseudonymous identities
   Bidirectional, typed, filterable links
   Arbitrage agents
   Bonding agents
   Escrow agents
   Digital Cash
   Capability Based Security with Strong Encryption

Pick any 5 of the essay questions below. Identify which advanced features
listed above are needed to solve each problem, and explain how those
features would work together.

Note: I doubt that anyone will choose Question 11 as one of their 5
questions to answer, because it requires a far more extensive answer
than the others. But...if you can answer Question 11 in your own mind,
even though you choose not to write up that answer for this examination,
then a most remarkable thing will happen: you will walk out of this
class with something profoundly worth knowing.

1) Searching for a decision analysis tool on the Web, you find a review
in which the reviewer raves about a particular product. You buy the
product and discover it just doesn't work. You desire to prevent this
person's ravings from harming anyone else--and you desire to prevent
the product from disappointing anyone else.

2) A product you buy based on a rave review opens your email address book,
grabs your entire list of friends, sends itself to them, and sends your
password files to a mysterious IP address. It's too late now, but which
features would you install before ever touching your computer again?

3) A product is advertised on the Web. It sounds good, but the offerer
has no Web reputation. What arrangement would you consider adequate to go
ahead and procure the product (Note: there are several possible answers;
give 2 entirely separate solutions, and that is considered answering
2 questions).

4) You start receiving thousands of emails from organizations you don't
know, all hawking their wares. You want it to stop, just stop!

5) You wish to play poker with your friends. They live in Tampa Florida,
you live in Kingman. This is illegal in the nation where you happen to
be a citizen. You want to do it anyway.

6) You hear a joke that someone, somewhere, would probably find
offensive. You wish to tell your precocious 17-year-old daughter, who
is a student at Yale. The Common Decency Act Version 2 has just passed;
it is a $100,000 offense to send such material electronically to a
minor. You want to send it anyway--it is a very funny joke.

7) Someone claiming to be you starts roaming the Web making wild
claims. You want to make sure people know it isn't really you.

8) You have brought out a remarkable new product. There is a competing
product making claims you know are false. You want to make sure anyone
going to their site finds out your product is better.

9) Your elderly aunt sees a drug advertised on the Web that promises
relief from arthritis. She dies shortly after starting to take
the drug. You think the drug, and the company that made it, is at
fault. Meanwhile the company is sure they didn't have anything to do
with it. You want justice.

10) You are the CEO of Bloomberg News, one of the most prestigious (and
expensive) stock information services in the world. An article circulates
on the Web, based on a mock-up of the Bloomberg News information page,
claiming that PairGain Corp. will be acquired by ECI Telecom. PairGain
stock rises 32% in 8 hours. Investigators later find that the false report
was created by a PairGain employee about to cash in his options. You
want to ensure that your brand is never used like this again.

11) You live in North Korea. Three days ago the soldiers 

Re: Encryption Expert Witness Wanted

[Robert Hettinga]

At 9:19 AM -0600 on 11/5/99, Kennedy, Linda wrote:


 Preferably an academic type in Chicago or a suburb thereof.
 Will also consider industry types, especially if local to Chicago.

You want Schneier. He lives in Minneapolis. That's a suburb of Chicago. ;-).

Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

news (I guess...)

[Robert Hettinga]

--- begin forwarded text


From: "DONALD" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: news
Date: Sun, 7 Nov 1999 07:25:52 -0700

see http://www.killen.com/tvwww.killen.com/tv  for the 
interview..messagingdirect 
also see... 
http://www.messagingdirect.com/press/killenprofile.pdfhttp://www.mes 
sagingdirect.com/press/killenprofile.pdf
 
InternetNews.com
 
Fall ISPCON Live!
 
-- 
--
 
MessagingDirect, Sendmail Partner to Produce Secure Mail Platform
By Patricia Fusco
InternetNews.com Assistant Editor  October 27, 1999
 

 
[San Jose] MessagingDirect, Ltd. and Sendmail, Inc. have partnered to design a
secure environment for companies' e-business efforts by integrating Sendmails
Internet Mail platform with MessagingDirect's M-Mail messaging and M-Vault
directory.
 
As a part of the deal, Sendmail will resell MessagingDirect's M-Secure and
M-Bill, electronic billing and payment application software to ISPs that may in
turn, offer the enhanced e-mail services to businesses looking for a secure way
to bill and communicate with clients online.
 
M-Secure is an e-mail pipeline for creating, sending and receiving digitally
signed and encrypted documents that can authenticate valid users of the
service, anywhere in the world.
 
M-Bill is an electronic bill delivery and payment application that can store
more than 50 million bills and deliver up to 500 e-mails per second. The
program virtually eliminates the need for paper billing systems because the
commerce class application meets tough non-repudiation billing standards.
 
Greg Olson, Sendmail, Inc. chief executive officer, said the partnership
evolved when the company determined that in 5 to 10 years, most of paper mail
commerce will move to e-mail. Olson said the development makes for fantastic
opportunities for ISPs to enhance their e-mail services, today.
 
"By working with technology partners to support a single Internet Mail
platform, Sendmail will provide customers with more applications that use
Internet Mail to reduce costs, increase productivity and build more profitable
customer relationships," Olson said. "MessagingDirects e-business applications
and services provide our customers with a secure and cost-effective means for
communicating on the Internet."
 
According to Jupiter Communications (JPTR), Sendmail powers more than 75
percent of the Internet mail servers and 80 percent of the Fortune 100 e-mail
interfaces for the public Internet. Sendmails market dominance is due to
founder Eric Allmans passion for open standards computing that motivated him
to first offering Sendmail for free, and the fact that ISP technicians find
Sendmails programming exceptionally user friendly.
 
ISPs will find Sendmails same familiar, easy to use, standards-based system
has been put to work to offer MessagingDirects M-Secure and M-Bill
Applications. Olson said ISPs looking to enhance their profits would recognize
that its a good time for them to consider carrier class e-mail as part of
their value-added services for e-commerce enterprises."
 
"Now is a great time for ISPs and ASPs to get into the e-commerce e-mail
market," Olson said. "Today, $400 billion is being spent on direct marketing
mail, order processing, bill and distribution payment and account systems. Its
the biggest part of a $700 billion industry that is easy for ISPs to tap into
and deploy."
 
Don Pare, MessagingDirect Ltd. chief executive officer, said constructing the
foundation for commerce class, managed end-to-end e-mail system was no small
feat.
 
"To put a bill in your in-box electronically, we had to make 3.5 million lines
of code easy for ISPs to deploy. Then we had to seamlessly deliver the secure
messages to an authenticated client for pennies per delivery, in order to
entice businesses" Pare said.
 
Pare added that partnering with the master of e-mail delivery systems was the
best way to make sure a standards-based approach was utilized.
 
"By partnering with Sendmail, we believe that our Internet Mail services and
applications will meet the requirements of doing e-business on the Internet,
now and in the future," Pare said. "Our standards-based approach to development
will provide out customers with the functionality, transactional reliability
and the security critical to do e-business commerce on the Internet."
 
The Sendmail, MessagingDirect partnership secure mail applications have already
produced a price breakthrough for delivering secure messaging over the
Internet. In the near future, the two companies plan to further develop e-mail
applications operating off from the same robust Sendmail platform to offer
content management, unified messaging and certified e-mail delivery.
 
 

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may 

Must-read capabilities paper

[Robert Hettinga]

--- begin forwarded text


Date: Sun, 31 Oct 1999 16:29:20 -0800
From: Lucky Green [EMAIL PROTECTED]
Old-Subject: Must-read capabilities paper
To: "cypherpunks@Algebra. COM" [EMAIL PROTECTED]
Subject:  Must-read capabilities paper
Sender: [EMAIL PROTECTED]
Reply-To: Lucky Green [EMAIL PROTECTED]

This is probably the most significant and insightful CS paper I have read in
years. The paper didn't actually teach me something fundamentally new,
having paid close attention to capabilities ever since a fateful Cypherpunks
meeting at Stanford a few years back, but I have never seen such synthesis
between so many seemingly disjoint important topics. From OS design to PKI,
this paper touches on it all. What impressed me about this paper is that it
made me think in new ways about stuff I already well understood.

http://www.erights.org/elib/capability/ode/index.html

--Lucky Green [EMAIL PROTECTED]

   "Among the many misdeeds of British rule in India, history will look upon
   the Act depriving a whole nation of arms as the blackest."
   - Mohandas K. Gandhi, An Autobiography, pg 446
   http://www.citizensofamerica.org/missing.ram

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Lie in X.509, Go to Jail, Pt. III (Was Re: Edupage, 29 October1999)

[Robert Hettinga]

At 1:55 PM -0600 on 10/29/99, EDUCAUSE wrote:


 ACTIVISTS DECRY BILLS ON 'DIGITAL SIGNATURE'
 Consumer groups are up in arms over two bills in Congress, the
 Millennium Digital Commerce Act and the Electronic Signatures in
 Global and National Commerce Act, that would give digital
 signatures equal legal footing with traditional signatures.  The
 bills, one in the House and one in the Senate, undermine the
 effectiveness of state consumer-protection laws and do not
 provide the same consumer protections as those given to
 traditional paper records.  The Senate bill leaves out key state
 and federal consumer protections and interferes "with a state's
 rights to protect its own consumers, without imposing any
 protections against misuse, mistake, or fraud," says a letter
 from the National Consumer Law Center.  The White House has
 soured on the Senate bill due to the effect it will have on
 consumer protections and regulations, while Commerce Department
 General Counsel Andrew J. Pincus says both the House and Senate
 versions would have a devastating effect on state and federal
 consumer protections.  "Unscrupulous people" will be able to use
 the bills to their advantage by preying on online consumers,
 leading to a loss of consumer confidence in the Internet,
 predicts Pincus. (Washington Post 10/29/99)

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Date: Thu, 28 Oct 1999 13:20:08 +0300
Subject: Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]



Reminder:  the Micro Payments BOF at the next IETF (in Wahington DC) will occur
on
Monday, Nov. 8th, at 1530-1730. Enclosed are the current agenda (subject to
change - proposals welcome) and description. Notice that at least we (IBM) plan
to describe in details our payment messages, to facilitate interoperable
implementations and to serve as potential basis for a standard.

Unfortunately, I found out I'll not be able to go to the IETF as I must be in
another place. I'm exteremly disappointed and very sorry; I was looking forward
to this event and to meet many of you in face to face. In coordination with the
area director, Ilan Zisser (cc:ed) will chair the BOF instead of me. 
Ilan Zisser
is IBM Micro Payments product manager, and while less of you know him, he is
probably a better person to present our stuff anyway as he is the one doing the
implementation -and also since I think he is better in explaining things. Also
I'm sure he will chair the session fairly.

Please excuse cross posting - and forward to relevant persons and groups.
Thanks!

Agenda:

15:30-15;40: Welcome and review of agenda - Ilan Zisser
15:40-15:50 Report on  the W3C Micropayments Markup spec -Thierry Michell,
W3C
16:00-16:40 Release 1.3 of IBM Micro Payments implementation of the W3C
Micropayments Markup spec, and our goals for the standard - Ilan Zisser, IBM
16:40-16:50 Mark Manasse (Compaq): what we're (MilliCent) hoping for in a
standard
16:50-16:55 Bob Hettinga on `IBUC's intent to fund
open-source reference software (wallet/registerware and underwriting
server) for bearer millidollar transactions conforming to an open
standard. Which probably means this standard, if...` (there's 
always an if in
these thing isn't there :-) - A.H.)
16:55-17:10 reserved for additional brief presentations on implementations
and positions on the standard
17:10-17:25 Discussion - should IETF form a WG to define a (micro) payment
standard? If so what should be the charter/goals? Should we simply define an
open standard for interoperating with IBM Micro Payments (rather than
pre-define that this is `the` micropayments standard - allow for competing
proposals to be standardized as well and see what people will adopt), or
should we compare different approaches and designs (are such available in
open form)?
17:25-17:30 Summary by Ilan Zisser and/or area director.

Description - Micro Payments BOF (micropay):

The Internet is quickly becoming the prefered method of delivery for 
information
and on-line services. The growth of
this industry is resticted by the limited availability of secure online payment
mechanisms, especially for small amounts. Micropayments are designed to allow
charging of small amounts, where the minimal fees of credit-card payments are
unacceptable. There have been, and still are, many attempts at providing a
micropayments solution, however so far none of them was successful, and in
particular none of the deployed systems seems to be able to reach critical mass
of buyers and sellers. Furthermore, even if one or more of these systems gain
popularity, the lack of standardization may slow down their availability. In
this BOF we'll review some recent micropayment markup standardization spec from
the W3C, and discuss whether the IETF should attempt to contribute standards in
this area  - i.e. should we create a micropayments WG (and if so what would its
charter and goals be).

Best Regards,
Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research Lab in Haifa (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

NSA transitioning to commercial services model

[Robert Hettinga]

The NSA continues to discover that financial cryptography is the only 
cryptography that matters.

As Whit Diffie has said in the same vein, "InfoWar", whatever *that* 
means, will be "fought" between businesses and private individuals, 
and not governments. There's little that government crypto/security 
agencies can do to assist entities in those conflicts, any more than 
post-feudal religion could help much in conflicts between secular 
nation-states.

So, in keeping with the spirit of the following article, I propose 
that the US Government should follow their apparent instincts here, 
privatize the NSA, and take it, heh..., public.

Cheers,
RAH

It's going to happen anyway, of course...



--- begin forwarded text


Mailing-List: contact [EMAIL PROTECTED]
From: "Dan S" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 22 Oct 1999 07:59:31 -0400
Subject: IP: Super-secret NSA transitioning to commercial services model

From http://www.fcw.com/pubs/fcw/1999/1018/web-nsa-10-21-99.html
-
OCTOBER 21, 1999 . . . 11:29 EDT



Super-secret NSA transitioning to commercial services model

BY DIANE FRANK ([EMAIL PROTECTED])

The National Security Agency, the enigmatic signals intelligence arm of the
Defense Department, is breaking away from its traditional role of building
"black boxes" for encrypting highly classified information in favor of
offering security and certification services similar to those in commercial
industry.

Mike Jacobs, deputy director of information systems at NSA, said that while
the agency "will always have a traditional portion of our business building
'black boxes' . . . we are an organization in transition."

The agency increasingly is offering security assessment, testing, red teams
and diagnostics services to other Defense and civilian agencies, Jacobs said
Wednesday at the National Information Systems Security Conference. "This is
the growth area [and a] burgeoning new business," he said.

Rather than doing all the testing and validation of its own products for
itself, NSA will be relying on the National Information Assurance
Partnership (NIAP), a joint validation effort between NSA and the National
Institute of Standards and Technology.

In the past, NSA endorsed security products and procedures, and encouraged
their use by assuring members of the Defense and intelligence community that
such products would be "bulletproof" solutions, said Lou Giles, a member of
the NIAP from NSA.

Now, instead of products receiving NSA's endorsement, agencies will have to
bring their protection profiles -- the description of their information
environment and security needs -- to NSA, which will then certify that
process as one that meets certain NSA-approved security standards. NSA also
will evaluate and certify proposals from vendors.

"The customer still wants that NSA endorsement, Giles said. "But this is a
new philosophical paradigm of evaluation for commercial products that we're
moving to."

--
Dan S




-
To subscribe, send email to: [EMAIL PROTECTED]
To unsubsubscribe, send email to: [EMAIL PROTECTED]

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Digital Contracts: Lie in X.509, Go to Jail

[Robert Hettinga]

At 10:24 PM -0400 on 10/19/99, Dan Geer wrote:


 What is it about wanting to change the instantaneous  electronic world
 that generates this sort of time  paper hazing ritual?

The lack of bearer microcash? :-).

Once again, the cobbler's children have no shoes...

Cheers,
RAH

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: [FP] California inaugurates digital signatures - cnn.com

[Robert Hettinga]

"Lie in X.509, Go to Jail", pt. 2

Cheers,
RAH

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Tue, 19 Oct 1999 20:58:00 -0500
To: [EMAIL PROTECTED]
Subject: IP: [FP] California inaugurates digital signatures - cnn.com

FORWARDED:
--

From: "ScanThisNews" [EMAIL PROTECTED]
Subject: [FP] California inaugurates digital signatures - cnn.com
Date: Tue, 19 Oct 1999 20:06:03 -0500


SCAN THIS NEWS
10/19/99

[forwarded article]

California inaugurates digital signatures
www.cnn.com

http://cnn.com/TECH/computing/9910/19/california.digital.idg/index.html

October 19, 1999
by Dan Caterinicchia

(IDG) -- Yesterday California officially authorized Verisign Inc. to begin
issuing digital signature certificates to secure communications between
state agencies and between the state and its citizens, ushering in a new era
of electronic services delivery.

Bill Jones, California's secretary of state, marked the occasion by
digitally "signing" the authorization certificate for the company, making it
the first such transaction since the state passed a law that spelled out the
requirements for legally binding digital signatures.

"We're bringing in the private sector to help us to create the opportunity
for the public to access [government] services more quickly," Jones said.
"Our goal is to deliver something that's easily accessible but doesn't add
to the layers of government."

Digital signatures are seen as a vital component of Internet-based commerce
because they authenticate the identities of the parties involved in a
transaction. Verisign, based in Mountain View, Calif., was the first to
satisfy California's digital signature requirements.


Jones said his department is interested in using digital signatures to
enable residents to cast votes over the Internet. Other agencies have
expressed a desire to use the tool to secure business filings and similar
transactions, he said.

Stratton Sclavos, Verisign's president and chief executive officer, said
that for all the Internet has done to change the commerce landscape
domestically and abroad, so far it has missed the "citizen-government
relationship." He added that digital signature certification and the host of
services it affects will exact a "fundamental change in the way citizens are
going to interact with [state and local] government."

Verisign is working on similar digital signature projects in Oregon, New
Jersey, Utah and Washington, Sclavos said.

===
Don't believe anything you read on the Net unless:
1) you can confirm it with another source, and/or
2) it is consistent with what you already know to be true.
===
Reply to: [EMAIL PROTECTED]
===
  To subscribe to the free Scan This News newsletter, send a message to
   mailto:[EMAIL PROTECTED] and type "subscribe scan" in the BODY.
 Or, to be removed type "unsubscribe scan" in the message BODY.
For additional instructions see www.efga.org/about/maillist.html
---
  "Scan This News" is Sponsored by S.C.A.N.
Host of the "FIGHT THE FINGERPRINT!" web page:
 www.networkusa.org/fingerprint.shtml
===

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Digital Contracts: Lie in X.509, Go to Jail

[Robert Hettinga]

At 10:35 AM -0400 on 10/20/99, Arnold Reinhold wrote:


 No. The complexity of international distribution agreements and
general stupidity are much bigger factors than cash settlement
costs. Two of my books are translated into Spanish. The US is the
second largest Spanish speaking market in the world. Can I get the
Spanish editions distributed here? No way!

Fortunately, (the now-)Dr. Brands holds his copyrights, and the book 
was, apparently, only printed, not published. :-).

So, if there were a form of bearer microcash settlement, he could 
sell the book over the web on a pay-per-pageview basis if he wanted 
to. I'm sure there are several once and future cypherpunks who, by 
then, would be in the whatever-to-guilder currency exchange 
business and would happily oblige.

What this does to the publishing business is, in the above example, 
not particularly Dr. Brands' problem. :-).

Cheers,
RAH
 
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The sound of one shoe, dropping (was Re: IP: Jane's News Briefs)

[Robert Hettinga]

At 8:51 PM -0500 on 10/19/99, [EMAIL PROTECTED] wrote:

 FORWARDED:
 --

 From: [EMAIL PROTECTED]
 Date: Tue, 19 Oct 1999 13:31:59 -0400 (EDT)
 Subject: Jane's News Briefs

 **
 DEFENCE
 Website: http://defence.janes.com
 **

 --
 Jane's Defence Weekly
 Read more with images at: http://jdw.janes.com
 Vol 32 No 16
 20 October 1999
 --


 Canada set to harmonise with US export laws
 Canada will synchronise its defence export laws with the USA, creating a
 seamless and formal North American defence sales bloc, under an
 in-principle agreement that will exempt Canada from US export
 regulations and provide Canadian companies better access to US
 contracts.

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Digital Contracts: Lie in X.509, Go to Jail

[Robert Hettinga]

-BEGIN PGP SIGNED MESSAGE-

Aside from noting the vicious hypocrisy of the Clinton administration
saying they support the 11th Ammendment, I've also decided that the bill
mentioned in the New York Times Story excerpted below, like most current
state digital signature legislation, could more properly be called the
"Lie on an X.509 'Certificate' and Go to Jail Act of 1999".

"Crypto in a crime", indeed.


The solution to this madness, is, of course, bearer credentials, as
Stephan Brands points out in his recently published doctoral dissertation
"Rethinking Public Key Infrastructures and Digital Certificates --
Building in Privacy", now published by Ponsen and Looijen in the
Netherlands, ISBN 90-901-3059-4.

The resulting book is in very well-written English, it's about 300 pages,
and, in it, Brands, the best of his generation of financial
cryptographers, completely demolishes, all the way down to the level of
cryptographic protocol, most of the received wisdom about "certification"
- -- and the current cult-like mystification of identity which underlies
it.

Even better, Stefan unveils a whole class of bearer-credential
cryptographic protocols which get the job done with infinitely more
privacy. More important, I'm personally convinced that Brands' bearer
credentials are significantly lower in cost than current book-entry
methods of "certification", especially after the costs of repudiation and
enforcement are taken into account.

However, given my current business, my biases on this subject are rather
plain here, so don't take my word for it: get the book and see for
yourself.

Stefan's thesis committee was Ron Rivest, Adi Shamir (yes, the R and S in
RSA), and Claus Schnorr (yes, *that* Claus Schnorr). Three men who could
be easily said to be the fathers of digital "certification", if its
patrimony was ever in dispute.


I would highly recommend that *everyone* who's serious in the study of
digital commerce -- and I mean legal professionals in particular -- order
this book immediately and go read it.

It goes without saying that anyone who calls himself a financial
cryptographer, much less a cryptographic or digital commerce software
engineer, should have this book in his library as well.


Cheers,
RAH


- --- begin forwarded text


Date: Tue, 19 Oct 1999 08:20:23 +0200 (CEST)
From: Anonymous [EMAIL PROTECTED]
Comments: This message did not originate from the Sender address above.
It was remailed automatically by anonymizing remailer software.
Please report problems or inappropriate use to the
remailer administrator at [EMAIL PROTECTED].
Old-Subject: NYT Story: Digital Contracts
To: [EMAIL PROTECTED]
Subject:  NYT Story: Digital Contracts
Sender: [EMAIL PROTECTED]
Reply-To: Anonymous [EMAIL PROTECTED]

Fight Over Electronic Contracts Heads to House

Also: U.S. Shut Out in First Round of Internet Board Elections

ASHINGTON -- With the clock ticking toward adjournment for the year,
Congressional leaders and the Clinton Administration are working to
eliminate political infighting and pass legislation that would give
electronic contracts the same legal weight as their traditional paper
counterparts.


The legislation is considered crucial for the future of electronic
commerce, and it is part of an effort by the Commerce Department both
domestically and internationally to make the standards for such
contracts, with their "digital signatures," as simple as possible.


But Republicans and Democrats in the House are still battling over how
far the legislation should go, a fight that could play out on the House
floor this week.


The House is scheduled to take up digital signature legislation as early
as Tuesday, but first leaders must decide how to proceed. At issue are
states rights, and whether individual states should have the power to
make their own rules for recognizing digital signatures.


The White House and most Democrats are pushing for a bill that would make
digital signatures legal only in those states that don't already have
laws recognizing the validity of electronic contracts.


But Republican leaders in the House have been pushing for more sweeping
legislation that would not only pre-empt state digital signature laws but
would also eliminate some of the paper-record keeping and notification
requirements that some states impose on financial institutions and
insurance companies.


The House Judiciary Committee last week narrowly approved a version of
the bill backed by Democrats that would recognize current state laws on
both electronic signatures and record-keeping. The bill is similar to a
White House-endorsed Senate proposal by Senator Spencer Abraham, a
Michigan Republican, that is awaiting passage in that chamber.




The House Commerce Committee, meanwhile, in August approved a bill by
Chairman Thomas J. Bliley Jr., a Virginia Republican, that would
establish a uniform national standard for authenticating electronic
signatures, and require that states pass laws 

Re: Digital Contracts: Lie in X.509, Go to Jail

[Robert Hettinga]

Evidently, there are only 500 in the first printing, but I bet Stefan 
didn't give them *all* away. :-).

I bet that if you put in a special order to Amazon with the ISBN and 
the publisher in it, they'll manage to sell one to you on order. Upon 
receiving a bunch of orders for the book from some place like Amazon, 
if and when the publisher sells out, they'll probably print some 
more, or at least make a deal to print it on this side of the pond.

Cheers,
RAH


At 11:56 AM -0400 on 10/19/99, Steven M. Bellovin wrote:


 In message v0421012db4321dc2f55c@[204.167.101.62], Robert Hettinga writes:



 The solution to this madness, is, of course, bearer credentials, as
 Stephan Brands points out in his recently published doctoral dissertation
 "Rethinking Public Key Infrastructures and Digital Certificates --
 Building in Privacy", now published by Ponsen and Looijen in the
 Netherlands, ISBN 90-901-3059-4.

 Do you know where to order this?  None of the amazon.com sites has 
it, nor doe
 s barnesandnoble.com.

   --Steve Bellovin

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Is there an anonymous contribution protocol?

[Robert Hettinga]

At 3:48 PM -0400 on 10/19/99, Reusch wrote:


 "I contributed $100,000. Here is my receipt! Get the bedroom ready."

Right.

See http://www.xs4all.nl/~brands/order.txt

There's an echo in the room, isn't there?

:-).

Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IBUC hits the road (was Re: Just got a copy of Stefan Brand'sbook)

[Robert Hettinga]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 11:51 AM -0500 10/18/99, Mike Rosing wrote:
 On Thu, 14 Oct 1999, Peter Wayner wrote:

 Stefan Brands, the man who's written some great digital cash
 protocols, has just published a new book called "Building In Privacy:
 Rethinking public key infrastructures and digital certificates." I
 haven't read it yet, but a quick skim shows   plenty of equations. It
 should be worth checking out.

 I've only barely managed to get thru half the first chapter, but it's
 great.  Stefan's biases are clear, but also backed up with *lots* of
 good facts.  I'm learning a lot, and haven't got to the meat of things
 yet.
  Only 500 copies were printed, I consider myself exceptionally lucky to
 have a copy.  Hopefully I'll have more chance to read it in the next
 few weeks.

Yup. My favorite part so far is this juicy paragraph, found right up
front:

"This dissertation documents and analyzes the privacy dangers of digital
certificates. On the basis of the findings, highly practical digital
certificates are constructed that fully preserve privacy, without
sacrificing security.  The new certificates function in much the same way
as do cash, stamps, cinema tickets, subway tokens, and so on: anyone can
establish the validity of these certificates and the data they specify,
but no more than just that. Furthermore, different actions by the same
person cannot be linked."

Can you say "digital bearer certificates", boys and girls? *God*. I
*knew* you could...


And, of course, I'm now in the business of proving that such digital
bearer certificates are not only more private than book-entry,
database-driven "credentials" are, but that they're, more important than
anything else, orders of magnitude *cheaper* than those "auditable"
credentials can ever be, by their own very definition. And, of course,
money, and financial instruments in general, are the ultimate credential.
Money talks, Cet...

But, I bet you knew I'd say all *that*, right? I mean, so what else is
new?


And, so, besides saying "go, Stefan, go,", or "say halelujia somebody",
here's the actual *point* of this post:


We've started to get some angel funds in the door (we're still looking
for more, of course :-)) for this next phase of IBUC, and, as a result,
I'm about about to go spend some of those brand-new "sophisticated"
investor-dollars on a road-trip, coming soon to conference room near you.

This first trip is to line up memoranda of understanding (MOUs) from
people who sell bits (content, services, bandwidth) directly over the
net, collect their money by sending a bill through meatspace, or selling
a credit-card subscription -- or, of course, sell advertising, the
world's worst transfer pricing mechanism.

If you're one of those folks, a *current* seller of bits on the wire, and
you want to get paid good-old-fashioned non-repudiable *cash* for for
those bits, instantaneously upon delivery, and, more important, you want
to be able to turn right around *spend* that cash on the net, for free,
or to *deposit* that cash, for free, into your *own* bank account with no
hassle except a reasonably small minimum deposit size, please reply
directly to me, and I'll come for a visit. My objective here is to get a
reasonable statistical sample of the internet content and services market
signed up with a memorandum of understanding, committing to at least
experiment with taking internet bearer dollars (or, more properly,
millidollars) in payment, if and when when we get those millidollars on
the wire.

With that stack of memoranda in hand, I'll go and wave it around under
the nose of the *next* collection of MOUs, this time from IBUC's
prospective vendor pool: crypto-protocol, hardware, and software
developers, bandwidth sellers, financial custodians and, heh, lawyers.
Most of whom already know who they are, and who, God help 'em, know I'm
going to be back to visit sooner or later.

After that, we hire the writing of a public spec and open reference
customer/server/underwriter code and, after *that*... Well, *you* get the
idea.


We want to go live in January 1, 2001, and, this afternoon, at least, I
think we can get there from here.

Stefan has me *inspired*, today.

Cheers,
RAH


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com

iQA/AwUBOAuaPcPxH8jf3ohaEQKm4ACgj/kcXqpXfcUocP5Fzn6bxkkgT1QAoKrq
kY+6CsamqDu6XJj17WOjtktv
=7tJX
-END PGP SIGNATURE-
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: how does disappearing.com's crypto work?

