Computer underground Digest    Wed Sep 29 1993    Volume 5 : Issue 76
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Copie Editor: Etaoin Shrdlu, III

CONTENTS, #5.76 (Sep 29 1993)
File 1--Bruce Sterling on ABC/Australia's Attitude (excerpts)
File 2--the Cyberspatial Copyright
File 3--Forum for Research on Virtual Culture
File 4--Computer-Mediated Comm Volume -- Call for Papers
File 5--Question EFF yielding of crypto authority to NIST
File 6--PGP/Zimmermann News Clippings Needed!
File 7--EFF's Comments to NIST on Encryption/Escrow
File 8--Three Cheers for Legal Action; Re: Moby Crypto
File 9--PumpCon II

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on:
Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy;
RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
EUROPE: nic.funet.fi in pub/doc/cud. (Finland)
UNITED STATES:
aql.gatech.edu (128.61.10.53) in /pub/eff/cud
etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
ftp.eff.org (192.88.144.4) in /pub/cud
halcyon.com (202.135.191.2) in /pub/mirror/cud
ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 27 Sep 1993 21:59:56 +0800 (WST)
From: Stephen Hardman (Amiga files operator) <hardguy@GARION.IT.COM.AU>
Subject: File 1--Bruce Sterling on ABC/Australia's Attitude (excerpts)

This transcript from Attitude, ABC/Australia September 8 includes the parts by Bruce Sterling and an Australian federal police officer.

Bruce Sterling (I think you all know who he is)

"Law enforcement officers tell me that if they break into a teenager's home and he's got a computer and a modem and a copy of William Gibson's Neuromancer, they just know he's trouble.
It uses a new set of topics to think about, I mean, rather than thinking about rocket ships and robots and so forth, the things of the '50s and '60s, it thinks about matters like electronic networking and the impact of high technology media and genetic engineering and that sort of thing.

I'm enough of an anarcho-individualist in a funny kind of way to think that I probably ought to be able to make up my own mind about what I think is interesting and I really shouldn't have the government spoon feeding me the kind of information they think is healthy for me to know. There are legitimate security interests, but that's not the same thing as living under general censorship. You know, my feeling is... it's my business to find stuff out and think about things, it's my business to imagine things, it's not my business to control what other people think. And I resent it when people try to stop me from finding things out that I feel I need to know, for whatever reason.

People are afraid of hackers because they are frightened of computers. I mean that's the real basis of the sort of gut-level superstitious fear. They're afraid of computers and they're afraid of the power of computers, that's kind of a legitimate fear, I mean, power without responsibility is a terrible thing, and, you know, there are reasons to be upset by people that are computer literate or very skilled with computers, if they have no sense of social responsibility, these people can in fact do quite a bit of harm, you know, subtle ways that are hard to detect and prosecute."

[..]

Detective Sergeant Ken Day of the Australian Federal Police:

"We have the capacity if we have sufficient evidence, for example and we consider it a serious crime to arrest. We have, for example, the capacity to obtain a warrant to search someone's house. But we don't decide we can go out and do that, we must answer all our actions before a judicial body such as a court.

It is not a game, it's a criminal act.
The legislation is not enacted, not on whim, legislation isn't acted in this country after extensive and serious consultation and computer crimes were identified as being criminal activity. They are anti-social. They are morally, and they are now illegally, wrong. It is not a game.

The infrastructure that we work in now that we live in is by and large controlled or monitored by computer technology and examples are traffic lights, telephone systems, bank. All these that we rely upon are controlled by computer networks. Remove those networks from the loop, you don't have those services. That's why we must protect it.

Some people might say, well, federal police don't know about me, I'm hacking away, they just don't know, they haven't busted my door down. Well the simple answer to that question is maybe we know about you but we're investigating more serious crimes."

[..]

There are more comments made by the ex Australian army security man and talks to hackers <sigh/grin>.

