Re: Gov't Orders Air Passenger Data for Test
... they can't really test how effective the system is ... Effective at what? Preventing people from traveling? The whole exercise ignores the question of whether the Executive Branch has the power to make a list of citizens (or lawfully admitted non-citizens) and refuse those people their constitutional right to travel in the United States. Doesn't matter whether there's 1, 19, 20,000, or 100,000 people on the list. The problem is the same: No court has judged these people. They have not been convicted of any crime. They have not been arrested. There is no warrant out for them. They all have civil rights. When they walk into an airport, there is nothing in how they look that gives reason to suspect them. They have every right to travel throughout this country. They have every right to refuse a government demand that they identify themselves. So why are armed goons keeping them off airplanes, trains, buses, and ships? Because the US constitution is like the USSR constitution -- nicely written, but unenforced? Because the public is too afraid of the government, or the terrorists, or Emmanuel Goldstein, or the boogie-man, to assert the rights their ancestors died to protect? John (under regional arrest) Gilmore PS: Oral argument in Gilmore v. Ashcroft will be coming up in the Ninth Circuit this winter. http://papersplease.org/gilmore
Re: RIAA turns against Hollings bill
How does this latest development change the picture? If there is no Hollings bill, does this mean that Trusted Computing will be voluntary, as its proponents have always claimed? And if we no longer have such a threat of a mandated Trusted Computing technology, how bad is it for the system to be offered in a free market? The detailed RIAA statement tries to leave exactly this impression, but it's the usual smokescreen. Check the sentence in their 7 policy principles joint statement, principle 6: ... The role of government, if needed at all, should be limited to enforcing compliance with voluntarily developed functional specifications reflecting consensus among affected interests. I.e. it's the same old game. TCPA is such a voluntarily developed functional spec. So is the broadcast flag, and the HDCP copy protection of your video cable, and IBM's copy-protection for hard disk drives. Everything is all voluntary, until some competitor reverse engineers one of these, and builds a product that lets the information get out of the little consensus boxes. Consumers want that, but it can't be allowed to happen. THEN the role of government is to eliminate that competitor by outlawing them and their product. John
Re: AIR TRAVELER ID REQUIREMENT CHALLENGED
I was browsing some of my old mail when I came across this. What's the status of Gilmore's case? The regulations I'm challenging purport to require air and train travelers to show a government issued ID. Every traveler has been subjected to these requirements, but it turns out that they aren't really required by any published law or regulation. And if you refuse to meet the supposed requirements, you find out that there are alternative requirements, that they weren't telling you about. The government has responded, as have the airlines. Their response is to ask the court to dismiss the case, as expected. See the web site http://cryptome.org/freetotravel.htm for copies of their motions. The Federal one has the most interesting arguments. In summary, they argue that I can't challenge the no-fly list or anything other than the ID demand because, having not shown ID, the no-fly list was not applied to me; that I can't sue in a District Court anyway because the Court of Appeals is supposed to have original jurisdiction; that the government can make any rule it wants which relates to air security, and penalize the public over violations, without ever telling the public what the rule is; that being refused passage unless I present an ID does not infringe my constitutional right to travel anyway; that being prevented from traveling anoymously does not implicate any First Amendment interests; that every possible form of airport security is a fully constitutional 4th-Amendment search; and that since my right to travel is not being infringed, these searches give me equal protection just like all members of the public, because any 'rational' reason for singling out anonymous travelers will suffice. If everyone shows ID to fly, and they can get away with preventing anonymous travel, it becomes easy for the government to single out e.g. members of the Green Party. (If no ID was required, any persecuted minority would soon learn to book their tickets under assumed names.) The Nixon Administration had its enemies list, who it subjected to IRS audits and other harassment. But even that evil President didn't prevent his enemies from moving around the country to associate with anyone they liked. The Bush Administration's list interferes with freedom of association and with the constitutional right to travel. As my experience on July 4th, 2002, in the San Francisco airport demonstrated, citizens are free to not show ID to fly, if they spend half an hour arguing with security personnel over what the secret rules actually say. But then, catch-22, the citizen can board the plane only if they'll submit to a physical search like the ones that Green Party members and other on the list people are subjected to. So, you can identify yourself to them and be harassed for your political beliefs, unconstitutionally. Or you can stand up for your right to travel anonymously, and be searched unconstitutionally. Or you can just not travel. That's why I'm suing Mr. Ashcroft and his totalitarian buddies. The government motion to dismiss my case is filed at: http://cryptome.org/gilmore-v-usa-fmd.pdf The index to all the related documents is at: http://cryptome.org/freetotravel.htm Has there been a secret trial? No. We will file a response to this motion by approx Dec 1. Then they will file their reply in mid December or so. Both of those will go on the web site. (If anybody wants to OCR the PDFs of the gov't documents, please go for it and email me the text.) Then the court will read all this stuff, and we'll have a hearing, which is tentatively scheduled for mid-January. John
