==Phrack Magazine==

Volume Four, Issue Forty-Four, File 6 of 27

Conference News
Part I

****************************************************************************

[Official Announcement / Call For Participation]
(Distribute Freely)

dFx, Phrack Magazine and cDc - Cult Of The Dead Cow proudly present :

The Fourth Annual

H O H O C O N

"Cliff Stoll My K0DEZ!@$#!"

Who:   All Hackers, Journalists, Security Personnel, Federal Agents, Lawyers, Authors, Cypherpunks, Virtual Realists, Modem Geeks, Telco Employees, and Other Interested Parties.

Where: Austin North Hilton & Towers and Super 8 Motel
       6000 Middle Fiskville Road
       Austin, Texas 78752
       U.S.A.
       Hilton : (800) 347-0330 / (512) 451-5757
       Super 8: (800) 800-8000 / (512) 467-8163

When:  Friday December 17 through Sunday December 19, 1993

What is HoHoCon?
----------------

HoHoCon is the largest annual gathering of those in, related to, or wishing to know more about the computer underground. Attendees generally include some of the most notable members of the "hacking" and "telecom" community, journalists, authors, security professionals, lawyers, and a host of others. Previous speakers include John Draper (Cap'n Crunch), Ray Kaplan, Chris Goggans (Erik Bloodaxe), Bruce Sterling, and many more. The conference is also one of the very few that is completely open to the public and we encourage anyone who is interested to attend.

Hotel Information
-----------------

The Austin North Hilton recently split its complex into two separate hotels; the Hilton and the newly added Super 8. HoHoCon guests have the choice of staying in either hotel. Group rates are as follows:

Super 8: Single - $46.50, Double - $49.50, Triple - $52.50, Quad - $55.50
Hilton : Single - $69.00, Double - $79.00, Triple - $89.00, Quad - $99.00

Once again, the hotel has set aside a block of rooms for the conference and we recommend making your reservations as early as possible to guarantee a room within the block, if not to just guarantee a room period.
Rooms for the handicapped are available upon request. To make your reservations, call the number listed above that corresponds with where you are and where you want to stay and make sure you tell them you are with the HoHoCon conference or else you'll end up throwing more money away. The hotel accepts American Express, Visa, Master Card, Discover, Diner's Club, and Carte Blanche credit cards.

Check-in is 3:00 p.m. and check-out is 12:00 noon. Earlier check-in is available if there are unoccupied rooms available. Please note that in order for the hotel to hold a room past 6:00 p.m. on the date of arrival, the individual reservation must be secured by a deposit or guaranteed with one of the credit cards listed above. Also, any cancellations of guaranteed reservations must be made prior to 6:00 p.m. on the date of arrival. You will be responsible for full payment of any guaranteed reservations which are not cancelled by this time.

The hotel provides transportation to and from the airport and will give you full information when you make your reservations.

Directions
----------

For those of you who will be driving to the conference, the following is a list of directions provided by the hotel (so, if they're wrong, don't blame me):

Dallas : Take IH 35 south to exit 238-B, the Houston exit. At the first stop light, turn right on to 2222. Turn off of 2222 onto Clayton Lane (by the Greyhound Station). At the stop sign, turn right onto Middle Fiskville, the hotel is on the left.

San Antonio : Take IH 35 north to exit 238-B, the Houston exit. At the second stop light, turn left onto 2222. Turn off 2222 onto Clayton Lane (by the Greyhound Station). At the stop sign, turn right onto Middle Fiskville, the hotel is on the left.

Houston (on 290) : Take 290 west into Austin. Exit off of 290 at the IH35 exit (do not get on 35). Stay on the access road heading west, you will pass two stop lights. Turn off the access road onto Clayton Lane (by the Greyhound Station).
At the stop sign, turn right onto Middle Fiskville, the hotel is on the left.

Houston (on 71) : Take 71 west into Austin. Exit onto 183 north. Take 183 north to 290 west. Take 290 west to the IH 35 exit. Exit off of 290 at the IH 35 exit (do not get on 35). Stay on the access road heading west, you will pass two stop lights. Turn off the access road onto Clayton Lane (by the Greyhound Station). At the stop sign, turn right onto Middle Fiskville, the hotel is on the left.