[Robert Hettinga]

--- begin forwarded text


Date: Sat, 16 Oct 1999 01:59:03 -0700
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Bill Stewart [EMAIL PROTECTED]
Old-Subject: CDR: Re: how does disappearing.com's crypto work?
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: how does disappearing.com's crypto work?
Sender: [EMAIL PROTECTED]
Reply-To: Bill Stewart [EMAIL PROTECTED]

At 01:30 AM 10/15/1999 +0100, [EMAIL PROTECTED] wrote:
I haven't seen any technical discussion of what Disappearing Inc are
up to.  Did the employee show up at the cypherpunks meeting as advertised?
My guess is that they have come up with some kind of server gated
forward secrecy protocol for email.  Forward secrecy is good, but
forward secrecy should be end-to-end, not server based, because then
you have to trust the server.

Maclen Marvit from Disappearing Ink   http://www.disappearingink.com/
spoke at the Cypherpunks meeting last Saturday.  It's good stuff.

He started his talk by explaining the business model of what
Disappearing Ink does, and what it does _not_ do.
That's an important part of the discussion, because some of the things
that it does not do are hard or impossible and people have been
flaming them for probably doing a bad job of them.
And it's the critical part of the "Get Money From Venture Capitalists" talk
:-)

DI addresses the records destruction problem for email.
It lets two or more willing, cooperative people have an email conversation
with reasonable certainty that there won't be any persistent records
kept for more than N days by any intervening servers -
no backup tapes on email servers, no meaningful logfiles,
nothing that SEC regulations require you to destroy about the
potential merger  acquisition discussions you had,
nothing that Ken Starr or the Microsoft Anti-Trust inquisitors
or the Ollie North Follow-The-Money investigators can subpoena later,
nothing that your business competitors can steal.

It doesn't solve the problem of the sender or receiver making copies on
purpose;
as many people have discussed, that's not realistic.
It doesn't solve the problem of eavesdroppers listening in while you talk;
if you need to do that, use encryption - sending PGP-encrypted messages
using Disappearing Ink is just fine.
It doesn't solve the problem of logfiles indicating who send mail to whom;
if you need a remailer, use a remailer.
It doesn't solve the problem of cops with warrants seizing their records
to get the messages gambino.org sent today if they're doing 60-day disposal,
though the users can set disposal time and conditions.

DI uses plugins to several popular email packages.
The sender's plugin encrypts the email and does an HTTP handshake
(using whatever SSL is available) to hand the key to the DI server.
The recipient's plugin fetches the key using HTTP/SSL and decrypts.
Encryption is currently Blowfish, but 3DES and TwoFish are planned.
If the recipient doesn't have an email plugin, the message can be
handed to DI using a web-form for decryption, but otherwise DI never sees
or handles the messages, only the keys and message-IDs.

I don't remember how much tracking information DI's server knows -
it may be only a message-ID, or it may use the sender's or recipient's
address.

Some followon topics we suggested were the possibility of doing
something Diffie-Hellman-like in a later release.
I don't think we went into random number generation strategies.


Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

linux-ipsec: Announce: Linux FreeS/WAN-1.1 _SHIPS_!

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 15 Oct 1999 10:45:11 -0700
From: Hugh Daniel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: linux-ipsec: Announce:  Linux FreeS/WAN-1.1 _SHIPS_!
Reply-to: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

   Today the team members of the Linux FreeS/WAN project shipped their second
release of IPSEC  IKE for Linux 2.0.38, 2.2.12+ and even it is said 2.3.21
based systems!
   The release is known to work on x86 systems and said to run on
StrongArm(tm?) systems as well.
   This is a bug fix release, many many problems have been fixed including
the experimental support for Road Warrior's.
   You can get your copy from the master web site at:
 ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz
and the PGP2 signature is at:
 ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz.sig

   The team hopes that the software is useful to the community, may you do
great things with it!

 ||ugh Daniel
 [EMAIL PROTECTED]

 Systems Testing  Project mis-Management
 The Linux FreeS/WAN Project
 http://www.xs4all.nl/~freeswan

-BEGIN PGP SIGNATURE-
Version: 2.6.3i
Charset: noconv

iQCVAwUBOAdnnFZpdJR7FBQRAQFhdgP+LzhPII0ZJtUi+PlLF00v6fyc2eKbec+d
ww245eoaaXQbMU77DRHBaKwcnEXQm/DGnLqvB7NgVzHUaRlmPF7C3RP1s11uuD+K
PTlliA8EUgxo1rNhL1aHd4l/iGm9SsKt52+m3WejdEYaGpdnH0Phz6JG7HQRMV7D
/lEl+PN/D5E=
=PYdH
-END PGP SIGNATURE-

Type Bits/KeyIDDate   User ID
pub  1024/970F6D91 1998/02/10 Linux FreeS/WAN Software Team

-BEGIN PGP PUBLIC KEY BLOCK-
Version: 2.6.3i

mQCNAzTgT34AAAEEAK2aB9VuUbPOBW4LZ+JCnYsxERoo4g4PInFiniSh9aCxuztU
qTUex+zqZx4UpgbDo9m/nYjt26e89PQpiXQoNHIQUksS/KPzyYBU+wMEK2Mlo69i
AbBiqJWqHmFu36mW1xzZCZ8WpNywJa6xMN1M/4/O2N9Q7x4D6ml/dIeXD22RAAUR
tB1MaW51eCBGcmVlUy9XQU4gU29mdHdhcmUgVGVhbYkAlQMFEDTjScKtUkpRhRl/
tQEBkgwD/A5C01Tp3acgpz19CO5zC/E3TXvrNAT9xh2YztT3BpKStFklJ46BEIWa
+4jVr2X2ZfOxjLvouPZ1Th/bQkHcIR4fXF2vnEz2GMBk9UijwQp+89zHSolGj8sf
Jsy548/RXj6N5rl+4QOU1cpTqxnsuaszSlpk/HHbvlW5aKGIwHGZiQCVAwUQNOBL
Qt+sBuIhFagtAQEOagP/X0vhN80kSkErcqE/H5smVzQKHlYXM2tYYl/HF1ec+Lt2
aFKbZ0Xq1LMmKB8fQWiK+1Rvks/AC7TbCN09xPBMkNdsOrUht7KWx5Lc8cA6VZVU
Uo4nRYci8HJaxfHpOU2FO6FGvI27bdiSDoxHGSnweGFlgVF/pSZc74bfxWh7qt+J
AJUDBRA04FCxVml0lHsUFBEBAV7sA/955dXrHpFmD21n9Iwf7mH/O5DQ5We0J95y
0XbL0Wp6emW+ya3A2GuBR+puwQ5KMi9QT0POsm2mAaYREwvlqOTdbIvRm0TosK5m
UPcw7Lg8L1AWOpa6mrGuDrMjgEvVfn2r4eqcX9gjVH3eoP4hTBuiPeXf5B6Co6/j
WKTOdjyHlokAlQMFEDTgUEFpf3SHlw9tkQEBzaMD/R01kMTQ62R66U4yfHYRg7qG
f0gIJZ+Flf3tJ1UnQylaEw7yIsIyJHUMZG2W6kGTa6GjCWwFzvyxCyQNl3XfqMtW
j8NWvKXG9BN1HFV9yrXt8A6zvOrcwPP+ZsxJJ8482+kA65TNpv6K5V9CTHDR65Dn
YJnmIkhGP2tFiWDJQFIE
=QIny
-END PGP PUBLIC KEY BLOCK-

My project public key:
-BEGIN PGP PUBLIC KEY BLOCK-
Version: 4.0 Business Edition

mQCNAzIGfh0AAAEEAPDl8OmY0l50R1l3JR3BOHVdf04eYcuQaUy4Mnh+fe9ZiQ/o
gIjvfwOM6IR1HwHA7I2jqf4XD9St8wNA4Jd4TvtgdCL9jhoSpC1anJD3dBOqoMPl
BU+vGId8+k3XY4NwL3nsHk9OiRcvbCqFwmVZBcMmd5njwMMlelZpdJR7FBQRAAUR
tBtIdWdoIERhbmllbCA8aHVnaEB0b2FkLmNvbT6JAJUDBRAyBo/mrVJKUYUZf7UB
AWKpA/92pO5anNrbVu0H7uEOisGjE7TXPa6WkgxoS9katRDimVCFcikIEOQue88M
QpF7w3x2SxdKCpS1ZhPaxUHdAdE7dGO032+OHYNdgitEGJHitczHG2XpC1NbHuUf
8DsyxR6qSrJf28jeMDMyj5ynlIctvWWGJw4+/cLvLVxijqc2PA==
=lkvw
-END PGP PUBLIC KEY BLOCK-

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

DCSB: Warren Agin; Bankruptcy and Internet Commerce Assets

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 12 Oct 1999 02:17:23 -0400
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: DCSB: Warren Agin; Bankruptcy and Internet Commerce Assets
Cc: Warren Agin [EMAIL PROTECTED], Rodney Thayer [EMAIL PROTECTED],
 Muni Savyon [EMAIL PROTECTED], Elias Israel [EMAIL PROTECTED],
 Suzan Dionne [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Robert Hettinga [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  The Digital Commerce Society of Boston

Presents

   Warren Agin

 Founder,
   Swiggart  Agin, LLC

   From Tulips to Technology:
Treatment of Electronic Commerce Structures
When the Bubble Bursts.


 Tuesday, November 2nd, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
   One Federal Street, Boston, MA



Even as the new economy grows, some companies, like Digicash and
Websecure, miss a beat. They find themselves in financial trouble and
sometimes bankrupt. When this happens, the most significant remaining
asset is the company's patent rights. The bankruptcy process provides
opportunities, both for the financially troubled companies and their
competitors, to restructure patent portfolios and licenses. It also
contains risks. The bankruptcy process can allow technology licensors
to force a termination of a patent license and at least one court has
held that a company passing through bankruptcy will lose its rights
under patent licenses.

Managing a patent portfolio requires knowledge of the bankruptcy
process and the special issues concerning technology companies.

Warren Agin will address how the bankruptcy process treats technology
companies and the various licensing and technology structures they
use. He will review treatment of patent and software licenses,
copyrights, and deal structures like partnering and web-linking
agreements. In addition to reviewing the new law being developed in
these areas, the talk will focus on the practical aspects of how
companies in bankruptcy, or those doing business with a bankrupt
company, can use the bankruptcy process to rebuild their business
structures and relationships.

Warren E. Agin is a founding member of Swiggart  Agin, LLC, a
software and Internet boutique in Boston, Massachusetts. Mr. Agin's
practice focuses in the areas of bankruptcy and insolvency law,
corporate law, and computer and Internet law. Representative
technology clients include new and established software companies,
Internet portals, hardware designers, web site design firms, and
system integrators. In the bankruptcy field, Mr. Agin represents both
debtors and creditors in a variety of consumer and commercial
bankruptcy matters, including technology related bankruptcy matters.

Mr. Agin authored BANKRUPTCY AND SECURED LENDING IN CYBERSPACE (Bowne
 Co., Inc. 1999), the first treatise to discuss how the Internet is
changing bankruptcy law and practice. A contributing editor on
intellectual property and technology issues to the Norton Bankruptcy
Law and Practice, 2d legal treatise, Mr. Agin has written and
lectured extensively on the topics of bankruptcy and technology law,
including presentations for the American Bar Association, National
Business Institute, Boston Bar Association, and Massachusetts
Continuing Legal Education. Mr. Agin currently serves as Chair of the
American Bar Association's Business Law Section's Electronic
Transactions in Bankruptcy Subcommittee (within the Business
Bankruptcy Committee) and Vice-Chair of the ABA's Joint Subcommittee
on Electronic Financial Services. Locally, he is Chair of the Boston
Bar Association's Technology Committee for the Solo  Small Firm
Practice Section.

This meeting of the Digital Commerce Society of Boston will be held
on Tuesday, November 2, 1999, from 12pm - 2pm at the Downtown Branch of
the Harvard Club of Boston, on One Federal Street. The price for
lunch is $35.00. This price includes lunch, room rental, various A/V
hardware, and the speakers' lunch.  The Harvard Club *does* have
dress code: jackets and ties for men (and no sneakers or jeans), and
"appropriate business attire" (whatever that means), for women.  Fair
warning: since we purchase these luncheons in advance, we will be
unable to refund the price of your lunch if the Club finds you in
violation of the dress code.


We need to receive a company check, or money order, (or, if we
*really* know you, a personal check) payable to "The Harvard Club of
Boston", by Saturday, October 30th, or you won't be on the list for
lunch.  Checks payable to anyone else but The Harvard Club of Boston
will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club 

Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

[Robert Hettinga]

At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:


 Title: Special Kurt's Closet: Is SSL dead?
 Resource Type: News letter
 Date: Semptember 30, 1999
 Source: Security Portal
 Author: Kurt Seifried
 Keywords: INTERNET/WWW,SECURITY ISSUES ,ONLINE SHOPPING ,SSL

 Abstract/Summary:
 The title is a bit scary, but I wanted to get your attention 
(worked, didn't it?). Most
 security experts have been aware of problems with SSL, but 
generally speaking we
 haven't said much because there wasn't much of a replacement 
available for it,
 and it hasn't been exploited extensively (chances are it will be, 
though). I'll start
 with an explanation of the basic attack, followed by some methods 
to protect yourself,
 and finish with an interview with Dale Peterson of DigitalBond and 
the summary.

 How to do it

 Let's say I want to scam people's credit card numbers, and don't 
want to break into
 a server. What if I could get people to come to me, and voluntarily 
give me their
 credit card numbers? Well, this is entirely too easy.

 I would start by setting up a web server, and copying a popular 
site to it, say
 www.some-online-store.com, time required to do this with a tool 
such as wget is
 around 20-30 minutes. I would then modify the forms used to submit 
information
 and make sure they pointed to my server, so I now have a copy of
 www.some-online-store.com that looks and feels like the "real" 
thing. Now, how do
 I get people to come to it? Well I simply poison their DNS caches 
with my information,
 so instead of www.some-online-store.com pointing to 1.2.3.4, I 
would point it to
 my server at 5.6.7.8. Now when people go to 
www.some-online-store.com they end
 up at my site, which looks just like the real one.

 Original URL: http://securityportal.com/closet/closet19990930.html

 Added: Wed  Oct  6 12:41:14 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

mentor needed

[Robert Hettinga]

Reply to this person directly, please...

Cheers,
RAH

--- begin forwarded text


Date: Thu, 7 Oct 1999 01:20:46 -0400 (EDT)
From: "Nina H. Fefferman" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: mentor needed
Sender: [EMAIL PROTECTED]
Reply-To: "Nina H. Fefferman" [EMAIL PROTECTED]


Hi all,

I have the following problem: a student in a course I am
co-teaching on the basics of cryptography has actually become
interested in the subject. She is an honors student at Rutgers who
probably wants to major in political science. She wants to find someone in
the field who is involved in the politics side of things. I'm at a loss
for real life politics. :) I can handle the math/cs side, but hopefully
one of you out there would be willing to talk to her about what it is
like to think about policy issues and politics while still being a
reasonably informed person about the science involved. If any of you
have any inclination, I think all she is looking for are a few exchanged
emails. (If you are interested, please let me know and I will send you
her email address.)

Thanks,


Nina F.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Anonymous email snitching to police in UK

[Robert Hettinga]

--- begin forwarded text


Date:  5 Oct 99 19:05:05 EDT
From: ROBERT HARPER [EMAIL PROTECTED]
To: Ignition Point [EMAIL PROTECTED]
Subject: IP: Anonymous email snitching to police in UK
Sender: [EMAIL PROTECTED]
Reply-To: ROBERT HARPER [EMAIL PROTECTED]

http://news.bbc.co.uk/hi/english/uk/newsid_463000/463213.stm

Friday, October 1, 1999 Published at 17:55 GMT 18:55 UK

UK Web war against criminals hots up


Cyber-informants have been promised anonymity
-

The war against crime in the UK is being beefed up with the creation of
a new Website that allows members of the public to e-mail tip-offs to
police.

The Crimestoppers Trust has had a Web presence for a couple of years
but previously relied on the public telephoning in pieces of information.

Now people can e-mail tip-offs to the new site, which is being
sponsored by the Trinity Mirror Group and hosted on their Internet
service provide.

Crimestoppers says e-mails will be filtered to strip them of any
information identifying the sender, thus preserving the trust's pledge
of anonymity for anyone who gets in touch.

Wide range of inquiries

Those who are still obsessed with secrecy can always send information
via anonymous Web servers, which cover up their e-mail addresses.

The site will be used by forces all over the UK to elicit information on
crimes ranging from indecent exposure right up to murder.

The most prominent inquiries mentioned on the site are the Jill Dando
murder investigation in west London and the killing of 80-year-old
Doris Dawson, her daughter Mandy and granddaughters Emily and
Katie in Swansea.

Dozens of other unsolved crimes will be placed on the site although
cases are still being compiled in two areas - Scotland and the
Midlands.

Global reach

The new Website was welcomed by Home Secretary Jack Straw, who
said: "Fighting crime is not just down to the government and the
police.

"It's a partnership that requires the support of everybody."

The trust says the site is designed to complement the current
freephone number - 0800 555111 - and not replace it.

Intelligence provided via the freephone number leads to the arrest and
charging of around 14 people a day, including one person every 12
days being charged with murder.


Earlier this year Scotland Yard
introduced a new section on its site,
where it sought the public's help in
finding wanted people.

E-mails have been flooding in to the
Yard from all over the world.

One man was arrested earlier this
year and charged with a murder in
London after a man e-mailed the
Metropolitan Police from the
Netherlands with information. He is
now awaiting trial.

The Yard's wanted page is also
hosting appeals from other forces -
Northumbria police has put up a
sketch of a man suspected of the
attempted murder of an IRA informer
in Whitley Bay in June this year.


Get free email and a permanent address at http://www.netaddress.com/?N=1

**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

PATNEWS: The growing flood of Wall Street patents

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 1 Oct 1999 16:44:28 -0400
To: Digital Bearer Settlement List [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: PATNEWS: The growing flood of "Wall Street" patents
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]

x-flowed
--- begin forwarded text


Date: Wed, 29 Sep 1999 13:09:42 -0400 (EDT)
From: Gregory Aharonian [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PATNEWS: The growing flood of "Wall Street" patents
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

!19990929  The growing flood of "Wall Street" patents

  The issue of patents on methods of doing business seems to have quieted
down for the time being (though I heard a hilarious rumor involving Gail
Hayes, an examiner on many of these patents - anyone with a copy of her
letter please fax me a copy).  Despite the lull, these patents are regularly
being issued.  What follows is a list of 110 "Wall Street" patents, i.e.,
patents on things that Wall Street institutions like to do. Interestingly,
75% of them have issued since 1997, and I suspect that now that the CAFC has
ruled that "anything is patentable" (ATT/Excel), there will be a flood of
such patents to match the other floods coming out of the PTO.

Greg Aharonian
Internet Patent News Service


5,953,423   Electronic-monetary system
5,950,176   Securities trading system with a virtual specialist function
5,946,668   Funding a home investment trust
5,946,667   Financial debt instruments method
5,946,666   Financial securities monitoring system
5,940,810   Estimation method for complex securities using low-discrepancy
 deterministic sequences
5,933,817   Tiered interest rate revolving credit system and method
5,933,815   Providing guaranteed lifetime income with liquidity
5,930,775   Optimal investing for distressed residential real estate loans
5,930,774   Mutual fund portfolios evaluation
5,930,760   Annuity rates derivation
5,920,848   Financial transactions, services, accounting, and advice using
 intelligent agents
5,920,629   Electronic-monetary system
5,918,217   User interface for a financial advisory system
5,913,198   Survivor benefit plans design and administration
5,911,136   Prioritized operation of a personal financial account
 comprising liabilities and investment assets
5,911,135   Managing financial accounts by a priority allocation of funds
 among accounts
5,907,828   Lender-owned credit life insurance policies implementation and
 administration
5,897,621   Multi-currency transactions system and method
5,893,079   System for receiving, processing, creating, storing, and
 disseminating investment information
5,884,287   Displaying risk and return in an investment portfolio
5,884,285   Managing financial accounts by reallocating funds among accounts
5,884,274   Generating and executing insurance policies for foreign
 exchange losses
5,878,405   Pension planning and liquidity management system
5,878,404   Load amortization management
5,878,139   Electronic merchandise dispute resolution
5,875,437   Operation and management of one or more financial accounts
 through the use of a digital system for exchange, investment
 and borrowing
5,873,072   Electronically providing customer services including payment
 of bills, financial analysis and loans
5,873,066   Managing and documenting the underwriting of an excess casualty
 insurance policy
5,870,720   Implementing a restructuring exchange of an excessive undivided
 debt
5,866,889   Integrated full service consumer banking system and system and
 method for opening an account
5,864,828   Personal financial management system for creation of a client
 portfolio of investment and credit facilities where funds
 are distributed based on a preferred allocation
5,864,685   Increasing income trust computer transaction system and insured
 investment account system
5,857,176   Fixed income portfolio data processor
5,852,811   Managing financial accounts by a preferred allocation of funds
 among accounts
5,852,808   Providing professional liability coverage
5,842,178   Computerized quotation system and method
5,832,461   Investment management including means to adjust deposit and
 loan accounts for inflation
5,819,238   Modifying a financial portfolio through dynamic re-weighting
 based on non-constant function of capitalization weights
5,819,237   Determination of incremental value at risk for securities trading
5,819,236   Providing advance notification of potential presentment returns
 due to account restrictions
5,812,988 

IP: Nation's banks create private computer security system

[Robert Hettinga]

--- begin forwarded text


Date:  1 Oct 99 19:13:56 EDT
From: ROBERT HARPER [EMAIL PROTECTED]
To: Ignition Point [EMAIL PROTECTED]
Subject: IP: Nation's banks create private computer security system
Sender: [EMAIL PROTECTED]
Reply-To: ROBERT HARPER [EMAIL PROTECTED]

http://www.foxnews.com/js_index.sml?content=/news/wires2/1001/n_ap_1001_276.sml

  Nation's banks create private computer security system
  6.33 p.m. ET (2240 GMT) October 1, 1999

  By Ted Bridis, Associated Press

  WASHINGTON (AP) - The nation's banking industry has quietly
  wired itself a $1.5 million private computer network to
  share information anonymously about electronic threats from
  rogue employees, software bugs, viruses and hackers, the
  Treasury Department said Friday.

  The Financial Services Information Sharing and Analysis
  Center is the result of orders from President Clinton to
  better protect America's most important industries from
  cyber attacks. It's in a secret location known to only about
  a half-dozen people, but it's believed to be nestled among a
  corridor of high-tech firms in northern Virginia.

  Similar centers are planned in the coming months for seven
  other industries, including telecommunications, oil and gas,
  electrical power, transportation and America's water supply
  system.

  This summer, the White House announced its plan to create a
  government-wide security network to protect its most
  important nonmilitary computers.

  "New threats call for new types of solutions,'' said
  Treasury Secretary Lawrence Summers, adding that banking
  officials need to learn about viruses and malicious software
  that disguises itself as innocuous code.

  Only licensed banks and other government-regulated financial
  firms that become subscribers will be able to exchange
  information or tap into this network's details of known
  security threats. Urgent alerts will be sent by e-mail,
  pager and cellular phones to a bank's experts - who will pay
  $13,000 to $125,000, depending on how many employees are
  using it.

  "Every day, everywhere, people are trying to break into
  financial institutions - and sometimes from within financial
  institutions - trying to take money they're not authorized
  to have,'' said Kawika Daguio, vice president of the
  Washington-based Financial Information Protection
  Association.

  Names and other identifying details will be stripped from
  submissions to ensure anonymity and encourage honesty - and
  partly so rival banks don't misuse the information and
  regulators can never know a specific financial institution
  was having problems.

  "Once we demonstrated that you could have an anonymous
  capability so you can't trace it, most institutions stood up
  immediately and said, `Let's go do this,''' said Bill
  Marlow, executive vice president for Global Integrity, the
  consulting company in Reston, Va., that built the center.

  Organizers said 16 financial institutions - with a total of
  $4.5 trillion in assets among them - have so far joined the
  network, with 500 to 1,000 more expected to join in the next
  18 months.

  One of the center's greatest strengths, say organizers, will
  be its ability to notice trends: A report by one bank of a
  hacker sniffing around its network becomes more onerous if
  dozens of other banks also report noticing exactly the same
  technique.

  "Not a day goes by without seeing alerts about security,
  vulnerabilities in the products we use or news stories about
  Internet sites being compromised,'' said Steve Katz of
  Citigroup Inc., the center's coordinator. "What might appear
  to any one company as a random event might be more
  significant if looked at in the aggregate.''

  Although the Treasury Department helped organize the center,
  government leaders said U.S. agencies won't eavesdrop on the
  threat information disclosed by banks. However, the
  government will volunteer details about security problems
  through the FBI's National Infrastructure Protection Center.

  "If they choose to give information to the government,
  that's nice,'' said Richard Clarke of the National Security
  Council. "The government, however, will share information
  with them ... both classified and non-classified
  information.''



Get free email and a permanent address at http://www.netaddress.com/?N=1

**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting 

[Fwd: Phys. Rev. Focus--1 OCT 1999]

[Robert Hettinga]

--- begin forwarded text


Date: Sat, 02 Oct 1999 18:06:57 -0400
From: Somebody
To: rah [EMAIL PROTECTED]
Subject: [Fwd: Phys. Rev. Focus--1 OCT 1999]

Bob --

More quantum cryptography - more-or-less
incomprehensible...
-- 
 Somebody's .sig

From: Focus List Owner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Phys. Rev. Focus--1 OCT 1999
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: [EMAIL PROTECTED]
Precedence: list

PHYSICAL REVIEW FOCUS   1 OCT 1999   http://focus.aps.org/
from the American Physical Society

Introductions to the Focus stories of the past week;
visit http://focus.aps.org for the complete stories.

PHOTONS ON DEMAND
Laser physicists are good at producing and manipulating single
photons, but as with good comedy, the timing is important. Even the
best experiments in quantum cryptography and computing--applications
that make use of single photon properties--use sources that emit
photons at random times. In the 4 October PRL a French team
demonstrates a system that emits single photons on a dependable
schedule at a frequency of 3 MHz. One other "triggered" photon
source which operates on completely different principles was
reported earlier this year. With these new techniques, researchers
know exactly when and where a single photon will be found, and they
are a step closer to quantum applications, such as cryptography that
allows the receiver of information to deduce whether a message has
been intercepted.
(Brunel, Lounis, Tamarat, and Orrit, Phys. Rev. Lett. 83, 2722.
COMPLETE Focus story at http://focus.aps.org/v4/st17.html
Link to the paper: http://publish.aps.org/abstract/PRL/v83/p2722/)

SCIENCE WRITERS AND JOURNALISTS:
The American Institue of Physics has just launched a web site
(http://www.aip.org/physnews/pnsentry.htm) containing full-text of
new, notable journal articles. Write to [EMAIL PROTECTED] to
register. Sorry, this site is for writers and journalists only.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

[Zero-Knowledge Press Release] ZERO-KNOWLEDGE SYSTEMS SECURES$12M IN CAPITAL FUNDING

[Robert Hettinga]

--- begin forwarded text


From: Dov Smith [EMAIL PROTECTED]
To: ZKS Press Releases [EMAIL PROTECTED]
Subject: [Zero-Knowledge Press Release] ZERO-KNOWLEDGE SYSTEMS 
SECURES $12M IN CAPITAL FUNDING
Date: Thu, 30 Sep 1999 10:33:55 -0400
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

==
Zero-Knowledge Systems Press Release, http://www.zeroknowledge.com
==

FOR IMMEDIATE RELEASE

ZERO-KNOWLEDGE SYSTEMS SECURES $12M IN CAPITAL FUNDING
FROM LEADING SILICON VALLEY VENTURE CAPITAL FIRMS
 
NetReturns2000--Aspen, Colorado--Sept. 30--

Zero-Knowledge Systems, a leading developer of Internet
privacy solutions, announced today it has secured US
$12 million in first round venture capital funding. The
lead investors are Platinum Venture Partners, Aragon
Ventures and Strategic Acquisition Ventures, the Silicon
Valley venture capital firms that have funded leading
Internet firms Inktomi, LiquidAudio, Star Media and
YesMail.com.

Zero-Knowledge is currently beta-testing its much-anticipated
Freedom privacy technology, which empowers users to surf the
Web, send email, post to newsgroups and chat via untraceable
digital identities called "nyms." All Freedom traffic is
encrypted and routed through the Freedom Network, a globally
distributed network of Freedom Servers hosted by ISPs and
independent server operators around the world. Heralded by
privacy advocates as the only fully trustworthy privacy
solution, Freedom will be available commercially in fourth
quarter 1999.

"In selecting our partners, we looked for investors who share
our vision of a multi-billion dollar privacy, identity and
trust industry, and see the incredible opportunity for Zero-
Knowledge to be the market leader in privacy and identity
management solutions," said Hammie Hill, CEO of Zero-Knowledge
Systems. "Our partners have a solid history of backing market
leaders introducing revolutionary technologies. Zero-Knowledge
is poised to become a market leader by ensuring that privacy
and identity reside on every consumer's desktop."

"The Internet was not created with privacy concerns in mind.
Zero-Knowledge will for the first time bring true privacy to
the Internet," said Mike Santer, co-founder and general partner
of Platinum Venture Partners. "Zero-Knowledge's technological
approach is the simplest and most comprehensive way for Internet
users to protect their privacy online. We see enormous growth
potential for providers of Internet privacy solutions and are
confident that Zero-Knowledge will establish a dominant lead
in this market."