------------------------------

Date: Tue, 28 Sep 93 00:15:07 -0600
From: "L. Detweiler" <ld231782@LONGS.LANCE.COLOSTATE.EDU>
Subject: File 2--the Cyberspatial Copyright

((MODERATORS' NOTE: L. Detweiler is a frequent contributor to Cypherpunks mailing list, editor & writer of various FAQs, such as Identity, Privacy, and Anonymity on the Internet, and the Anonymity on the Internet FAQ Treatise. cryptography FAQ janitor. These can be obtained at rtfm.mit.edu:/pub/usenet/news.answers/net-privacy/ or net-anonymity/ or cryptography-faq/ respectively)).

In CuD #5.75 File 3 ("Raising the Issue of Copyright on the Nets") gray@ANTAIRE.COM (Gray Watson), objecting to the inclusion of a copyrighted article, writes

>I don't think CUD should have allowed this. I send out a standard
>message when I see such posts and it is applicable here:
>
> >For your information, including a significant amount of text
> >from copyright publications in posts is a breach of
> >copyright law.
> >The publishing industry will *never* adopt
> >digital distribution if the net does not honor the copyright
> >laws.

I have been tracking the `cyberspatial copyright issue' with a great deal of interest for some time, and Mr. Watson's complaint is pretty standard fare in the debate. Since it appears in a journal and my response might be posted, I'm taking the time to write this. I think Mr. Watson and everyone else who claims that digital publications will not arrive until the Net respects copyright law in its present form are fundamentally mistaken.

First of all, what the heck *does* copyright law say about cyberspace? Absolutely nothing specifically. There are many *interpretations* of copyright law that attempt to promote one view or another based on the current classifications of various forms and distributions, but they are all mostly nebulous. Is an FTP site a library or what? What constitutes `redistribution'?

It seems to me that the fundamental issues behind a copyright are one or more of the following: the author desires to (1) control the distribution of a work exclusively, (2) make money therefrom, (3) guarantee the writing is not `corrupted', i.e. it does not credit someone else and is not mixed with other people's material. In particular, if (1) can be guaranteed then (2) and (3) can be derived therefrom.

Now, suppose that future cyberspatial authors give up or sacrifice (1) if (2) and (3) are more closely adhered to. I believe most authors would prefer this system. I imagine the following scenario. An author creates the text for unlimited distribution, with an email address that indicates where `digital cash' can be sent to compensate him, including a suggested donation or whatever. Under this scheme, the author gives up `exclusive distribution' to maximize actual dissemination and thereby exposure and potential personal profit.
Under this system, the readers of the articles are required to (1) send digital cash when they have benefited from the article, where appropriate, and (2) not alter the text of an article when they redistribute it.

Note that under this scheme we don't need the silly taboo that people are to be criticized for redistribution of articles -- to the contrary, they should be recognized for their selfless public service, whereby they are causing benefit to the author of the article by their efforts, with no personal profit therefrom.

I imagine other interesting distribution systems that will arise with the advent of digital cash. For example, the email addresses of all intermediate distributors may be appended to the beginning of an article in reverse order. The original author would be free to specify the system: send me money and the distribution list that was the header of the article *you* received, and I will redistribute the money among the redistributors. We should always recognize that the ultimate author has the ultimate right to the digital cash, however, because otherwise the writing would not have existed.

This is what might be called a `shareware copyright' for text, and I think it is an extremely workable system, and I believe it will evolve to become the norm. Certainly, some people will object to the system, but I suspect they are mostly `middlemen' in the current system that generally derive an undue profit from mere redistribution.

However, there are systems where complete control of redistribution is desirable. For example, an author might wish to track directly every place in cyberspace his article has been received. Under this scenario, we can imagine a sort of `toll gopher' system, wherein the traversal of a hypertext link in a text system causes an automatic toll to be applied between receiver and provider. Again, digital cash forms a fundamental basis for this system.
In this system, the `copyright' implies that anyone that passes on an article passes on the *address* of the hypertext location, so that the next person does not retrieve a `dissociated' article but instead accesses the `official' version.