Airport : Exit the airport parking lot and turn right onto Manor Road. Take Manor Road to Airport Boulevard and turn right. Take Airport Boulevard to IH 35 north. Take IH 35 to exit 238-B. At the second stop light, turn left onto 2222. Turn off of 2222 onto Clayton Lane (by the Greyhound Station). At the stop sign, turn right onto Middle Fiskville, the hotel is on the left.

Call the hotel if these directions aren't complete enough or if you need additional information.

Conference Details
__________________

HoHoCon will last 3 days, with the actual conference being held on Saturday, December 18 starting at 11:00 a.m. and continuing until 5 p.m. or earlier depending on the number of speakers. Although a few speakers have confirmed their attendance, we are still in the planning stages and will wait until the next update to release a speaking schedule. We welcome any speaker or topic recommendations you might have (except for, say, "Why I Luv Baked Potatos On A Stik!"), or, if you would like to speak yourself, please contact us as soon as possible and let us know who you are, who you represent (if anyone), the topic you wish to speak on, a rough estimate of how long you will need, and whether or not you will be needing any audio-visual aids.

We would like to have people bring interesting items and videos again this year. If you have anything you think people would enjoy having the chance to see, please let us know ahead of time, and tell us if you will need any help getting it to the conference.
If all else fails, just bring it to the con and give it to us when you arrive. Any organization or individual that wants to bring flyers to distribute during the conference may do so. You may also send your flyers to us ahead of time if you can not make it to the conference and we will distribute them for you. Left over flyers are included with information packets and orders that we send out, so if you want to send extras, go ahead.

Cost
----

Unlike smaller, less informative conferences, we do not ask you to shell out hundreds of dollars just to get in the door, nor do we take your money and then make you sleep in a tent. We are maintaining the motto of "give $5 if you can", but due to the incredibly high conference room rate this year, we may step up to "$5 minimum required donation" or "give us $5 or we'll smash your head in". Five dollars is an outrageously low price compared to the suit infested industry conferences or even the new "Cons are k00l and trendy, I gotta do one too!" conferences that are charging up to $50 for admission alone.

To encourage people to donate, we will once again be having our wonderless "Raffle For The Elite" during the conference. We will issue a prize list in a future update, but we can guarantee that this year there will be a lot more (and better) prizes than last year, including a full system (and, no, it's not a c64 or 286). Anyone who wishes to donate worthwhile items to the raffle, please let us know ahead of time, or if it's a last minute acquirement, just bring it to the conference.

Miscellaneous Notes
-------------------

To save myself some time by mailing responses to a lot of the same questions I expect to get, I'll answer a few of them here.

Although I have not talked to him myself yet, Steve Ryan has told me that Bruce Sterling will indeed be in attendance and may say a few words.

As far as I know, there will not be any visitors from any other planets at the conference.
Scot Chasin is still on Earth and will be making an appearance.

Video cameras will *not* be allowed inside the conference room without prior consent due to previous agreements made with speakers who do not wish for certain parts of their speech to be rebroadcast. Still cameras and Etch-A-Sketch's are fine and tape recorders are too easily hidden for us to be able to control.

Videos and T-Shirts from last year's conference are still available, and will also be on hand during the conference. We do not handle the LoD World Tour shirts, but I can tell you that the old ones are gone and a *new* LoD shirt will be unveiled at the conference. The HoHoCon shirts are $15 plus $3 shipping ($4.00 for two shirts). At this time, they only come in extra large. We may add additional sizes if there is a demand for them. The front of the shirt has the following in a white strip across the chest:

    I LOVE FEDS

    (Where LOVE = a red heart, very similar to the I LOVE NY logo)

And this on the back:

    dFx & cDc Present

    HOHOCON '92

    December 18-20
    Allen Park Inn
    Houston, Texas

There is another version of the shirt available with the following:

    I LOVE WAREZ

The video includes footage from all three days, is six hours long and costs $18 plus $3 shipping ($4.00 if purchasing another item also). Please note that if you are purchasing multiple items, you only need to pay one shipping charge of $4.00, not a charge for each item. If you wish to send an order in now, make all checks or money orders payable to O.I.S., include your phone number and mail it to the street address listed below. Allow a few weeks for arrival.

There will be new HoHoCon '93 shirts available at the conference and a video of the festivities will be out early next year.