"The Internet is revolutionizing consumer empowerment, and as
a leader in privacy protection Zero-Knowledge will be a market
leader in consumer protection and identity management," said
David Brewer, founder and general partner of Aragon Ventures.
"Zero-Knowledge will play a pivotal role in the evolution of
the Internet, as the number one consumer empowerment company
addressing the ever-increasing privacy concerns of Internet
users."

Mike Santer of Platinum Venture Partners and Alex Hern of
Strategic Acquisition Ventures have joined the Board of
Directors of Zero-Knowledge Systems.

About the Investment Partners

Platinum Venture Partners was founded in 1992  and maintains
offices in Palo Alto, CA and Chicago, IL. Aragon Ventures'
offices are in Palo Alto, CA. Strategic Acquisition Ventures'
offices are in Palo Alto, CA and Tampa, FL.

General Partners of these VC firms have been private equity
investors in leading  public Internet-related companies
Inktomi (NASDAQ: INKT), Liquid Audio (NASDAQ: LIQD), Star
Media Network (NASDAQ: STRM), Whittman-Hart, Inc. (NASDAQ:
WHIT) and YesMail.com (NASDAQ: YESM), which have a combined
market value of approximately US $10 billion. The VC firms
have also backed or co-founded private companies including:
Andromedia, Brainbuzz.com, Mothernature.com, National
Transportation Exchange and Triton Network Systems.

About Zero-Knowledge Systems, Inc.

Founded in 1997, Zero-Knowledge Systems
(http://www.zeroknowledge.com) is the first and only company
providing a total privacy solution for all Internet activities.
Zero-Knowledge is dedicated to protecting its customers'
privacy and freedom on the Internet through mathematics,
cryptography and source code. Based in Montreal, the company
employs 80 people and is rapidly expanding its operations.
Consumers interested in previewing Zero-Knowledge Systems'
Freedom technology can visit
http://www.zeroknowledge.com/products/download. Journalists
can visit the Zero-Knowledge pressroom at
http://www.zeroknowledge.com/pressroom.

(Freedom is a trademark of Zero-Knowledge Systems, Inc. All
other names may be trademarks of their respective owners.)

For more information, please contact:

Dov Smith
Director of Public Relations
514.286.2636 x 248
[EMAIL PROTECTED]

Meredith Markman
Weber Group Public Relations
415.616.6238

IT Companies Promote New Standard For Phone Security (was Re:Edupage, 29 September 1999)

[Robert Hettinga]

Why do I keep thinking "Radicchio" really gonna be another GSM "Pinocchio"?

Cheers,
RAH


At 5:02 PM -0600 on 9/29/99, EDUCAUSE wrote:


 IT COMPANIES PROMOTE NEW STANDARD FOR PHONE SECURITY
 EDS, France's Gemplus, Sonera, and Ericsson have founded a forum
 called "Radicchio" to promote a world encryption standard.  Known
 as "public key infrastructure," the technology provides security
 for mobile phone-based electronic commerce transactions.  The
 technology can be embedded into a silicon chip that is located
 inside typical GSM handsets.  Analysts believe that the mobile
 commerce market could reach $66 billion in the next four years,
 but forum founding members are concerned that security issues
 could impede the emerging market.  The European initiative is
 currently pursuing new members, such as industry players and
 governments.  Members of Radicchio say there could be 600 million
 mobile phones connected to the Internet by 2004, and easing
 security fears could go a long way toward making electronic
 transactions ubiquitous.  (Financial Times 09/28/99)

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Elliptic Curve 97-bit Challenge Broken

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 28 Sep 1999 16:17:07 -0400
To: [EMAIL PROTECTED]
From: David Farber [EMAIL PROTECTED]
Subject: IP: Elliptic Curve 97-bit Challenge Broken
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Date: Tue, 28 Sep 1999 15:44:17 -0400
From: [EMAIL PROTECTED] (Dorothy Denning)
Subject: Elliptic Curve 97-bit Challenge Broken
To: [EMAIL PROTECTED]

http://www.inria.fr/Actualites/pre55-eng.html

INRIA leads nearly 200 international scientists in cracking code
following challenge by Canadian company Certicom

Paris, September 28.  1999 - A new code-cracking challenge set by
Certicom has been successfully overcome using 740 computers in 20
countries over a period of 40 days.  The code, ECC2-97, is based on a
technique known as elliptic curves.

Led by Robert Harley, a member of the Cristal project at INRIA, France's
National Institute for Research in Computer Science and Control, the 195
researchers involved showed that a 97-bit encryption system based on
elliptic curves is more difficult to crack than a 512-bit system based
on integers such as RSA-155.

Encryption systems based on elliptic curves have been known since the
mid-1980s, but have only recently been adopted by leading encryption
companies such as RSA Security Inc.  Certicom issued its "ECC Challenge"
in November 1997, specifying a series of challenges of increasing
difficulty.  The company offers prizes up to US$100,000.  The aim of the
challenge is to encourage research in the field of elliptic curves and
their applications in encryption, and to strengthen arguments in favor
of using elliptic curve cryptography instead of systems based on integer
factorization.

The challenge dubbed "ECC2-97" took place in a set of about 10^29 points
on an elliptic curve chosen by Certicom.  To solve the problem,
participants first computed 119,248,522,782,547 (more than 10^14) using
open-source software developed by Harley.  Among these points, they
screened 127,492 "distinctive" points and collected them on a Alpha
Linux workstation at INRIA where further processing revealed two twin
points.  Finally Harley computed the solution using information
associated with these two points, thus nailing the problem.

The solution was found after less than one third of the predicted
computation.  The probability of finding the answer so quickly was less
than one in ten.  Two other twins were detected a few hours after the
first - a less than one in 100 probability!  Nevertheless the computing
power used, around 16,000 MIPS/years, was twice as much as that used for
the factorization of RSA-155 announced by Herman Te Riele of CWI
(Amsterdam) and his colleagues on 26 August 1999.

"These results strengthen our confidence in codes based on
properly-chosen elliptic curves," said Harley.  "This needs to be taken
into account in standards for security and confidentiality on the
Internet."

According to Andrew Odlyzko, Head of Mathematics and Cryptography
Research, at ATT Labs, the code-cracking operation was "a great
achievement that demonstrates the value of fruitfully harnessing some of
the huge computational power of the Internet that is idle most of the
time".  He added:  "It validates theoretical security predictions, and
demonstrates the need to keep increasing cryptographic key sizes to
protect against growing threats."

Arjen K.  Lenstra, Vice President at Citibanks's Corporate Technology
Office in New York and one of the main contributors to the recent
successful attack on the RSA-155 challenge, compared the two
computational efforts and noted that the present result makes 160-bit
ECC keys look even better compared to 1024-bit RSA keys, from a security
point of view.  "Ideally we would like new theoretical advances to
further reinforce these practical results, although such advances appear
out of reach for the moment."

Out of the $5000 prize money, the team members will give $4,000 to the
Free Software Foundation to encourage the creation of new free software.
The remaining $1,000 go to the team members who identified the twin
points.  Both were in fact found by Paul Bourke using a network of Alpha
workstations, mainly used for studying pulsars at the Centre of
Astrophysics at Swinburne University in Australia.

The most active teams in the project were:

Astrophysics  Supercomputing
   Australia
INRIA
   France
University of New South Wales
   Australia
"Friends of Rohit Khare"
   USA and France
Ecole Polytechnique
   France
Compaq
   USA and Italy
Technischen Universität Wien
   Autriche
University of Vermont
   USA
"WinTeam"
   International
British Telecom Labs
   UK
Internet Security Systems
   UK
Rupture Dot Net
 

IBM to built crypto-on-a-chip into all its PCs

[Robert Hettinga]

--- begin forwarded text


Date: Mon, 27 Sep 1999 17:01:05 +0100
From: Somebody
To:  [EMAIL PROTECTED]
Subject: IBM to built crypto-on-a-chip into all its PCs



   Posted 27/09/99 12:09pm by Tony Smith

   IBM to built crypto-on-a-chip into all its PCs

http://www.theregister.co.uk/990927-12.html


IBM will tomorrow launch an all-in-one encryption chip designed to 
protect documents stored on desktop PCs and servers.

The chip, as yet unnamed, will be initially installed in IBM's 300PL 
PC, but will soon be built into the company's full line of desktop 
systems. Actually, the 300PL may not feature the new chip since it's 
based on Intel's i820 chipset and, as Intel revealed today, 
http://www.theregister.co.uk/990927-11.htmlthe i820's release 
has been delayed indefinitely.

IBM said users will pay no more for a hardware encryption-enabled PC 
than they will for a machine without the chip.

In addition to handling key encryption -- the technology most usually 
associated with document protection -- the chip will also generate 
and verify digital signaturees.

IBM's plan is clearly to make its machines more appealing to the 
growing number of computer users buying desktops solely to surf the 
Internet at do a little online shopping. The move should also make 
its PCs more attractive to companies performing business-to-business 
transactions over the Net.

Of course, Big Blue is keen to be seen as acting in everyone's 
interest here, which is why the company's general manager for desktop 
systems, Anne Gardner, told Reuters: "We want this to become an 
industry standard. We want this on as many desktops as possible."

However, IBM clearly wants to retain a lead, which no doubt explains 
Gardner's reluctance to discuss any plans the company may have to 
licence the technology to motherboard vendors. All she would say on 
the subject was a vague "you may see something along those lines in 
the future".

Probably IBM will first want to see how attractive the technology is 
to punters. At least the approach of using an ancillary encryption 
chip should keep IBM safe from the nightmare Intel faced when it 
attempted to railroad CPU ID numbers on users.


--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: DoD selects vendors for public key infrastructure pilot

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Fri, 24 Sep 1999 17:20:44 -0500
To: [EMAIL PROTECTED]
Subject: IP: DoD selects vendors for public key infrastructure pilot
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  Department of Defense
http://www.defenselink.mil/news/Sep1999/b09211999_bt432-99.html

DOD SELECTS VENDORS FOR PUBLIC KEY INFRASTRUCTURE PILOT

The Department of Defense has made its initial selection of vendors to
enable secure, electronic business services with private industry.

Operational Research Consultants Inc. and Digital Signature Trust Co. are
the first two candidates selected to supply the Department with Class Three
Interim External Certification Authorities (IECAs) for its public key
infrastructure. This capability will allow DoD to electronically
communicate with industry by enabling secure, private electronic business
and paperless contracting. IECAs will be used to provide non-DoD personnel
with certificate services compatible with the Department's public key
infrastructure.

In May 1999 the Department released a solicitation for IECAs to support
vendors conducting business with the Paperless Contracting Wide-Area Work
Flow, Electronic Document Access and Defense Travel System applications.
Operational Research Consultants Inc. and Digital Signature Trust Co. are
the first two candidates to successfully complete the testing, policy and
procedural requirements for IECAs. More IECA selections will be announced
as available.

Selection of these two vendors is a significant milestone in the rollout of
the Department's public key infrastructure since it promotes broader
industry participation. In addition, this pilot should provide additional
data to refine the Department's requirements and procedures for use of
future external certificate authorities.


**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Selective DoS Attacks: Remailer Vulnerabilities

[Robert Hettinga]

--- begin forwarded text


Date: 24 Sep 1999 15:20:12 -
From: RProcess [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Selective DoS Attacks: Remailer Vulnerabilities
CC: [EMAIL PROTECTED]
Newsgroups: alt.privacy.anon-server,alt.security.pgp,alt.privacy
Sender: [EMAIL PROTECTED]
Reply-To: RProcess [EMAIL PROTECTED]

The following is a (somewhat long) discussion of what I consider to be
some of the primary vulnerabilities in the current Cypherpunk/Mixmaster
anonymous remailer system, and how I suspect some of these
vulnerabilities are being quietly exploited.

It is not my intention to undermine confidence in the current system,
which does offer substantial security and usefulness, but to discuss
potential and probable threats with the goal of long-term improvement.

To date I have written three remailer clients (Potato, JBN 1 and 2) and
a Windows remailer (Reliable), and in attempting to test the features
thoroughly over several years time, have observed various problematic
aspects of the remailer system, and have attempted to analyze anomalies
very carefully.  I am sharing these observations now because I am fairly
confident that if they are not accurate, they are at least plausible
fiction, and thus worthy of consideration.


Contents:

 WHAT I HAVE OBSERVED
 SELECTIVE DOS
 PLAUSIBILITY
 THE HOLE
 WHAT I HAVE NOT OBSERVED
 OTHER ATTACKS
 WHY BE CONCERNED?
 WHAT CAN BE DONE
 THE NEXT GENERATION
 IN CLOSING




WHAT I HAVE OBSERVED

Briefly, I have observed the same thing that many remailer users have
complained about for some time - lost mail.  The possible difference is
that I have investigated it a little more deliberately than most users
would care to do.  Some mail sent through remailers vanishes.  This has
previously been explained as unreliable software, hardware, networking,
etc.  However I have found these explanations to be insufficient to
explain my observations.

One of the goals of writing Potato (and likewise JBN) was to provide a
remailer client that would be very accurate and dependable, thus
providing a means to produce consistent and dependably formatted mail.
By allowing users to save templates of message constructions, it removes
a lot of human error.  It also provides an artificial memory by which a
user can verify whether or not a missing message was constructed
properly.

Likewise, Reliable (as the name implies) was designed to do everything
possible to eliminate disappearing messages.  Reliable is very reluctant
to discard messages, and has several tiers of message disposal, with the
ability to requeue messages which are unprocessed due to
misconfiguration or other questionable problems.  In addition, the
Freedom and Mixmaster remailers have undergone a lot of work by Johannes
Kroeger and Ulf Moller which I believe has made them much more
dependable (and secure) than remailers operating some years ago.

As a result of these improvements we have clients and servers which run
consistently and with a large degree of reliability.  So why is it so
very difficult to generate a dependable and secure reply-block?

Some of my observations:

 Some mail vanishes, particularly if unique (not sent through a
 previously established encrypted reply-block).

 Mail which is securely encrypted is more likely to vanish or be
 delayed than are simple messages.
 
 Mail which is well-chained is far more likely to be lost, even
 allowing for increased probability of serial failure and other
 causes, even when all remailers in the chain test ok.
 
 Ping messages are more reliable than real mail.  The new version 2
 stats reveal that most remailers are very consistent and reliable in
 processing pings, and true network and server down time is very
 obvious and quite rare.  Yet actual use of the remailers in chains
 paints a very different picture than these stats.
 
 Established reply-blocks may work flawlessly, while a newly created
 reply-block with the same remailers will be delayed or lost.
 
 New reply-block chains are delayed for the first several uses.
 
 There is a correspondence between nym accounts and new reply-block
 unreliability.  (ie a new reply-block for [EMAIL PROTECTED] will be
 consistently more unreliable than the same or similar reply-block
 for [EMAIL PROTECTED])

 Remailer operators complain of their stats being low despite their
 remailer functioning normally.

 Conduction of some news messages between servers is impeded beyond
 expectations.
 

Isolated incidents can be dismissed as coincidence, due to traffic
levels, and other variations, but over time the trends become very clear
and disturbing, the reasons ever diminishing.  I think most remailer and
nym users are well acquainted with this behavior, to the point where
they take it for granted, and I think some of those who work 

FC00 SUBMISSION DEADLINE REMINDER

[Robert Hettinga]

--- begin forwarded text


Resent-Date: Wed, 22 Sep 1999 03:34:16 -0400
Date: Wed, 22 Sep 1999 09:34:05 +0200 (MET DST)
From: Ray Hirschfeld [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: FC00 SUBMISSION DEADLINE REMINDER
Reply-to: [EMAIL PROTECTED]
Resent-From: [EMAIL PROTECTED]
Resent-Sender: [EMAIL PROTECTED]
Resent-Bcc:

Just a reminder that the deadline for Financial Cryptography '00
conference submissions is September 24 (the day after tomorrow).  This
year electronic submissions are possible.  Instructions for electronic
submission can be found at http://www.fc00.cs.uwm.edu/esub.html.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

KISA Attack

[Robert Hettinga]

--- begin forwarded text


Date: Wed, 22 Sep 1999 05:25:40 -0400
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: KISA Attack
Sender: [EMAIL PROTECTED]
Reply-To: John Young [EMAIL PROTECTED]

For the past two days jya.com has been under attack
by the Korea Information Security Agency

http://www.kisa.or.kr

which has set up (or allowed) a couple of robots to issue a
sustained  flood of requests for the same three files, one per
second, which has nearly stopped access by others.

We've written the [EMAIL PROTECTED] to no effect.
The phone listed at the KISA web site does not answer.
A robot exclusion file has not worked.

Any suggestions for ways to ebola the invaders? We filed
criminal charges with the international cybercrimes tribunal
but do not expect rapid deployment of their cooping cops --
spooned with KISA's.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Is There a Visor Security Model?

[Robert Hettinga]

Everyone's probably heard of the new Palm-alike Visor by now, and 
it's got this "springboard" slot in the back processors, memory, and 
other stuff.

The Palm's security model is, by most accounts I've seen, non-existant.

Is the Visor any better?

It would be nice to have a portable cryptographic/signature/digital 
money device. Are we any closer?

Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Smart Cards with Chips encouraged

[Robert Hettinga]

I remember Ian, Adam, someone else and I talking about the 
card-in-a-floppy thing at CFP '96.

Soulda, woulda, coulda, and all that...

Cheers,
RAH

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Mon, 20 Sep 1999 08:50:44 -0500
To: [EMAIL PROTECTED]
Subject: IP: Smart Cards with Chips encouraged
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  New York Times
http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html

September 20, 1999

By BOB TEDESCHI

New Hardware Could Help Web Merchants Cut Fraud

Credit card companies love the Internet, since they pocket a share of most
e-commerce transactions. But like everything in the world of revolving
credit, that love has limits. Stolen cards used to make purchases online,
in particular, cost credit card issuers millions each year -- pushing the
price of doing business on the Web higher for banks, merchants and,
ultimately, users.

So even as the major credit card companies and the banks that issue those
cards explore ways to build Internet market share, they are also looking
for creative ways to limit fraud.

The recent launch of the American Express blue card, which comes with an
embedded computer chip, is an example of both efforts. Since the card's
chip can access a user's personal information, it will eliminate the hassle
of typing in that data in every Web purchase -- and, American Express
hopes, encourage people to use  its card. At the same time, the chip limits
the fraud by guaranteeing the shopper's identity and offering greater
protection to the buyer's information during the transaction.

The key to these features is a piece of computer hardware that, until now,
has been foreign to the desktop: a credit card reading device. Starting in
November, blue card owners will be able to obtain such a device, which they
will be able to plug into their PC's, enabling them to swipe the card at
home much like a sales clerk would at a retail store.

Other credit card issuers are exploring similar technologies. One company
that makes a card-reading device for personal computers, UTM Systems,
recently announced that four major U.S. banks affiliated with both Visa and
Mastercard International will begin distributing its system free to
consumers before the end of the year. UTM's founder and chief executive,
Robert Lee, declined to name the banks, but said they served "well over 10
million customers."

The device, which costs the card issuers $6 a unit, is simple. When a user
is ready to make an online purchase, the credit or debit card is placed in
the UTM card reader, which is inserted into a floppy disk drive. A small
window then appears on screen, asks for a personal identification number
and sends the encrypted information to the retail site. When the
transaction is complete, the window disappears.

David Robertson, president of the Nilson Report, a credit card industry
newsletter, predicted that credit card companies would be aggressive in
spreading such technologies. "American Express is the first, but you'll see
everyone start to do this by the end of the first quarter of next year," he
said. "It's inevitable."

From the standpoint of fraud prevention, card issuers have great incentive
to promote the devices, he said. Issuers lose roughly 8 cents for every
$100 in online sales to fraudulent card use -- "slightly higher than the
market at large, but it's growing," Robertson said.

"The industry has been fabulously successful at pushing fraud down in
general," he added. "But that just highlights the liability associated with
the Internet."

Which is not to say that Visa, American Express and Mastercard are stepping
lightly into the electronic frontier. Each has begun major Internet-related
advertising efforts, of which Visa's is the most aggressive. According to
the Nilson Report, 59 percent of Internet credit card purchases are made
with Visa, 28 percent with Mastercard and 12 percent with American Express.
Off line, Visa has a 51 percent share, compared with 25 percent for
Mastercard and 17 percent for American Express.

In part, the success of PC-based credit card readers hinges on how secure
consumers feel about credit card transactions on the Web. While such
devices in fact provide users more security than typical Internet
transactions, surveys indicate that consumers are less concerned about
entering their credit card data online than they used to be. One recent
survey by Navidec, a consulting firm, indicated that 21 percent of Internet
users worry about credit card security during transactions, about half the
number that expressed such concerns in 1997.

However, Paul Hughes, an analyst with the Yankee Group consulting firm,
says that new Internet users might warm to these devices, given the
trepidation with which many still approach online shopping in general.
"That said, the credit card companies are going to have to do some creative
marketing to drive these into the hands of consumers," he 

Re: Secure Digital Memory Chip??

[Robert Hettinga]

--- begin forwarded text


Resent-Date: Mon, 20 Sep 1999 14:43:10 -0400
Date: Mon, 20 Sep 1999 11:28:35 -0700 (PDT)
From: Peter A Pongracz-Bartha [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Secure Digital Memory Chip??
To: [EMAIL PROTECTED]
Resent-From: [EMAIL PROTECTED]
Resent-Sender: [EMAIL PROTECTED]
Resent-Bcc:

I think it was Scientific American within the last 2-3 months.
I won't check right now, but it could be I really saw it in
CACM, or IEEE/Computer instead.

Basically a MEMS research project where you have a keyed pinblock
that is driven by electronics, but can't be spoofed like existing
smart card solutions. That is, you can't use fault-injection (via
microwaves or other means) then analyze the resultant output to
make it orders of magnitude easier to break the key.

I'd like to see what Ron Rivest thinks of this. He's probably commented
on it in a crypto list somewhere.

Peter


On Mon, 20 Sep 1999, Carlos Mora wrote:

 A friend of mine just mentioned that he had read in
 some paper about a "secure digital memory chip" or
 "secure miniature memory chip".


--
Subcription/unsubscription/info requests: send e-mail with subject of
"subscribe", "unsubscribe", or "info" to [EMAIL PROTECTED]
Wear-Hard Mailing List Archive (searchable): http://wearables.blu.org

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Ecash without a mint

[Robert Hettinga]

At 1:52 PM -0700 on 9/20/99, Wei Dai wrote:


 Unfortunately it seems unavoidable unless you have a trusted party control
 the money supply.

Yes. In business, they call this quaint phenomenon "financial 
intermediation". ;-).

Seriously, if you have *lots* of intermediaries in competition, the 
situation is *quite* stable and very robust, which is the whole point 
of free banking.

Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: fc00 boat charter

[Robert Hettinga]

Let's see if the fc00 list is up yet. I bet it isn't...

At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks:


 Just maybe. Depends on how long it takes -- I can't justify an overwhelming
 amount of time away from the office. Seems to me there'd be a huge
 difference in terms of time and cost from Boston and Miami. (Heck, how
 about Norfolk or somewhere in MD/VA near DC?)

Quite a long haul from either place, in fact, and I'd rather *sail*, 
anyway :-).

Of course, booking a block of cruise-ship rooms out of Miami, or San 
Juan, or St. Thomas even, might not be a bad thing. Can't really 
expect it to park in Anguilla for a week, though, as Ryan notes below.


I've been kicking around the idea of boat-cabin-as-hotel-room ever 
since we started the Financial Cryptography conference; you can't 
look down on the brilliant turquoise water of Sandy Ground from the 
cliff near the InterIsland by Raffi's and *not* imagine sitting on 
the the world's greatest back porch, Rum-something-or-other in hand, 
watching the sun go down. We could never make it work out, for one 
reason or another.

This year, however, a friend on our Boston harbor round-the-cans crew 
owns 50-footer for charter out of Virgin Gorda, and some of that 
crew, and some sailing FCXX regulars, and I, have been kicking around 
the idea pretty seriously between tacks and climbs to the next high 
side. I've got 5 to 8 people so far, I think, which probably fills 
the boat at the high side of *that*, though people will probably sign 
on and drop off. We're probably looking at two weeks on the boat, 
with various people dropping in and out at various locations. We 
haven't figured out whether we'd start in the BVIs or end there, 
though. And, of course, the idea is to park on Sandy Ground for the 
conference no matter what we do. I have to be on Anguilla some part 
of the weekend before and/or after, but, besides that, it doesn't 
matter to me, when or where we sail at all :-).

I can see it now... Do the conference in the AM, and sail a bit in 
the PM... Yes, boys and girls, there *is* a reason I invented the 
conference with *no* afternoon sessions... :-).


Chartering a sailboat on Saint Martin/Maarten (the island is 
French/Dutch and has a nice, big runway with lots of direct flights 
to Europe and the States) and sailing over to Anguilla is pretty 
straightforward, and the only reason we're even thinking about 
sailing a boat, overnight, out of sight of land, all the way across 
the Gut from the Virgins is, well, because we *can*, :-), having a 
boat full of sailing "ringers", as it were.

But, however you want do it, FC00 is in the middle of the Carribbean 
high season, so getting your boat chartered should be done quickly, 
if it's still even possible.

Cheers,
RAH

At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks:


 Just maybe. Depends on how long it takes -- I can't justify an overwhelming
 amount of time away from the office. Seems to me there'd be a huge
 difference in terms of time and cost from Boston and Miami. (Heck, how
 about Norfolk or somewhere in MD/VA near DC?)

 -Declan


 At 05:25 9/19/1999 -0700, Ryan Lackey wrote:
Would anyone be interested in potentially chartering a boat (or block-booking
on a cruise) from a major East Coast city (probably Boston, NYC, Miami)
to Anguilla for fc00?  It'll certainly not be a cost savings over
flying, but would be far more fun.  This idea came up last year, but didn't
happen.

(a cruise would presumably terminate in Sint Maarten, which is an 8 nm
ferry away; a chartered boat could hang around and be housing...)

There are also possibilities for getting group airfare from SFO to
cruise port in the US...

--
[EMAIL PROTECTED]
http://www.venona.com/rdl/
1024D/4096g 0xD2E0301F B8B8 3D95 F940 9760 C64B  DE90 07AD BE07 D2E0 301F


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: more re Encryption Technology Limits Eased

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 16 Sep 1999 16:08:10 -0700
To: [EMAIL PROTECTED]
From: John Muller [EMAIL PROTECTED]
Subject: Re: more re Encryption Technology Limits Eased
Sender: [EMAIL PROTECTED]
Reply-To: John Muller [EMAIL PROTECTED]

You can now find a fuller set of White House materials, including the press
statement and fact sheet on the crypto export policy and a fact sheet and
letter to Congress on the Cyberspace Electronic Security Act, at
http://www.pub.whitehouse.gov/search/white-house-publications?everything+%3
Eyesterday+%3D200+.  This URL is probably only good for one day.


John Muller
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"Just because it's simple doesn't mean it's easy"


For help on using this list (especially unsubscribing), send a message to
"[EMAIL PROTECTED]" with one line of text: "help".

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Ah. That's more like it...

[Robert Hettinga]

Sorry for the confusion.

The title above referred to me passing the *right* information along, 
as opposed to last year's press announcement, which was, of course, 
embarrassing, but not the end of the world.

As to whether the current administration's new cryptography 
regulations are better, I agree with John Young's indictment of this 
latest beaurosophistic spin-festival. Their Xenonian process of 
recursive half-regulation is as much a sham as everything else the 
government has done with respect to strong cryptography.

If they were to say they were completely decontrolling cryptography 
export, then it would matter, but, of course, they will never say it.

And, frankly, as Tim May says time and time again, it doesn't really 
matter whether American companies can sell cryptography to the rest 
of the world, as long as they can sell cryptography in America. The 
rest of the world is demonstrating a marked ability to take care of 
itself in that regard, anyway. To my mind, the market, and not the 
law, matters here, and the market is doing just fine, thank you very 
much.


Furthermore, the market for internet financial cryptography 
understands the theory of limits a whole lot better than our current 
crop of innumerate, latter-day Sophist "policymakers" ever can: Just 
keep taking halfsies, and, quite quickly, you eventually end up with 
the whole thing.

Even better, the half-life of this particular game of halfsies seems 
to go down geometrically as the number of dollars spent over the 
internet goes up.

More fun with numbers.

"Policymakers" can claim a geocentric universe and a flat earth as 
far into the age of discovery as they want to, in other words. What 
they *say* doesn't matter nearly as much as what the market *does*.

Cheers,
RAH

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

ACP Applauds Modernization of Encryption Policy

[Robert Hettinga]

More a proof of the uselessness of the new encryption policy than an 
endorsement, I'd say.

If the lobbyists like it, there must be something wrong with it?

Cheers,
RAH

--- begin forwarded text


Date: 17 Sep 1999 02:39:53 -
To: [EMAIL PROTECTED]
From: "Privacy Concerns" [EMAIL PROTECTED]
Subject: IP: Encryption Policy
Sender: [EMAIL PROTECTED]
Reply-To: "Privacy Concerns" [EMAIL PROTECTED]
Status: U


Privacy Concerns - http://www.angelfire.com/biz/privacyconcerns/index.html

ACP Applauds Modernization of Encryption Policy

  WASHINGTON--(BUSINESS WIRE)--Sept. 16, 1999--The following statement
was issued today by Ed Gillespie, executive director, and Jack Quinn,
counsel, Americans for Computer Privacy (ACP), in response to the Clinton
Administration's announcement of new encryption export regulations:
"We congratulate the Administration for providing the effective leadership
this complicated issue deserves. Today's decision articulates a policy
that is good for America, good for our nation's high-tech industry, and
good for the tens of millions of Americans who use computers and want them
to be secure.