Again, people must agree not to alter digital cash addresses associated with articles. And in fact a taboo similar to that associated with redistribution in the current system will arise against `piracy' or `tampering' of the digital cash addresses.

Finally, I must note that under all these scenarios a vast, ubiquitous, and instantaneous cyberspatial infrastructure is intrinsic to the overall system. However, at the current pace, this should not be an overwhelming difficulty. It is the ultimate goal of everyone currently inhabiting Cyberspace anyway.

Under the above schemes, I imagine that future cyberspace will become extremely hospitable to all future writers and editors, who are freed to focus on the absolute essentials of their craft, unchained from burdensome and irrelevant constraints associated with costly, complicated, and imperfect distribution systems. In fact, we will find that in future cyberspace *everyone* will be seen as acting as writers and editors. It will become a fundamental aspect of cyberspatial living, recognized as natural and fundamental as word processing is today.

------------------------------

Date: Sun, 26 Sep 1993 22:00:32 CDT
From: Ermel Stepp <M034050@MARSHALL.BITNET>
Subject: File 3--Forum for Research on Virtual Culture

The Institute for Research on Virtual Culture (IRVC) aims to foster, encourage, advance, and communicate research and scholarly inquiry on virtual culture. IRVC-L is a virtual forum of IRVC to conduct substantive discourse on research and scholarly inquiry to create and develop knowledge about virtual culture.

Substantive discourse is encouraged on topics such as:

1. Conceptualization of virtual culture (alternative philosophic, metatheoretical, and theoretical paradigms, principles, assumptions, propositions, and problems)
2. Alternative futures orientation, change, transformation, reform, and restructuring: conservative, liberal, or radical
3. Review and critique of literature, including articles in refereed scholarly journals
4. Alternative designs and methodologies for research and scholarly inquiry on virtual culture
5. Findings, conclusions and implications for education,
6. Research in progress on virtual culture
7. Collaborative research by subscribers
8. Setting the research agenda on virtual culture
9. Institute for Research on Virtual Culture
10. Relevant announcements, events, and issues

<<< Subscription to IRVC-L >>>

Subscription to IRVC-L is open, but the list is private and subscription is required to post messages to the forum and access listserv archives. To subscribe to IRVC-L send a message to listserv@byrd.mu.wvnet.edu with the line of text:

subscribe IRVC-L Yourfirstname Yourlastname

Example:

subscribe IRVC-L Thomas Jefferson

<<< Sending a Message to IRVC-L >>>

Messages sent to the forum will be automatically distributed to all subscribers. Such messages should be within the scope of the purposes of the forum: Substantive discourse of virtual culture, related research issues (e.g., design and/or methodology) relevant announcements, and other messages pertinent to the forum. To send a message to the forum, address the message to IRVC-L@byrd.mu.wvnet.edu. [Do not send a message intended for the forum to the listserv.]

<<< IRVC-L Archive >>>

Messages are automatically archived in monthly digests with filenames IRVC-L.mmm.yy, where mmm is the first three letters of the month and yy last two numerals of the year. Other files will be archived as well. All messages sent to IRVC-L are archived at byrd.mu.wvnet.edu.
To get an index of the archive of files and digests of messages send a message to listserv@byrd.mu.wvnet.edu with the line of text:

index IRVC-L

<<< UNIX-listserver >>>

IRVC-L is on a unix listserver. To receive a list of commands that may be used on this listserver send a message to listserv@byrd.mu.wvnet.edu with the line of text:

help

Other commands may be included on separate lines in the message, such as:

review IRVC-L (to get a list of unconcealed subscribers to IRVC-L)
get IRVC-L irvc-l.aug.93 (to get the archived messages to IRVC-L for August 1993)

<<< Anonymous FTP Archive >>>

IRVC maintains archives, including research papers and reports, dissertations, conference proceedings, journals, and other information about IRVC and virtual culture. The archive may be accessed by anonymous FTP to byrd.mu.wvnet.edu in /pub/estepp/IRVC in various subdirectories. Research scholars and writers may submit documents to be archived. Retrieve file archive.submission from /pub/estepp/IRVC and follow the instructions in it.