Correspondence
--------------

If anyone requires any additional information, needs to ask any questions, wants to RSVP, wants to order anything, or would like to be added to the mailing list to receive the HoHoCon updates, you may mail us at:

    hohocon@cypher.com
    drunkfux@cypher.com
    cDc@cypher.com
    drunkfux@crimelab.com
    dfx@nuchat.sccsi.com
    drunkfux@5285 (WWIV Net)

or via sluggo mail at:

    HoHoCon
    1310 Tulane, Box 2
    Houston, Texas
    77008-4106

We also have a VMB which includes all the conference information and is probably the fastest way to get updated reports. The number is:

    713-867-9544

You can download any of the conference announcements and related materials by calling Metalland Southwest at 713-468-5802, which is the official HoHoCon BBS. The board is up 24 hours a day and all baud rates are supported.

Those of you with net access can ftp to cypher.com and find all the HoHoCon information available in /pub/hohocon. The .gifs from previous cons are *not* currently online.

Conference information and updates will most likely also be found in most computer underground related publications and mailing lists, including CuD, CSP, Mondo 2000, 2600, Phrack, TUC, phn0rd, cypherpunks, etc. They should also appear in a number of newsgroups including comp.dcom.telecom, alt.security, comp.org.eff.talk, and sci.crypt. We completely encourage people to use, reprint, and distribute any information in this file.

Same stupid ending statement from last year to make us look good
----------------------------------------------------------------

HoHoCon '93 will be a priceless learning experience for professionals and gives journalists a chance to gather information and ideas direct from the source. It is also one of the very few times when all the members of the computer underground can come together for a realistic purpose. We urge people not to miss out on an event of this caliber, which doesn't happen very often.
If you've ever wanted to meet some of the most famous people from the hacking community, this may be your one and only chance. Don't wait to read about it in all the magazines and then wish you had been there, make your plans to attend now! Be a part of what we hope to be our largest and greatest conference ever.

-------------------------------------------------------------------------------

COMPUTERS, FREEDOM, AND PRIVACY '94
Conference Announcement
Scholarships, Writing Competition Notice
23-26 March 1994, Chicago, Il.

The fourth annual conference, "Computers, Freedom, and Privacy," (CFP'94) will be held in Chicago, Il., March 23-26, 1994. The conference is hosted by The John Marshall Law School; George B. Trubow, professor of law and director of the Center for Informatics Law at John Marshall, is general chair of the conference. The program is sponsored jointly by these Association for Computing Machinery (ACM) Special Interest Groups: Communications (SIGCOMM); Computers and Society (SIGCAS); Security, Audit and Control (SIGSAC).

The advance of computer and communications technologies holds great promise for individuals and society. From conveniences for consumers and efficiencies in commerce to improved public health and safety and increased participation in government and community, these technologies are fundamentally transforming our environment and our lives.

At the same time, these technologies present challenges to the idea of a free and open society. Personal privacy and corporate security are at risk from invasions by high-tech surveillance and monitoring; a myriad of personal information data bases expose private life to constant scrutiny; new forms of illegal activity may threaten the traditional barriers between citizen and state and present new tests of Constitutional protection; geographic boundaries of state and nation may be recast by information exchange that knows no boundaries in global data networks.
CFP'94 will assemble experts, advocates and interest groups from diverse perspectives and disciplines to consider freedom and privacy in today's "information society." Tutorials will be offered on March 23, 1994, from 9:00 a.m. - noon and 2:00 - 5:00 p.m. The conference program is Thursday, March 24, through Saturday, March 26, 1994, and will examine the potential benefits and burdens of new information and communications technologies and consider ways in which society can enjoy the benefits while minimizing negative implications.

STUDENT PAPER COMPETITION

Full time college or graduate students may enter the student paper competition. Papers must not exceed 3000 words and should address the impact of computer and telecommunications technologies on freedom and privacy in society. Winners will receive financial support to attend the conference and present their papers. All papers should be submitted by December 15, 1993, (either as straight text via e-mail or 6 printed copies) to: Prof. Eugene Spafford, Department of Computer Science, Purdue University, West Lafayette, IN 47907-2004. E-Mail: spaf@cs.purdue.edu; Voice: 317-494-7825

CONFERENCE REGISTRATION INFORMATION

Registration fees are as follows:

If paid by:    1/31/94    3/15/94    4/23/94
               Early      Regular    Late

Tutorial       $145       $175       $210
Conference      315        370        420

NOTE: ACM members (give membership number) and John Marshall Alumni (give graduation date) receive a $10 discount from Tutorial and $15 discount from Conference fees.