  "Having worked closely for the past 18 months with the Administration
and Congress to ensure that America has a clear and realistic encryption
policy, ACP is particularly gratified by today's announcement. We applaud
the Administration for providing U.S. manufacturers with a level playing
field in the global high-tech marketplace. We also wish to pay tribute to
those in Congress who tirelessly sought reforms through their support of
the Security and Freedom Through Information (SAFE) Act -- particularly
Representatives Bob Goodlatte (R-Va.), Zoe Lofgren (D-Calif.) and the
bi-partisan leadership of the House. We also want to recognize Senators
McCain and Leahy who championed the PROTECT and E-Rights bills in the
Senate.

  "ACP understands today's announcement to mean that all strengths and
types of encryption hardware and software can be sold to individuals and
businesses throughout the world, with the exception of the seven terrorist
states. We understand that the Administration will replace the existing
export licensing scheme with a simple technical review of products and
reporting on sales where practical. Importantly, we understand that the
Administration recognizes that the realities of mass market distribution
mean it is impossible to report information on individual end users.

  "This development is the new policy America needs to maintain its
technological leadership, strengthen the government's abilities to protect
our critical infrastructure, and fight crime in the Information Age. We
look forward to working with the Administration and Congress in coming
months on details and implementation of the new policy, and to do so in
ways that do not jeopardize our statutory and constitutional rights to
privacy."

  Americans for Computer Privacy (ACP) is a broad-based coalition that
brings together more than 100 companies and 40 associations representing
financial services, manufacturing, telecommunications, high-tech and
transportation, as well as law enforcement, civil-liberty, pro-family and
taxpayer groups. ACP supports policies that advance the rights of American
citizens to encode information without fear of government intrusion, and
advocates the lifting of export restrictions on U.S.-made encryption.

For more information on ACP, visit the Web site at
www.computerprivacy.org

  --30--AR/na

CONTACT:

Americans for Computer Privacy

Sue Richard or Kristin Litterst, 202/625-1256

Web site: http://www.computerprivacy.org
*
Like to contribute an article or comment about this one? E-mail
[EMAIL PROTECTED]
*
Privacy Concerns is a free public service of D. A. H. Investigative
Consultants, a Cincinnati based private investigation firm. E-mail:
[EMAIL PROTECTED] or toll free, 888-249-2404.



**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

White House Report: Preserving America's Privacy in the NextCentury

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Fri, 17 Sep 1999 09:50:09 -0500
To: [EMAIL PROTECTED]
Subject: IP: Privacy:  Watch Out for Doublespeak
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  US Newswire
http://www.usnewswire.com/topnews/Current_Releases/0916-164.htm

WH Report: Preserving America's Privacy
U.S. Newswire
16 Sep 20:14

White House Report: Preserving America's Privacy in the Next Century
To: National Desk, Technology Reporter
Contact: White House Press Office, 202-456-2100

WASHINGTON, Sept. 16 /U.S. Newswire/ -- The following was released
today by the White House:

PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
A STRATEGY FOR AMERICA IN CYBERSPACE

A REPORT TO
THE PRESIDENT OF THE UNITED STATES

September 16, 1999

William Cohen, Secretary of Defense
Janet Reno, Attorney General
Jacob J. Lew, Director of the Office of Management and Budget
William Daley, Secretary of Commerce

--
PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
A STRATEGY FOR AMERICA IN CYBERSPACE
 

1. A TIME OF PIVOTAL CHANGE

American history has been punctuated by periods in which the
Nation had to respond to sweeping social, economic and technological
developments. In the best of times, people working together in
government and industry became the engine of progress that shaped the
character of the time and facilitated new prosperity and opportunity
for Americans. Three examples illustrate this point.

Opening the Heartland and Expanding the Frontier.

Beginning with the Louisiana Purchase in 1803, the government
initiated a remarkably successful policy to open up a vast new area.
Over the next five decades, the United States doubled the size of its
territory. Under the government's plan, land grants were given to
railroads to open the Midwest and in turn to create a future market
for rail services. Land was awarded to homesteaders, and yet other
parcels were reserved as income sources for institutions of higher
education.

The technological advance of the railroad was the engine pulling
this growth. From the 1820s to 1900, American railroads added an
average of more than 2,000 miles of track each year. By the close of
the 19th century, the combination of these factors had served to
triple the size of our nation. The Administration and the Congress,
working together and in concert with technology advances, created an
infrastructure for a new society.

-- 
Industrialization and the Great Depression Produce a New Society.

Around the turn of the century, the country was firmly in the
Industrial Age. Technical innovations in automation and machinery
spurred the growth of factories, assembly lines and mass production
in our nation's cities. The Ford assembly line for the Model T and
the Wright brother's flight catapulted us into a mobile society and
drove further technological innovations. Telephones became more
commonplace and the nation began to shrink as news and information
traveled faster. As a nation, we created new opportunities in
industries never heard of, and created a new class of wealth, based
on opportunity and innovation, not birthright. The economy moved
from an agrarian society to an industrial society.

But the growth and prosperity experienced by many halted when the
Great Depression gripped the country. In response, the government
developed a series of creative policies and programs that brought
government and business to the common task of restoring productivity
to America. While there were a number of social programs, government
support for technology was key to driving development. For example,
the government took a pivotal role in expanding the electrical grids
that would become the backbone of our national infrastructure, first
with the creation of the Tennessee Valley Authority in 1933 and two
years later with the creation of the Rural Electrification
Administration. Electrical technology, in the ensuing years,
radically altered the capabilities of America's rural farms and
industry. Just as important, it created a transmission belt that
further disseminated the ideas and technology being generated in the
nation's cities.

-- 
A World War Produces a Global Community and the American Century.

In a third case, World War II shattered the international
political system at the same time that it brought an end to 19th
century colonialism. The creation of the World Bank, the
International Monetary Fund, and the rules for a global trading
system became the cornerstones of the emerging global economy.

The urgent need for increased production and the burst of
scientific funding associated with the war effort -- sustained by a
continuing Federal commitment to new science and technology in the
following years -- vaulted the United States into the age of
electronics and computers -- the beginning of the Information Age.
 

Advances in telecommunications, such as broad-band carrier systems
and switching devices, combined 

DCSB: Gerald Gold; Internet Content -- Stories from the Front

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 16 Sep 1999 08:24:58 -0400
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: DCSB: Gerald Gold; Internet Content -- Stories from the Front
Cc: Gerald Gold [EMAIL PROTECTED], Warren Agin [EMAIL PROTECTED],
 Rodney Thayer [EMAIL PROTECTED], Muni Savyon [EMAIL PROTECTED],
 Elias Israel [EMAIL PROTECTED], Suzan Dionne [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Robert Hettinga [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

  The Digital Commerce Society of Boston

Presents

   Gerald Gold

 Vice President,
eCommerce Application Development
  Peanut Press

 Internet Content: Stories from the Front


 Tuesday, October 5th, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
   One Federal Street, Boston, MA



Are people willing to spend money to download an electronic file that
contains the text of a novel?  Are book publishers willing to risk piracy
by offering their products in electronic format for sale via the web?
What does geography have to do with selling ebooks online?

Practical answers to these questions (and many others) had to be found
in order to build peanutpress.com: the world's premier provider of
ebooks from publishers' front lists, designed to be read on PDAs (such
as Palm connected organizers).

The discussion will focus on real world issues that surround the
interesting complexities of building an online store that creates,
sells, and delivers electronic books.


Gerald Gold has been working with text since he was a toddler.  From
about the age of two, the alphabet held a particular fascination.
Numbers weren't far behind; arithmetic and then logic soon occupied a
significant part of his daily thinking.  Since 1994 Gerald has been
developing web sites.

What better venue is there than programming for the World Wide Web in
which to share a passion for managing, manipulating, and
processing text and numbers?


This meeting of the Digital Commerce Society of Boston will be held
on Tuesday, October 5, 1999, from 12pm - 2pm at the Downtown Branch of
the Harvard Club of Boston, on One Federal Street. The price for
lunch is $35.00. This price includes lunch, room rental, various A/V
hardware, and the speakers' lunch.  The Harvard Club *does* have
dress code: jackets and ties for men (and no sneakers or jeans), and
"appropriate business attire" (whatever that means), for women.  Fair
warning: since we purchase these luncheons in advance, we will be
unable to refund the price of your lunch if the Club finds you in
violation of the dress code.


We need to receive a company check, or money order, (or, if we
*really* know you, a personal check) payable to "The Harvard Club of
Boston", by Saturday, September 2nd, or you won't be on the list for
lunch.  Checks payable to anyone else but The Harvard Club of Boston
will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club of Boston", in the amount of $35.00. Please include your
e-mail address so that we can send you a confirmation

If anyone has questions, or has a problem with these arrangements
(We've had to work with glacial A/P departments more than once, for
instance), please let us know via e-mail, and we'll see if we can
work something out.

Upcoming speakers for DCSB are:

November   Warren AginSecured Internet Lending
December   Rodney Thayer  Cryptographic Transnationality
JanuaryElias Israel   The Libertarians and Digital Commerce
February   Suzan Dionne   The Law of Digital Cash


We are actively searching for future speakers.  If you are in Boston
on the first Tuesday of the month, and you are a principal in digital
commerce, and would like to make a presentation to the Society,
please send e-mail to the DCSB Program Committee, care of Robert
Hettinga, mailto: [EMAIL PROTECTED].


For more information about the Digital Commerce Society of Boston,
send "info dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail
list, send "subscribe dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] .

We look forward to seeing you there!

Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com

iQEVAwUBN+DhbMUCGwxmWcHhAQF8YAf/Q/jv2GUJeTfX4hhZKVoOJ/ZQZWiEjrEf
eX0fm90G2HJ+KqIoD7AxEEKOKkS95SUuX4WJrGWkLlyAUm24/isLXhaUizTRBmul
6XuqrSCf+4ijUpdwce9KyFVwqf9vqacg9C7NoDkMg0KBhv+/2uEaZsHKlm4SjBpi
BC6QUgDIIdTXQ/IJDpR4tRVszRtKxbS3wqmyV1N7LFKo8M519VgDhpJE8vUssCYv
W2e8/YFLcAVR1Z12tz8g+AH6x6s8rw8Kb243e9f4YwmEUr3NeUWpvm3NoesfKC7K
53QLf09seTJF

Administration Updates Encryption Policy

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 16 Sep 1999 14:36:39 -0400
To: [EMAIL PROTECTED]
From: Hudson Barton [EMAIL PROTECTED]
Subject: Administration Updates Encryption Policy
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20mac-crypto

Office of the Press Secretary


For Immediate Release
September 16, 1998
STATEMENT BY THE PRESS SECRETARY
Administration Updates Encryption Policy
The Clinton Administration today announced a series of steps to 
update its encryption policy in a way that meets the full range of 
national interests: promotes electronic commerce, supports law 
enforcement and national security and protects privacy. These steps 
are a result of several months of intensive dialogue between the 
government and U.S. industry, the law enforcement community and 
privacy groups that was called for by the Vice President and 
supported by members of Congress.
As the Vice President stated in a letter to Senator Daschle, the 
Administration remains committed to assuring that the nation's law 
enforcement community will be able to access, under strictly defined 
legal procedures, the plain text of criminally related communications 
and stored information. The Administration intends to support FBI's 
establishment of a technical support center to help build the 
technical capacity of law enforcement - Federal, State, and local - 
to stay abreast of advancing communications technology.
The Administration will also strengthen its support for electronic 
commerce by permitting the export of strong encryption when used to 
protect sensitive financial, health, medical, and business 
proprietary information in electronic form. The updated export policy 
will allow U.S. companies new opportunities to sell encryption 
products to almost 70 percent of the world's economy, including the 
European Union, the Caribbean and some Asian and South American 
countries. These changes in export policy were based on input from 
industry groups while being protective of national security and law 
enforcement interests.
The new export guidelines will permit exports to other industries 
beyond financial institutions, and further streamline exports of key 
recovery products and other recoverable encryption products. Exports 
to those end users and destination countries not addressed by today's 
announcement will continue to be reviewed on a case-by-case basis.
Very strong encryption with any key length (with or without key 
recovery) will now be permitted for export under license exception, 
to several industry sectors. For example, U.S. companies will be able 
to export very strong encryption for use between their headquarters 
and their foreign subsidiaries worldwide except the seven terrorist 
countries (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba) to 
protect their sensitive company proprietary information.
On-line merchants in 45 countries will be able to use robust U.S. 
encryption products to protect their on-line electronic commerce 
transactions with their customers over the Internet.
Insurance companies as well as the health and medical sectors in 
those same 45 countries will be able to purchase and use robust U.S. 
encryption products to secure health and insurance data among 
legitimate users such as hospitals, health care professionals, 
patients, insurers and their customers.
The new guidelines also allow encryption hardware and software 
products with encryption strength up to 56-bit DES or equivalent to 
be exported without a license, after a one time technical review, to 
all users outside the seven terrorist countries. Currently, 
streamlined exports of DES products are permitted for those companies 
that have filed key recovery business plans. However, with the new 
guidelines, key recovery business plans will no longer be required.
The Administration will continue to promote the development of key 
recovery products by easing regulatory requirements. For the more 
than 60 companies which have submitted plans to develop and market 
key recovery encryption products, the six month progress reviews will 
no longer be required. Once the products are ready for market they 
can be exported, with any bit length -- without a license -- 
world-wide (except to terrorist nations) after a one-time review. 
Furthermore, exporters will no longer need to name or submit 
additional information on a key recovery agent prior to export. These 
requirements will be removed from the regulations.
Finally, industry has identified other so-called "recoverable" 
products and techniques that allow for the recovery of plaintext by a 
system or network administrator and that can also assist law 
enforcement access,subject to strict procedures. The administration 
will permit their export for use within most foreign commercial 
firms, and their wholly-owned subsidiaries, in large markets, 
including Western Europe, 

IP: Statement By The Press Secretary: Administration AnnouncesNew Approach to Encryption

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 16 Sep 1999 15:32:09 -0400
To: [EMAIL PROTECTED]
From: David Farber [EMAIL PROTECTED]
Subject: IP: Statement By The Press Secretary: Administration Announces New
  Approach to Encryption
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]


  THE WHITE HOUSE

   Office of the Press Secretary
___
 
For Immediate Release
September 16, 1999


 STATEMENT BY THE PRESS SECRETARY

Administration Announces New Approach to Encryption

 One year ago today, Vice President Gore announced updates to the
Administration?s encryption policy to serve the full range of national
interests: promoting electronic commerce, supporting law enforcement and
national security, and protecting privacy.  The announcement permitted the
export of strong encryption to protect sensitive information in the
financial, health, medical, and electronic commerce sectors.  It also
included support for the continued ability of the nation?s law enforcement
community to access, under strictly defined legal procedures, the plain
text of criminally related communications and stored information.  At that
time the Administration committed to reviewing its policy in one year.
Today, the Administration announces the results of that review, conducted
in consultation with industry and privacy groups and the Congress.

 The strategy announced today continues to maintain the balance among
privacy, commercial interests, public safety and national security.  This
approach is comprised of three elements ? information security and privacy,
a new framework for export controls, and updated tools for law enforcement.
First, the strategy recognizes that sensitive electronic information ?
government, commercial, and privacy information -- requires strong
protection from unauthorized and unlawful access if the great promise of
the electronic age is to be realized.  Second, it protects vital national
security interests through an updated framework for encryption export
controls that also recognizes growing demands in the global marketplace for
strong encryption products.   Finally, it is designed to assure that, as
strong encryption proliferates, law enforcement remains able to protect
America and Americans in the physical world and in cyberspace.

 With respect to encryption export controls, the strategy announced
today rests on three principles: a one-time technical review of encryption
products in advance of sale, a streamlined post-export reporting system,
and a process that permits the government to review the exports of strong
encryption to foreign government and military organizations and to nations
of concern.  Consistent with these principles, the government will
significantly update and simplify export controls on encryption.

 The updated guidelines will allow U.S. companies new opportunities to
sell their products to most end users in global markets.  Under this
policy:

?Any encryption commodity or software of any key length may be exported
 under license exception (i.e., without a license), after a technical
 review, to individuals, commercial firms, and other non-government end
 users in any country except for the seven state supporters of
 terrorism.

?Any retail encryption commodities and software of any key length may
 be exported under license exception, after a technical review, to any
 end user in any country, except for the seven state supporters of
 terrorism.

?Streamlined post-export reporting will provide government with an
 understanding of where strong encryption is being exported, while also
 reflecting industry business models and distribution channels.

?Sector definitions and country lists are eliminated.

 The Administration intends to codify this new policy in export
regulations by
December 15, 1999, following consultations on the details with affected
stakeholders.

   In support of public safety, the President is today transmitting to the
Congress legislation that seeks to assure that law enforcement has the
legal tools, personnel, and equipment necessary to investigate crime in an
encrypted world.  Specifically, the Cyberspace Electronic Security Act of
1999 would:

?  Ensure that law enforcement maintains its ability to access decryption
   information stored with third parties, while protecting such information
   from inappropriate release.

?  Authorize $80 million over four years for the FBI?s Technical Support
   Center, which will serve as a centralized technical resource for
   Federal, State, and local law enforcement in responding to the
   increasing use of encryption by criminals.

?  Protect sensitive investigative techniques and industry trade secrets
   from unnecessary disclosure in litigation or criminal trials 

Ah. That's more like it...

[Robert Hettinga]

--- begin forwarded text


Date: 16 Sep 99 15:09:33 EDT
From: ROBERT HARPER [EMAIL PROTECTED]
To: Ignition Point [EMAIL PROTECTED]
Subject: IP: White House changes crypto policy!
Sender: [EMAIL PROTECTED]
Reply-To: ROBERT HARPER [EMAIL PROTECTED]

http://foxnews.com/

White House bows to pressure from high-tech industry over encryption
2.43 p.m. ET (1848 GMT) September 16, 1999

By Ted Bridis, Associated Press


WASHINGTON (AP) - The White House agreed Thursday to allow U.S.
companies to sell the most powerful data-scrambling technology
overseas with virtually no restrictions, a concession to America's
high-tech industry over law enforcement and national security
objections.

The move was a defeat for the Justice Department, which had forcefully
argued that criminals and terrorists might use the technology to
scramble messages about crimes or deadly plots.

On the other hand, the decision should help U.S. companies in overseas
competition - and help consumers worldwide guarantee the privacy of
their e-mail and online credit-card purchases.

Critics of restrictions on export sales said criminals and terrorists
already could buy or download powerful encryption technology made in
other countries.

"Those who are going to misuse encryption for criminal purchases aren't
going to limit themselves to U.S.-made encryption products,'' said
Ed Gillespie, executive director of Americans for Computer Privacy.

The administration will allow high-tech companies to sell even the
most powerful encryption technology overseas to private and commercial
customers after a one-time technical review of their products.

The White House will still require companies to seek permission to
sell the scrambling technology to a foreign government or military,
and it maintains bans on selling to seven terrorist nations: Iran,
Iraq, Libya, Syria, Sudan, North Korea and Cuba.

Previously, the administration allowed companies to sell the most
powerful scrambling technology only to specific industries overseas;
other foreign customers were generally limited to so-called 56-bit
encryption products, meaning those with 72-quadrillion unlocking
combinations.

"This is a sweeping reform,'' said Dan Scheinman, senior vice
president of legal and government affairs at Cisco Systems Inc. "
Imagine you're banking online - you want to make sure those things are
safe from a hacker. You buy things, you want to make sure your credit
card is secure.''

The export limits never directly affected Americans, who are legally
free to use encryption technology of any strength. But U.S. companies
have been reluctant to develop one version of their technology for
domestic use and a weaker overseas version, so they typically sell
only the most powerful type that's legal for export, even to Americans.

"Forcing U.S. companies to do business under tight export controls was
like asking them to use a black rotary telephone in a cellular, call-
waiting world,'' said Harris Miller, president of the Information
Technology Association of America, a trade group.

Critics cited more than 800 products available worldwide with stronger
scrambling technology than the United States allowed its companies to
sell overseas.

"You can pull it down over the Internet in less than 20 minutes,''
said Gillespie. "Having Japanese and German and Irish companies be at
the forefront of this technology is not in our best interests.''

A non-profit group of researchers demonstrated last summer it can
unscramble a 56-bit coded message in just days using a custom-built
computer worth less than $250,000.

The White House announcement follows its decision exactly one year ago
to relax export restrictions. At the time, Vice President Al Gore
promised the administration would reconsider its limits within the
year.


Get free email and a permanent address at http://www.netaddress.com/?N=1

**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Date: Wed, 15 Sep 1999 16:44:49 +0300
Subject: Re: Micro Payments BOF in the next IETF (Nov 99, Wash DC)
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]



This is a reminder (see note below) that we plan to have a Micro 
Payments BOF in
the next IETF. Please let me know if you are interested in presenting;
preference will be given to presentations on the following topics:
Goals of (micro)payment standardization activity in the IETF
Reports on implementations of the W3C Micropayments Markup spec
Reports on open designs which are proposed as basis for potential IETF
standardization.

In particular, I plan to present release 1.3 of IBM Micro Payments, which will
implement W3C Micropayments Markup spec (I'll provide the details to make it
very easy for others to interoperate), as well as open design. On that regard,
I'll describe in details the APIs to allow integration (e.g. OEM) with wallet
UI, merchant server, and legacy billing systems. I also plan to describe the
protocols, although I can't promise to have them in Internet-Draft level of
details (to allow interoperability); we'll do the effort of creating this level
of documentation if there is sufficient interest by others (to implement etc.).

As according to IETF regulations, proposals should describe in advance any
intellectual property they believe somebody may own covering their proposals.
(We believe the only patents or IPR on our design are the classical public key
patents.)

Please forward this note to potential interested parties.

Best Regards,
Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research - Haifa Lab (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL


[EMAIL PROTECTED] on 29/08/99 10:36:30

Please respond to [EMAIL PROTECTED]

To:   Jeffrey Schiller [EMAIL PROTECTED]
cc:   Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED], Jeffrey
   Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED], mpay
   markup@IBMIL, micropay@IBMIL, [EMAIL PROTECTED] (bcc: Amir
   Herzberg/Haifa/IBM)
Subject:  Micro Payments BOF in the next IETF (Nov 99, Wash DC)






Jeff, thanks. Please let me know the slot we got when assigned and I'll
inform the community. For allocation purposes I assume a 2-hour slot unless
will inform us otherwise.

All: as noted below, Jeff Schiller, Security AD in the IETF, and the IESG,
have agreed to hold a micropayments BOF in the next IETF (Nov. 99 in Wash.
DC). The goals of the BOF are:

Report on the W3C `Micro Payments Markup` recommendation which just
entered `last call`. This is the result of the work of the MicroPayments
working group of the W3C (chaired by Mark Manasses from Compaq and
myself). Please notice the last call period will end earlier (I believe
Sept. 30) so people who wish to comment on it are encouraged to do so
using the (open to public) comment mailing list. The draft itself and
other details are available in the W3C web site, www.w3c.org. In the
traditional IETF spirit, reports on implementations (of the
recommendation) would be encouraged.
Explore whether there is need and sufficient interest to define an
interoperable payment protocol suitable (at least) for micropayments,
and if so, decide on the best means (most likely a request for new IETF
WG). To this discussion, presentations by developers as well as
customers and others of opinion are solicited. Please notice that the
IESG has _not_ discussed or approved yet the creation of such a working
group (neither was a request made yet).
If time remains, short reports of developers of micropayment products
may be presented, with the hope that this will eventually lead to more
openness, cooperation and interoperability.

Please notice there is already a mailing list dedicated to this potential
standardization activity, [EMAIL PROTECTED] Please use this list to
comment on the BOF or for relevant discussions even before the physical
BOF. These headers explain everything:

List-Subscribe: mailto:[EMAIL PROTECTED]
List-Unubscribe: mailto:[EMAIL PROTECTED]
List-Digest: mailto:[EMAIL PROTECTED]

However, I suggest that proposals for presentations in the BOF be sent to
me and I'll coordinate it (unless Jeff wants somebody else to do it).

A related note: we try to maintain an updated list of _all_ resources,
vendors, consultants, researches, and others in the `micropayments
community`, we call this the `sub-$ registry` and it is a link off our IBM
Micro Payments homepage http://www.hrl.il.ibm.com/mpay (don't have exact
link now - I'm offline - but it's easy to find). Please let me know if you
need to be added or have better details than what we got now...

Best Regards,
Amir Herzberg
Manager, E-Business and Security Technologies
IBM 

IP: Admin Plans to Loosen Encryption Restrictions

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Tue, 14 Sep 1999 07:55:15 -0500
To: [EMAIL PROTECTED]
Subject: IP: Admin Plans to Loosen Encryption Restrictions
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Status: U

Source:  New York Times
http://www.nytimes.com/library/tech/99/09/cyber/capital/14capital.html

September 14, 1999

By JERI CLAUSING

Administration Plans to Loosen Encryption Restrictions

WASHINGTON -- The Clinton Administration, facing mounting
pressure to eliminate controls on the export of encryption
technology, is preparing to announce a further loosening of the
controversial restrictions.

The planned changes come on the heels of a report from a special
presidential advisory committee recommending the White House
abandon nearly all export controls on software that protects Internet
communications.

They also come as the House is preparing
to debate a bill that would lift most controls
on the export of products intended to keep
computer communications and transactions
secure.

William Reinsch, the Undersecretary of
Commerce and President Clinton's point
man on encryption policy, declined to
comment on the upcoming announcement
or the advisory committee's report, which
has not been made public. But he said the
Administration's new policy would be
announced by September 16. The changes, he said, are the "result of our
own policy review," although he did acknowledge that the advisory
commission report "was valuable input into that."

That upcoming policy change comes exactly one year after Vice
President Al Gore first announced the Administration was lifting controls
on the export of strong encryption to certain business sectors, like banks
and insurance companies, and was providing limited export relief for
mass market products.

At the time, Gore promised the Administration would review the controls
again within a year. Since then, the Administration has come under
continued pressure to move even further, both from Congress and the
President's encryption advisory panel.

In June, the President's Export Council Subcommittee on Encryption sent
the White House a report recommending the Administration loosen its
restrictions on encryption technology to allow for the export of consumer
products based on a 128-bit key. That is significantly stronger than the
current limit on encryption products exempt from control.

The report also recommended allowing the export of a broad range of
encryption products to online merchants who need powerful security
systems to do business; eliminating approval requirements on exports to
countries that "do not present a significant national security concern," and
giving preferential treatment to exports aimed at utilities,
telecommunications companies and other infrastructure sectors at risk of
hacking attacks.

White House and Commerce Department officials are keeping quiet
about how far the policy changes will go. But if the changes reflect
recommendations made in the advisory panel's report, it would move the
Administration much closer to ending its years-long battle with the
high-tech industry. Technology executives say they are losing their lead to
companies in countries without export restrictions.

  The Administration has resisted calls
  to eliminate the restrictions because
  of strong opposition from the Federal
  Bureau of Investigation and other law
  enforcement agencies. Those groups
  have been pushing tying any easing of
  export restrictions to mandates that
  software developers develop "spare
  keys" so law officers can easily
  unlock scrambled data and
communications when they suspect a crime is being committed.

Stewart Baker, a member of the advisory panel and former counsel to
the National Security Agency, characterized the committee's report as
"the most sweeping set of liberalizations that have ever been
recommended by a government advisory body."

Although some who have been fighting the Administration's export
controls doubt the planned changes will go far enough to effect a truce
with House and Senate leaders pushing legislation to eliminate export
controls entirely, Baker said he remained optimistic that substantial
revisions would still be made.

"I think it's in play," said Baker. "There's still some possibility that
this will
turn out to be a smaller package than some might hope, but it's still
open."

Ed Gillespie, executive director of Americans for Computer Privacy, a
coalition of high-tech and civil libertarian groups that have for years been
pushing for an elimination of all export controls on data-scrambling
technology, said adoption of the advisory committee report by the White
House would be significant.

"But we don't know what to expect at this point. We're watching like
everyone else," he said. "If it's good, great. If not, we'll continue to
advocate change."

This week:

A special task force appointed by Congress to study Internet tax issues
will hold its second meeting. The Advisory Commission on 

Encrypto Mailing List

[Robert Hettinga]

--- begin forwarded text


From: online-e [EMAIL PROTECTED]
To: online-e [EMAIL PROTECTED]
Subject: Encrypto Mailing List
Date: Mon, 6 Sep 1999 15:24:34 -0500
Originator: [EMAIL PROTECTED]

__ Online Europe ___




From: Thomas Roessler [EMAIL PROTECTED]
Subject: Encrypto Mailing List

A new mailing list, [EMAIL PROTECTED], has been established.
It's intended for discussions of crypto politics with a focus on
the European Union.

Topics include:

- Announcements and discussions on common European issues
   concerning availability, use, legal framework and politics of
   cryptographic techniques.
 
- Announcements and discussions on common issues concerning
   communications interception and related topics, e.g.
   state-sponsored hacking of communication end points.
 
- Announcements and brief discussions on national issues which may
   be of interest abroad.  Extensive and in-depth discussions on
   such topics should be performed on respective national mailing
   lists such as [EMAIL PROTECTED] (for the UK), or
   [EMAIL PROTECTED] (for Germany).
 
- Announcements and discussions on joint initiatives and campaigns
   concerning any of the abovementioned topics.
 
To subscribe to the list, send an e-mail containing the words
"subscribe eucrypto" to [EMAIL PROTECTED].