The _Electronic Journal on Virtual Culture_ (EJVC) is a refereed, scholarly journal published by Arachnet, with the cooperation of the Kent State University and the Institute for Research on Virtual Culture, Marshall University. The EJVC is archived at byrd.mu.wvnet.edu in /pub/ejvc, and it is retrievable via anonymous FTP. Get EJVC.ARCHIVES from the archives via FTP. Articles published in the EJVC will be discussed on IRVC-L. To subscribe to the EJVC, send email to listserv@KENTVM.BITNET or listserv@KENTVM.KENT.EDU with the sole line of text:

subscribe EJVC Firstname Lastname

using your real name, of course.

<<< Listowner >>>

Questions about IRVC, IRVC-L, EJVC and related issues may be directed to the listowner:

Dr. Ermel Stepp
Executive Director
Institute for Research on Virtual Culture
Marshall University
Huntington WV 25755-2440
Internet estepp@byrd.mu.wvnet.edu
BITNET M034050@MARSHALL
finger M034050@MARSHALL.MU.WVNET.EDU

------------------------------

Date: Sun, 26 Sep 1993 14:15:38 CDT
From: Susan Herring <sherring@WILEY.CSUSB.EDU>
Subject: File 4--Computer-Mediated Comm Volume -- Call for Papers

CALL FOR CONTRIBUTORS: VOLUME ON COMPUTER-MEDIATED COMMUNICATION

As an outgrowth of a panel presented at the 4th International Pragmatics Conference in Kobe, Japan on "Cultural and Linguistic Aspects of Computer-Mediated Communication", a volume is being prepared for publication in the _Pragmatics goal of the volume is to bring together the best in current research on CMC as a social, cultural and linguistic phenomenon. Contributions should be empirically-oriented (that is, based on observation of actual CMC) and focused primarily on language and communication (rather than on technological aspects or secondary applications of the medium). A partial list of suggested topics is included below:

- the linguistic description of CMC -- spoken-like? graphic representation, discourse, register, style
- CMC genres -- e-mail, bulletin boards (BBS), discussion lists, interactive relay chat (IRC), 'talk' modes, multi-user dungeons (MUDs), etc.
- CMC and social interaction -- dynamics of on-line communities, politeness/rudeness, humor, harassment, computer sex
- CMC use by dominant and non-dominant groups -- gender, ethnicity, status, special interests
- CMC in countries outside the U.S.; cross-cultural CMC
- CMC in institutional settings -- business, government, education
- children's CMC

Papers surveying a topic or reporting on a large-scale ongoing project are also welcome.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To be considered for inclusion in the volume, prospective authors should submit to the volume editor the following:

1) A 300-500 word abstract clearly outlining the problem, data, methodology, and conclusions of the research to be reported on in the paper, and

2) A short biographical statement (no longer than 300 words) indicating previous CMC research and/or relevant experience. (An abridged curriculum vita may be substituted for the biographical statement.)

Submissions can be sent via e-mail, snail-mail or fax to the volume editor, Susan Herring, at the address below:

Susan Herring
Program in Linguistics
University of Texas
Arlington, TX 76019 USA
fax: (817) 273-2731
e-mail: susan@utafll.uta.edu

The deadline for receipt of abstracts and biographical statements is November 1, 1993. However, earlier submissions are welcomed. After the abstracts have been reviewed, the author of each abstract selected will be issued an invitation to contribute a full-length article to the volume, along with a set of guidelines for its preparation. The tentative deadline for the receipt of completed camera-ready manuscripts will be February 1, 1994, with an anticipated publication date early in 1995.

Feel free to address any questions, comments, or suggestions to Susan Herring (susan@utafll.uta.edu).