CONFERENCE REGISTRATION: Inquiries regarding registration should be directed to RoseMarie Knight, Registration Chair, at the JMLS address above; her voice number is 312-987-1420; E-mail, 6rknight@jmls.edu.

CONFERENCE INFORMATION: Communications regarding the conference should be sent to: CFP'94, The John Marshall Law School, 315 S.
Plymouth Ct., Chicago, IL 60604-3907 (Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)

ROOM RESERVATIONS: The Palmer House Hilton, located in Chicago's "loop," and only about a block from The John Marshall Law School, is the conference headquarters. Room reservations only should be made directly with the hotel, mentioning "CFP'94" to get the special conference rate of $99.00, plus tax. (17 E. Monroe., Chicago, Il., 60603, Tel: 312-726-7500; 1-800-HILTONS; Fax 312-263-2556)

NOTE: More specific information about conference program content will be available December 1, 1993.

***********

George B. Trubow, Professor of Law
Director, Center for Informatics Law
The John Marshall Law School
315 S. Plymouth Ct.
Chicago, IL 60604-3907
Fax: 312-427-8307; Voice: 312-987-1445
E-mail: 7trubow@jmls.edu

......SCHOLARSHIPS

The Conference on Computers, Freedom & Privacy (CFP'94) is pleased to announce that it will once again provide a number of full tuition scholarships for attendance at the conference. The conference will be held in Chicago, IL from March 23rd through March 26th, 1995 and will be hosted by the John Marshall Law School under the chairmanship of George Trubow.

The conference traditionally attracts an extremely diverse group of persons concerned with issues relating to the rapid development of the "information society"; civil libertarians, information providers, law enforcement personnel, privacy advocates, "hackers", sociologists, educators and students, computer professionals, cryptography advocates, government policy makers and other interested parties have all played major roles in the three previous conferences.

Speakers at previous conferences have included Electronic Frontier Foundation (EFF) co-founders John Perry Barlow and Mitch Kapor, FBI Deputy Director William A. "Al" Bayse, writer Bruce Sterling, privacy advocate Simon Davies, Harvard University law professor Lawrence Tribe, hacker "Phiber Optik", Georgetown University's Dorothy Denning, "Cuckoo's Egg" author Clifford Stoll, Prodigy counsel George Perry, USA Today founder Al Neuwith, former FCC Chairman Nicholas Johnson, Computer Professionals for Social Responsibility (CPSR)'s Marc Rotenberg, Arizona prosecutor Gail Thackeray, and Bay Area Women in Computing's Judi Clark.

The scholarships are intended to provide access to the conference to those that would like to attend the conference but are unable to afford the tuition. They are available to undergraduate and graduate students in any discipline (previous student attendees have come from computer science, law, sociology, liberal arts, journalism, and womens' studies backgrounds), law enforcement personnel, hackers, social scientists, and others interested in the future of the information society.

Persons interested in a scholarship should send the following information (e-mail greatly preferred) to:

    John F. McMullen
    Perry Street
    Jefferson Valley, NY 10535

    mcmullen@panix.com
    (914) 245-2734 (voice)
    (914) 245-8464 (fax)

1. Personal Information -- Name, Addresses (including e-mail), Phone Numbers, School and/or Business Affiliation

2. Short Statement explaining what the applicant hopes to get from CFP'94 and what impact that attendance may have in the applicant's community or future work.

3. Stipulation that the applicant understands that he/she is responsible for transportation and lodging expenses related to the conference. The scholarship includes tuition and those meals included with the conference.

4. Stipulation that the applicant would not be able to attend the conference if a scholarship is not granted. The applicant stipulates that, if granted a scholarship, he/she will attend the conference.

6. Stipulation that the applicant, if granted a scholarship, will provide a contact John McMullen at the above e-mail address or phone numbers with any questions.

The number of available scholarships will be determined by funding available.

-------------------------------------------------------------------------------

Notes from the Austin Crypto Conference, September 22, 1993
by Gregory W. Kamen

--- Dinosaur Warning ---

Disclaimer: A lot of people here noted disclaimed what they said as "not legal advice". In addition, this was prepared from notes which were not necessarily legible or complete, therefore I disclaim any responsibility for misquoting or mistranscribing this information. (If you don't like it, you try typing "cypherpunks" over and over again :P). Please note that in Q & A sessions, the answers were relevant, though not always responsive to the questions. In addition, I state that this information does not represent legal advice from me or solicitation of legal representation, and does not necessarily represent the position of EFH, EFF, EFF-Austin, the individual conference participants, or any living person.