--- SPONSOR'S MESSAGE ---

24/7 Europe provides European Web Sites  with focused advertising
and sponsorship sales, locally, regionally and globally.

With 14 offices in 12 European markets, and through 24/7
affiliates in the US, Asia Pacific and Latin America, we provide
the one-stop solution that links Europe's online markets to the
rest of the World.

http://www.247europe.com



   If you find Online Europe useful, please forward this
   message to a friend or colleague. It's the easiest way you
   can contribute to increasing the value of this forum.

   To subscribe: mailto:[EMAIL PROTECTED]

   For information about Online Europe sponsorship,
   please contact Steven Carlson at mailto:[EMAIL PROTECTED]


   Online Europe is proudly hosted by Revnet Express. To
   learn more about how hosted email marketing can increase
   sales, build customer loyalty and strengthen brand
   awareness, please contact Lorraine Pieterse at:
   mailto:[EMAIL PROTECTED]


   To unsubscribe, mailto:[EMAIL PROTECTED] or ask the
   moderator for assistance at mailto:[EMAIL PROTECTED].

__  End of Online Europe Digest 

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

[PGP]: Bruce Schneier weighs in

[Robert Hettinga]

--- begin forwarded text


Mailing-List: contact [EMAIL PROTECTED]; run by 
ezmlm-idx-0.40(alpha)
Reply-To: [EMAIL PROTECTED]
From: "grt" [EMAIL PROTECTED]
Organization: ...
To: [EMAIL PROTECTED]
Date: Sat, 4 Sep 1999 09:24:02 -0400
CC: [EMAIL PROTECTED]
Priority: normal
Subject: [PGP]: Bruce Schneier weighs in

FYI

 from: sci.crypt
 subject: NSA and MS windows

 A few months ago in my newsletter Crypto-Gram, I talked about
 Microsoft's system for digitally signing cryptography suits that go
 into its operating system.  The point is that only approved crypto
 suites can be used, which makes thing like export control easier.
 Annoying as it is, this is the current marketplace.

 Microsoft has two keys, a primary and a spare.  The Crypto-Gram
 article talked about attacks based on the fact that a crypto suite
 is considered signed if it is signed by EITHER key, and that there
 is no mechanism for transitioning from the primary key to the
 backup.  It's stupid cryptography, but the sort of thing you'd
 expect out of Microsoft.

 Suddenly there's a flurry of press activity because someone notices
 that the second key is called "NSAKEY" in the code.  Ah ha!  The NSA
 can sign crypto suites.  They can use this ability to drop a
 Trojaned crypto suite into your computers.  Or so the conspiracy
 theory goes.

 I don't buy it.

 First, if the NSA wanted to compromise Microsoft's Crypto API, it
 would be much easier to either 1) convince MS to tell them the
 secret key for MS's signature key, 2) get MS to sign an
 NSA-compromised module, 3) install a module other than Crypto API to
 break the encryption (no other modules need signatures).  It's
 always easier to break good encryption.

 Second, NSA doesn't need a key to compromise security in Windows.
 Programs like Back Orifice can do it without any keys.  Attacking
 the Crypto API still requires that the victim run an executable
 (even a Word macro) on his computer.  If you can convince a victim
 to run an untrusted macro, there are a zillion smarter ways to
 compromise security.

 Third, why in the world would anyone call a secret NSA key "NSAKEY."
 Lots of people have access to source code within Microsoft; a
 conspiracy like this would only be known by a few people.  Anyone
 with a debugger could have found this "NSAKEY."  If this is a covert
 mechanism, it's not very covert.

 I see two possibilities.  One, that the backup key is just as
 Microsoft says, a backup key.  It's called "NSAKEY" for some dumb
 reason, and that's that.

 Two, that it is actually an NSA key.  If the NSA is going to use
 Microsoft products for classified traffic, they're going to install
 their own cryptography.  They're not going to want to show it to
 anyone, not even Microsoft.  They are going to want to sign their
 own modules.  So the backup key could also be an NSA internal key,
 so that they could install strong cryptography on Microsoft products
 for their own internal use.

 But it's not an NSA key so they can secretly install weak
 cryptography on the unsuspecting masses.  There are just too many
 smarter things they can do to the unsuspecting masses.

 My original article:
 http://www.counterpane.com/crypto-gram-9904.html#certificates

 Announcement:
 http://www.cryptonym.com/hottopics/msft-nsa.html

 Nice analysis:
 http://ntbugtraq.ntadvice.com/default.asp?sid=1pid=47aid=52

 Useful news article:
 http://www.wired.com/news/news/technology/story/21577.html
 
 ** Bruce Schneier, President, Counterpane SystemsPhone:
 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN  55419
 Fax: 612-823-1590   Free crypto newsletter.  See:
 http://www.counterpane.com


-
To retrieve this thread, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT send administrative requests/command to the list! Thanks.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More details on Operation Broken Glass

[Robert Hettinga]

Looks like last night was a kind of crypto-Kristallnacht, ja?

Cheers,
RAH
(Who's not too shameless to plug FC00, here, in light of the Nicko 
and Adi's URL, below)
--- begin forwarded text


Date: Fri, 3 Sep 1999 10:03:57 -0700
Reply-To: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
Sender: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
From: Greg Broiles [EMAIL PROTECTED]
Subject:  Re: Warning about Installation of Software -- Don't be fooled by
   NSA
To: [EMAIL PROTECTED]

At 09:33 AM 9/3/99 , David Lesher wrote:
  and I respectfully ask all the smart computer-savvy folks who read this
  message to check out this rumor and confirm whether it is a hoax, or
 whether
  it is for real.  Your imput and wisdom is greatly appreciated.

But note that the meat of the story requires you do no such thing.

(More importantly, I can not see his claimed Crypto 99 rump session
talk on the schedule)

I spoke with a friend last night who attended the rump session at Crypto,
who confirmed that the talk was given.

The existence of the second key was discovered by a crypto researcher who
had the insight that looking inside the executable for areas of unusually
high entropy might prove revealing - he found two such areas, each1024 bits
long (exactly the length of the Crypto API public key), where the design of
Crypto API would only have required one .. leading to further investigation
and disassembly of the code.

One approach to independent verification would be to repeat the initial
investigation - look through the RSABASE.DLL file in your \WINDOWS\SYSTEM
directory looking for relatively high-entropy sequences. A paper describing
this technique is available at
http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf, and C
code purporting to implement that seach is available at
http://www.hedonism.demon.co.uk/paul/download/ncheck.c.


--
Greg Broiles
[EMAIL PROTECTED]
PGP: 0x26E4488C

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: [dc-sage] Microsoft, the NSA, and you... (fwd)

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 3 Sep 1999 16:32:38 -0400
Reply-To: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
Sender: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
From: David Lesher [EMAIL PROTECTED]
Subject:  Re: [dc-sage] Microsoft, the NSA, and you... (fwd)
To: [EMAIL PROTECTED]

This is long and nerdy, but think it's worthwhile.

Bugtraq, in general, is a place real security types hang out,
although I can't speak re: Ross (As I don't claim to know more
than a few crypto types; draw no conclusion from that.) I'll
assume NTBugtraq is similar.

Here's the NTBUGTRAQ post
==

From [EMAIL PROTECTED] Fri Sep  3 16:01:34 1999
Date: Fri, 3 Sep 1999 15:57:43 -0400
From: Russ [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Alert: CryptoAPI and _NSAKey issue


-BEGIN PGP SIGNED MESSAGE-

This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp

Whoa horsie...

I had a long chat with Andrew Fernandes this morning, as well as
another chat with others, and of course I've had a ton of messages
sent my way with various links to various stories about the issue.

I wanted to get a few things straight before I sent this message, but
given how quickly things are spreading it makes sent to send something
interim.

Ok, so here's what I can tell you.

1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA
is based on;

a) The variable is called "NSA".

b) Its a second key, not known to exist in Windows previously.

c) What possible purpose would a second key serve?

d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on
his website at http://www.cryptonym.com/hottopics/msft-nsa.html,
I'll elaborate more later.

2. Sources close to Microsoft say that the key is a "Backup" key. It
is owned by Microsoft, and only Microsoft have the private key to it.
The key was named "_NSAKEY" because the NSA insisted that Microsoft
include a backup key in their CryptoAPI before the Commerce Department
would approve its inclusion in NT 4.0.

Editorial
- -

There's a bunch of somewhat understandable furor going on over the
idea that the NSA might have a backdoor to Windows. Unfortunately,
however, all of this is based on a variable name. Anyone who programs
knows that variables might get named anything for a variety of
reasons. One would expect that they would be named descriptively, but
alas, not everyone follows such stringent conventions (can you spell
"Easter Egg"?).

The Conspiracy Theorist's theory goes;
- -

- - The NSA has a signing key on your box.

- - The NSA can implant a Trojan to replace the module which performs
encryption on your box with one that doesn't perform encryption, and
because the failure of signature verification against Microsoft's key
is silent, they can get their trojan'd app up and running without you
being any the wiser.

- - The NSA can then sniff your traffic, now being conducted in
plain-text.

There's obviously a ton of variations possible on this theory, they
take your private key, they replace your key with another, etc...

They only have to get a Trojan to you and get you to run it, and as
those same Conspiracy Theorists always say, speculationthere's
likely bugs in the OS designed to allow them to do
this.../speculation

Yeah, could be true.

My take from Microsoft's Perspective;
- 

- - We want to have one build of our products that simultaneously
supports weak or strong encryption functionality.

- - We want to be able to ship this one product world-wide, changing as
few bits as possible for those that are being shipped outside the U.S.
and Canada.

- - We'll build an API (good, bad, or otherwise) that allows the
controlled bits to be inserted into an infrastructure, then get the
infrastructure approved, and all will be good.

- - Commerce (with advice from lots of people including the NSA),
agrees, and tells Microsoft they have to sign everything that can use
the infrastructure. That way, Microsoft can ship its product anywhere,
and Commerce will know that only those products that have been signed
by Microsoft will be able to run on the OS.

- - You want to build a Cryptographic Service Provider (CSP), the module
that performs the encryption, you gotta get Microsoft to sign it for
it to run. Microsoft doesn't sign anything that doesn't have the
appropriate Commerce Department Export approvals first.

Wonderful, life's good, Microsoft doesn't have to manage multiple
versions based on Crypto-strength, folks can implement whatever crypto
they want (assuming its Commerce approved).

Oh, the second key, I almost forgot;
- ---

I'm told the NSA insisted there had to be a backup. No explanation as
to why yet, that's what I've been told. One theory that made a lot of
sense to me was the simple idea of;

What happens if 

Policy page redux?

[Robert Hettinga]

Shades of the plaintext-embedded-in-the-executable Netscape "policy page"?

Or is it just more stupid Microsoft crypto programming?

Father Occam prefers the latter, but you never know...

Cheers,
RAH

--- begin forwarded text


Date: Fri, 3 Sep 1999 15:34:04 -0300
Reply-To: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
Sender: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
From: "Peter D. Junger" [EMAIL PROTECTED]
Subject:  Re: FW: Warning about Installation of Software -- Don't be fooled
   by NSA Rumors
To: [EMAIL PROTECTED]
Status: U

Mark Shea writes:

: There is a discussion of this issue at
: http://www.slashdot.org/articles/99/09/03/0940241.shtml
: http://www.slashdot.org/articles/99/09/03/0940241.shtml  today. One of the
: more informed and thoughtful posts (IMHO) was from a Windows coder who has
: been working with this API for over a year. His/her comments can be seen at
: http://www.slashdot.org/comments.pl?sid=99/09/03/0940241
: http://www.slashdot.org/comments.pl?sid=99/09/03/0940241cid=56 cid=56 .
: I recommend, however, you take a look at the whole discussion. It is fairly
: lively.

I always get lost on /. but I was able to read some of the messages and
some of the original material posted on the Internet.

Apparently this bit of stupidity is more of an opportunity than a threat.

As I understand it, the various versions of MSWindows include a Crypto
Applications Program Interface---I don't really know about this, being
much to snobbish to use Microsoft products---where one can plug in
encryption modules.  But the government would not let Microsoft export
its Windows systems with this API unless it was crippled so that one
could not plug in strong crypto.  So the solution was to require that
any crypto software installed on a MSWindows machine had to be signed by
Microsoft using a public key.  (I'm not quite sure of the type of key that
was used.)  So this crypto API contains a key that can be used to make
sure that Microsoft has signed an appplication, and if an application
is strong crypto it won't be signed by Microsoft and thus will not run
under MSWindows.

If you remove this Microsoft key from your Windows box, then you can't
run any crypto applications (that use the crypto API).

But now it turns out that some genius added a second key, called
apparently the NSAKEY, to the API and that a crypto apllication will
run if it is signed by either of the keys.  You can remove the NSAKEY
and anything signed by Microsoft will still run, but programs signed by
NSA won't run (unless, I guess, they are also signed by Microsoft).

And---and this is the good part---you can not only remove the NSAKEY,
you can replace it with your own key, and then run any crypto applications
programs that you want, no matter how strong!

This effectively allows one to ignore the export controls on crypto
applications that run on MSWindows.

At least that is my understanding.

If I am right, the question becomes whether the replacable second key
is the result of stupidity---or of sabotage.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
  EMAIL: [EMAIL PROTECTED]URL:  http://samsara.law.cwru.edu
 NOTE: [EMAIL PROTECTED] no longer exists

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Microsoft Letting Government Snoop

[Robert Hettinga]

--- begin forwarded text


From: "Dan S" [EMAIL PROTECTED]
To: "isml" [EMAIL PROTECTED]
Subject: IP: Microsoft Letting Government Snoop
Date: Fri, 3 Sep 1999 20:33:46 -0400
Sender: [EMAIL PROTECTED]
Reply-To: "Dan S" [EMAIL PROTECTED]

From http://www.news-real.com/apnews/19990903/21/01/5687004_st.html
-
Microsoft Letting Government Snoop
Associated Press

  WASHINGTON (AP) -- [ Microsoft Corp. ] sought to assure consumers Friday
that it did not insert a secret backdoor in its popular Windows software to
allow the U.S. government to snoop on their sensitive computer data.

The sensational charge of a quiet alliance between Microsoft and the U.S.
National Security Agency came after a Canadian programmer stumbled across an
obscure digital "signing key" that had been labeled the "NSA key" in the
latest version of Microsoft's business-level Windows NT software.

An organization with such a signature key accepted by Windows could
theoretically load software to make it easier to look at sensitive data --
such as e-mail or financial records -- that had been scrambled. The flaw
would affect almost any version of Windows, the software that runs most of
the world's personal computers.

Microsoft forcefully denied that it gave any government agency such a key,
and explained that it called its function an "NSA key" because that federal
agency reviews technical details for the export of powerful data-scrambling
software.

"These are just used to ensure that we're compliant with U.S. export
regulations," said Scott Culp, Microsoft's security manager for its Windows
NT Server software. "We have not shared the private keys. We do not share
our keys."

The claim against Microsoft, originally leveled by security consultant
Andrew Fernandes of Ontario on his Web site, spread quickly in e-mail and
discussion groups across the Internet, especially in those corners of
cyberspace where Microsoft and the federal government are often criticized.

Culp called Fernandes' claims "completely false."

An NSA spokesman declined immediate comment.

Bruce Schneier, a cryptography expert, said the claim by Fernandes "makes no
sense" because a government agency as sophisticated as the NSA doesn't need
Microsoft's help to unscramble sensitive computer information.

"That it allows the NSA to load unauthorized security services, compromise
your operating system -- that's nonsense," said Schneier, who runs
Counterpane Internet Security Inc. "The NSA can already do that, and it has
nothing to do with this."

Fernandes, who runs a small consulting firm in Canada, said he found the
suspiciously named "NSA key" -- along with another key for Microsoft --
while examining the software code within the latest version of Windows NT.

The existence of the second key was discovered earlier by other
cryptographers, but Fernandes was the first to find its official name and
theorize about its purpose.

"That (the U.S. government) has ... installed a cryptographic back door in
the world's most abundant operating system should send a strong message to
foreign (information technology) managers," he warned on his Web site.

But Fernandes seemed less worried Friday in a telephone interview.

"I don't know that they have reason to lie," he said. "The main point is,
you can't really trust what they're saying. They've been caught with their
hand in the cookie jar. In fact, I think they're being fairly honest, but
you don't know what else is in Windows."

Publication Date: September 03, 1999
Powered by NewsReal's IndustryWatch

--
Dan S



**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

FC: Progressive Policy Institute forum in DC on September 13

[Robert Hettinga]

--- begin forwarded text


Date: Wed, 01 Sep 1999 16:01:33 -0400
To: [EMAIL PROTECTED]
From: Declan McCullagh [EMAIL PROTECTED]
Subject: FC: Progressive Policy Institute forum in DC on September 13
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Date: Wed, 01 Sep 1999 15:54:35 -0400
From: Randolph Court [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Policy makers and high-tech execs to meet in DC

Declan - Please post this conference announcement to the politech mailing
list.

The Progressive Policy Institute's New Economy Task Force will host a
public forum on the policy implications of the information technology
revolution and the New Economy on Monday September 13 at the Ronald Reagan
International Trade Building in Washington, DC.

The Task Force is made up of 50 leading elected officials and New Economy
entrepreneurs, including Senators Jeff Bingaman, Joe Lieberman, and Ron
Wyden; Representatives Cal Dooley, Zoe Lofgren, and Adam Smith; America
Online CTO Marc Andreesen, Intuit founder Scott Cook, Nanogen President and
COO Tina Nova, and WebTV Co-founder Steve Pearlman.

Co-chairmen Senate Democratic Leader Tom Daschle and Gateway CEO Ted
Waitt, along with more than 20 other Task Force members will be attending
the event on the 13th, where the group will release and discuss a new
framing declaration: "Rules of the Road: Governing Principles for the New
Economy."

- AGENDA -

Monday, September 13, 1999

10:00 am - Public Program Begins

10:00 - 10:10 - Welcome/Overview: Will Marshall, PPI President

10:10 - 10:40 - Opening Remarks:
 Task Force Co-Chairs, Sen. Tom Daschle (SD) and Gateway CEO Ted Waitt

10:40 - Noon - Panel Discussion: "Rules of the Road: Governing Principles
for the New Economy."
 Task Force members will present and discuss the 10 "Rules of the
Road" for governing in the New Economy.

Noon - 1:30 pm - Luncheon Discussion: "Ensuring Digital Opportunity"
 As the digital economy emerges, a key issue is ensuring that all
Americans can use and benefit from these potentially empowering technologies.

1:30 - 3:00 - Panel Discussion: "Internet Policy: New Approaches for a New
Medium."
 The digital revolution is changing the underlying rules of commerce
and raising a host of policy issues, from encryption and privacy to
sovereignty and governmental jurisdiction. This panel will discuss the
extent to which the unique nature of the Internet both enables and requires
new policy frameworks.  Task Force members will be joined by two leading
thinkers on e-commerce policy:
 - Thomas P. Vartanian, who leads the Financial Institutions
Transactions and E-Commerce Practice of the Washington law firm Fried,
Frank, Harris, Shriver  Jacobson
 - Christine Varney, Partner, Internet Practice Group, Hogan 
Hartson; former Commissioner, Federal Trade Commission.

For more information, please call PPI at 202-547-0001, or go to
http://www.dlcppi.org/ppi/tech/events/99conf_home.htm

 


--
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to [EMAIL PROTECTED] with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Micro Payments BOF in the next IETF (Nov 99, Wash DC)

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
To: Jeffrey Schiller [EMAIL PROTECTED]
cc: Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED],
 Jeffrey Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Sun, 29 Aug 1999 10:36:30 +0300
Subject: Micro Payments BOF in the next IETF (Nov 99, Wash DC)
Reply-To: "Micropayments List" [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]



Jeff, thanks. Please let me know the slot we got when assigned and I'll
inform the community. For allocation purposes I assume a 2-hour slot unless
will inform us otherwise.

All: as noted below, Jeff Schiller, Security AD in the IETF, and the IESG,
have agreed to hold a micropayments BOF in the next IETF (Nov. 99 in Wash.
DC). The goals of the BOF are:

Report on the W3C `Micro Payments Markup` recommendation which just
entered `last call`. This is the result of the work of the MicroPayments
working group of the W3C (chaired by Mark Manasses from Compaq and
myself). Please notice the last call period will end earlier (I believe
Sept. 30) so people who wish to comment on it are encouraged to do so
using the (open to public) comment mailing list. The draft itself and
other details are available in the W3C web site, www.w3c.org. In the
traditional IETF spirit, reports on implementations (of the
recommendation) would be encouraged.
Explore whether there is need and sufficient interest to define an
interoperable payment protocol suitable (at least) for micropayments,
and if so, decide on the best means (most likely a request for new IETF
WG). To this discussion, presentations by developers as well as
customers and others of opinion are solicited. Please notice that the
IESG has _not_ discussed or approved yet the creation of such a working
group (neither was a request made yet).
If time remains, short reports of developers of micropayment products
may be presented, with the hope that this will eventually lead to more
openness, cooperation and interoperability.

Please notice there is already a mailing list dedicated to this potential
standardization activity, [EMAIL PROTECTED] Please use this list to
comment on the BOF or for relevant discussions even before the physical
BOF. These headers explain everything:

List-Subscribe: mailto:[EMAIL PROTECTED]
List-Unubscribe: mailto:[EMAIL PROTECTED]
List-Digest: mailto:[EMAIL PROTECTED]

However, I suggest that proposals for presentations in the BOF be sent to
me and I'll coordinate it (unless Jeff wants somebody else to do it).

A related note: we try to maintain an updated list of _all_ resources,
vendors, consultants, researches, and others in the `micropayments
community`, we call this the `sub-$ registry` and it is a link off our IBM
Micro Payments homepage http://www.hrl.il.ibm.com/mpay (don't have exact
link now - I'm offline - but it's easy to find). Please let me know if you
need to be added or have better details than what we got now...

Best Regards,
Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research - Haifa Lab (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL


Jeffrey Schiller [EMAIL PROTECTED] on 26/08/99 19:32:06

Please respond to Jeffrey Schiller [EMAIL PROTECTED]

To:   Amir Herzberg/Haifa/IBM@IBMIL
cc:   Keith Moore [EMAIL PROTECTED], Patrik Faltstrom [EMAIL PROTECTED],
   Jeffrey Schiller [EMAIL PROTECTED], Marcus Leech [EMAIL PROTECTED], mpay
   markup@IBMIL
Subject:  Re: Request for a Micro Payments BOF in the next IETF (Nov 99,
   Wash DC)





We discussed this on the IESG telechat this morning and we agreed that
we will host this BOF in the security area. This is not a commitment
on the part of the IETF to necessarily form a working group. However a
BOF makes good sense at this time.

 -Jeff

 Original Message 

On 8/25/99, 3:14:48 PM, [EMAIL PROTECTED] wrote regarding
Request for a Micro Payments BOF in the next IETF (Nov 99, Wash DC):


 Dear all,

 I'm chairing the W3C Working Group on Micro Payments. We now move to
`last
 call` a recommendation on Micro Payments markup. There is also
interest,
 among the W3C WG participants and others, to proceed to define an
 interoperable protocol. Would you agree to allocate a BOF slot at the
next
 IETF for us to report on our results and to gauge the level of
interest in
 such follow-up work for interoperable payment protocol? If there will
be
 interest, we'll see where this activity belongs - possibly another
W3C/IETF
 cooperation.

 Best Regards,
 Amir Herzberg
 Manager, E-Business and Security Technologies
 IBM Research - Haifa Lab (Tel Aviv Office)
 http://www.hrl.il.ibm.com
 New e-mail: [EMAIL PROTECTED]
 New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

--- end 

IP: USA Today.com on PECSNEC recommendations.

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 27 Aug 1999 12:45:47 -0400
To: [EMAIL PROTECTED]
From: David Farber [EMAIL PROTECTED]
Subject: IP: USA Today.com on PECSNEC recommendations.
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

From: "Rodger, William" [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: USA Today.com on PECSNEC recommendations.
Date: Fri, 27 Aug 1999 12:38:41 -0400

From:

http://www.usatoday.com/life/cyber/tech/ctf944.htm


White House panel: Export crypto, not jobs

By Will Rodger, USATODAY.com

A presidential advisory group is recommending the White House abandon nearly
all export controls on hardware and software vital to assuring the privacy
of Internet users, group members tell USATODAY.com.

The advice from the panel, officially known as the President's Export
Council Subcommittee on Encryption, flies in the face of a Clinton
Administration policy that has drawn fire from civil libertarians and
industry alike. That rancorous debate between the two sides now seems likely
to intensify as the White House's own group of advisers tells it to change
course.

and

 http://www.usatoday.com/life/cyber/tech/ctf958.htm

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Press release re Digicash asset sale

[Robert Hettinga]

--- begin forwarded text


Date: Wed, 25 Aug 1999 16:17:12 -0700
To: [EMAIL PROTECTED]
From: John Muller [EMAIL PROTECTED]
Subject: Press release re Digicash asset sale
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]

I don't recall seeing this on the list:

PRESS RELEASE August 17, 1999, Seattle, Washington, USA
eCash Acquires Technologies from DigiCash

eCash Technologies, Inc., based in Seattle, Washington, is pleased to
announce its acquisition of the technologies of DigiCash Inc. These
technologies include the patented "blind signature" encryption scheme that
is the only known method of providing electronic cash on the Internet.

eCash Technologies designs, develops and markets Internet payment software
products that facilitate e-commerce. One of these products is ™ which
incorporates the blind signature encryption into user-friendly software. ™
may be used to make purchases on the Internet in any denomination which are
secure, private, non-counterfeitable and non-repudiable. ™ is the only
virtual equivalent to hard currency and is being used by a growing number
of multi-national banks and Internet merchants.

eCash Technologies is committed to fostering open e-commerce standards and
is currently receiving requests to license its various technologies.
Interested parties should send licensing inquiries to
[EMAIL PROTECTED] Please direct all non-licensing inquiries
to [EMAIL PROTECTED]

The investors in eCash Technologies include Ruloff Capital of Vancouver,
Canada, August Capital of Menlo Park, California, Applied Technology of
Boston, Massachusetts, and Gilde IT-Fund of The Netherlands. August
Capital, Applied Technology and Gilde IT-Fund were shareholders of DigiCash
and have carried their interests over to eCash Technologies.

All trade marks are owned by eCash Technologies, Inc.

http://www.ecashtechnologies.com


 
 

 
John Muller
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"Just because it's simple doesn't mean it's easy"

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

New Clinton Anti-Privacy Czar? (was Re: NewsScan Daily, 24August 1999 (Above The Fold))

[Robert Hettinga]

At 7:43 AM -0700 on 8/24/99, NewsScan wrote:


 CLINTON ADMINISTRATION APPOINTS NEW E-COMMERCE ADVISOR
 The Clinton Administration has appointed Elizabeth Echols to a new White
 House post that will coordinate e-commerce issues.  The Electronic Commerce
 Working Group, which will be headed up by Echols, will focus its initial
 efforts on resolving the complex debate over broadband Internet access.
 Echols also plans to target consumer protections online and creating a
 global e-commerce framework.  "My job is really to coordinate the numerous
 agencies that are involved," says Echols.  "There are at least 12 federal
 agencies that are working in electronic commerce.  The idea is to have one
 central place at the White House where we can work together and shape one
 Administration policy."  (Cybertimes/New York Times 24 Aug 99)
 http://www.nytimes.com/library/tech/99/08/cyber/capital/24capital.html

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Latest in computer security revealed

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Mon, 16 Aug 1999 13:34:55 -0500
To: [EMAIL PROTECTED]
Subject: IP: Latest in computer security revealed
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  EurekAlert!
http://www.eurekalert.org/releases/wpi-lic081699.html

FOR IMMEDIATE RELEASE: 16 AUGUST 1999

  Contact: Arlie Corday
  [EMAIL PROTECTED]
  508-831-6085
  Worcester Polytechnic Institute

  Latest in computer security revealed at WPI international workshop

  More than 180 computer security experts, half of whom traveled from
outside the United States, converged on Worcester Polytechnic Institute for
the 1999 Workshop on Cryptographic Hardware and Embedded Systems (CHES),
Aug. 12-13. The popular workshop provided a forum for real-world system and
design issues.

  Conference organizers Cetin Koc of Oregon State University and Christof
Paar of WPI point out that many consumer products are gaining computer-like
capabilities. E-commerce and other electronic communications demand that
sensitive data, such as credit card numbers, must be protected from prying
eyes. The tool for protecting information, called cryptography, will be
required in these products, using embedded systems that offer relatively
little computational power.

  The challenge of adding cryptography to hardware devices and embedded
systems led to the development of the WPI workshop. In its inaugural year,
international experts presented new results on efficient implementation of
cryptographic algorithms and attacks, as well as other practical issues in
system design such as random number generation.

  Among the highlights of the conference was a talk by Adi Shamir, a
co-inventor of the RSA code used to protect e-commerce. Shamir called the
security of the world's leading web browsers into question with a new fast
factoring attack.

  The most eagerly awaited contribution to CHES involved not only a fast way
to make a code, but also a fast way to break one. The RSA public-key
cryptosystem, which is widely used in web browsers such as Netscape
Communicator and Microsoft Internet Explorer, is based on the problem of
factoring large numbers. It is an acronym based on its inventors
(Rivest-Shamir-Adleman).