------------------------------

Date: Tue, 28 Sep 93 23:53:38 PDT
From: jkreznar@ININX.COM(John E. Kreznar)
Subject: File 5--Question EFF yielding of crypto authority to NIST

> Below is the text of the comments that EFF filed with NIST today.
> ...
> When the Clinton Administration announced the Clipper Chip, it
> assured the public that this would be a purely voluntary system. We must
> have legal guarantees that Clipper is not the first step toward prohibition
> against un-escrowed encryption. Yet the Administration has not offered any
> such guarantees, either in the form of proposed legislation or even agency
> rules.
> ...

Actually, they have issued such legal guarantees. They're in the form of the administration's vow to uphold the US Constitution. That document's 9th and 10th amendments preclude US Government denial or disparagement of the people's right to use cryptography (and a whole lot of others). The fact that these legal guarantees are being ignored simply illustrates that their tyranny is unbridled.

By engaging NIST on this subject, the EFF is implicitly yielding to them authority which is not theirs to begin with.

------------------------------

Date: Wed, 29 Sep 1993 06:50:04 GMT
From: hugh@GARGOYLE.UCHICAGO.EDU(Hugh Miller)
Subject: File 6--PGP/Zimmermann News Clippings Needed!

((MODERATORS' NOTE: Hugh Miller's request for reprints of articles related to PGP/Phil Zimmermann is one way everybody can help. Peruse your local papers and if you find anything, you can send him the pointers and he can take it from there)).

I am interested in collecting all citations in newspapers, magazines, etc. of the subpoenas and investigation by Customs of Phil Zimmermann. To that end I'd like to ask readers of CUD to help me out. If you spot an article would you please take a moment to jot down the citation (author, title, publication, vol/issue, date, page numbers)? You don't need to type in the article, but blessings on your head if you do. I will conduct a weekly NEXIS scan anyway, but I'm sure I'll miss something. I will collect the stuff and pass it on to Phil and the legal defense team.

Thanks, folks. Send the info to ME, not to Phil, whose bank account is empty but whose e-mailbox is packed. You can mail to me here (Hugh@gargoyle.uchicago.edu) but it will just be automatically forwarded to my true address, hmiller@orion.it.luc.edu.

Thanks for your help. And give to Phil's legal defense fund.
------------------------------

Date: Tue, 28 Sep 1993 16:15:42 -0400
From: ssimpson@EFF.ORG(Sarah L Simpson)
Subject: File 7--EFF's Comments to NIST on Encryption/Escrow

I'm happy to say that there were 225 letters offering comments on the proposed key escrow system sent to the cryptnow@eff.org address. They were printed out and delivered today.

Many thanks to all who responded to the call for action. I've gotten really positive responses to the post and our electronic mail mechanism. If you think that this sort of notice helped you to be informed and participate in policy, please drop me a note at ssimpson@eff.org. Let me know if you think that this is an important service that EFF can provide for the online community.

Below is the text of the comments that EFF filed with NIST today.

================================

September 27, 1993

National Institute for Standards and Technology
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
Gaithersburg, MD 20899

To The Director:

The Electronic Frontier Foundation (EFF) writes in strong opposition to the Proposed Federal Information Processing Standard (FIPS) for an Escrowed Encryption Standard, docket # 930659-3159. We believe that NIST's guidance in setting technical standards for security and privacy protection is a critical part of the growth of the National Information Infrastructure, but any action on the proposed escrow technical standards must await the resolution of several fundamental policy issues. Thus, at this time, we oppose the proposed FIPS in all of its parts. Well over 200 EFF members are also critical of the Proposed FIPS. We believe this demonstrates the depth of public concern about the implementation of key escrow systems.

EFF is a nonprofit, public interest organization whose public policy mission is to ensure that the new electronic highways emerging from the convergence of telephone, cable, broadcast, and other communications technologies enhance free speech and privacy rights and are open and accessible to all segments of society.