-----------

The room was set up to seat approximately 180 people. It was essentially full, and there were a few people standing--not bad for a Wednesday afternoon. There was a large (about 14 people) contingent from EFH present.

Steve Jackson opened the meeting with a few introductory remarks, among which were that a subpoena had been served on Austin Code Works, a publisher of cryptographic software. We can expect to hear about the case in news magazines of general circulation in about two months.

Bruce Sterling delivered the keynote address.
He began by establishing a context by defining cryptography:
   -- as secret coding to avoid the scrutiny of a long list of entities,
   -- as a way to confine knowledge to those initiated and trusted,
   -- as a means to ensure the privacy of digital communication, and
   -- as a new form of information economics

Sterling then noted that crypto is "out of the closet"
   -- it is heard of on the streets
   -- the government acknowledges it by bringing forth its Clipper chip
   -- it is in the hands of the people
   -- public key crypto is out there and commercially available
   -- the typical time to market from first publication of a new idea is 20 years. Diffie published the first public key crypto algorithm in 1975, thus the target date for mass crypto would be 1995. Bringing it to market will require bringing of political pressure, lawsuits, and money.

Next, Sterling moved to the subject of the grand jury proceedings in San Jose on 9/22.
   -- Export law violations have been alleged. Whatever the outcome, this proceeding is certainly not the end of the subject.

Finally, before closing by noting that EFF-Austin is not EFF, Sterling shared a brief background of the panelists:
   -- they are people who can tell us about the future
   -- they are directors of national EFF and can share information

Panelists on First Panel
   -- Mitch Kapor - co-founder of EFF, software designer, entrepreneur, journalist, philanthropist, activist. He spoke out on obscure issues in the beginning and made them seem less obscure. He has done good deeds for the public.
   -- Jerry Berman - President of EFF, activist background, published widely on security and privacy issues, formerly active with ACLU, and is on Clinton administration's National Information Infrastructure team.

Panelists on Second Panel
   -- Esther Dyson - journalist, has widely read project "Release 1.0", is a guru in Europe.
   -- Mike Godwin - lawyer for EFF, veteran public speaker, attended UT-Austin, on the board of EFF-Austin as well as EFF.
Panelists on Third Panel
   -- Eric Hughes - not EFF member, started cypherpunks mailing list, from California
   -- John Gilmore - 20 year programmer, pioneer at Sun, civil libertarian
   -- John Perry Barlow - co-founder of EFF, media junkie, and author.

PANEL #1: POLICY

Kapor - Opening remarks: Framing the issue

a. Series of conferences in Washington, briefed EFF on how laws are made, at a technical level of the process. Berman was instrumental in passing the ECPA, which was later used successfully in Steve Jackson Games case.

b. ECPA is a good thing: it says Email should be as private as postal mail. However, it doesn't go far enough because it is easy to listen in on cell phones.

c. Kapor felt need technology to protect privacy. Laws alone are not enough. Berman stated view (at that time. He has since changed his mind) widely held within the Beltway that laws were sufficient.

d. Survey: 20 percent of those present use PGP. 80 percent have heard of PGP.

Berman -

a. Following on Kapor's point that ECPA was soft, Berman says the politicians will remain clueless until we educate them. If it is knowledge that can alter the political process, it must be done.

b. EFF established a Washington presence because policy is being made to design and govern the electronic frontier by the big commercial players. The public and the consumer are not represented.

c. We're working on a goal that the national information infrastructure serve the public interest. For example, if the big players are allowed to dominate the process, they will control access and the NII will look like 500 cable channels rather than a point-to-point switched network like Internet.

d. There's a big battle coming: computers and communication are in abundance such that everyone can be a publisher. This raises at the very least a First Amendment issue.