  Fortunately for consumers and businesses, up until now, factoring
algorithms have been slow and memory intensive processes. But at the
workshop, Shamir, from Israel's Weizmann Institute of Science, shed light
on an ingenious way to speed up part of a factoring computation known as
sieving. A sieve procedure consists of repeatedly running through a long
list of numbers and finding which small integers divide those in the list.
Using optoelectronics, Shamir's new device, called TWINKLE, offers a
500-1000 times speedup over the fastest workstations on the market in this
crucial stage of factoring. This development has grave implications for
electronic commerce: Due to U.S. export laws, the strongest exportable
public-key systems are restricted to 512 bits. If and when the device is
actually built, these systems can be easily broken. The systems, Shamir
pointed out, "protect 95 percent of today's e-commerce on the Internet,"
and thus render them "very vulnerable."

  Brian Snow of the U.S. National Security Agency emphasized the need for
more research in assurance technolgy.

  "The scene I see is products and services sufficiently robust to counter
many, but not all, of the 'hacker' attacks we hear so much about today, but
not adequate against the more serious but real attacks mounted by economic
adversaries and nation states," Snow noted. "We will be in a truly
dangerous stance: We will think we are secure, and act accordingly, when in
fact we are not secure."

  Experts continue to search for answers to computer security. Another
development at CHES involved improved methods for generating random
numbers. Nearly all real-world cryptosystems need random numbers.
Unfortunately, this is an extremely difficult problem, since computers are
designed to be completely predictable.

  At CHES, scientists from Italy's Ugo Bordoni Foundation offered a
cost-effective idea based on sampling noisy semiconductor junctions.
Normally in circuit design, engineers try to reduce noise. However, by
building noisy circuits on purpose, one can use the noise as a source of
random numbers. In addition, researchers from Bell Labs Innovations
provided a variety of new, practical techniques including one based on
chaos theory, which appears to be particularly cost-efficient.

  Of course, efficiency of performance is just as crucial as cost. Sandia
National Labs researchers presented a design for a new computer chip that
can encrypt up to 10 gigabits of data per second, satisfying all but the
most demanding of applications. In addition, one can use three of the chips
together to handle Triple-DES encryption with no loss of performance. The
DES, or Data Encryption Standard, algorithm is the most widely used bulk
encryption method, 

ElGamal, Barnes, Callas, Parekh, etc., take over Packet Storm?

[Robert Hettinga]

At 2:00 PM -0400 on 8/17/99, [EMAIL PROTECTED] wrote:


 Title: Security Firm to Revive Computer-Defense Site
 Resource Type: News Article
 Date: August 17, 1999
 Source: NYT (Free Registration Required)
 Author: PETER WAYNER
 Keywords: KROLL-O'GARA,PACKET STORM,WEBSITE TAKEOVER,HACKERS

 Abstract/Summary:
 Kroll-O'Gara, the international security consulting firm, said Monday
 it would take over an Internet site that not only posted information
 about defending computer systems against attacks but also told
 how to break into them.

 In the shadowy world of hackers and crackers, it is often hard
 to tell the good guys from the bad. Computer-security experts frequently
 test systems by breaking into them, and the site, Packet Storm,
 posted descriptions of those break-ins.

 Kroll-O'Gara's computer security unit, Securify, which declined to
 discuss financial terms of its acquisition, said it planned to
 maintain the site's tradition of high-quality information as a way to
 market its services. But Kroll-O'Gara executives said that it would
 rid the site of its more contentious publications.

 Original URL: 
http://www.nytimes.com/library/tech/99/08/biztech/articles/17secure.ht 
ml

 Added: Tue  Aug  17 9:15:18 -040 1999
 Contributed by: David Dillard

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Nonrepudiation and what to do about it (Jueneman - FW)

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 20 Aug 1999 02:27:15 -0400
Reply-To: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
Sender: Law  Policy of Computer Communications 
[EMAIL PROTECTED]
From: Vin McLellan [EMAIL PROTECTED]
Subject:  Nonrepudiation and what to do about it (Jueneman - FW)
To: [EMAIL PROTECTED]
Status: U

 This is an excerpt -- a "history lesson" -- from a 8/19/99 proposal
by cryptographer, network security architect, and PKI guru Bob Jueneman of
Novell on the IETF's PKIX and S/MIME mailing lists.  Please copy Mr.
Jueneman on responses at [EMAIL PROTECTED].  The full post can be found
at: http://www.imc.org/ietf-smime/mail-archive/msg02933.html.   _Vin

ooo Begin Forwarded Text ooo

When the ABA Digital Signature Guidelines were being formulated within the
Information Security Committee, with lots of very bright, well-informed
attorneys and technologists contributing, there was a fundamental,
underlying assumption that PKI technology could be used to reduce some of
the uncertainty that was perceived to be a barrier to the efficient use of
electronic commerce.

Instead of having to use proprietary, value added networks and negotiate
N*(N-1) contracts between all of the trading partners, it was expected that
the use of a common PKI technology and appropriate legal frameworks would
eliminate most of that overhead.

It was recognized that a accretion of case law had resulted in a situation
where printed forms, letterhead, FAXs, telegrams and later Telexes, ordinary
e-mail, and who knows what else forms of communications could, under the
proper circumstances, be interpreted as being a legally binding signature.
The trouble was that the technology had moved much faster than the case law,
and the uncertainty was increasing at a compounded rate.

For example, back when printed forms were created on letterhead presses, and
were filled in using either handwriting or a typewriter, it was pretty
obvious what the difference was. And because going to a printer and having a
lot of standard forms printed involved some expense, time and effort, the
conventional use of such a form for purposes of trade might reasonably be
considered tantamount to a signature of the company. Unfortunately, a
technological decision that was rational at the time is no longer rational
in the age of laser printers, when preprinted forms have almost disappeared.
But the case law hasn't changed, so the question of what constitutes
signature becomes more of a risk, both for the relying party who thought it
was valid, and for the originator, who really didn't intend for it to be
anything more than a draft proposal.

In addition to these technical/legal issues, there was also the issue of
liability in the event of something going wrong, such as a key being
compromised.

One approach would be the very loose standard of care embodied in the US
credit card law (Regulation E), where even the most egregious carelessness
on the part of the subscriber could only result in a $50 loss.  The problem
with that approach is that it effectively required the establishment of a
mechanism that would be very similar to the credit card industry to
centralize the reporting of every time
a certificate was used to verify a transaction, so that loss limits could be
enforced.

At the other end of the spectrum was "strict liability,' which is the
standard used between major financial institutions.  Because of the volume
of the business, and the difficulty of backing out transactions in error
that might otherwise leave an innocent third party holding the bag for a
transaction gone wrong, inter-bank
transactions are generally governed by strict liability -- no matter what
the extenuating circumstances might be the bank was still liable for a
transaction that went out in its name.

In between these two poles were standards of simple negligence or gross
negligence as a possible defense.

The final decision that was incorporated in the Guidelines, Section 5.6
Presumption in dispute resolution, was to create a "rebuttable presumption"
that a digital signature verified by reference to the public key listed in a
valid certificate is the
digital signature of the subscriber listed in that certificate.

The effect of this presumption was to allocate the burden of proof to the
person who is challenge the validity of the signature.  In the case of a
claimed forgery, for example, the burden of proof (independent of the risk
of loss) falls on
the subscriber, who would generally be in a much better position to know how
the keys were protected, etc., than the relying party.

The State of Utah, in their pioneering Digital Signature Act, didn't go
quite so far as that. Instead, they applied the rebuttable presumption
argument only to a special class of certificates created by so-called
"Licensed Certification Authorities" that were subject to a higher level of
assurance, involving inspection and audit and

Computerworld on FreeS/WAN

[Robert Hettinga]

At 2:00 PM -0400 on 8/19/99, [EMAIL PROTECTED] wrote:


 Title: Hackers, Consultants Embrace Secure Tool
 Resource Type: News Article
 Date: 08/16/99
 Source: Computer World
 Author: Ann Harrison
 Keywords: SECURITY,ENCRYPTION  ,HACKER/SECURITY ,CONSULTANTS

 Abstract/Summary:
 When IT security consultants attend hacker conferences, they have high
 expectations for finding open-source security tools tested in hostile
 environments. One that meets the standard for hacker information technology
 consultants is the FreeS/WAN project's free, open-source Linux-based server
 software that uses strong encryption to create secure data tunnels 
between any
 two points on the Internet -- a needed alternative to expensive, 
proprietary virtual
 private networks (VPN).

 FreeS/WAN uses the IPSec protocol, an interoperable global standard for
 securing IP connections. It automatically encrypts data packets at 
6 bit/sec. and
 creates secure gateways in a VPN without modifying the operating system or
 application software. A PC running FreeS/WAN ( www.xs4all.nl/~freeswan ) can
 set up a secure tunnel in less than a second.

 The software generated strong interest among the 1,800 hackers who attended
 the Chaos Communication Camp, the Chaos Computer Club's first international
 hacker conference, held here last week. Among the attendees was 
Kurt Seifried,
 an independent security consultant from Edmonton, Alberta, who uses
 FreeS/WAN to create secure networks for customers.

 Original URL: http://www.computerworld.com/home/print.nsf/all/990816BBE2

 Added: Thu  Aug  19 10:28:26 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Clinton comes after the Internet by Joseph Farah

[Robert Hettinga]

--- begin forwarded text


Date: Mon, 09 Aug 1999 10:45:29 -0600
To: [EMAIL PROTECTED]
From: Robert Huddleston [EMAIL PROTECTED]
Subject: IP: Clinton comes after the Internet by Joseph Farah
Sender: [EMAIL PROTECTED]
Reply-To: Robert Huddleston [EMAIL PROTECTED]


http://www.worldnetdaily.com/bluesky_btl/19990809_xcbtl_clinton_co.shtml
WorldNetDaily
MONDAY AUGUST 09 1999
between the lines Joseph Farah
--
WND Exclusive Commentary
--
Clinton comes after the Internet
by Joseph Farah
  --
 
   Well, it was a long time coming, but Bill Clinton has finally made his
move on the Internet.

Late last week, when reporters and members of Congress were going home for
the weekend, he issued one of his now-famous executive orders -- this one
on "Internet conduct."

Like almost all such orders, it will sound quite innocuous on a quick first
read. But these guys in the Clinton administration are clever. This action
sets up a working group of top U.S. officials to study the whole concept of
policing the Internet. No, Clinton doesn't use that word, but that's
clearly the intent of this order -- the establishment of a national
Internet police force.

But if you catch that much -- and few will -- then the wording of this
order is designed to make you relax because the working group is simply
going to write a report! We all know government reports don't kill people,
right? Nobody gets hurt by a government report unless they drop it on you.

However, let's take a look at what's being studied here: No. 1 -- How the
federal government can insinuate itself into this revolutionary new medium.
And, No. 2 -- How new technology tools, capabilities or legal authorities
may be required for effective investigation and prosecution.

Let me repeat that last purpose behind this working group and this
executive order in the actual language used by Clinton: "The extent to
which new technology tools, capabilities, or legal authorities may be
required for effective investigation and prosecution of unlawful conduct
that involves the use of the Internet."

Get it? "New technology" equals spying tools. "Capabilities" means
surveillance capabilities. And "legal authorities" means Internet police.

You've got to understand the bureaucratic jargon here. Think of me as your
Clintonese translator. Remember, this is a man who questions what the word
"is" means. You've got to leave this to the professionals -- and that means
me.

Now here's the other scary part of this executive order. Normally with
these task forces, the president allows a year or more for study and
reports. Not this time. Guess what his deadline is?

"The Working Group shall complete its work to the greatest extent possible
and present its report and recommendations to the President and Vice
President within 120 days of the date of this order," the executive order
states.

What! That means the report must be prepared before the end of the year. I
would suggest to you that this means the report is already drafted. I would
suggest further evidence for that conclusion is that Clinton is also
requiring the committee to circulate the report to federal agencies well
before it comes to the White House.

Why would he do that? Because the White House has already seen it. The
White House has written it.

Who's going to be a part of this working group? The chairman is Janet Reno,
and the members are most of the important Cabinet officers. Do you really
think those guys and gals could draft a report on policing the Internet in
less than 120 days?

Uh-uh.

Something's up here, folks. Something smells really foul.

Now what do you suppose is in that future report? Hillary once told us the
Internet needed gatekeepers and controls.

"We are all going to have to rethink how we deal with this, because there
are all these competing values," Hillary said last year. She also deplored
the fact that the Internet lacks "any kind of editing function or
gatekeeping function."

I think Clinton's about to make his move on our last best hope for freedom
-- the Internet. Methinks the Internet is about to get an official editor
or a government gatekeeper.


**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

DCSB: Andrew Odlyzko; So, Where's All the Digital Cash?

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 10 Aug 1999 09:19:25 -0400
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: DCSB: Andrew Odlyzko; So, Where's All the Digital Cash?
Cc: Eben Moglen [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Robert Hettinga [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

  The Digital Commerce Society of Boston

Presents

   Dr. Andrew Odlyzko
 Head of the Mathematics and Cryptography Research
   ATT Laboratories



   Why digital cash has not taken off (yet)


 Tuesday, September 7th, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
   One Federal Street, Boston, MA




The arrival of digital cash has been predicted for a long time, but
progress has been disappointing. To fully understand what has
happened, and what the future will bring, it appears to be necessary
to consider the important economic and psychological factors that
have hampered acceptance of digital money. Content producers can
usually get more revenues through various bundling strategies
(subscriptions, site licensing, etc.) than through sales a la carte.
Further, consumers have a strong preference for flat-rate pricing
schemes. These factors suggest which methods might be most productive
in speeding up penetration of electronic money.

Andrew Odlyzko is Head of the Mathematics and Cryptography Research
Department at ATT Labs, and also Adjunct Professor at the University
of Waterloo.  He has done extensive research in technical areas such
as computational complexity, cryptography, number theory, combinatorics,
coding theory, analysis, and probability theory.  In recent years he
has also been working on electronic publishing, electronic commerce,
and economics of data networks.  He is the authors of such widely
cited papers as "Tragic loss or good riddance?  The impending demise
of traditional scholarly journals,"  "The decline of unfettered
research," and "The bumpy road of electronic commerce."  He is also
a coinventor of a micropayment system.  His home page is
http://www.research.att.com/~amo.


This meeting of the Digital Commerce Society of Boston will be held
on Tuesday, September 7, 1999, from 12pm - 2pm at the Downtown Branch of
the Harvard Club of Boston, on One Federal Street. The price for
lunch is $35.00. This price includes lunch, room rental, various A/V
hardware, and the speakers' lunch.  The Harvard Club *does* have
dress code: jackets and ties for men (and no sneakers or jeans), and
"appropriate business attire" (whatever that means), for women.  Fair
warning: since we purchase these luncheons in advance, we will be
unable to refund the price of your lunch if the Club finds you in
violation of the dress code.


We need to receive a company check, or money order, (or, if we
*really* know you, a personal check) payable to "The Harvard Club of
Boston", by Saturday, September 4th, or you won't be on the list for
lunch.  Checks payable to anyone else but The Harvard Club of Boston
will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club of Boston", in the amount of $35.00. Please include your
e-mail address so that we can send you a confirmation

If anyone has questions, or has a problem with these arrangements
(We've had to work with glacial A/P departments more than once, for
instance), please let us know via e-mail, and we'll see if we can
work something out.


We are actively searching for future speakers.  If you are in Boston
on the first Tuesday of the month, and you are a principal in digital
commerce, and would like to make a presentation to the Society,
please send e-mail to the DCSB Program Committee, care of Robert
Hettinga, mailto: [EMAIL PROTECTED].


For more information about the Digital Commerce Society of Boston,
send "info dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail
list, send "subscribe dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] .

We look forward to seeing you there!

Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com

iQEVAwUBN7Amr8UCGwxmWcHhAQFuiQf/bf1uRwIyXmKZI9J5VE5kIhJ/5UW58r8U
F8K9H72Sn6yghF8krhEr63gu3Y9TpS0/utexTt8oRm37syBGvnh3+1JGKj2zI+5C
8gYiSyQUXbaZ6a086LQsC8DMOwDjKJ34AaF8ZP/vhoNUYIl8u00RhYyRJDMGRsHE
SA+UsRZOv5J4IwyEuob6xls/fI9lqF51juvJkAPYCCT5yzqV7oNj5E2yTbxFlLeq
/JeV5JRPTOkI1aV/6kpuxFdJXRBd8W8nAYgGedpdRQ49koO+3uCfYtkEXTaT1+Lv
FvoyQjcuXZGRyTx0MCKBXTDPsi3Ld00dH+S4XumXPqj71GW5sg7Vpw==
=1myx
-END PGP SIGNATURE-
-
Robert A. Hettinga mailto: [EMAIL PROTECTE

Zero Knowledge gets it's own government commission :-) (Re: ECARMNEWS for August 09,1999 First Ed.)

[Robert Hettinga]

At 2:00 AM -0400 on 8/9/99, [EMAIL PROTECTED] wrote:


 Title: Ontario Promotes Private Crypto
 Resource Type: News Article
 Date: 3:00 a.m.  6.Aug.99.PDT
 Source: Wired News
 Author: Matt Friedman
 Keywords: GOVT POLICY ,ENCRYPTION  ,ADVOCACY,PERSONAL PROTECT

 Abstract/Summary:
 While the US Congress recoils in horror at the prospect of a 
population armed with
 cryptographic tools, a government department in Ontario wants to 
make it clear that
 encryption is good.

 More than that, in a paper released Thursday, the Ontario 
Information and Privacy
 Commission said it wants everyone to learn to use encryption.

 "What we need is a shift in the mindset of how to use information," 
said Ann Cavoukian,
 Ontario's privacy commissioner. "A lot of people still think that 
their email is safe from
 prying eyes or tampering. That's not true. We have to protect 
ourselves, and we have to
 know how to use the tools We have to get that message out."

 Original URL: 
http://www.wired.com/news/print_version/politics/story/21140.html?wnpg 
=all

 Added: Sun  Aug  8 22:41:23 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Text: New ExecOrder: 'Net Conduct Group

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Sun, 08 Aug 1999 08:33:41 -0500
To: [EMAIL PROTECTED]
Subject: IP: Text: New ExecOrder: 'Net Conduct Group
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  US Newswire
http://www.usnewswire.com/topnews/Current_Releases/0807-107.htm

Text of Clinton Executive Order on Internet Conduct
U.S. Newswire
7 Aug 11:07

Text of Clinton Executive Order Establishing Working Group to
Examine Unlawful Conduct on the Internet
To: National Desk
Contact: White House Press Office, 202-456-2100

WASHINGTON, Aug. 7 /U.S. Newswire/ -- The following is the
text of an Executive Order released today by President Clinton:

EXECUTIVE ORDER
- - - - - - -

WORKING GROUP ON UNLAWFUL CONDUCT
ON THE INTERNET

By the authority vested in me as President by the Constitution
and the laws of the United States of America, and in order to
address unlawful conduct that involves the use of the Internet,
it is hereby ordered as follows:

Section 1. Establishment and Purpose.

(a) There is hereby established a working group to address
unlawful conduct that involves the use of the Internet ("Working
Group"). The purpose of the Working Group shall be to prepare
a report and recommendations concerning:

(1) The extent to which existing Federal laws provide a
sufficient basis for effective investigation and prosecution
of unlawful conduct that involves the use of the Internet, such
as the illegal sale of guns, explosives, controlled substances,
and prescription drugs, as well as fraud and child pornography.

(2) The extent to which new technology tools, capabilities,
or legal authorities may be required for effective investigation
and prosecution of unlawful conduct that involves the use
of the Internet; and

(3) The potential for new or existing tools and capabilities
to educate and empower parents, teachers, and others to prevent
or to minimize the risks from unlawful conduct that involves
the use of the Internet.

(b) The Working Group shall undertake this review in the context
of current Administration Internet policy, which includes support
for industry self-regulation where possible, technology-neutral
laws and regulations, and an appreciation of the Internet as
an important medium both domestically and internationally for
commerce and free speech.

Sec. 2. Schedule. The Working Group shall complete its work
to the greatest extent possible and present its report and
recommendations to the President and Vice President within 120
days of the date of this order. Prior to such presentation,
the report and recommendations shall be circulated through the
Office of Management and Budget for review and comment by all
appropriate Federal agencies.

Sec. 3. Membership.

(a) The Working Group shall be composed of the following
members:

(1) The Attorney General (who shall serve as Chair of the
Working Group).

(2) The Director of the Office of Management and Budget.

(3) The Secretary of the Treasury.

(4) The Secretary of Commerce.

(5) The Secretary of Education.

(6) The Director of the Federal Bureau of Investigation.

(7) The Director of the Bureau of Alcohol, Tobacco and
Firearms.

(8) The Administrator of the Drug Enforcement Administration.
 

(9) The Chair of the Federal Trade Commission.

(10) The Commissioner of the Food and Drug Administration;
and

(11) Other Federal officials deemed appropriate by the
Chair of the Working Group.

(b) The co-chairs of the Interagency Working Group on Electronic
Commerce shall serve as liaison to and attend meetings of the
Working Group. Members of the Working Group may serve on the
Working Group through designees.
 

WILLIAM J. CLINTON

THE WHITE HOUSE,
August 5, 1999.

-0-
/U.S. Newswire 202-347-2770/
08/07 11:07
 
Copyright 1999, U.S. Newswire

**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Security of on-line banking studied

[Robert Hettinga]

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Wed, 04 Aug 1999 11:10:49 -0500
To: [EMAIL PROTECTED]
Subject: IP: Security of on-line banking studied
Cc: [EMAIL PROTECTED]
Sender: $[EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  Washington Times
http://www.WashTimes.com/business/business2.html

Security of on-line banking studied

   By Julie Hyman
   THE WASHINGTON TIMES

Congressional investigators said yesterday that the 6 million
  Americans who bank on line may be getting convenience
  at the expense of security.

According to the General Accounting Office, 44 percent of
   banks, thrifts and credit unions it surveyed have not enacted
   strict enough measures to keep their computer systems safe
   from hackers.

The report was released at a hearing of the House banking
   subcommittee on monetary policy. Lawmakers shied away from
   suggesting regulation as a solution to on-line banking security, but
   said both banks and consumers must address the risks.

"We don't want to overregulate the activity to the point that
   we unduly dampen it or retard its growth," said Rep. Spencer
   Bachus, Alabama Republican. "At the same time, the public has
   the right to safety and soundness in Internet banking, so we can't
   walk away from it."

Consumers who bank over the Internet use Web sites to
   transfer money between accounts, pay bills, check account or
   investment balances and apply for loans.

The GAO report concluded that Internet banking is by nature
   riskier than conventional banking. Its review of banking
   regulators' examinations of 81 financial institutions found that 35
   of them, about 44 percent, hadn't taken all the risk-limiting steps
   regulators have said are needed.

Mr. Bachus said Internet banking is projected to grow 20 to
   25 percent by 2004, making it necessary to be vigilant about
   hackers.

"All the banking representatives agreed that we need to
   prosecute [hackers who break into on-line accounts] and we
   need to publicize it."

He noted that the hearing was just the first stage in a
   congressional look at on-line banking that could help increase
   Internet security before consumer use explodes.

The study also said that in some cases, on-line banking
   operations were begun at companies without the approval of
   boards of directors or chief executive officers. If problems arise,
   the report cautions, senior management will not have the
   foreknowledge to deal with them.

The banking community is responding to the challenges of
   on-line banking. The Financial Services Roundtable, a District of
   Columbia trade group, formed a technology division in 1996 to
   foster the development of Internet banking and to test
   electronic-security measures.

But Catherine A. Allen, the division's CEO, said banks alone
   cannot ensure security.

"We would like to emphasize that security is a shared
   activity," she said at the hearing. Consumers should be aware of
   risk, and should choose on-line banks that are insured by the
   Federal Deposit Insurance Corporation, she said.

John Hall, an American Bankers Association spokesman, said
   that the bottom line of banking, whether it be on-line or the more
   traditional, in-person fashion, is trust.

"The banks' No. 1 attribute they sell is trust. Their customers
   have to feel completely comfortable that they are secure."

For that reason, he said, the banking industry is vigorously
   pursuing security measures.

Even with the explosive growth of electronic commerce and
   on-line investing, most consumers are still somewhat hesitant
   about conducting financial transactions on the Internet, and even
   more so when it comes to managing their finances.

According to a June report by investment firm Goldman
   Sachs, only about 4 percent of U.S. households currently use
   on-line banking products.

  This article is based in part on wire service reports.

   Copyright © 1999 News World Communications, Inc.


**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

[RRE]Anonymous Communication on the Internet

[Robert Hettinga]

--- begin forwarded text


Date: Sat, 31 Jul 1999 13:39:52 -0700 (PDT)
From: Phil Agre [EMAIL PROTECTED]
To: "Red Rock Eater News Service" [EMAIL PROTECTED]
Subject: [RRE]Anonymous Communication on the Internet
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]

[Reformatted to 70 columns.  Note that full text for several of the
articles and abstracts for the rest can be found at the TIS web site.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
or send a message to [EMAIL PROTECTED] with Subject: info rre
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Mon, 19 Jul 1999 11:33:52 -0500
From: Rob Kling [EMAIL PROTECTED]
Subject: Anonymous Communication on the Internet


FOR IMMEDIATE RELEASE
For more information, contact
 Ellen Cooper, 202-326-6431, [EMAIL PROTECTED]
 Dave Amber, 202-326-6434, [EMAIL PROTECTED]
 George Vlahakis, 812-855-3911, [EMAIL PROTECTED]

AAAS URGES CAUTION IN REGULATING
ANONYMOUS COMMUNICATION ON THE
INTERNET
Benefits of Anonymity Outweigh Likely Harms

Washington, DC (June 29, 1999)-Governments should be cautious in
attempting to regulate how people conceal their identities on the
Internet, according to a new study by the American Association for the
Advancement of Science (AAAS).  Such regulations could prevent people
from seeking counseling, expressing political opinions or engaging in
financial transactions, and could impede the development of e-commerce
and the World Wide Web.

The study is the first comprehensive analysis of how to balance
the costs and benefits of anonymous communication on the Internet
and is presented in the April-June issue of The Information Society,
an international journal whose editorial offices are at Indiana
University's School of Library and Information Science.  The journal
is published by Taylor  Francis Inc.  The study is the result of a
two-year project funded by the National Science Foundation (NSF) to
examine online anonymity.

"Policymakers ought not to react overzealously because some people
have misused anonymous communications on the Internet," said Al
Teich, director of Science and Policy Programs at AAAS. "If anonymous
communication is used for illegal purposes, the originators of the
anonymous messages-if they can be found-should be punished. However,
the positive values of anonymity more than offset the dangers it
presents."

Rachelle Hollander, director of NSF's Societal Dimensions of
Engineering, Science and Technology program, which funded the study,
said, "There are many differences between Internet communications and
other forms, but there is one significant similarity: The content of
the communication, not just whether or not it is anonymous, determines
its value.  Anonymous communications over the Internet have positive
and negative aspects.  So do anonymous communications by telephone,
the U.S. Mail, or the company suggestion box."

The explosive growth of the Internet over the last decade has created
new avenues for anonymous communications. Anonymous remailers allow
Internet users, free of charge, to post anonymous messages to most
Usenet newsgroups or to send anonymous e-mail to anyone they wish. In
its simplest form, an anonymous remailer works by accepting an e-mail
message from a sender, stripping off the headers that would serve to
identify the sender, and then forwarding the message to the intended
recipient.

Under the cloak of anonymity, users can participate in political and
human rights advocacy, engage in whistle blowing, receive counseling
and perform commercial transactions without disclosing their
identities.  However, anonymity also helps to protects users who take
part in socially unacceptable or criminal activities because of the
difficulty in holding them accountable. Harmful communications include
spamming, hate mail, child pornography and online financial fraud.

- more -

"Anonymous communication is a form of communication, with all of the
human complexities that we experience in modern society. In modern
society people routinely communicate anonymously when they shop or
travel.  It seems a bit more exotic in discussions of the Internet
because of the social significance of specially helpful or harmful
communications, and because of the technological complexities in
creating or hiding on-line identities," said Rob Kling, editor-in-
chief of The Information Society and Indiana University professor of
information science and information systems.

In order to give Internet users the opportunity to communicate
anonymously for legitimate reasons 

IP: Protecting Computers, and Privacy

[Robert Hettinga]

Imagine that. The New York Times opposed to government invasions of privacy...

Whadda country...

:-/.

Cheers,
RAH

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Sun, 01 Aug 1999 13:12:01 -0500
To: [EMAIL PROTECTED]
Subject: IP: Protecting Computers, and Privacy
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  New York Times
http://www.nytimes.com/yr/mo/day/editorial/01sun1.html

EDITORIAL

August 1, 1999

Protecting Computers, and Privacy

The Clinton Administration is right to concern itself with protecting
America's computer networks against cyber attacks by terrorists or foreign
governments. But a draft plan now being considered by the White House could
lead to Federal monitoring of much of the nation's governmental and
commercial computer communications. Such broad governmental surveillance is
not a reliable way of assuring computer security and intrudes too deeply
into the privacy of law-abiding Americans.

The White House proposal follows a review President Clinton ordered last
year of the vulnerability of the Federal Government's computer networks to
intrusion and damage by terrorists. It recommends expanding the monitoring
system now used by the Defense Department throughout the Federal Government.

This means automated software would be used to scan the messages and files
of millions of civilian Government employees to spot suspicious patterns.
The results would then be turned over to a special task force overseen by
the Federal Bureau of Investigation.

Computer network security is a real and growing problem. The Federal
Government needs to protect not just sensitive defense secrets, but also
the computers that manage air traffic control, Social Security, Medicare and a
host of other civilian programs.

But systematic monitoring of all Federal employees is a clumsy and
inefficient way to protect Government networks.