Introduction

Widespread, affordable cryptography is vital for the protection of individual privacy in the Information Age. As more and more personal information flows around electronic networks, we all need strong encryption to safeguard information from unwanted intrusion. Personal information, such as health care records, private communications among friends and families, and personal financial transactions, will also travel over this information infrastructure. The business community can only make full use of the infrastructure if it is assured that the data it transmits is secure from unauthorized interception. In short, if communications in the new infrastructure are vulnerable, all of our lives and businesses would be subject to both damaging and costly privacy and security losses.

Resolve Policy Issues and Objectives Before Promulgating Technical Standards

EFF has been in ongoing dialogue with NIST, the White House, and Congress regarding the very complex public policy choices raised by cryptography policy. We are hopeful that this dialogue will result in a positive, comprehensive set of cryptography and privacy policies. But until these issues are resolved, we believe any approval of technical standards is premature. Among the public policy issues to be resolved are the following:

1. Guaranteed Continued Legal Use of All Forms of Encryption

When the Clinton Administration announced the Clipper Chip, it assured the public that this would be a purely voluntary system. We must have legal guarantees that Clipper is not the first step toward prohibition against un-escrowed encryption.
Yet the Administration has not offered any such guarantees, either in the form of proposed legislation or even agency rules.

2. Identity of Escrow Agents

When Clipper was first proposed, some in the Administration suggested that one of the two escrow agents would be a government agency and the other a private, non-governmental organization. Now it appears that plans for a private escrow agent have been dropped in favor of NIST and the Department of Treasury, though there is still no final designation of agents. We are unable to comment on the security or reliability of escrow procedures proposed here when we do not know who will be administering the escrow databases. We also note that there is active consideration of having more than two escrow agents. This option should be explored from a policy perspective before a technical standard is adopted.

3. Legal Rights of Escrow Users

If individuals do choose to deposit their keys with the government, or any other escrow agent, they must have some legal recourse in the event that those keys are improperly released. However, the most recent draft of escrow procedures specifically states:

"These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired."

Leaving users with no recourse will discourage use of the system and provides little disincentive against unscrupulous government behavior.

In the Proposed FIPS, NIST also suggests an unusual and, we believe, incorrect notion of what an escrow agent is. The Proposed FIPS adopts the incomplete definition of an escrow system found in Webster's Dictionary.
The Proposed FIPS states:

To escrow something (e.g., a document, an encryption key) means that it is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition." (Webster's Seventh New Collegiate Dictionary).

This definition omits the very basic notion that an escrow agent has responsibilities to those who deposit things of value in the escrow account. Black's Law Dictionary, which we believe may be a more appropriate source of information about escrow relationships, states that an escrow contract is an:

Agreement between buyer, seller, and escrow holder setting forth rights and responsibilities of each.

It is the general legal rule that one who deposits value with an escrow agent is entitled to recover damages from the escrow agent in the event of a breach of the agent's duty of care:

Depositor is entitled to recover damages sustained because of escrow agent's unwarranted act, and where grantee participates in wrongful delivery he also may be liable, but recovery is limited to damages actually attributable to wrongful delivery. Collier v Smith (Mo App) 308 SW2d 779. (See ANNOTATION: Who must bear loss resulting from defaults or peculations of escrow holder. 15 A.L.R.2d 870.)

The notion of an escrow agent who is insulated from all liability to the depositor is wholly alien to American law and custom. The government may, of course, seek to establish escrow agents free of legal liability, but this is fundamentally a policy choice, not a matter of technical standards. Until there is some agreement on the real responsibilities of the escrow agents, NIST is not in a position to set technical and operating standards.

4. Open, Trusted Standards:

A key goal of the Clipper Proposal is to promote widespread encryption in the marketplace. Yet people will not use encryption unless they trust it. Secret standards such as Clipper cannot be evaluated by independent experts and do not deserve the public trust.
Other parties, including Whitfield Diffie of Sun Microsystems, have commented extensively on this issue. EFF fully subscribes to those remarks.