e. The Clipper Chip
   -- has great potential for the net; however, government agencies are not sure of control
   -- privacy and security are essential for development of the national information infrastructure. This is a threat to the law enforcement community.
   -- the response of the law enforcement community has been to attempt to throttle the technology.
   -- in order to capture the future, they want to develop the technology themselves.
   -- EFF's role has been to say that we shouldn't go ahead with the Clipper chip proposal.
   -- the ultimate big question: What to do when all communications are encrypted.
   -- Clinton led off with a study of cryptography policy and introduced the Clipper chip at the same time, which demonstrates that the policy was already determined in the opinions of many. It was introduced not as something being studied, but as a fait accompli.
   -- Clipper proposal is bad because it is based on a secret algorithm which has not been subjected to adequate scrutiny, it is counterintuitive to interoperability because stronger crypto is being developed outside the United States, and it includes a key escrow provision that includes only "insiders" who developed the technology.
   -- We don't prescreen the content of communications. The law enforcement community needs a warrant. That is fundamental to the First, Fourth, and Fifth Amendments.

f. We oppose the Clipper/Skipjack chip
   -- there's no evidence showing that law enforcement will be unduly hampered in its efforts to stop crime if crypto is available.
   -- the positive and negative implications of widespread crypto have not been considered.
   -- law enforcement may have a problem, but if they have a warrant they should be able to get access.
   -- as long as Clipper is not mandated, people can use other types of crypto.

g. Conclusions
   -- if Clipper is voluntary, it doesn't work, because people who want to encrypt safely will use other products.
   -- if Clipper is mandated, there are serious constitutional issues.
   -- Even if the Clipper chip proposal fails, we still lose under the current scheme, because the export control laws guarantee that we will not have crypto interoperable with the rest of the world.

h. EFF chairs a large coalition including representatives of Microsoft, IBM, and ACLU to work against this.

i. Congress only needs one bad case, like a terrorist attack, to go the other way.

Q & A -

Q. Is the key in the hardware or software with Clipper?
A. It's in the hardware, therefore the instrument is permanently compromised once the keys are released from escrow. The law enforcement arguments are really fronts for NSA and their religious commitment to prevent the spread of crypto. It's NSA's mission to make sure it "busts" every communication in the world, therefore why would they propose any encryption without a "back door" through which they could decipher all transmissions.

Q. What is the current state of the law between NIST and NSA?
A. NSA was selling "secure" phones. They wanted a new classification of information. Responsibility for classified systems rests with NSA. NIST is brought in to handle domestic crypto. In terms of budget and experience, however, NSA is dominant, and NIST relies on them.

Q. How does GATT relate to the Clipper proposal?
A. It's not dealt with in GATT. There's no agreement on an international standard.

Q. What's going on with PGP?
A. Pretty Good Privacy is the people's crypto. It was independently developed, and has been widely distributed for our information and security. There are two current controversies regarding PGP. First is whether it is subject to export controls, and second is its intellectual property status.

Q. What facts do we have regarding the history of Clipper?
A. The project began during the Bush administration after AT&T introduced phones implementing DES, the Data Encryption Standard. Clinton looked at it early in his administration. NSA pushed the program, and the staff wanted to "do something".
A worst-case scenario about the introduction of Clipper is that it was leaked to the press, and the story about a study was cooked up to cover the leak. People might be surprised about how little expertise and thought about issues goes on. Policy makers operate under severe time constraints, handling the crisis of the moment. Most of them are reasonable people trying to do the best thing under the circumstances. If we push certain ideas long enough and hard enough we can affect the outcome.

Q. Following the _AMD v. Intel_ case, there's nothing stating you cannot clone the Clipper chips to circumvent the law enforcement field, correct?
A. It's difficult to say. The chips have not yet been delivered. There have been technical problems with the chip. At NIST hearing a couple weeks ago, Dorothy Denning revealed that she had reviewed the Skipjack algorithm alone because the other four cryptographers selected to review the algorithm were on vacation. There's a certain degree of cynicism because the government has said it will twist people's arms using its purchasing power and the threat of prosecution to establish Skipjack as a de facto standard. EFF is trying to get AT&T and Motorola to do something. Maybe the chip cannot easily be cloned. John Gilmore wants to see how easy it is to reverse engineer.

Q. What are specific steps that can be taken?
A. Send Email to the White House, and cc to EFF. Also, focus on the debate concerning ownership and leasing of the national information infrastructure. Southwestern Bell wants authority to own and lease the net and isn't quite sure whether government should be involved. This is the other longest-running EFF policy concern: the owner of the electronic highways shouldn't be able to control content. Bandwidth should be provided based on the principles of common carriage and universal access. Construction of the NII should be done by the private sector because government doesn't have the resources available.
We can't allow ourselves to be limited to upstream bandwidth. The net should retain those of its characteristics equivalent to BBS's.