Re: Seth on TCPA at Defcon/Usenix
It reminds me of an even better way for a word processor company to make money: just scramble all your documents, then demand ONE MILLION DOLLARS for the keys to decrypt them. The money must be sent to a numbered Swiss account, and the software checks with a server to find out when the money has arrived. Some of the proposals for what companies will do with Palladium seem about as plausible as this one. Isn't this how Windows XP and Office XP work? They let you set up the system and fill it with your data for a while -- then lock up and won't let you access your locally stored data, until you put the computer on the Internet and register it with Microsoft. They charge less than a million dollars to unhand your data, but otherwise it looks to me like a very similar scheme. There's a first-person report about how Office XP made the computers donated for the 9/11 missing persons database useless after several days of data entry -- so the data was abandoned, and re-entered into a previous (non-DRM) Microsoft word processor. The report came through this very mailing list. See: http://www.mail-archive.com/cryptography@wasabisystems.com/msg02134.html This scenario of word processor vendors denying people access to their own documents until they do something to benefit the vendor is not just plausible -- it's happening here and now. John
Re: responding to claims about TCPA
I asked Eric Murray, who knows something about TCPA, what he thought of some of the more ridiculous claims in Ross Anderson's FAQ (like the SNRL), and he didn't respond. I believe it is because he is unwilling to publicly take a position in opposition to such a famous and respected figure. Many of the people who know something about TCPA are constrained by NDA's with Intel. Perhaps that is Eric's problem -- I don't know. (I have advised Intel about its security and privacy initiatives, under a modified NDA, for a few years now. Ross Anderson has also. Dave Farber has also. It was a win-win: I could hear about things early enough to have a shot at convincing Intel to do the right things according to my principles; they could get criticized privately rather than publicly, if they actually corrected the criticized problems before publicly announcing. They consult me less than they used to, probably because I told them too many things they didn't want to hear.) One of the things I told them years ago was that they should draw clean lines between things that are designed to protect YOU, the computer owner, from third parties; versus things that are designed to protect THIRD PARTIES from you, the computer owner. This is so consumers can accept the first category and reject the second, which, if well-informed, they will do. If it's all a mishmash, then consumers will have to reject all of it, and Intel can't even improve the security of their machines FOR THE OWNER, because of their history of security projects that work against the buyer's interest, such as the Pentium serial number and HDCP. TCPA began in that protect third parties from the owner category, and is apparently still there today. You won't find that out by reading Intel's modern public literature on TCPA, though; it doesn't admit to being designed for, or even useful for, DRM. My guess is that they took my suggestion as marketing advice rather than as a design separation issue. Pitch all your protect-third-party products as if they are protect-the-owner products was the opposite of what I suggested, but it's the course they (and the rest of the DRM industry) are on. E.g. see the July 2002 TCPA faq at: http://www.trustedcomputing.org/docs/TPM_QA_071802.pdf 3. Is the real goal of TCPA to design a TPM to act as a DRM or Content Protection device? No. The TCPA wants to increase the trust ... [blah blah blah] I believe that No is a direct lie. Intel has removed the first public version 0.90 of the TCPA spec from their web site, but I have copies, and many of the examples in the mention DRM, e.g.: http://www.trustedcomputing.org/docs/TCPA_first_WP.pdf (still there) This TCPA white paper says that the goal is ubiquity. Another way to say that is monopoly. The idea is to force any other choices out of the market, except the ones that the movie record companies want. The first scenario (PDF page 7) states: For example, before making content available to a subscriber, it is likely that a service provider will need to know that the remote platform is trustworthy. http://www.trustedpc.org/home/pdf/spec0818.pdf (gone now) Even this 200-page TCPA-0.90 specification, which is carefully written to be obfuscatory and misleading, leaks such gems as: These features encourage third parties to grant access to by the platform to information that would otherwise be denied to the platform (page 14). The 'protected store' feature...can hold and manipulate confidential data, and will allow the release or use of that data only in the presence of a particular combination of access rghts and software environment. ... Applications that might benefit include ... delivery of digital content (such as movies and songs). (page 15). Of course, they can't help writing in the DRM mindset regardless of their intent to confuse us. In that July 2002 FAQ again: 9. Does TCPA certify applications and OS's that utilize TPMs? No. The TCPA has no plans to create a certifying authority to certify OS's or applications as trusted. The trust model the TCPA promotes for the PC is: 1) the owner runs whatever OS or applications they want; 2) The TPM assures reliable reporting of the state of the platform; and 3) the two parties engaged in the transaction determine if the other platform is trusted for the intended transaction. The transaction? What transaction? They were talking about the owner getting reliable reporting on the security of their applications and OS's and -- uh -- oh yeah, buying music or video over the Internet. Part of their misleading technique has apparently been to present no clear layman's explanations of the actual workings of the technology. There's a huge gap between the appealing marketing sound bites -- or FAQ lies -- and the deliberately dry and uneducational 400-page technical specs. My own judgement is that this is probably deliberate, since if the public had an accurate 20-page