Insufficient Technical and Operating Information Available for Comments

Even aside from the major policy issues left unanswered, the Proposed FIPS itself lacks the detail necessary to allow full public comment. First, the full operating procedures for the escrow agents have yet to be issued. Public comment must be sought on the complete procedures, not just the outline presented in the draft FIPS. Even the government-selected algorithm review group has declared that it needs more information on the escrow process. Second, asking for comments on an algorithm that is classified makes a mockery of citizen participation in government decision-making.

Action on the Proposed FIPS Must Be Delayed to Allow Completion of Public-Private Consultation Mandated by Presidential Decision Directive

President Clinton's announcement of the Clipper initiative made very clear that there should be "early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed" (April 16, 1993 Press Statement). EFF and other organizations have invested significant effort in dialogue and policy review with the Administration. We have made some progress, but many issues remain unresolved. EFF believes that for NIST to rush forward with a FIPS in advance of resolving the fundamental policy issues cited above would prematurely curtail the dialogue that the President ordered.

Finally, NIST will be involved in making many critical decisions regarding the National Information Infrastructure. The next time NIST solicits public comments, it should be ready to accept reply by electronic mail in addition to paper-based media. Over 200 of EFF's members e-mailed comments to our offices, which we then printed and hand-delivered to NIST.
We hope that in the near future, NIST and other federal agencies will be prepared to accept comments directly via the Internet.

Respectfully Submitted,

Jerry J. Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel

******************************
Sarah L. Simpson
Membership Coordinator
Electronic Frontier Foundation
1001 G Street, NW
Suite 950 East
Washington, DC 20001
202/347-5400 tel
202/393-5509 fax

------------------------------

Date: Mon, 27 Sep 93 11:56:57 EDT
From: Jerry Leichter <leichter@LRW.COM>
Subject: File 8--Three Cheers for Legal Action; Re: Moby Crypto

In all the concern about the grand jury subpoenas to ViaCrypt and Austin CodeWorks, a very important point is being missed: This is the way the law is *supposed* to work!

The law is not supposed to work by FUD (Fear, Uncertainty and Doubt), by poorly drafted regulations whose coverage no one can determine, by threats and insinuations from government spokesmen that some action is illegal (though no one's ever taken it to court so no one can really say yes or no). That's exactly what "casts a chill" over people's actions: When they can't determine what the law says or what its limits are, so that they are forced to stay away from entire areas of activity that may not be illegal and may even be Constitutionally protected.

Our system of law has many "inconvenient" little features to it. People who are clearly guilty avoid punishment every day because of errors by the prosecution or simply because the evidence against them as it is accepted by the courts is not quite at a high enough level. We accept that because "it's better that a hundred guilty men go free than that one innocent man be punished."

Conversely, the law is what's on the books until the courts say otherwise. The concurrence of every single law professor in the United States that some statute is unconstitutional means nothing until the Supreme Court rules.
The ITAR regulations are presumptively valid until found otherwise by a competent court of law. Since they can only be examined by a court when the government actually tries to use them, they can remain on the books indefinitely as a looming threat - constitutional or not, a prosecution under these regulations is expensive to defend against, so expensive that most people and all large corporations will simply act as if they are valid. This may be as "inconvenient" in some cases as letting murderers go free, but it's just as essential a part of the legal system.

While I don't envy Phil Zimmermann or ViaCrypt or Austin CodeWorks the position they find themselves in, or the legal bills they will be facing, they went into this with open eyes. (If they didn't, they are fools who won't get my sympathy.) The only way to challenge a law you think is unconstitutional is to violate it and let the government come to you. I wish them luck in their challenge. One way or another, we are likely to finally end the silly debates about secret decoder rings and decide what the law is.

As for Grady Ward's call on everyone to secrete away and widely distribute copies of PGP and related software: All I can say is, he'd better hope that the courts don't decide that the ITAR regulations aren't constitutional as applied to PGP after all. Calling on people to break the law, especially cooperating with them to do it on a large scale, could open him up to much more severe penalties than Zimmermann, ViaCrypt, and Austin face. Those three are testing the law. Ward is deliberately flaunting it. Stupid, dangerous idea. Being a revolutionary, putting yourself in direct opposition to the power of the State, isn't fun and games. People get hurt that way.