Q. If NIST is to be an escrow agent, why are they not secure?
A. This is a source of moral outrage, but moral outrage only goes so far. We need to swallow our distaste for dealing with the government to compromise. It is worthwhile to get involved in the decision-making _process_.

Q. What is the position of the ACLU and Republican think tanks on Clipper?
A. A lot of organizations have bumped into NII. ACLU is fighting the Clipper chip. For other organizations, it's not a top priority item.

Q. With regard to DES: Export restrictions apply to scramblers, but they are exported anyway. Why this policy of selective enforcement?
A. Don't look for consistency. SPA has recognized that there are 231 DES-equivalent products. The genie is out of the bottle. DES source is widely available, but more so inside the US than outside.

Q. If the government has their way, what good products are out there for us?
A. The government can only have its way by mandating use of Skipjack. If it holds up, legally and politically, there _is_ no alternative. The government is saying that it is considering banning the use of crypto other than Skipjack, but has not yet adopted such a policy.

Q. If crypto is a munition, is it protected under the Second Amendment?
A. The Second Amendment probably doesn't affect the export question.

Q. Are there any legal weaknesses in the public key cryptography patents?
A. EFF has its hands full with other issues and hasn't really formulated an answer to this, but believes there's a fatal weakness as to all software patents. However, it would be prohibitively expensive to make such a case at this time.

Q. Do we need different copyright laws because of encryption?
A. Recognize that without changes in the copyright law, it will be difficult to get a true net economy going. Producers want a way to make money from the net.
Consumers want the equivalent of home taping. It's tough to cover all the bases.

Q. How do law enforcement issues in civil cases relate?
A. This is an interesting point because the line between a commercial dispute and a criminal act is fuzzy. There are dangers in obtaining a wiretap. The law enforcement community shouldn't have a case to tap a line in the event of a two-party dispute. There is a danger of misuse for traffic analysis of calls.

Q. ECPA could have been used to regulate access to the airwaves. Has it been tested against the First Amendment?
A. This demonstrates that technological security measures, rather than merely laws, are needed. People have listened to cell phone calls with scanners, and they made scanners illegal to manufacture, but cell phones can be modified to act as scanners. Experimentation of privacy with encryption shifts the balance. RSA is available outside the US. RICO is being overused.

PANEL #2: INDUSTRIAL AND LEGAL ISSUES

Dyson - Beyond commercial people being citizens, there are three big issues:

1. Protection of trade secrets
2. Intellectual property protection for net businesses and database information
3. Exporting encryption devices: US businesses like to do business overseas. It is cost ineffective to develop a US-only standard. There is better encryption available in Russia and Bulgaria on BBS's.

Godwin - Talking about law enforcement arguments government makes. There are general issues regarding computers, communication, and privacy greater than just Clipper.

-- Godwin is the first person people talk to when they call EFF in trouble. In addition to giving a lot of general information regarding liability, he monitors the intake of cases for EFF. He talks at conventions about criminal and constitutional issues.
-- This effort has produced at least one change already: law enforcement personnel are no longer completely incompetent and clueless about computers.
-- the most interesting are issues dealing with hackers and crypto.
FBI's involvement with digital telephony: they wanted to make it more wiretap friendly. They discovered it is worthless without a restriction on encryption, and Clipper was introduced a short time later.

Legal History

The right to communications privacy is a fairly new thing. The Supreme Court faced it in the 1928 _Olmstead_ case, and held that there was no Fourth Amendment interest to be protected at all because there was no physical intrusion on the property. The doctrine has been revisited a number of times since then.

-- a suction cup mike next door to the defendant's apartment produced the same holding.
-- In a later case of a "spike mike" penetrating the heating duct of the defendant's apartment, the Court held that the Fourth Amendment applied but did not extend general Fourth Amendment protection.

Finally in the _Katz_ case in the late 60's the Court formulated its present doctrine in holding that the defendant has a reasonable expectation of privacy in a phone booth. The Court said that the Fourth Amendment protects people, not places. Justice Brandeis, in dissent, cited Olmstead, but also noted that "The right most prized by civilized men is the right to be let alone."