Software that can reliably detect patterns of computer manipulation does
not now exist. Broad surveillance of all Government computer users would
still permit some illicit tampering to go undetected. Meanwhile, innocent
Federal employees are likely to be subjected to electronic snooping and
investigative surveillance.

Even more troubling than the monitoring of all Federal computers is the
plan's proposal for extending the automated surveillance program to
private-sector networks. Although this would only be done with the
agreement of the relevant corporate executives, unwary employees or E-mail
correspondents could find their messages and files scrutinized by the
Government's software as well. The results of this monitoring would also be
reviewed by Federal agencies, although separately from the F.B.I.-run
system for Government employees. Sophisticated computer users could escape
surveillance with readily available encryption programs, allowing serious
cyber terrorists to elude detection while the software snooped on ordinary
citizens.

The Administration needs to come up with new approaches to the problem of
computer security that depend less on the wholesale monitoring of private
communications. Its current proposal would create more problems
than it would solve.

  Copyright 1999 The New York Times Company


**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: Text of Letter from Rep. Bob Barr to Sandy Berger

[Robert Hettinga]

--- begin forwarded text


Date: Sun, 1 Aug 1999 12:10:51 -0400 (EDT)
From: Washington Weekly [EMAIL PROTECTED]
Subject: IP: Text of Letter from Rep. Bob Barr to Sandy Berger
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Washington Weekly [EMAIL PROTECTED]


  TEXT OF LETTER FROM REP. BOB BARR TO NSC DIRECTOR SANDY BERGER
Expressing Concerns About New National Surveillance System

July 28, 1999

The Honorable Samuel R. Berger
National Security Advisor
Old Executive Office Building
Washington, D.C.  20506

IN RE: Fidnet

Dear Mr. Berger:

According to media reports,  the  National  Security  Council  is
coordinating  the  development of a massive computer surveillance
system -- Fidnet --  to  monitor  the  electronic  activities  of
millions of Americans.

While it clearly is appropriate for the government to take  steps
to  protect  its  technological  infrastructure and its computers
from attack, we must not allow fear of those threats to blind  us
to  the need to balance the competing interests of privacy, cost,
law enforcement, and national security.  If the reported decision
process  on this project so far is any indication, you may not be
adequately balancing these interests.  For one thing,  apparently
input  is being sought only from the law enforcement and national
security communities.

I  am  concerned  the  National  Security   Council   is   vastly
underestimating  the  level  of  public  concern about electronic
privacy.   The  Clinton  Administration  has  made  this  mistake
before;  proposing the much-reviled and now discredited Know Your
Customer plan.  Most recently, we witnessed the  Administration's
disdain  for  accountability  and oversight, in its citation of a
bogus attorney-client privilege to avoid giving basic information
to the House Permanent Select Intelligence Committee.

If you intend to move forward with this plan, I  request  a  full
briefing  on its structure, focusing specifically on its cost and
privacy implications.  I look forward to your response.

With kind regards, I am,

very truly yours,

BOB BARR

Member of Congress




   Published in the Aug.  2, 1999 issue of The Washington Weekly
   Copyright 1999 The Washington Weekly (http://www.federal.com)
   Reposting permitted with this message intact


**
To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address
**
www.telepath.com/believer
**

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 27 Jul 1999 22:51:23 -0400
To: [EMAIL PROTECTED]
From: "L.J.Alberts" [EMAIL PROTECTED]
Subject: IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM
Sender: [EMAIL PROTECTED]
Reply-To: "L.J.Alberts" [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

X DRUDGE REPORT X TUESDAY, JULY 27, 1999 20:28:41 ET X

WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM; WILL TRACK 
BANKING, TELECOMMUNICATIONS AND OTHER NETWORKS

The Clinton administration has developed a plan for an extensive 
computer monitoring system,
overseen by the FBI, that will track banking, telecommunications and 
other industries, it will
be reported on Wednesday.

The National Security Council is conducting a legal and technical 
review of the new Clinton
plan, a final report is scheduled to be made public in September.

NEW YORK TIMES reporter John Markoff has been shown a draft, 
according to publishing sources,
and was busy on Tuesday afternoon preparing a story.

In some government circles, the proposed system has been nicknamed "Hillary."

The plan calls for the development of a "sophisticated software 
system to monitor activities on
non-military government networks" and a separate system to "track all 
transactions used in the
banking, telecommunications and transportation industries."

The system is intended to alert law enforcement officials to computer 
attacks that might
cripple governmental or the nation's economy. But it could also 
become a massive government
utility used for surveillance of citizens, critics contend, with 
great potential for misuse.

"Law enforcement agencies obviously would be under great temptation 
to expand the use of the
information in pursuit of suspected criminals," the TIMES will report.

The plan has drawn fire from civil libertarians because it blends 
"civilian and military
functions" in protecting the nation's computer networks. Law 
enforcement agencies would be
under great temptation to expand the use of the information in 
pursuit of suspected criminals.
And the plan would put a new and powerful tool into the hands of the FBI.

Developing.

_
Reports are moved when circumstances warrant
(c)DRUDGE REPORT 1999
Not for reproduction without permission of the author
-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.1

iQEVAwUBN55wKuX/Rf8MRjfTAQH2qQf/fi2ru8l5gv5zkJ0zXoMPaPX+27yavkeY
M0baGGRwFdhNxGt9RwWDZf4YZ36m6oZ4iF3BVM8+ujVByCtWUcP+Q1nDDmti/nZo
ob69QPEACe0Nxc2g7ODvtcpsp95JA7BzMXDrYC4ryZWFdOF2xpe7D/fMYDcrpHr8
Mcgq4GibDPoXvrRszDj/Wqpao/B1f/GYtwv2vKGi0Pke9mnNMxoRTdIooUai9Qa+
kjWFsoyMBuY+qPA98u9n6C0Xbrrt1+CHM2SNYSXVEXpckg+qEcpIq58mUlvH4GI5
Dq18a4zfaVk837V06ZbczGwg1RCaJhh/hWVOTNrYTTXSZ7clIziVHg==
=5A6h
-END PGP SIGNATURE-




To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address

or (un)subscribe ignition-point-digest email@address

www.telepath.com/believer


--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

reputation

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 22 Jul 1999 17:12:26 -0400 (EDT)
From: Somebody
To: [EMAIL PROTECTED]
Subject: reputation


Bob - would you pass on this question anonymously: I'm interested in
pointers to reputation and escrow services and theory.  Any pointers
to someone starting out?

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Security Lab To Certify Banking Applications (was Re: ECARM NEWSfor July 23,1999 Second Ed.)

[Robert Hettinga]

At 2:00 PM -0400 on 7/23/99, [EMAIL PROTECTED] wrote:


 Title: Security Lab To Certify Banking Applications
 Resource Type: News Article
 Date: Jul 22, 1999 (6:15 AM)
 Source: InternetWeek
 Author: Tischelle George
 Keywords: BANKING INDUSTRY,ONLINE SERVICES ,SECURITY,SOFTWARE VERIFY

 Abstract/Summary:
 A lack of security standards is holding back online banking and
 financial services. Or so says the Banking Industry Technology
 Secretariat, a technology consortium of the nation's biggest banks.
 Next week, BITS will open a security laboratory to certify security
 software for use in commercial banking applications.

 The Financial Services Security Laboratory will open July 28 in
 Reston, Va. The facility will be used to test software packages against
 a set of standards for securing e-commerce and bill-payment
 applications, as well as browsers and operating software.

 Original URL: http://www.techweb.com/wire/story/TWB19990722S0004

 Added: Fri  Jul  23 9:45:52 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

DCSB: Ari Juels; Outsourcing MicroMint Coins, and X-Cash for Contingent Financial Instruments

[Robert Hettinga]

--- begin forwarded text


Date: Mon, 19 Jul 1999 10:51:32 -0400
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Robert Hettinga [EMAIL PROTECTED]
Subject: DCSB: Ari Juels; Outsourcing MicroMint Coins, and X-Cash for
  Contingent Financial Instruments
Cc: Ari Juels [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: Robert Hettinga [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

  The Digital Commerce Society of Boston

Presents

  Dr. Ari Juels
 Senior Research Scientist
RSA Laboratories
  Security Dynamics, Inc.



MicroMint on the Cheap and
  Executable Financial Instruments


 Tuesday, August 3rd, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
   One Federal Street, Boston, MA


We discuss two technologies that aim to facilitate electronic commerce in
distributed environments under minimal assumptions of trust. First, we show
how the MicroMint micropayment scheme of Rivest and Shamir can be broken up
into a collection of small "puzzles". Distribution of these puzzles enables
the minting operation for the scheme to be outsourced to a large group of
untrusted computational devices. Additionally, we discuss a cryptographic
technique that enables mobile agents to carry digital cash in such a way
that they are secure against "pickpocketing". We refer to this technique as
"X-cash" or "Executable digital cash". X-cash may also be used as the basis
for creating digital financial instruments with flexibly defined properties.

The first portion of the talk includes material to appear in the paper
"Bread Pudding and Proofs of Work (POWs)" in Communications and Multimedia
Security '99. The second portion of the talk draws on the paper "X-cash:
Executable Digital Cash", which appeared in Financial Cryptography '98. Both
papers are by Markus Jakobsson (Bell Laboratories) and Ari Juels (RSA
Laboratories).


Dr. Juels received his B.A. in Latin Literature and Mathematics from
Amherst College in 1991, and his Ph.D. in Computer Science from the
University of California at Berkeley in 1996. He subsequently joined
RSA Laboratories, where he now holds the position of senior research
scientist. His research interests span several areas of cryptography,
with a special focus on protocols underlying and supporting financial
applications.


This meeting of the Digital Commerce Society of Boston will be held
on Tuesday, August 3, 1999, from 12pm - 2pm at the Downtown Branch of
the Harvard Club of Boston, on One Federal Street. The price for
lunch is $32.50. This price includes lunch, room rental, various A/V
hardware, and the speakers' lunch.  The Harvard Club *does* have
dress code: jackets and ties for men (and no sneakers or jeans), and
"appropriate business attire" (whatever that means), for women.  Fair
warning: since we purchase these luncheons in advance, we will be
unable to refund the price of your lunch if the Club finds you in
violation of the dress code.


We need to receive a company check, or money order, (or, if we
*really* know you, a personal check) payable to "The Harvard Club of
Boston", by Saturday, July 31st, or you won't be on the list for
lunch.  Checks payable to anyone else but The Harvard Club of Boston
will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club of Boston", in the amount of $32.50. Please include your
e-mail address so that we can send you a confirmation

If anyone has questions, or has a problem with these arrangements
(We've had to work with glacial A/P departments more than once, for
instance), please let us know via e-mail, and we'll see if we can
work something out.


We are actively searching for future speakers.  If you are in Boston
on the first Tuesday of the month, and you are a principal in digital
commerce, and would like to make a presentation to the Society,
please send e-mail to the DCSB Program Commmittee, care of Robert
Hettinga, mailto: [EMAIL PROTECTED].


For more information about the Digital Commerce Society of Boston,
send "info dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] . If you want to subscribe to the DCSB e-mail
list, send "subscribe dcsb" in the body of a message to mailto:
[EMAIL PROTECTED] .

We look forward to seeing you there!

Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com

iQEVAwUBN5M6r8UCGwxmWcHhAQE+Ewf/eBxwvO7DQXsWhpTndg4FLSyS3NLFs5U3
mJyg62c9bt2Pdi44QLnMkJzcvkqxPSyy8uxCL/AfI/9plffqQ27u7oFJHXEwaETf
+sRGT8wSm9qrc97Qkn65fkmXyxJwWjm6iI9s6QQcR0C3mRr3nLe/zgcNmWNEumqD
KxQh7KBCjNaN

Drawing A Hard Line On Encryption (was Re: Edupage, 16 July 1999)

[Robert Hettinga]

At 4:35 PM -0600 on 7/16/99, EDUCAUSE wrote:


 DRAWING A HARD LINE ON ENCRYPTION
 The House Permanent Select Committee on Intelligence unanimously
 approved a measure to control exports of encryption software and
 provide government access to encrypted data.  The committee was
 the fourth House panel to approve the amendment, which was
 designed to ensure that government agencies can obtain court
 orders to access encrypted information.  The committee also
 adopted a measure allowing the president to control, and deny,
 encryption exports significant to national security.  Last, the
 committee approved language authorization funding to enable law
 enforcement and intelligence agencies to better prevent the
 spread of increasingly powerful encryption software.  These
 issues have been the subject of much controversy, as software
 manufacturers argue that they are losing market share from export
 controls, while privacy activists oppose law enforcement access
 to encrypted data.  (Washington Post 07/16/99)

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Commonwealth of Massachusetts will support uniform digitalsignataure law

[Robert Hettinga]

Gotta watch that reply-to-all "feature" of listserv, Dan. It'll getcha.

:-).

Cheers,
RAH

--- begin forwarded text


Date: Fri, 16 Jul 1999 09:57:29 -0400
Reply-To: [EMAIL PROTECTED]
Sender: Digital Signature discussion [EMAIL PROTECTED]
From: Daniel Greenwood [EMAIL PROTECTED]
Subject:  Follow up
Comments: To: Digital Signature discussion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hello everyone,

I just accidentally sent e-mail (spam) to the whole list that was
intended only for Ben (hit the "reply" button and let it fly too
quickly).  In any case, general participants on this list might find
parts of my prior e-mail interesting, and some of the points deserve a
bit deeper discussion.  Later today or early next week, Massachusetts
will be publishing an official statement on federal legislation, but
here are some previews

One: Massachusetts has agreed (via testimony before the House and
Senate) to the principles that Ben has stated in his last e-mail.  (see
http://www.civics.com/content/99-legis.htm for the testimony of Ray
Campbell and myself).  That is, we are on record supporting the UETA
(general lifting of real and/or perceived legal barriers to use of
electronic records, e-signatures and e-contracts) and for some limited
federal preemption in the interim which disappears when a state enacts
UETA or other conforming law.

Two: The marked up version of S. 761 and the filed version of H.R. 1714
raise some legal issues that need to be dealt with.  In particular, with
761 as marked up, the the general provisions dealing with writing and
signing requirements are over-broad in scope and require either
exceptions or the scope of the bill should be constricted back to the
original version of 761 (dealing only with e-contracts and party
autonomy to use any technology or business model for electronic
transactional methods).  Some of our concerns mirror those stated by
NCCUSL, N.J. and others on and off this list (negotiable instruments -
UCC Article 3, possibly commercial real estate conveyance, certain
consumer protection laws, etc.).  At this point in time, it appears that
people interested in this legislation in D.C. prefer not to draw a long
list of exceptions and would rather constrict the scope.  (This could be
achieved by deleting the newly added Sections 6(a)(1),(3) and (4) and
also perhaps the attribution rules).

Three: Industry supporters of 761 have also voiced a desire to see
certain changes in 761 and there appears to be a window within which to
operate before the bill is voted out of the Senate.  However, even if
761 is voted out of the Senate as it stands out of mark up, provided
certain exceptions to scope were included before Congress enacted the
legislation (after conference committees, possible floor amendments
etc.) then Massachusetts is on record as supporting this legislation.

Four: Before hitting the "send" button on an e-mail client - ALWAYS
check to see whether the "reply" function addressed the message to your
intended recipient or to a huge list of luminaries.

Thanks,
Dan

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

A wee bit of spook-humor (was re S/MIME Freeware Library)

[Robert Hettinga]

Or at least a bad joke.

(Excuse me, while I wipe the atomized remains of a latte off my 
monitor and keyboard...)

Cheers,
RAH

--- begin forwarded text


Date: Thu, 15 Jul 1999 16:42:10 +0200
To: [EMAIL PROTECTED]
From: Somebody
Subject: S/MIME Freeware Library

S/Mime Freeware Library


http://www.jgvandyke.com/services/infosec/sfl.htm


http://www.armadillo.huntsville.al.us/software/smime

   S/MIME Freeware Library

NOTICE:  Most of the software listed below is export-controlled and 
is protected by a user name and password (as indicated by the 
padlock).  Follow this link to get information about having a user 
name and password created for you.

Click to view the FORTEZZA Export Policy.

The "S/MIME Freeware Library" (SFL) is a reference implementation of 
the new MSP-enhanced S/MIME security protocol. The Library fully 
implements the Internet Engineering Task Force (IETF) standard 
security protocols named S/MIME Version 3, including the optional 
security features required to provide Message Security Protocol (MSP) 
services.  These security features include signed receipts, security 
labels, algorithm independence, and mail list information.  The SFL 
will support both commercial and government algorithms.

The latest drafts of the IETF standards upon which the SFL is based 
are available at the Internet Mail Consortium (IMC) web site.  The 
IMC has also established an SFL web page and maintains an SFL mail 
list (imc-sfl) which will be used to:  distribute information 
regarding SFL releases; discuss SFL-related issues; and provide a 
means for SFL users to provide feedback, comments, bug reports, etc. 
Subscription information for the imc-sfl mail list is at the IMC SFL 
web page.

The "CMS KEA and SKIPJACK Conventions" Internet-Draft describes the 
conventions for using the S/MIME v3 CMS EnvelopedData and 
EncryptedData content types with the KEA and SKIPJACK encryption 
algorithm. The document is intended to promote interoperability 
between implementations using KEA and SKIPJACK with CMS. Hints for 
using the FORTEZZA Card and FORTEZZA Cryptologic Interface (CI) 
Library to meet the requirements stated in the "CMS KEA and SKIPJACK 
Conventions" document are included in this text file.

J.G. Van Dyke  Associates (VDA), the developer of the S/MIME 
Freeware Library, has also established an SFL page at the VDA web 
site.  Additional SFL information may be available there.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Sony Plans E-Money Service (Was Re: NewsScan Daily, 13 July 1999(Above The Fold))

[Robert Hettinga]

At 7:51 AM -0700 on 7/13/99, NewsScan wrote:


 SONY PLANS E-MONEY SERVICE
 Sony Corp. is planning to test an Internet-based electronic money service,
 beginning with a pilot program involving 200-300 families next summer.
 Users will link to Sony's So-net Internet service, and then use noncontact
 IC cards, similar to debit cards, to make purchases.  The cards and card
 readers will be provided to the families as part of the test.  If all goes
 well, the system will be commercialized in late 2000, according to the Nihon
 Keizai Shimbun (Nikkei). (Reuters/TechWeb 13 Jul 99)
 http://www.techweb.com/news/story/reuters/REU19990713S0001

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

CHES Program

[Robert Hettinga]

--- begin forwarded text


Date: Thu, 8 Jul 1999 15:33:39 -0400 (EDT)
From: Christof Paar [EMAIL PROTECTED]
To: DCSB [EMAIL PROTECTED]
Subject: CHES Program
Sender: [EMAIL PROTECTED]
Reply-To: Christof Paar [EMAIL PROTECTED]

Please find below the prelinarary program of the CHES workshop. For
registration information, please see

 http://ece.wpi.edu/Research/crypt/ches

  -Christof

---
PRELIMINARY PROGRAM

Workshop on Cryptographic Hardware and Embedded Systems
  Worcester, Massachusetts, August 12-13, 1999
---

--- THURSDAY, AUGUST 12 ---

Welcome by Ed Parrish (President, WPI)

Introductory remarks by Cetin Koc and Christof Paar


Invited Talk: Brian Snow, National Security Agency, USA
   We Need Assurance


Session: CRYPTANALYTICAL HARDWARE

A. Shamir
Factoring large numbers with the TWINKLE device

I. Hamer and P. Chow
DES cracking on the Transmogrifier 2a

 --- break ---

Session: HARDWARE ARCHITECTURES

W.P. Choi and L.M. Cheng
Modeling the crypto-processor from design to synthesis

D.C. Wilcox, L.G. Pierson, P.J. Robertson, E.L. Witzke, and  K. Gass
A DES ASIC suitable for network encryption at 10 Gbps and beyond

E. Hong, J.-H. Chung, and C.H. Lim
Hardware design and performance estimation of the 128-bit block
cipher CRYPTON


Session: SMART CARDS AND EMBEDDED SYSTEMS

K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara
Fast implementation of public-key cryptography on a DSP TMS320C6201

P.J. Lee, E.J. Lee, and Y.D. Kim
How to implement cost-effective and secure public key cryptosystems

--- lunch break ---

Invited Talk: Colin D. Walter, Computation Department - UMIST, U.K.
   An Overview of Montgomery's Multiplication Technique:
   How to make it Smaller and Faster


Session: ARITHMETIC ALGORITHMS

A.F. Tenca and C.K. Koc
A scalable architecture for Montgomery multiplication

J.H. Silverman.
Fast multiplication in finite fields GF(2^N)

B. Kaliski and M. Liskov
Efficient finite field basis conversion involving dual bases

 --- break ---

Invited Talk: Eberhard von Faber, Debis IT Security Services, Germany
   Security Evaluation Schemes for the Public and Private
   Market with a Focus on Smart Card Systems

Session: POWER ATTACKS I

T.S. Messerges, E.A. Dabbish, and R.H. Sloan
Power analysis attacks of modular exponentiation in smartcards

L. Goubin and J. Patarin
DES and differential power analysis

P. Fahn and P. Pearson
IPA: A new class of power attacks


--- CHES Banquet on the WPI Campus, sponsored by Technical ---
---Communications Corporation, MA  ---


  --- FRIDAY, AUGUST 13 ---

Invited Talk: Dale Hopkins, Compaq - Atalla, USA
   Design of Hardware Encryption Systems for
   e-Commerce Applications

Session: TRUE RANDOM GENERATORS

V. Bagini and M. Bucci
A design of reliable true random number generator for
cryptographic applications

D. Maher and B. Rance
Random number generators founded on signal and information theory

--- break ---

Session: CRYPTOGRAPHIC ALGORITHMS ON FPGAS

R.R. Taylor and S.C. Goldstein
A high-performance flexible architecture for cryptography

E. Mosanya, C. Teuscher, H.F. Restrepo, P. Galley, and E. Sanchez
CryptoBooster: A reconfigurable and modular cryptographic coprocessor

L. Gao, S. Shrivastava, and G.E. Sobelman
Elliptic curve scalar multiplier design using FPGAs


Session: GALOIS FIELD ARCHITECTURES

H. Wu, M.A. Hasan, and I.F. Blake.
Highly regular architectures for finite field computation using
redundant basis

H. Wu
Low complexity bit-parallel finite field arithmetic using polynomial
basis

--- lunch break ---

Invited Talk: David Naccache, Gemplus, France
Significance Tests and Hardware Leakage


Session: POWER ATTACKS II

J.-S. Coron
Resistance against differential power analysis attacks for
elliptic curve cryptosystems

H. Handschuh, P. Paillier, and J. Stern
Probing attacks on tamper-resistant devices

--- break ---

Session: ELLIPTIC CURVE IMPLEMENTATIONS

J. Lopez and R. Dahab
Fast multiplication on elliptic curves over GF(2^m) without
precomputation

Y. Han, J. Zhang, and P.-C. Tan
Direct computation for elliptic curve cryptosystems


Session: NEW CRYPTOGRAPHIC SCHEMES AND MODES OF OPERATION

M. Hartmann, S. Paulus, and T. Takagi
NICE - New Ideal Coset Encryption -

T. Horvath
Arithmetic design for permutation groups

O. Jung and C. Ruland
Encryption with statistical self-synchronization in synchronous
broadband networks

---
Invited talks are 40 min, regular presentations 20 min long

The Thursday program is from 9:00 am - 6:00 pm,
the Friday program is from   8:30 am - 4:30 pm


Workshop on Cryptographic Hardware and 

Documents received under the US FOIA in relation to AmbassadorAaron (was Re: ECARM NEWS for July 08,1999 First Ed.)

[Robert Hettinga]

At 2:00 AM -0400 on 7/8/99, [EMAIL PROTECTED] wrote:


 Title: Documents received under the US FOIA in relation to Ambassador
 Resource Type: News Article
 Date: Tuesday, 06-Jul-99
 Source: cyber-rights.org
 Author: cyber-rights.org
 Keywords: GOVT DOCUMENTS  ,ENCRYPTION  ,GOVT POLICY ,INFLUENCES

 Abstract/Summary:
 A recently published Cabinet Office paper entitled Encryption and 
Law Enforcement stated
 that "there must be a greater degree of international co-operation, 
particularly in relation to
 setting agreed standards." (para 7.10) The paper further stated 
that "there has been
 remarkably little co-ordination of policy on encryption matters" 
internationally apart from the
 OECD Guidelines on Cryptography Policy.

 However, the Aaron Files that we are bringing to the attention of 
the public through these
 pages suggest otherwise - that UK Government encryption policy was 
closely co-ordinated
 by the US despite the denial in the Cabinet Office paper which 
concluded that the result of
 the absence of such a co-ordination "has been a degree of 
misunderstanding and suspicion
 as to the rationale behind attempts to regulate, or influence, the 
domestic use of encryption."


 Original URL: http://www.cyber-rights.org/foia/usfoia.htm

 Added: Wed  Jul  7 20:46:20 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Bush Seeks to Curry Favor in Silicon Valley (was Re: ECARM NEWSfor July 02,1999 Second Ed.)

[Robert Hettinga]

No mention in this article about crypto, but he seems to be pointed in the
right direction.


Anyone out there know whether GWBush has said anything on the crypto front?

Will any of you reporters out there be in a position to ask him soon?

Cheers,
RAH


At 2:00 PM -0400 on 7/2/99, [EMAIL PROTECTED] wrote:


 Title: Bush Seeks to Curry Favor in Silicon Valley
 Resource Type: News Article
 Date: July 2, 1999
 Source: NYT (Free Registration Required)
 Author: RICHARD L. BERKE
 Keywords: POLITICS,CAMPAIGN FUNDING,TECH INDUSTRY   ,LEGISLATION PROP

 Abstract/Summary:
 PALO ALTO, Calif. -- Encroaching on political turf that
 Vice President Al Gore has cultivated for years, Gov. George
 W. Bush ventured into Silicon Valley Thursday to fatten his already
 flush campaign treasury and to unveil proposals favored by the technology
 industry.

 The Texas Governor departed from his standard text to make an
 aggressive pitch to the computer titans in the room, a group
 with growing influence that both political camps are wooing. He chided
 President Clinton and Gore for, among other things, not allowing
 American companies to sell sensitive technology overseas when those
 products are available from competitors.

 Original URL:
http://www.nytimes.com/library/politics/camp/070299wh-gop-bush.html

 Added: Fri  Jul  2 10:44:20 -040 1999
 Contributed by: David Dillard

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Papers at CHES

[Robert Hettinga]

--- begin forwarded text


Date: Wed, 30 Jun 1999 10:51:22 +0200 (MESZ)
From: Christof Paar [EMAIL PROTECTED]
To: DCSB [EMAIL PROTECTED]
Subject: Papers at CHES

Please find below a list of accepted papers and invited presentations at
CHES (Workshop on Cryptographic Hardware and Embedded Systems) in
Worcester, Massachusetts.

For registration information, please visit our web site at

  http://ece.wpi.edu/Research/crypt/ches

Regards, Christof

***
 Christof Paar,  Assistant Professor
  Cryptography and Information Security (CRIS) Group
  ECE Dept., WPI, 100 Institute Rd., Worcester, MA 01609, USA
fon: (508) 831 5061email: [EMAIL PROTECTED]
fax: (508) 831 5491www:   http://ee.wpi.edu/People/faculty/cxp.html
***


---
Workshop on Cryptographic Hardware and Embedded Systems
 Worcester, Massachusetts, August 12-13, 1999
http://ece.wpi.edu/Research/crypt/ches
---

Accepted Papers:


A. Shamir
Factoring large numbers with the TWINKLE device

J. H. Silverman.
Fast multiplication in finite fields GF(2^N)

B. Kaliski and M. Liskov
Efficient finite field basis conversion involving dual bases

H. Wu, M. A. Hasan, and I. F. Blake.
Highly regular architectures for finite field computation using
redundant basis

H. Wu
Low complexity bit-parallel finite field arithmetic using polynomial
basis

K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara
Fast implementation of public-key cryptography

P. J. Lee, E. J. Lee, and Y. D. Kim
How to implement cost-effective and secure public key cryptosystems

J. Lopez and R. Dahab
Fast multiplication on elliptic curves over GF(2^m) without
precomputation

L. Gao, S. Shrivastava, and G. E. Sobelman
Elliptic curve scalar multiplier design using FPGAs

Y. Han, J. Zhang, and P.-C. Tan
Direct computation for elliptic curve cryptosystems

J.-S. Coron
Resistance against differential power analysis attacks for
elliptic curve cryptosystems

L. Goubin and J. Patarin
DES and differential power analysis

P. Fahn and P. Pearson
IPA: A new class of power attacks

T. S. Messerges, E. A. Dabbish, and R. H. Sloan
Power analysis attacks of modular exponentiation in smartcards

H. Handschuh, . Paillier, and J. Stern
Probing attacks on tamper-resistant devices

V. Bagini and M. Bucci
A design of reliable true random number generator for
cryptographic applications

D. Maher and B. Rance
Random number generators founded on signal and information theory

W. P. Choi and L. M. Cheng
Modelling the crypto-processor from design to synthesis

R. R. Taylor and S. C. Goldsteiny
A high-performance flexible architecture for cryptography

A. F. Tenca and C. K. Koc
A scalable architecture for Montgomery multiplication

E. Mosanya, C. Teuscher, H. F. Restrepo, P. Galley, and E. Sanchez
CryptoBooster: A reconfigurable and modular cryptographic coprocessor

I. Hamer and P. Chow
DES cracking on the Transmogrifier 2a

M. Hartmann, S. Paulus, and T. Takagi
NICE - New Ideal Coset Encryption -

D. C. Wilcox, L. G. Pierson, P. J. Robertson, and E. L. Witzke
A DES ASIC suitable for network encryption at 10 Gbps and beyond

E. Hong, J.-H. Chung, and C. H. Lim
Hardware design and performance estimation of the 128-bit block
cipher cRYPTON

T. Horvath
Arithmetic design for permutation groups

O. Jung and C. Ruland
Encryption with statistical self-synchronization in synchronous
broadband networks

Invited Talks:
--

Brian Snow, National Security Agency, USA
We Need Assurance

Eberhard von Faber, Debis IT Security Services, Germany
Security Evaluation Schemes for the Public and Private
Market with a Focus on Smart Card Systems

Dale Hopkins, Compaq - Atalla, USA
Design of Hardware Encryption Systems for e-Commerce Applications

Colin D. Walter, Computation Department - UMIST, U.K.
An Overview of Montgomery's Multiplication Technique:
How to make it Smaller and Faster

David Naccache, Gemplus, France
Significance Tests and Hardware Leakage

---
Workshop on Cryptographic Hardware and Embedded Systems
 Worcester, Massachusetts, August 12-13, 1999
---

---
Information:http://ece.wpi.edu/Research/crypt/ches
E-Mail: [EMAIL PROTECTED]
Program Chairs: Cetin Kaya KocChristof Paar
[EMAIL PROTECTED]  [EMAIL PROTECTED]
---

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Digital Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,

Re: NPR story on crypto...