------------------------------

Subject: File 9--PumpCon II
From: pumpcon@PHANTOM.COM(PumpCon)
Date: Wed, 29 Sep 93 13:41:15 EDT

You are hereby cordially invited to attend the Second Annual PumpCon II conference.
Just mail your name/handle, group (if any), home state to:

    pumpcon@phantom.com

It is necessary that you do mail this account so we know you are coming!

PumpCon FAQs (Frequently Asked Questions)

This file is being written in response to all of the questions that I have been bombarded with. Hopefully it will clear up any confusions that obviously must exist.

1. When is PumpCon?
   PumpCon II will be held Halloween Weekend 1993, October 29, 30, 31.

2. Where is PumpCon?
   PumpCon II will be at the Airport Comfort Inn, in Filadelfia, Pencilvania. Get the PumpCon information file for further details.

3. Can I bring my computer?
   Of course you can bring your computer (Computers are not illegal!), until such time as owning/possessing a computer is illegal.

4. How much are hotel rooms?
   Hotel rooms range from around $50/night to $100/night in the hotels that have been selected for this year's PumpCon. The PumpCon information file gives further details about the hotels.

5. Who is going?
   This is a question that really can't be answered until PumpCon.

6. Who is going to speak?
   This is also going to remain sekret until the event for security reasons.

7. Why go to PumpCon?
   I don't know, if you asked or even thought of that question, don't bother to show. You obviously can't add to the conference.

8. What should I bring?
   Why/How should I know, again to ask such a question shows you obviously aren't needed.

9. Is Law Enforcement going to be there?
   This answer is not known at this time, but they are welcome, with an admittance fee double that of civilian attendees.

10. Is there going to be alcohol/drugs?
    These substances will not be provided by the conference or any of the organizers, does that answer your question?

PumpCon II
-- The Woodstock of Computer Conferences --

WHO: Anyone interested in the Computer Underground except IIRG Members :OHW
WHAT: A weekend of Telephony & Computer Seminars, and PARTYING! :TAHW
WHEN: October 29, 30, and 31 (Fri, Sat, Sun) Halloween Weekend 1993 :NEHW
WHY: To meet all of those people you have spoken to, but never met. :YHW
WHERE: Airport Comfort Inn, Filadelfia, Pencilvania :EREHW

DESCRIPTION

A gathering of computer enthusiasts for a weekend of FUN! Guest speakers will also be present to speak about the latest in computer security developments. Come join us for our second annual Halloween Party.

COST

Your $20.00 admission fee will cover all of the conference functions and a name badge with your Handle, Group Affiliation, and home state. This is a non-profit conference, any proceeds above the conference costs will be used to help the victims of last year's conference.

HOW TO GET THERE

The convention will be located just 3 miles from the Philadelphia International Airport at the Airport Comfort Inn. Two other hotels are available within the same area.

Knights Inn              Red Roof Inn             Comfort Inn
43 Industrial Highway    49 Industrial Highway    53 Industrial Highway
Essington, PA 19029      Essington, PA 19029      Essington, PA 19029
Phone: (215) 521-6650    Phone: (215) 521-5090    Phone: (215) 521-9800
Fax  : (215) 521-8846    Fax  : Ext. 444          Fax  : (215) 521-4847

I-95 North or South

The hotels are located off I-95 exit 9A on Route 291 (Industrial Highway). From north or south at the traffic signal turn right and continue for about 500 yards, the hotels are on the right side of the road.

Airport

There is a FREE shuttle available to all of the hotels.

FOR MORE INFORMATION

Mail:   PumpCon II
        P.O. Box 617
        Plantsville, CT 06479

E-Mail: pumpcon@mindvox.phantom.com

------------------------------

End of Computer Underground Digest #5.76
************************************