Title : Conference News Part I
Author : various
==Phrack Magazine==
Volume Four, Issue Forty-Four, File 6 of 27
Conference News
Part I
****************************************************************************
[Official Announcement / Call For Participation]
(Distribute Freely)
dFx, Phrack Magazine and cDc - Cult Of The Dead Cow proudly present :
The Fourth Annual
H O H O C O N
"Cliff Stoll My K0DEZ!@$#!"
Who: All Hackers, Journalists, Security Personnel, Federal Agents,
Lawyers, Authors, Cypherpunks, Virtual Realists, Modem Geeks,
Telco Employees, and Other Interested Parties.
Where: Austin North Hilton & Towers and Super 8 Motel
6000 Middle Fiskville Road
Austin, Texas 78752
U.S.A.
Hilton : (800) 347-0330 / (512) 451-5757
Super 8: (800) 800-8000 / (512) 467-8163
When: Friday December 17 through Sunday December 19, 1993
What is HoHoCon?
----------------
HoHoCon is the largest annual gathering of those in, related to, or
wishing to know more about the computer underground. Attendees generally
include some of the most notable members of the "hacking" and "telecom"
community, journalists, authors, security professionals, lawyers, and a
host of others. Previous speakers include John Draper (Cap'n Crunch), Ray
Kaplan, Chris Goggans (Erik Bloodaxe), Bruce Sterling, and many more. The
conference is also one of the very few that is completely open to the
public and we encourage anyone who is interested to attend.
Hotel Information
-----------------
The Austin North Hilton recently split its complex into two separate
hotels; the Hilton and the newly added Super 8. HoHoCon guests have the
choice of staying in either hotel. Group rates are as follows:
Super 8: Single - $46.50, Double - $49.50, Triple - $52.50, Quad - $55.50
Hilton : Single - $69.00, Double - $79.00, Triple - $89.00, Quad - $99.00
Once again, the hotel has set aside a block of rooms for the conference
and we recommend making your reservations as early as possible to
guarantee a room within the block, if not to just guarantee a room period.
Rooms for the handicapped are available upon request. To make your
reservations, call the number listed above that corresponds with where
you are and where you want to stay and make sure you tell them you are
with the HoHoCon conference or else you'll end up throwing more money
away. The hotel accepts American Express, Visa, Master Card, Discover,
Diner's Club, and Carte Blanche credit cards.
Check-in is 3:00 p.m. and check-out is 12:00 noon. Earlier check-in is
available if there are unoccupied rooms available. Please note that in
order for the hotel to hold a room past 6:00 p.m. on the date of arrival,
the individual reservation must be secured by a deposit or guaranteed
with one of the credit cards listed above. Also, any cancellations of
guaranteed reservations must be made prior to 6:00 p.m. on the date of
arrival. You will be responsible for full payment of any guaranteed
reservations which are not cancelled by this time.
The hotel provides transportation to and from the airport and will give
you full information when you make your reservations.
Directions
----------
For those of you who will be driving to the conference, the following
is a list of directions provided by the hotel (so, if they're wrong,
don't blame me):
Dallas : Take IH 35 south to exit 238-B, the Houston exit. At the first
stop light, turn right on to 2222. Turn off of 2222 onto Clayton
Lane (by the Greyhound Station). At the stop sign, turn right
onto Middle Fiskville, the hotel is on the left.
San Antonio : Take IH 35 north to exit 238-B, the Houston exit. At the
second stop light, turn left onto 2222. Turn off 2222 onto
Clayton Lane (by the Greyhound Station). At the stop sign,
turn right onto Middle Fiskville, the hotel is on the left.
Houston (on 290) : Take 290 west into Austin. Exit off of 290 at the IH35
exit (do not get on 35). Stay on the access road
heading west, you will pass two stop lights. Turn off
the access road onto Clayton Lane (by the Greyhound
Station). At the stop sign, turn right onto Middle
Fiskville, the hotel is on the left.
Houston (on 71) : Take 71 west into Austin. Exit onto 183 north. Take
183 north to 290 west. Take 290 west to the IH 35 exit.
Exit off of 290 at the IH 35 exit (do not get on 35).
Stay on the access road heading west, you will pass two
stop lights. Turn off the access road onto Clayton Lane
(by the Greyhound Station). At the stop sign, turn
right onto Middle Fiskville, the hotel is on the left.
Airport : Exit the airport parking lot and turn right onto Manor Road.
Take Manor Road to Airport Boulevard and turn right. Take
Airport Boulevard to IH 35 north. Take IH 35 to exit 238-B. At
the second stop light, turn left onto 2222. Turn off of 2222
onto Clayton Lane (by the Greyhound Station). At the stop sign,
turn right onto Middle Fiskville, the hotel is on the left.
Call the hotel if these directions aren't complete enough or if you need
additional information.
Conference Details
------------------
HoHoCon will last 3 days, with the actual conference being held on
Saturday, December 18 starting at 11:00 a.m. and continuing until 5 p.m.
or earlier depending on the number of speakers. Although a few speakers
have confirmed their attendance, we are still in the planning stages and
will wait until the next update to release a speaking schedule. We welcome
any speaker or topic recommendations you might have (except for, say, "Why
I Luv Baked Potatos On A Stik!"), or, if you would like to speak yourself,
please contact us as soon as possible and let us know who you are, who you
represent (if anyone), the topic you wish to speak on, a rough estimate of
how long you will need, and whether or not you will be needing any
audio-visual aids.
We would like to have people bring interesting items and videos again this
year. If you have anything you think people would enjoy having the chance
to see, please let us know ahead of time, and tell us if you will need any
help getting it to the conference. If all else fails, just bring it to the
con and give it to us when you arrive. Any organization or individual that
wants to bring flyers to distribute during the conference may do so. You
may also send your flyers to us ahead of time if you can not make it to
the conference and we will distribute them for you. Left over flyers are
included with information packets and orders that we send out, so if you
want to send extras, go ahead.
Cost
----
Unlike smaller, less informative conferences, we do not ask you to shell
out hundreds of dollars just to get in the door, nor do we take your money
and then make you sleep in a tent. We are maintaining the motto of "give
$5 if you can", but due to the incredibly high conference room rate this
year, we may step up to "$5 minimum required donation" or "give us $5 or
we'll smash your head in". Five dollars is an outrageously low price
compared to the suit infested industry conferences or even the new "Cons
are k00l and trendy, I gotta do one too!" conferences that are charging
up to $50 for admission alone.
To encourage people to donate, we will once again be having our wonderless
"Raffle For The Elite" during the conference. We will issue a prize list
in a future update, but we can guarantee that this year there will be a
lot more (and better) prizes than last year, including a full system (and,
no, it's not a c64 or 286). Anyone who wishes to donate worthwhile items
to the raffle, please let us know ahead of time, or if it's a last minute
acquirement, just bring it to the conference.
Miscellaneous Notes
-------------------
To save myself some time by mailing responses to a lot of the same
questions I expect to get, I'll answer a few of them here.
Although I have not talked to him myself yet, Steve Ryan has told me that
Bruce Sterling will indeed be in attendance and may say a few words.
As far as I know, there will not be any visitors from any other planets
at the conference. Scot Chasin is still on Earth and will be making an
appearance.
Video cameras will *not* be allowed inside the conference room without
prior consent due to previous agreements made with speakers who do not
wish for certain parts of their speech to be rebroadcast. Still cameras
and Etch-A-Sketch's are fine and tape recorders are too easily hidden
for us to be able to control.
Videos and T-Shirts from last year's conference are still available, and
will also be on hand during the conference. We do not handle the LoD World
Tour shirts, but I can tell you that the old ones are gone and a
*new* LoD shirt will be unveiled at the conference. The HoHoCon shirts are
$15 plus $3 shipping ($4.00 for two shirts). At this time, they only come
in extra large. We may add additional sizes if there is a demand for them.
The front of the shirt has the following in a white strip across the
chest:
I LOVE FEDS
(Where LOVE = a red heart, very similar to the I LOVE NY logo)
And this on the back:
dFx & cDc Present
HOHOCON '92
December 18-20
Allen Park Inn
Houston, Texas
There is another version of the shirt available with the following:
I LOVE WAREZ
The video includes footage from all three days, is six hours long and
costs $18 plus $3 shipping ($4.00 if purchasing another item also). Please
note that if you are purchasing multiple items, you only need to pay one
shipping charge of $4.00, not a charge for each item. If you wish to send
an order in now, make all checks or money orders payable to O.I.S.,
include your phone number and mail it to the street address listed below.
Allow a few weeks for arrival.
There will be new HoHoCon '93 shirts available at the conference and a
video of the festivities will be out early next year.
Correspondence
--------------
If anyone requires any additional information, needs to ask any questions,
wants to RSVP, wants to order anything, or would like to be added to the
mailing list to receive the HoHoCon updates, you may mail us at:
hohocon@cypher.com
drunkfux@cypher.com
cDc@cypher.com
drunkfux@crimelab.com
dfx@nuchat.sccsi.com
drunkfux@5285 (WWIV Net)
or via sluggo mail at:
HoHoCon
1310 Tulane, Box 2
Houston, Texas
77008-4106
We also have a VMB which includes all the conference information and is
probably the fastest way to get updated reports. The number is:
713-867-9544
You can download any of the conference announcements and related
materials by calling Metalland Southwest at 713-468-5802, which is the
official HoHoCon BBS. The board is up 24 hours a day and all baud rates
are supported.
Those of you with net access can ftp to cypher.com and find all the
HoHoCon information available in /pub/hohocon. The .gifs from previous
cons are *not* currently online.
Conference information and updates will most likely also be found in most
computer underground related publications and mailing lists, including
CuD, CSP, Mondo 2000, 2600, Phrack, TUC, phn0rd, cypherpunks, etc. They
should also appear in a number of newsgroups including comp.dcom.telecom,
alt.security, comp.org.eff.talk, and sci.crypt. We completely encourage
people to use, reprint, and distribute any information in this file.
Same stupid ending statement from last year to make us look good
----------------------------------------------------------------
HoHoCon '93 will be a priceless learning experience for professionals and
gives journalists a chance to gather information and ideas direct from the
source. It is also one of the very few times when all the members of the
computer underground can come together for a realistic purpose. We urge
people not to miss out on an event of this caliber, which doesn't happen
very often. If you've ever wanted to meet some of the most famous people
from the hacking community, this may be your one and only chance. Don't
wait to read about it in all the magazines and then wish you had been
there, make your plans to attend now! Be a part of what we hope to be our
largest and greatest conference ever.
-------------------------------------------------------------------------------
COMPUTERS, FREEDOM, AND PRIVACY '94
Conference Announcement
Scholarships, Writing Competition Notice
23-26 March 1994, Chicago, Il.
The fourth annual conference, "Computers, Freedom, and
Privacy," (CFP'94) will be held in Chicago, Il., March 23-26, 1994.
The conference is hosted by The John Marshall Law School; George B.
Trubow, professor of law and director of the Center for Informatics
Law at John Marshall, is general chair of the conference. The
program is sponsored jointly by these Association for Computing
Machinery (ACM) Special Interest Groups: Communications (SIGCOMM);
Computers and Society (SIGCAS); Security, Audit and Control
(SIGSAC).
The advance of computer and communications technologies holds
great promise for individuals and society. From conveniences for
consumers and efficiencies in commerce to improved public health
and safety and increased participation in government and community,
these technologies are fundamentally transforming our environment
and our lives.
At the same time, these technologies present challenges to the
idea of a free and open society. Personal privacy and corporate
security are at risk from invasions by high-tech surveillance and
monitoring; a myriad of personal information data bases expose
private life to constant scrutiny; new forms of illegal activity
may threaten the traditional barriers between citizen and state and
present new tests of Constitutional protection; geographic
boundaries of state and nation may be recast by information
exchange that knows no boundaries in global data networks.
CFP'94 will assemble experts, advocates and interest groups
from diverse perspectives and disciplines to consider freedom and
privacy in today's "information society." Tutorials will be offered
on March 23, 1994, from 9:00 a.m. - noon and 2:00 - 5:00 p.m. The
conference program is Thursday, March 24, through Saturday, March
26, 1994, and will examine the potential benefits and burdens of
new information and communications technologies and consider ways
in which society can enjoy the benefits while minimizing negative
implications.
STUDENT PAPER COMPETITION
Full time college or graduate students may enter the student
paper competition. Papers must not exceed 3000 words and should
address the impact of computer and telecommunications technologies
on freedom and privacy in society. Winners will receive financial
support to attend the conference and present their papers. All
papers should be submitted by December 15, 1993, (either as
straight text via e-mail or 6 printed copies) to: Prof. Eugene
Spafford, Department of Computer Science, Purdue University, West
Lafayette, IN 47907-2004. E-Mail: spaf@cs.purdue.edu; Voice:
317-494-7825
CONFERENCE REGISTRATION INFORMATION
Registration fees are as follows:
If paid by:    1/31/94    3/15/94    4/23/94
               Early      Regular    Late
Tutorial       $145       $175       $210
Conference     315        370        420
NOTE: ACM members (give membership number) and John Marshall Alumni
(give graduation date) receive a $10 discount from Tutorial and $15
discount from Conference fees.
CONFERENCE REGISTRATION: Inquiries regarding registration should be
directed to RoseMarie Knight, Registration Chair, at the JMLS
address above; her voice number is 312-987-1420; E-mail,
6rknight@jmls.edu.
CONFERENCE INFORMATION: Communications regarding the conference
should be sent to: CFP'94, The John Marshall Law School, 315 S.
Plymouth Ct., Chicago, IL 60604-3907
(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)
ROOM RESERVATIONS: The Palmer House Hilton, located in Chicago's
"loop," and only about a block from The John Marshall Law School,
is the conference headquarters. Room reservations only should be
made directly with the hotel, mentioning "CFP'94" to get the
special conference rate of $99.00, plus tax. (17 E. Monroe.,
Chicago, Il., 60603, Tel: 312-726-7500; 1-800-HILTONS; Fax
312-263-2556)
NOTE: More specific information about conference program
content will be available December 1, 1993.
***********
George B. Trubow, Professor of Law
Director, Center for Informatics Law
The John Marshall Law School
315 S. Plymouth Ct.
Chicago, IL 60604-3907
Fax: 312-427-8307; Voice: 312-987-1445
E-mail: 7trubow@jmls.edu
SCHOLARSHIPS
The Conference on Computers, Freedom & Privacy (CFP'94) is pleased to
announce that it will once again provide a number of full tuition
scholarships for attendance at the conference. The conference will be held
in Chicago, IL from March 23rd through March 26th, 1995 and will be hosted
by the John Marshall Law School under the chairmanship of George Trubow.
The conference traditionally attracts an extremely diverse group of
persons concerned with issues relating to the rapid development of the
"information society"; civil libertarians, information providers, law
enforcement personnel, privacy advocates, "hackers", sociologists,
educators and students, computer professionals, cryptography advocates,
government policy makers and other interested parties have all played
major roles in the three previous conferences.
Speakers at previous conferences have included Electronic Frontier
Foundation (EFF) co-founders John Perry Barlow and Mitch Kapor, FBI Deputy
Director William A. "Al" Bayse, writer Bruce Sterling, privacy advocate
Simon Davies, Harvard University law professor Lawrence Tribe, hacker
"Phiber Optik", Georgetown University's Dorothy Denning, "Cuckoo's Egg"
author Clifford Stoll, Prodigy counsel George Perry, USA Today founder Al
Neuharth, former FCC Chairman Nicholas Johnson, Computer Professionals for
Social Responsibility (CPSR)'s Marc Rotenberg, Arizona prosecutor Gail
Thackeray, and Bay Area Women in Computing's Judi Clark.
The scholarships are intended to provide access to the conference to those
that would like to attend the conference but are unable to afford the
tuition. They are available to undergraduate and graduate students in any
discipline (previous student attendees have come from computer science,
law, sociology, liberal arts, journalism, and womens' studies
backgrounds), law enforcement personnel, hackers, social scientists, and
others interested in the future of the information society.
Persons interested in a scholarship should send the following information
(e-mail greatly preferred) to:
John F. McMullen
Perry Street
Jefferson Valley, NY 10535
mcmullen@panix.com
(914) 245-2734 (voice)
(914) 245-8464 (fax)
1. Personal Information -- Name, Addresses (including e-mail), Phone
Numbers, School and/or Business Affiliation
2. Short Statement explaining what the applicant hopes to get from CFP'94
and what impact that attendance may have in the applicant's community or
future work.
3. Stipulation that the applicant understands that he/she is responsible
for transportation and lodging expenses related to the conference. The
scholarship includes tuition and those meals included with the conference.
4. Stipulation that the applicant would not be able to attend the
conference if a scholarship is not granted. The applicant stipulates
that, if granted a scholarship, he/she will attend the conference.
6. Stipulation that the applicant, if granted a scholarship, will provide
a contact John McMullen at the above e-mail address or phone numbers with
any questions.
The number of available scholarships will be determined by funding available.
-------------------------------------------------------------------------------
Notes from the Austin Crypto Conference, September 22, 1993
by Gregory W. Kamen
--- Dinosaur Warning ---
Disclaimer: A lot of people here disclaimed what they said as "not
legal advice". In addition, this was prepared from notes which were not
necessarily legible or complete, therefore I disclaim any responsibility
for misquoting or mistranscribing this information. (If you don't like
it, you try typing "cypherpunks" over and over again :P). Please note
that in Q & A sessions, the answers were relevant, though not always
responsive to the questions. In addition, I state that this information
does not represent legal advice from me or solicitation of legal
representation, and does not necessarily represent the position of EFH,
EFF, EFF-Austin, the individual conference participants, or any living
person.
-----------
The room was set up to seat approximately 180 people. It was essentially
full, and there were a few people standing--not bad for a Wednesday
afternoon.
There was a large (about 14 people) contingent from EFH present.
Steve Jackson opened the meeting with a few introductory remarks, among
which were that a subpoena had been served on Austin Code Works, a
publisher of cryptographic software.
We can expect to hear about the case in news magazines of general
circulation in about two months.
Bruce Sterling delivered the keynote address.
He began by establishing a context by defining cryptography:
-- as secret coding to avoid the scrutiny of a long list of entities,
-- as a way to confine knowledge to those initiated and trusted,
-- as a means to ensure the privacy of digital communication, and
-- as a new form of information economics
Sterling then noted that crypto is "out of the closet"
-- it is heard of on the streets
-- the government acknowledges it by bringing forth its Clipper chip
-- it is in the hands of the people
-- public key crypto is out there and commercially available
-- the typical time to market from first publication of a new idea is
20 years. Diffie published the first public key crypto algorithm in 1975,
thus the target date for mass crypto would be 1995. Bringing it to market
will require bringing of political pressure, lawsuits, and money.
Next, Sterling moved to the subject of the grand jury proceedings in San
Jose on 9/22.
-- Export law violations have been alleged. Whatever the outcome,
this proceeding is certainly not the end of the subject.
Finally, before closing by noting that EFF-Austin is not EFF, Sterling
shared a brief background of the panelists:
-- they are people who can tell us about the future
-- they are directors of national EFF and can share information
Panelists on First Panel
-- Mitch Kapor - co-founder of EFF, software designer, entrepreneur,
journalist, philanthropist, activist. He spoke out on obscure issues in
the beginning and made them seem less obscure. He has done good deeds for
the public.
-- Jerry Berman - President of EFF, activist background, published
widely on security and privacy issues, formerly active with ACLU, and is
on Clinton administration's National Information Infrastructure team.
Panelists on Second Panel
-- Esther Dyson - journalist, has widely read project "Release 1.0",
is a guru in Europe.
-- Mike Godwin - lawyer for EFF, veteran public speaker, attended UT-
Austin, on the board of EFF-Austin as well as EFF.
Panelists on Third Panel
-- Eric Hughes - not EFF member, started cypherpunks mailing list,
from California
-- John Gilmore - 20 year programmer, pioneer at Sun, civil
libertarian
-- John Perry Barlow - co-founder of EFF, media junkie, and author.
PANEL #1: POLICY
Kapor - Opening remarks: Framing the issue
a. Series of conferences in Washington, briefed EFF on how laws are
made, at a technical level of the process. Berman was instrumental in
passing the ECPA, which was later used successfully in Steve Jackson Games
case.
b. ECPA is a good thing: it says Email should be as private as postal
mail. However, it doesn't go far enough because it is easy to listen in
on cell phones.
c. Kapor felt we need technology to protect privacy. Laws alone are not
enough. Berman stated the view (at that time; he has since changed his
mind), widely held within the Beltway, that laws were sufficient.
d. Survey: 20 percent of those present use PGP. 80 percent have
heard of PGP.
Berman -
a. Following on Kapor's point that ECPA was soft, Berman says the
politicians will remain clueless until we educate them. If it is
knowledge that can alter the political process, it must be done.
b. EFF established a Washington presence because policy is being made
to design and govern the electronic frontier by the big commercial
players. The public and the consumer are not represented.
c. We're working on a goal that the national information
infrastructure serve the public interest. For example, if the big players
are allowed to dominate the process, they will control access and the NII
will look like 500 cable channels rather than a point-to-point switched
network like Internet.
d. There's a big battle coming: computers and communication are in
abundance such that everyone can be a publisher. This raises at the very
least a First Amendment issue.
e. The Clipper Chip
-- has great potential for the net; however, government agencies are
not sure of control
-- privacy and security are essential for development of the national
information infrastructure. This is a threat to the law enforcement
community.
-- the response of the law enforcement community has been to attempt
to throttle the technology.
-- in order to capture the future, they want to develop the
technology themselves.
-- EFF's role has been to say that we shouldn't go ahead with the
Clipper chip proposal.
-- the ultimate big question: What to do when all communications are
encrypted.
-- Clinton led off with a study of cryptography policy and introduced
the Clipper chip at the same time, which demonstrates that the policy was
already determined in the opinions of many. It was introduced not as
something being studied, but as a fait accompli.
-- Clipper proposal is bad because it is based on a secret algorithm
which has not been subjected to adequate scrutiny, it is counterintuitive
to interoperability because stronger crypto is being developed outside the
United States, and it includes a key escrow provision that includes only
"insiders" who developed the technology.
-- We don't prescreen the content of communications. The law
enforcement community needs a warrant. That is fundamental to the First,
Fourth, and Fifth Amendments.
f. We oppose the Clipper/Skipjack chip
-- there's no evidence showing that law enforcement will be unduly
hampered in its efforts to stop crime if crypto is available.
-- the positive and negative implications of widespread crypto have
not been considered.
-- law enforcement may have a problem, but if they have a warrant
they should be able to get access.
-- as long as Clipper is not mandated, people can use other types of
crypto.
g. Conclusions
-- if Clipper is voluntary, it doesn't work, because people who want
to encrypt safely will use other products.
-- if Clipper is mandated, there are serious constitutional issues.
-- Even if the Clipper chip proposal fails, we still lose under the
current scheme, because the export control laws guarantee that we will not
have crypto interoperable with the rest of the world.
h. EFF chairs a large coalition including representatives of
Microsoft, IBM, and ACLU to work against this.
i. Congress only needs one bad case, like a terrorist attack, to go
the other way.
Q & A -
Q. Is the key in the hardware or software with Clipper?
A. It's in the hardware, therefore the instrument is permanently
compromised once the keys are released from escrow. The law enforcement
arguments are really fronts for NSA and their religious commitment to
prevent the spread of crypto. It's NSA's mission to make sure it "busts"
every communication in the world, therefore why would they propose any
encryption without a "back door" through which they could decipher all
transmissions.
Q. What is the current state of the law between NIST and NSA?
A. NSA was selling "secure" phones. They wanted a new classification of
information. Responsibility for classified systems rests with NSA. NIST
is brought in to handle domestic crypto. In terms of budget and
experience, however, NSA is dominant, and NIST relies on them.
Q. How does GATT relate to the Clipper proposal?
A. It's not dealt with in GATT. There's no agreement on an international
standard.
Q. What's going on with PGP?
A. Pretty Good Privacy is the people's crypto. It was independently
developed, and has been widely distributed for our information and
security. There are two current controversies regarding PGP. First is
whether it is subject to export controls, and second is its intellectual
property status.
Q. What facts do we have regarding the history of Clipper?
A. The project began during the Bush administration after AT&T introduced
phones implementing DES, the Data Encryption Standard. Clinton looked at
it early in his administration. NSA pushed the program, and the staff
wanted to "do something". A worst-case scenario about the introduction of
Clipper is that it was leaked to the press, and the story about a study
was cooked up to cover the leak. People might be surprised about how
little expertise and thought about issues goes on. Policy makers operate
under severe time constraints, handling the crisis of the moment. Most of
them are reasonable people trying to do the best thing under the
circumstances. If we push certain ideas long enough and hard enough we
can affect the outcome.
Q. Following the _AMD v. Intel_ case, there's nothing stating you cannot
clone the Clipper chips to circumvent the law enforcement field, correct?
A. It's difficult to say. The chips have not yet been delivered. There
have been technical problems with the chip. At a NIST hearing a couple
weeks ago, Dorothy Denning revealed that she had reviewed the Skipjack
algorithm alone because the other four cryptographers selected to review
the algorithm were on vacation. There's a certain degree of cynicism
because the government has said it will twist people's arms using its
purchasing power and the threat of prosecution to establish Skipjack as a
de facto standard. EFF is trying to get AT&T and Motorola to do
something. Maybe the chip cannot easily be cloned. John Gilmore wants to
see how easy it is to reverse engineer.
Q. What are specific steps that can be taken?
A. Send Email to the White House, and cc to EFF. Also, focus on the
debate concerning ownership and leasing of the national information
infrastructure. Southwestern Bell wants authority to own and lease the
net and isn't quite sure whether government should be involved. This is
the other longest-running EFF policy concern: the owner of the electronic
highways shouldn't be able to control content. Bandwidth should be
provided based on the principles of common carriage and universal access.
Construction of the NII should be done by the private sector because
government doesn't have the resources available. We can't allow ourselves
to be limited to upstream bandwidth. The net should retain those of its
characteristics equivalent to BBS's.
Q. If NIST is to be an escrow agent, why are they not secure?
A. This is a source of moral outrage, but moral outrage only goes so far.
We need to swallow our distaste for dealing with the government to
compromise. It is worthwhile to get involved in the decision-making
_process_.
Q. What is the position of the ACLU and Republican think tanks on Clipper?
A. A lot of organizations have bumped into NII. ACLU is fighting the
Clipper chip. For other organizations, it's not a top priority item.
Q. With regard to DES: Export restrictions apply to scramblers, but they
are exported anyway. Why this policy of selective enforcement?
A. Don't look for consistency. SPA has recognized that there are 231 DES-
equivalent products. The genie is out of the bottle. DES source is
widely available, but more so inside the US than outside.
Q. If the government has their way, what good products are out there for
us?
A. The government can only have its way by mandating use of Skipjack. If
it holds up, legally and politically, there _is_ no alternative. The
government is saying that it is considering banning the use of crypto
other than Skipjack, but has not yet adopted such a policy.
Q. If crypto is a munition, is it protected under the Second Amendment?
A. The Second Amendment probably doesn't affect the export question.
Q. Are there any legal weaknesses in the public key cryptography patents?
A. EFF has its hands full with other issues and hasn't really formulated
an answer to this, but believes there's a fatal weakness as to all
software patents. However, it would be prohibitively expensive to make
such a case at this time.
Q. Do we need different copyright laws because of encryption?
A. Recognize that without changes in the copyright law, it will be
difficult to get a true net economy going. Producers want a way to make
money from the net. Consumers want the equivalent of home taping. It's
tough to cover all the bases.
Q. How do law enforcement issues in civil cases relate?
A. This is an interesting point because the line between a commercial
dispute and a criminal act is fuzzy. There are dangers in obtaining a
wiretap. The law enforcement community shouldn't have a case to tap a
line in the event of a two-party dispute. There is a danger of misuse for
traffic analysis of calls.
Q. ECPA could have been used to regulate access to the airwaves. Has it
been tested against the First Amendment?
A. This demonstrates that technological security measures, rather than
merely laws, are needed. People have listened to cell phone calls with
scanners, and they made scanners illegal to manufacture, but cell phones
can be modified to act as scanners. Experimentation of privacy with
encryption shifts the balance. RSA is available outside the US. RICO is
being overused.
PANEL #2: INDUSTRIAL AND LEGAL ISSUES
Dyson - Beyond commercial people being citizens, there are three big
issues:
1. Protection of trade secrets
2. Intellectual property protection for net businesses and database
information
3. Exporting encryption devices: US businesses like to do business
overseas. It is cost ineffective to develop a US-only standard. There is
better encryption available in Russia and Bulgaria on BBS's.
Godwin - Talking about law enforcement arguments government makes. There
are general issues regarding computers, communication, and privacy greater
than just Clipper.
-- Godwin is the first person people talk to when they call EFF in
trouble. In addition to giving a lot of general information regarding
liability, he monitors the intake of cases for EFF. He talks at
conventions about criminal and constitutional issues.
-- This effort has produced at least one change already: law
enforcement personnel are no longer completely incompetent and clueless
about computers.
-- the most interesting are issues dealing with hackers and crypto.
FBI's involvement with digital telephony: they wanted to make it more
wiretap friendly. They discovered it is worthless without a restriction
on encryption, and Clipper was introduced a short time later.
Legal History
The right to communications privacy is a fairly new thing. The
Supreme Court faced it in the 1928 _Olmstead_ case, and held that
there was no Fourth Amendment interest to be protected at all because
there was no physical intrusion on the property. The doctrine has been
revisited a number of times since then.
-- a suction cup mike next door to the defendant's apartment produced
the same holding.
-- In a later case of a "spike mike" penetrating the heating duct of
the defendant's apartment, the Court held that the Fourth Amendment
applied but did not extend general Fourth Amendment protection.
Finally in the _Katz_ case in the late 60's the Court formulated its
present doctrine in holding that the defendant has a reasonable
expectation of privacy in a phone booth. The Court said that the Fourth
Amendment protects people, not places. Justice Brandeis, in dissent,
cited Olmstead, but also noted that "The right most prized by civilized
men is the right to be let alone."
Arguments regularly advanced by law enforcement types in favor of Clipper:
1. Wiretapping has been essential in making many cases.
-- this argument seems reasonable.
2. Even if they can't point to a case now, they are taking a proactive
approach, trying to anticipate problems rather than reacting.
-- Dorothy Denning was involved early on in framing the issues. Now
she's in favor of the government line. Point is that an attitude of "us
vs. them" is counterproductive.
3. There are nuclear terrorists out there
-- this argument is the result of false reasoning. Like Pascal's
wager, the price of guessing wrong is so high that the rational person
chooses to be a believer, even where the probability is very low.
-- the problem with it is that you can't live that way. There's not
necessarily one single right answer. Also there is a substantial
opportunity cost. Whenever you empower individual rights, there's a
tradeoff against government efficiency. As an example, take the case of
compelled confession. It would be very efficient for the government to be
able to compel a confession, but the cost in individual rights is too
high. There is no constitutional precedent on which to base the outlawing
of encryption. The way it ought to be, the law enforcement types should
have the right to try to intercept communications under certain
circumstances, but they should have no guarantee of success.
4. Wiretapping has created an entitlement to have access to the
communications: this argument is blatantly ridiculous.
Q & A
Q. Before the A-bomb was built, proponents said that it would cost $1
million to build. The eventual cost was $1 billion. Congress asked what
was the probability that it could work, and was told 1 in 10. Thus the
nuclear terrorist argument works, right?
A. Terrorists won't use Clipper.
Q. NSA has had scramblers working. Why does it hurt for us to have the
devices?
A. We're not opening Pandora's Box. Encryption is already out there.
They think the majority of communications are not encrypted now.
Encryption will create a bottleneck, which will change the way law
enforcement does its job.
Q. What about the Davis case in Oklahoma? If convicted is there any chance
for parole?
A. Davis was a BBS owner prosecuted because he allegedly had obscene
material on his board. I don't know about Oklahoma parole law.
Q. What is the current legal status of PGP?
A. That will be answered later.
Q. If "only outlaws will have crypto", how effectively can they clamp down?
A. It will probably be very easy for them to chill nonstandard crypto if
-- they investigate for another crime and find it, or
-- it may itself be probable cause for a search.
Q. Doesn't a lot of this boil down to "you wouldn't be encrypting if you
had nothing to hide"?
A. There's not any probable cause for law enforcement taking that
position. Business likes crypto. In a scenario where only certain types
of crypto are allowed, there could presumably arise a presumption from
nonstandard crypto. The more people who encrypt, the more will say it is
all right.
Q. Do you get the sense that there is a political will to protect privacy
in this country?
A. It is not clear that is the case. There is a real education hurdle to
teach the importance of technology.
Q. The law enforcement aspect is not important to NSA, right?
A. The Russians and the Japanese have done more theoretical work. Read
"The Puzzle Palace".
Q. Virtual communities and net businesses need crypto on all systems to
validate digital signatures.
A. It is not required universally. It will become cheaper as digital
signatures take off. The Clipper proposal does not address digital
signatures. NIST is also talking to IRS about helping implement Clipper
by extending the ability to file tax returns electronically to those using
Clipper.
Q. What restrictions are there right now on the IMPORT of crypto?
A. None right now.
Q. Is law enforcement misuse of commercial information anticipated?
A. It is a wash. There are laws available to protect against such things,
like the Electronic Funds Transfer laws, and also that the wiretap law
requires eventual notification of the tap. That's why they have called
for two escrow agents. The weakness is that people can be compromised.
The answer to law enforcement is that you could have more than two escrow
agents to make the bribe prohibitively expensive. Also the problem of
human weakness is not unique to the Clipper chip or key escrow systems.
Q. There's no mapping between the chip and the phone, correct?
A. The only link is the word of the officer seeking a warrant. There is
no provision right now for a database containing identities of all chips.
Q. Can the President or Congress outlaw encryption by Executive Order?
A. The president cannot by Executive Order. It's not clear whether
Congress could constitutionally.
Q. What about steganography?
A. Steganography is defined as a message appearing to be unencrypted but
containing a code. There's a constant competition between the law
enforcement community and the criminal element to stay ahead on the
technology.
Q. Are one time pads illegal, or covered by export regulations?
A. No. Few policymakers have ever heard of them.
Q. What's a vision of what we would like to see?
A. Try to give people a technological means to protect their own privacy.
Freedom to exchange information. Communities conforming to a standard
without oversight, so that we can export.
Godwin - more mystical approach. In person, you can be sure of someone's
identity. This creates intimacy. Technology has the potential to free
intimacy from the accident of geography. With crypto, you know the
identity of the other person, and that you're not being overheard.
Q. Who are the law enforcement people you've been dealing with? Do they
represent the highest levels of their organizations?
A. (Godwin) I don't claim to know what NSA thinks. I have talked to FBI,
state and local law enforcement authorities, and they all say the same
things.
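The escrow-agent answer in the Q & A above argues that adding agents makes corrupting the system more expensive. The added example below (not part of the original report) shows why, assuming the escrowed key is split by XOR so that every agent's share is required; the function names and the 80-bit sample key are constructed for illustration.

```python
import secrets
from functools import reduce
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, agents: int) -> List[bytes]:
    """Split `key` into one share per escrow agent (n-of-n).

    The first n-1 shares are uniformly random; the last is chosen so
    that the XOR of all n shares equals the key.
    """
    if agents < 2:
        raise ValueError("need at least two escrow agents")
    shares = [secrets.token_bytes(len(key)) for _ in range(agents - 1)]
    shares.append(reduce(_xor, shares, key))
    return shares


def recombine(shares: List[bytes]) -> bytes:
    """Rebuild the key; only correct when every share is present."""
    return reduce(_xor, shares)


def missing_share_for(partial: List[bytes], candidate: bytes) -> bytes:
    """Return the one share that would make `partial` rebuild `candidate`.

    Such a share exists for every candidate key, so a party holding all
    but one share cannot rule out any key: it has learned nothing.
    """
    return reduce(_xor, partial, candidate)


if __name__ == "__main__":
    key = secrets.token_bytes(10)  # constructed 80-bit sample key
    for n in (2, 3, 5):
        shares = split_key(key, n)
        print(n, "agents, full set rebuilds key:", recombine(shares) == key)
        # n-1 colluding agents: their shares fit any key whatsoever.
        wrong = secrets.token_bytes(10)
        fake = missing_share_for(shares[:-1], wrong)
        print("  n-1 shares also fit a random wrong key:",
              recombine(shares[:-1] + [fake]) == wrong)
```

Under this scheme an attacker must compromise all n agents, so the cost of corruption grows with n, while the loss of any single share makes the key unrecoverable.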
PANEL #3: CYPHERPUNKS
Barlow - Doesn't have the I/O bandwidth to be a cypherpunk. Doesn't know
how they do it. The net is the biggest technological development since
fire. There's a very difficult choice to be made, and it may already be
made: Either anything is visible to anyone who is curious, or nothing is
visible. Barlow comes from a small town. He's not bothered by privacy
invasions at that level. But there's a difference between locals and the
possessors of a database.
The problem of giving up privacy (which without encryption will
happen), is that it allows "them" to protect us from ourselves. Also, no
matter how benevolent the current government may be, there will always be
a corrupt one down the road. Hidden crypto economies could break most
governments. It's not necessarily good to have no government either.
What drives the cypherpunks is a law of nature: Anarchy is breaking
out, and Barlow is one. However, the libertarian impulse begs a few
questions about crypto: What are we trying to hide, from whom, and why?
There are a lot of victimless crimes out there for which no one wants
to take responsibility.
Barlow wants crypto to create trust in identity. The real cypherpunk
question is: The war is over, and we have won. How do we make the
transition of power graceful? Human nature is to acquire some power
structure of some kind. It is critical to acquaint friends and those who
could care less with crypto.
Gilmore - There are too many laws, and they make the wrong things illegal;
we need to explain. In the existing system, the natural outgrowth has
been for cypherpunks to be labeled as "them". Gilmore's vision is
unprecedented mobility by creating privacy and authenticity at a distance.
Thus you don't have to live near work, or play near home. By focusing on
conspirators, the law enforcement community loses the focus on business
use. The formal topic of the panel is cypherpunks.
-- Crypto is not all that hard. Denning's book shows how to
implement DES and RSA.
-- Cypherpunks push the limits - taking cryptography from theory into
the realm of the practical.
-- Trying to put crypto in the hands of the people, so that the
government cannot take it back. That's why PGP is freely distributed.
-- Also working on anonymity and digital money schemes.
The areas the cypherpunk group has worked on are:
1) Anonymity - anonymous Email. What is the impact on how we
communicate? Most of the debate has been relatively uninformed. The
Supreme Court thinks there is a right of anonymity. A Los Angeles law
requiring that demonstrators who handed out flyers put their name and
address on the flyers was overturned on the grounds that it chilled free
speech. In other media, telephones are anonymous. There has been a big
ruckus with Caller ID. The postal service does not enforce return address
requirements. Telegrams and radio are similarly anonymous.
2) Privacy - Have been implementing key exchange systems for PGP,
experimenting with encrypted audio. Digital cash systems - so many
businesses would pop up on the net if it was possible to spend electronic
money. There are people working on the legal aspects of it now.
3) Outreach - a mailing list, contributing articles to Village Voice,
Wired, Whole Earth News.
4) Government interaction - Sent a list of questions regarding
Clipper to NIST. Made several requests under the Freedom of Information
Act. Someone searched the dumpsters at Mykotronx. In a recent FOIA
request to an Assistant Secretary of Defense, we learned that the law
enforcement and intelligence communities advocate making Clipper
mandatory. There's a FOIA request in now on Clipper. FBI returned a
clipping file, but says it will take 3 1/2 years to process and release
all the documents requested.
5) Future projects - Building encrypted phones using PGP. Real
digital banking. Automating anonymity and making an easier to use
interface for anonymized mail. Tightening security from machine to
machine protocols - Right now they transmit cleartext. At Gilmore's home
machine at Cygnus recently, a hacker monitored a session remotely, then
installed a daemon to monitor the first 200 bytes of ethernet traffic from
each connection. The daemon was removed, and the problem fixed using
kerberos.
Hughes - Cypherpunks was created by Hughes and Tim May. It's surprising
how much media attention we have gotten. They knew what they were doing
was significant, but not that so many people thought so. They are now
shooting a pilot for a TV show based on cypherpunks, and Hughes has held
himself out as a media expert. Here are a few obvious things that
nonetheless need to be stated:
1) In order to have a private key, you need to have your own CPU. To
put your key online where someone else has physical access is dumb.
Therefore, one of the consequences is that digital privacy is only for the
rich.
2) Cypherpunks is not a "hacker privacy league", but rather seeks to
ensure privacy for all. Crypto must be easy to use. It is just now
feasible to have an anonymous remailer. The user interface _must_ be
easy. The layperson's concept of security is that if the computer is not
networked, it is secure. They don't see how much of a disadvantage it is
not to be networked. Gibson calls non-networked computers "dead silicon".
Therefore, encryption needs to be transparent to the user. The
cypherpunks mailing list reached critical mass about 2 months ago with
enough people understanding the concepts to move forward. We're at a
crossroads historically now.
3) If you're the only one using crypto, it must be you who sent the
cryptographic message. Anonymity is a social construct, and it doesn't
work unless many people do it. The government is good at suppressing
small things, but bad at suppressing big things. Therefore the best
course of action is to spread the word. In the end, most of us will be
private or most will not. If encryption is available to you, use it.
In response to Dyson on the question of copyright: Copyright is dead, or
at least moribund. It will not exist as we know it in 100 years. It is
a means of using the government's power to suppress expression. You still
will be able to sell the timeliness of information, indexing, delivery,
etc.
Gilmore - If we decide to be private, the only limit to secrecy is
individual conscience.
Comments from the audience:
-- As it becomes less possible to hold on to information, marketing
shifts toward a relationship rather than a product.
-- If we want to make encryption easy, put out a mailer which
supports it. (Response: We're working on it)
Q & A
Q. Can public keys be made available through the Domain Name Servers?
A. PGP developers are working on it. Internet is an information motel.
Data checks in, but it doesn't check out.
Q. Is it possible to keep secrets at all?
A. The larger an organization is, the tougher it is to keep a secret.
Secrecy and digital signatures are not exactly related. One thing we may
see is pointers to specific documents which contain self-verifying
information. These will change the balance of power.
Q. Can we sell strong crypto to Clinton as part of his national ID card
for health care program?
A. There's a problem in dealing with the administration right now, because
they are currently defending a position and it will be tough to change.
A parallel development may make the difference. Congress is getting
Email. Seven or eight congressmen have access. A push to implement
crypto to determine who is from the districts represented should come
soon. A lot of this type application is based on the blind signature work
of David Chaum.
Q. What's the status with the legality of PGP vs. RSA?
A. It is unsettled. There are two issues: patent infringement and export.
RIPEM uses RSAREF, which is a watered down version of RSA. They're
working on PGP using RSAREF for noncommercial users.
Q. Compare the strength and security of PGP and RIPEM?
A. PGP uses a longer key. RIPEM uses DES, but will probably go to Triple-
DES.
Q. How are blind signatures used?
A. Voter cards, digital signatures, digital money. The government won't
do it if they feel it's not in their best interest. Push it.
Q. Can NSA break DES & PGP?
A. Of course.
Q. How long must a key be to slow NSA down?
A. We estimate they can break one 512 bit RSA modulus per day.
Q. Is PGP illegal, and if so, how?
A. Patent infringement issue is whether PGP infringes RSA. If you use a
product that infringes, you are civilly liable. If they were to enforce
against a random user, worst case is that the user might be tied up in the
courts for a while. Worse is copyright - it is a felony to engage in
software piracy, which means making over 10 copies with a value over
$2500. This poses a potential problem for sysadmins, and now companies
use the threat of criminal charges to force licensing. Kapor is willing
to take the case of whether or not there could ever be a valid software
patent to the Supreme Court. Godwin says prosecutors will use other laws:
Wire fraud, conspiracy, RICO.
Hughes - there should be a local cypherpunks chapter. It should meet on
the second Saturday of the month. Hughes is pursuing the idea of
teleconferencing.
Hughes concludes: "There's plenty of arguing to do. I'll see you online."