[Robert Hettinga]

-BEGIN PGP SIGNED MESSAGE-

At 4:14 PM -0400 on 6/26/99, Sameer Parekh wrote:


   As far as I can tell Stuart Baker has realized that the time
 has come for crypto to be widespread.

Yup. F=MA, where M stands for money. :-). Digital commerce is financial
cryptography, financial crypto is strong crypto, and without strong
crypto there's no digital commerce. And all that.

   I don't really see him standing in the way of the PECSENC
 issuing a recommendation in either direction. At the last meeting I
 was at he was truly a facilitator, not an opinion leader.

Of course, lawyers are paid to be nice when they have to be, :-), but
when Stu came to talk to DCSB a couple(?) of years ago, he seemed not at
all like the "Smoking Man" picture we all had painted of him at the
time. Just a simple country lawyer out to make a buck. :-).


Stu said that at some point, say, three to five years before his DCSB
talk, whenever that was, the NSA had indeed seen the handwriting on the
wall about their inability to control the spread of strong cryptography
in a world of ubiquitous public internetworks, and decided that the only
thing left for them to do was to try to stall for as much time as they
could.

The best way to do that, Stu himself says he figured, was to tell Louie
Freeh, probably the only guy in history who had actually busted someone
using a telephone wiretap (the "Pizza Connection"
herion-and-pizza-parlor case, certain proof that criminals are indeed
dumb), that he (Louie) wouldn't get to play telephone with the bad guys
anymore if said pizza-barons had strong crypto.

And so, down Stu went, hat in hand, to hear him tell it, to the Hoover
Building. And, there, Stu let slip the dogs of war. If you can call J.
Edgar in a pink chenille dress, flounces, ruffles, and all, a
*war*-dog, anyway...


Since then, of course, Stu's been out in *private* practice, not
"public" practice (a pair of word combinations which together still make
me giggle), and the only actual crypto-law customers he can find are
people who want to *spread* cryptography, all so that the aforementioned
bad-guys won't steal their -- and, more important, their customers' --
money. Go figure.

As a result, Stu has now had the required deathbed conversion to the
idea that financial cryptography is the only cryptography that matters.
Imagine that.

Oh, well, that's why we live in a world where we have to hire sophists
to keep us out of jail and still have to deferentially refer to them
"counsellor", I guess. ;-).


Yet, all of this is as it should be, because, repeat after me, class,
"physics causes economics and economics causes law and 'policy'". Try to
do it the other way around, and you look like Hitler and eugenics. Or
Stalin and Lysenko's biology. Or Mao and Marx's economics. Or Carter and
Lovins' engineering. Or Gore and Gore's ecology.


Word to the wise, folks. In 2002, $1.1 *trillion* worth of transactions
will be executed on the internet, according to the most wild-ass
projection you can find out there. And, of course, every wild-ass
prediction like that so far has been short by at least one order of
magnitude.

If you can't imagine where all that money's going to actually come from,
remember that $4 trillion a *day* is still being moved around on
expensive proprietary networks, like SWIFT, or whatever, using
constipated old book-entry settlement methods. As opposed to the
ubiquitously cheap internet and instantaneous -- and less risky --
digital bearer settlement, of course. (Betcha can't tell what kind of
transactions *I* want to underwrite, can you? :-).)

Better living through financial cryptography, in other words.


The moral of the story, boys and girls, is that *political* cryptography
is dead. Political cryptography is military cryptography, obviously, it
is also, sadly, our personal favorite flavor of geek-promoted
"anti-spook" cryptography, as well.

In other words, and as ruthless as this sounds, if it don't make money
it won't sell, and if it won't sell, who cares about it, anyway?
Fortunately for freedom-loving cryptogeeks everywhere, where actual
money is involved, the stronger the financial cryptography, the better
the market likes it. And, oddly enough, we haven't put *actual* money on
the net yet, just instructions to move money from one bank account to
another.

That's about to change. And, when it does, political cryptography will
be a doe in the headlamp of an express-train called financial
cryptography, high-balling down that intercontinental express track
called the public internetwork.

Bambi meets Mozilla, if you will.

F = MA.


Cheers,
RAH


-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.0.2

iQEVAwUBN3f8yMUCGwxmWcHhAQHnqggAsR9jgkZ1f9QRB2ydFC/vNklFCHvyKYDm
jR3/ACNFghwEovOgsTPisjQjcWVQ0Nzd/ceFdR4xgBIEeX9XapJKbMwMiV4bjUs3
+Gyabc1J8pGJQRmS5K7iBo9rBTSXt2+Av3UUdaAT0A3dIDO4g2H7jYIjiBQWEPFf
vKYNkVMnYt/uizB9Ih8Clnif1OybhRzlGzRfbO3yzNeka8Pn/mNeUiglHSOAwi3y

The creation of internet currency (was Re: We are going tolaunch our own currency....)

[Robert Hettinga]

At 11:11 AM -0400 on 6/16/99, John Lowry wrote:


 Of course, they're backed by:
   1: a friendly government and coordinated policy between
   major powers and ISPs.
   2: a kiloton of gold.

 The book ends with only one "subscriber", the future father-in-law.

 :-)

Yeah, I transcribed original quote from Neal Stephenson's "Cryptonomicon"
just as I had finished reading it, and, you're right, the ending fizzled a
bit on the original premise.

I'm much more interested in creating economically trasparent digital bearer
versions of existing currencies than I am with creating a currency itself.
The e-gold guys are welcome to all that other fun stuff :-).

However, the most important point for me, and the reason I quoted the book
then, was to see a very popular science fiction author like Stephenson talk
about something near and dear to cypherpunks, and ex-cypherpunks,
everywhere.

It was such a kick to see that happen, especially after watching people
talk about it so much, in my case, for 5 years now. Of course, the
cypherpunks have been talking about this ever since May and Hughes convened
the first physical meeting in 1992 or so. Of course, it's not the first
time that Stephenson has written about electronic money; his short story
"The Great Samolean Caper" was written, for Time/Pathfinder, I think, 3
years ago, and his last novel "The Diamond Age" had a whole cash-settled
anonymous-auction (dare I say geodesic? :-)) content/services market
underlying the 'young ladies' primer' at the core of the story.


I see the creation of any eventual internet currency itself as a second-,
or, actually, third-, order effect, requiring, first, as I said,
transparent exchangeability into existing currencies, the ability to
actually *withdraw* book-entry cash onto the net in digital bearer
'bank-note' form, and, second, the establishment of permanent digital
bearer asset classes, money market instruments, bonds, equity, derivatives,
all based on the use of that cash, originally in existing meatspace
currency, on the net.

Tatsuo Tanaka did a talk to DCSB about this kind of thing, called "The
Macroeconomic Consequences of Digital Cash", about 3 years ago or so, where
he talked about how the issuance of digital bearer cash reserved by
extraterritorially-held currency deposits makes things very interesting for
any "controller" of national currency, but his endstate was, curiously, a
central bank of cypherspace of some kind.

I helped him get the paper into the web-journal First Monday, back then, as
a member of its editorial board, but, personally, I would more likely see a
currency board governing an internet currency instead of any central bank,
and, in addition, I think we'll have many competing currencies, each one
built from the bottom up, probably based on various, and now-unknown,
internet economic behaviors or asset classes.


Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Digital Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

CommerceNet takes over eCheck project

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 08 Jun 1999 15:12:55 -0700
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: John Muller [EMAIL PROTECTED]
Subject: CommerceNet takes over eCheck project
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20dbs



***BUZZ:  SPECIAL ANNOUNCEMENT***

CommerceNet Announces New Area of Research for Members:
GeCFi (The Global Electronic Commerce Finance Issues Portfolio)
**


CommerceNet would like to invite you to its June Quarterly Members Meeting
to learn more about a new area of research recently opened up within the
Consortium - one that focuses specifically on addressing the financial
issues of business online.   Research that will be available to members as
part of this new research portfolio will cover a broad range of financial
issues that impact online business, such as: payment, taxation,
authorization, security, receipt of funds, business processes, and
technologies such as smart cards and digital certificates.   GeCFi will
examine specific developing industry trends and their impact on business
strategies.  The Portfolio will also serve as a springboard for both pilot
project and testbed research involving member companies' products and
services.

As part of the development of this new area of research, and in
collaboration with the FSTC, CommerceNet is pleased to announce that it will
take over management of the Electronic Check Project (eCheck) 
http://www.echeck.org/ http://www.echeck.org/ . 

The goal of the Electronic Check Project is to develop an instrument that
addresses payment universally.
A pilot project is currently underway with the US Treasury using eCheck to
make payments to SME's. Other pilots and projects will be initiated by
CommerceNet involving member companies so that eCheck can be offered to
consumers and businesses of all sizes, in the US, and abroad.  The
development of an eCheck certification program is planned, as is
coordination of efforts with various global eCommerce standards
organizations.

This is just one of many projects that CN currently has planned for its
members.  If your company is interested in participating in the development
of other potential research pilots, this is your opportunity to become
involved!  We are very excited to be adding a full financial services/issues
research area to our offering, and encourage you to participate.

TO REGISTER:
If you are interested in registering for the CommerceNet June Quarterly
Members Meeting to learn more about GeCFi, please contact Elizabeth
Robinson, Member Services Representative, at 408 446 1260 x 206 or
[EMAIL PROTECTED]

WHEN/WHERE: 
The meeting will be held on June 16 and 17, 1999, at the TechMart, 5201
Great America Pkwy., Santa Clara, California.   

COST:   
There is no cost for members. The fee for non-Members is $550. If your
company chooses to become a member within 30 days after attending this
meeting, you will be credited the attendance fee.

Additional information and registration information can be viewed on the
CommerceNet web site at:
http://www.commerce.net/events/member_meeting/june_99/index.html
http://www.commerce.net/events/member_meeting/june_99/index.html .   If
you plan on attending, please identify your company as interested in GeCFi
Portfolio participation opportunities when you complete the registration
form -(companyname/gecfinew). 

If you are interested in joining the GeCFi Portfolio, please contact
either:**

Lara Abrams Beth Morrow
Business Development ManagerBusiness Development Manager
CommerceNet CommerceNet
[EMAIL PROTECTED]   [EMAIL PROTECTED]
408 446 1260 x 214 ph   512 335 5606 ph

for more information.

We look forward to your participation.

**
AGENDA

Agenda for the June 16, 1999 CommerceNet Quarterly Members' Meeting (Day
One):

8:30am  Arrive, Continental Breakfast
9:00am  Welcome, Mark Resch, CommerceNet
9:15am  IdentitySafe:  A CommerceNet research initiative in establishing new
technologies for privacy and safeguarded identity, Doug Peckover
10:00am Break

**The following sessions are comprised of two parts each:

Part 1  
Group discussion roundtables: Facilitated discussions on the topic, with
insights, ideas and general discussions.  Participants will have the
opportunity to join breakout groups focused on particular aspects of the
marketplace.  GeCF will have a breakout group focused on global Internet
financial services. Each topic will be framed with a short general
presentation and each breakout group will be provided a list of though
provoking concepts and ideas to help encourage discussion on key issues and
opportunities.

Part 2  
Facilitator wrap-up: Each breakout group will present their ideas and
concepts based on their area of 

CRYPTONOMICON review

[Robert Hettinga]

--- begin forwarded text


Date: Fri, 4 Jun 1999 13:33:44 -0700
Reply-To: Law  Policy of Computer Communications
[EMAIL PROTECTED]
Sender: Law  Policy of Computer Communications
[EMAIL PROTECTED]
From: Mike Godwin [EMAIL PROTECTED]
Subject:  CRYPTONOMICON review
To: [EMAIL PROTECTED]

CRYPTONOMICON REVIEW
For Reason magazine
By Mike Godwin
About 2000 words

No aficionado of trendy, complex contemporary novels by writers such as
Thomas Pynchon or David Foster Wallace will be terribly surprised to come
across a work of fiction that traces a single thematic thread running
through the lives of a mathematical genius in World War II, his slightly
less gifted but equally nerdy grandson in 1999, a gung-ho marine driven by
love and morphone, and a Japanese soldier transmuted by the bestial
horrors of war.

What may be surprising to readers of Neal Stephenson's CRYPTONOMICON
is that Stephenson thinks that thread is, or should be,
cryptology -- the science (or, more accurately, the two sciences,
respectively) of encoding messages to keep them secret and of extracting
the secret messages from other people's communications.

Indeed, Stephenson's novel continually demonstrates, in a wide range of
linked scenarios that tie WWII codebreaking to the modern "cypherpunk"
effort to create a currency and an economic system that is beyond
governmental control, there's something centrally human about the
enterprise of cryptography. And it's this thesis that keeps CRYPTONOMICON
from being merely an enjoyable, exceedingly well-written, encyclopedic,
and deeply comic novel. More than all this, the book is an _important_
novel, because of the ways it touches upon a critical public issue of our
era: whether the power of cryptography can be trusted to individuals.

CRYPTONOMICON presents the reader with several entwined narratives,
switching among them on a chapter-by-chapter basis. Most of these
narratives are set in World War II, and of these the greatest number of
chapters are devoted to the adventures of two men: mathematical prodigy
and Army officer Lawrence Waterhouse and his near-antithesis, Marine
sergeant and all-around man of action Bobby Shaftoe. Both of these
characters manage to complete grand tours of the European and Pacific
theaters, but, more importantly, both demonstrate, in their respective
ways, the human capacity to extract meanings from a the chaotic and
mysterious situations generated by a world war. For Waterhouse, whose life
is dominated by his gift for mathematical reasoning, the primary challenge
is to crack Axis codes (and, secondarily, to conceal from the enemy the
fact that the codes have been cracked). For the comparatively less
cerebral and occasionally morphine-addicted Shaftoe, whose official
mission is to assist in concealing Allied codebreaking efforts (although
he does not at first realize this), the real goal is much more basic than
Waterhouse's -- throughout the war he labors to return to the
Japanese-occupied Phillipines to rescue his paramour and the child he may
have fathered with her. Where Waterhouse reflexively resorts to
mathematical models to characterize his experiences, Shaftoe turns to
poetic ones --- during his time in the Far East he's learned to compose
haiku and Stephenson has Shaftoe's individual story begin and end with
haiku. (The haiku poet can be said to be engaged in a process of encoding
a deep moment of experience into three short strings of words -- it takes
an experienced reader of haiku to decode such a poem.)

Set against the World Two narratives is a present-day story centered on
Waterhouse's grandson, Randy, a computer nerd whose own genius remains
unrealized until it is unlocked by a unique business opportunity -- Randy
is invited by a friend to take part in cryptographically facilitated
offshore "data haven" that will become the technological platform for a
totally Net-based economic system. Backing that digital monetary system
will, of course, require real-world gold. Working with Shaftoe's son and
granddaughter, Randy may have a source for that gold, if only he can
reconstruct the codebreaking efforts of his grandfather, who fifty years
ago may have uncovered a plot to collect and horde German and Japanese
gold bullion.

You'd think such a web of narratives would be hard to follow (it is
certainly difficult to summarize), but Stephenson, whose science-fiction
novels SNOW CRASH and THE DIAMOND AGE have been critical and commercial
successes despite their difficult plotting, has made a quantum jump here.
His bravura writing style, together with certain technical choices
(Stephenson tells each of his narratives in the present tense, regardless
of when they occur chronologically) are carried along so deftly by his
tight plotting that you never lose the thread.

But this is not an author who's content just to tell good stories --
throughout the book he takes on the task of explaining cryptology and
other relatively abstruse technical disciplines -- 

Watermark Warfare (was Re: ECARM NEWS for May 21,1999 First Ed.)

[Robert Hettinga]

At 2:00 AM -0400 on 5/21/99, [EMAIL PROTECTED] wrote:


 Title: M. Ken to Offer Lists of Illegal MP3-based Web Sites
 Resource Type: News Article
 Date: May 20, 1999
 Source: AsiaBizTech
 Author: Nikkei Multimedia
 Keywords: PIRACY PREVENT  ,WATERMARKING,SEARCH ENGINES  ,MP3 FILES

 Abstract/Summary:
 M. Ken Co., Ltd. will start a service from
 June 1 listing Web sites illegally providing music data in the MPEG
 Audio Layer-3 (MP3) format reproduced from music CDs.

 M. Ken is a developer of electronic watermarking technology.

 It plans to offer the list of such illegal sites to music companies
 that seek to find copyright infringements on Web pages, and it will
 post the information on its own Web page.

 Original URL:
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70746

 Added: Thu  May  20 20:43:51 -040 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: HushMail: free Web-based email with bulletproof encryption

[Robert Hettinga]

At 9:11 PM -0400 on 5/19/99, Keith Dawson wrote:


 and are stored
 on a server located in Canada.

And the code was written in Anguilla?

Is there an echo in here?

:-).

Cheers,
RAH
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

New Book: The End of Money and the Struggle for Financial Privacy

[Robert Hettinga]

--- begin forwarded text


Date: Tue, 18 May 1999 15:06:38 +0100
To: [EMAIL PROTECTED]
From: CIPE News [EMAIL PROTECTED]
Subject: New Book: The End of Money and the Struggle for Financial Privacy
Sender: [EMAIL PROTECTED]

CIPE is pleased to announce the arrival of a new book in our bookstore:

The End of Money and the Struggle for Financial Privacy
By Richard W. Rahn

Technology has fast outpaced governments' ability to maintain control of
electronic finance. Global financial networks and systems allow any asset
whose value is recognized and guaranteed by a reliable financial
institution to be instantaneously transferred from one person to another.
Private institutions are already developing "digital dollars" that will
someday reduce transaction costs and monetary instability, thus leading to
greater economic efficiency and higher standards of living. Unfortunately,
this new world of digital money is fiercely resisted by many government
officials. The full benefits of digital money will not be realized unless
people are left free to move their financial assets around the globe in a
private fashion.


You can purchase this book from CIPE for $22.50--this is a 10% discount off
of the list price.  Visit our electronic bookstore at
http://www.cipe.org/bookstore and look in the CIPE Partners' Publications
section or contact Amy Wormwood by email at [EMAIL PROTECTED] or fax at (202)
721-9250.


THE CENTER FOR INTERNATIONAL PRIVATE ENTERPRISE
1155 15th Street NW; Washington DC 20005
telephone: 202 721-9200; fax: 202 721-9250; email: [EMAIL PROTECTED]
Visit CIPE's Web site: http://www.cipe.org


--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Re: MacOS 8.7 Security

[Robert Hettinga]

--- begin forwarded text


Subject: Re: MacOS 8.7 Security
Date: Sat, 15 May 1999 20:29:02 -0700
From: Mark Talbot [EMAIL PROTECTED]
To: "Robert Hettinga" [EMAIL PROTECTED], [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]?subject=subscribe%20mac-crypto

On or about 5/15/99 2:23 PM [EMAIL PROTECTED] wrote:

From: Somebody
Subject: Re: MacOS 8.7 Security

If you believe the spin in this bullshit, I have a bridge to sell you. The
encryption is exportable, and the multi-user logon security is from At
Ease, its designed for K-12 schools. There is nothing "military level"
about any of this.

The phrase "military level" carries about the same weight of meaning as
"scientifically designed".


After attending their creative typing class, the
[EMAIL PROTECTED] put forth:

[stuff deleted]

 One very interesting note on technology demonstrated under Sonata at
WWDC: users will be able to log into their computers by voiceprint
indentification. This technology is considered very reliable, is not easily
faked by recordings and such, and can be backed up with a normal text
password if the user is sick, loses their voice, etc.

I watched the demo  I don't recall any claims being made about
"voiceprint identification". As far as I could tell the only new thing
was you can now speak your pass phrase instead of typing it. If your pass
phrase is "Soylent Green is people", I don't think the OS is going to be
able to discern biometrically who speaks it.

[stuff deleted]

MST

--
When you're right you're right, and when you're wrong, you're most likely
Microsoft.

-Anon

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

[Fwd: That spooky PECSENC]

[Robert Hettinga]

--- begin forwarded text


Date: Wed, 12 May 1999 21:10:24 -0500
Reply-To: Digital Signature discussion [EMAIL PROTECTED]
Sender: Digital Signature discussion [EMAIL PROTECTED]
From: Richard Hornbeck [EMAIL PROTECTED]
Subject:  [Fwd: That spooky PECSENC]
To: [EMAIL PROTECTED]

FYI:

Gant Redmon wrote:

 Richard:

 As a member of PECSENC, I'm responding to you but CC the list to get a
 little info out about PECSENC.  It isn't as clandestine a bunch as we are
 portrayed.  Actually, our closed door briefing on the latest national
 security threats have been rather mind numbing and devoid of substance.
 Instead, we gather to represent different interests and sit down and have a
 dialogue.  It's tough because no one camp controls.  We have industry
 representative like myself, law enforcement representative, usually a strong
 BXA and NSA contingent and a smattering of DOJ and Treasury folks that drift
 in and out.  The real fun starts when the general public takes the time to
 show up.  The venting going on in meeting in California was a blast.  I
 think our value add is the feedback we are able to give the folks that draft
 the laws that make our lives such a treat.  I'd say PECSENC played a role in
 the relaxation of controls last December and who knows what will be next.
 John Gilmore and I have spoken about what this is worth before.  It's true
 we aren't making any radical overnight changes occur, but we are trying to
 work towards some solutions (or maybe some realizations) that should result
 in encryption becoming more fundamental in everyone's lives.

 As for notice, we meet the second Friday every other months.  Pretty simple
 formula.  So far, all meetings have been at BXA headquarters except for one
 in California.  Just park at the Ronald Reagan building to get off at Metro
 Center.  See you there.

 Gant Redmon
 AXENT Technologies, Inc.

 P.S. Richard: can you get this back to Cyberpunks for me?


Also, in response to a private inquiry, Gant provided the following:

Richard

 People shouldn't feel slighted.  Even WE don't have a final agenda yet.  A
 lot of times, we don't get it until the night before.  But it will be from
 10:00 to 3:00 in room 4832 at DOC.  There always seems to be chairs
 available.  It's no rock concert. :)

Gant


  -Original Message-
  From: Richard Hornbeck [SMTP:[EMAIL PROTECTED]]
  Sent: Wednesday, May 12, 1999 9:32 AM
  To:   [EMAIL PROTECTED]
  Subject:  [Fwd: May 14 President's Export Council Subcommittee on
  Encryption Agenda]
 
  FYI (forwarded from Cypherpunks) - apologies for cross-posting.
 
  John Young wrote:
  
   An updated agenda for the May 14 meeting in DC of the
   President's Export Council Subcommittee on Encryption
   (PECSENC) has been provided by Lisa Ann Carpenter,
   Committee Liaison Officer (202-482-2583):
  
Opening remarks by the new chairman, William Crowell
(ex-Deputy DIRNSA)
  
Encryption initiatives of the Bureau of Export Administration,
by William Reinsch
  
Overview of the Critical Infrastructure Assurance Office (CIAO)
by Jeffrey Hunker, Director
  
1:30 Presentation by the office of Senator McCain on his crypto bill
  
2:00 Report on Congressional activities
  
2:30 Presentations on Bernstein by the two sides, Cindy Cohn and
Department of Justice
  
3:00 Adjourn (cut back from 5:00 as the FR announced)
  
   Also, a list of PECSENC members was promised but has not yet arrived.
   This information is hard to come by so it will be most welcomed.
   Minutes of past meetings and policy recommendations are elusive too.
   See the one public statement:
  
http://209.122.145.150/PresidentsExportCouncil/PECSENC/pecsenc1.htm
  
   It's shameful and maybe illegal to hide PECSENC information. Recent
   scutbutt was that acting PECSENC chair Stewart Baker (ex-NSA) was
   going to help John Gilmore set up a public web site for PECSENC
   affairs. That accountability initiative appears to have died with
   Crowell's appointment, or to be fair, is more likely being studied
   to slow death to cozzen natsec grizzes -- which fits NSA's MO to
   SIDA misfit crypto naifs.

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

FW: Next Week's FSTC May 17-18 Meeting Update

[Robert Hettinga]

Yee-haaa!

I *love* my non-job...

Cheers,
RAH

--- begin forwarded text


From: Somebody
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: FW: Next Week's FSTC May 17-18 Meeting Update
Date: Thu, 13 May 1999 17:20:23 -0700

Bob:  Have you seen the attachment?  More ATM over the Internet projects.

-Original Message-
From: Gramling, Laura [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 12, 1999 7:35 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Next Week's FSTC May 17-18 Meeting Update


 Have you registered yet for next week's FSTC May 17 -18, 1999 meeting?
 FSTC has put together a great program to address your business needs for
 today and for tomorrow.

Note, the attached word document is an example of one of the new project
concepts being explored during the breakout sessions.  Come with other
project ideas!


 ATMOnePager_Revised

 To Register
 Phone:  312.527.6724
 Email:   [EMAIL PROTECTED]
 On-line:  http://www.fstc.org/springmeet.html

 Registration Fees
 $50 for members
 $295 for nonmembers if payment is received on or before April 30th.
 $395 for nonmembers if payment if received after April 30th.

 Mastercard, VISA, American Express and Diners Club are accepted.  Checks
 should be made payable to FSTC.  All General Meeting attendee fees are
 non-refundable.

 
 Session Updates
 
 Our interactive breakout sessions have been expanded and our general
 sessions presenters will be covering the latest in technology for the
 financial services industry. See below for topics and session leaders.

 Breakout Sessions Topics and Session Leaders
 Customer Authentication and FAST (Financial Agent Secured Transactions)
 Session Leader:  Dan Schutzer, Citigroup

 Digital Signatures Basics
 Session Leader: Parker Foley, First Union

 Moving the ATM to the Internet
 Session Leader:  Wolf Rossmann, NCR and Susan Symons, First Union

 XML for Financial Messaging
 Session Leader:  David White, Wells Fargo

 Issues with PKI
 Session Leaders:  Parker Foley, First Union

 Privacy and P3P
 Session Leader:  TBD

 General Session Topics and Presenters
 Leveraging Emerging Call Center Technologies for Efficiency, Quality and
 Revenue
 Steve Boehm, First Union Direct

 First Union Direct is a recognized leader in exploiting the latest
 technologies -
 the Internet, email, integrated desk tops, imaging, digital certificates
 and
 biometrics, and leading edge telephone platforms - to provide superior
 service
 and effective direct marketing of financial services to its growing
 customer
 base.  Mr. Boehm will explore the challenges and rewards of guiding one of

 the nation's largest call centers into the second millennium.

 The Last Mile - Its Impact on Delivering Financial Services to Consumers
 over the Internet
 Mike Parsons, Wachovia Bank

 The focus of the session will be to review the recent developments in
 Internet bandwidth and the current state of Internet connections for the
 home consumer.  In spite of advances, significant numbers of customers
 continue to suffer from slow connections to the Internet.  What are the
 prospects for improvement?  How does this impact presentation of services
 over the Internet to our customers?  My goal is to impart an understanding
 of why financial institutions need to consider the potentially negative
 impact on usability that can emerge from slow downloads of complex
 presentations.

 Consumer Payments Research
 David Allardice and Brian Mantel, Federal Reserve Bank of Chicago

 David Allardice and Brian Mantel will present an overview of research on
 the primary motivations   impacting consumer payment choice and the
 implications for different forms of payments, including: identification of
 key segments; identification of  critical obstacles; and observations on
 potential opportunities.

 Update on BITS Sponsored Initiatives
 Kit Needham, BITS

 Kit Needham will be giving an update on BITS key initiatives and actions
 taken at the April Board meeting.  Topics will include IFX,
 InteroperaBILL, Fraud Reduction, ECP, Privacy/Data Sharing, Shared
 Utilities, and Electronic Commerce Framework.

 Paperless Automated Check Exchange  Settlement (PACES)
 Mariano Roldan, Chase Manhattan Bank

 PACES is a FSTC project whose focus is to move the financial services
 industry towards image-based truncation. Its primary goal is to develop a
 technical platform that demonstrates the viability of interbank image
 exchange based on truncation of paper checks at the bank of first deposit.
 This presentation will provide an update on the status of the project.

 Red Teaming:  The Next Wave in Information Security
 Bradley Wood, Sandia National Laboratories

 Red Teaming is an alternative method of assessing the relative security
 strengths and weaknesses of an information system.  Some new work in this
 area takes some of the "black magic" out of the process and gives
 decision-makers hard data for making