Arguments regularly advanced by law enforcement types in favor of Clipper:

1. Wiretapping has been essential in making many cases.
-- this argument seems reasonable.

2. Even if they can't point to a case now, they are taking a proactive approach, trying to anticipate problems rather than reacting.
-- Dorothy Denning was involved early on in framing the issues. Now she's in favor of the government line. Point is that an attitude of "us vs. them" is counterproductive.

3. There are nuclear terrorists out there
-- this argument is the result of false reasoning. Like Pascal's wager, the price of guessing wrong is so high that the rational person chooses to be a believer, even where the probability is very low.
-- the problem with it is that you can't live that way.
There's not necessarily one single right answer. Also there is a substantial opportunity cost. Whenever you empower individual rights, there's a tradeoff against government efficiency. As an example, take the case of compelled confession. It would be very efficient for the government to be able to compel a confession, but the cost in individual rights is too high. There is no constitutional precedent on which to base the outlawing of encryption. The way it ought to be, the law enforcement types should have the right to try to intercept communications under certain circumstances, but they should have no guarantee of success.

4. Wiretapping has created an entitlement to have access to the communications: this argument is blatantly ridiculous.

Q & A

Q. Before the A-bomb was built, proponents said that it would cost $1 million to build. The eventual cost was $1 billion. Congress asked what was the probability that it could work, and was told 1 in 10. Thus the nuclear terrorist argument works, right?
A. Terrorists won't use Clipper.

Q. NSA has had scramblers working. Why does it hurt for us to have the devices?
A. We're not opening Pandora's Box. Encryption is already out there. They think the majority of communications are not encrypted now. Encryption will create a bottleneck, which will change the way law enforcement does its job.

Q. What about the Davis case in Oklahoma? If convicted is there any chance for parole?
A. Davis was a BBS owner prosecuted because he allegedly had obscene material on his board. I don't know about Oklahoma parole law.

Q. What is the current legal status of PGP?
A. That will be answered later.

Q. If "only outlaws will have crypto", how effectively can they clamp down?
A. It will probably be very easy for them to chill nonstandard crypto if
-- they investigate for another crime and find it, or
-- it may itself be probable cause for a search.

Q. Doesn't a lot of this boil down to "you wouldn't be encrypting if you had nothing to hide"?
A.
There's not any probable cause for law enforcement taking that position. Business likes crypto. In a scenario where only certain types of crypto are allowed, there could presumably arise a presumption from nonstandard crypto. The more people who encrypt, the more will say it is all right.

Q. Do you get the sense that there is a political will to protect privacy in this country?
A. It is not clear that is the case. There is a real education hurdle to teach the importance of technology.

Q. The law enforcement aspect is not important to NSA, right?
A. The Russians and the Japanese have done more theoretical work. Read "The Puzzle Palace".

Q. Virtual communities and net businesses need crypto on all systems to validate digital signatures.
A. It is not required universally. It will become cheaper as digital signatures take off. The Clipper proposal does not address digital signatures. NIST is also talking to IRS about helping implement Clipper by extending the ability to file tax returns electronically to those using Clipper.

Q. What restrictions are there right now on the IMPORT of crypto?
A. None right now.

Q. Is law enforcement misuse of commercial information anticipated?
A. It is a wash. There are laws available to protect against such things, like the Electronic Funds Transfer laws, and also that the wiretap law requires eventual notification of the tap. That's why they have called for two escrow agents. The weakness is that people can be compromised. The answer to law enforcement is that you could have more than two escrow agents to make the bribe prohibitively expensive. Also the problem of human weakness is not unique to the Clipper chip or key escrow systems.

Q. There's no mapping between the chip and the phone, correct?
A. The only link is the word of the officer seeking a warrant. There is no provision right now for a database containing identities of all chips.

Q. Can the President or Congress outlaw encryption by Executive Order?
A.
The president cannot by Executive Order. It's not clear whether Congress could constitutionally.

Q. What about steganography?
A. Steganography is defined as a message appearing to be unencrypted but containing a code. There's a constant competition between the law enforcement community and the criminal element to stay ahead on the technology.

Q. Are one time pads illegal, or covered by export regulations?
A. No. Few policymakers have ever heard of them.

Q. What's a vision of what we would like to see?
A. Try to give people a technological means to protect their own privacy. Freedom to exchange information. Communities conforming to a standard without oversight, so that we can export.

Godwin - more mystical approach. In person, you can be sure of someone's identity. This creates intimacy. Technology has the potential to free intimacy from the accident of geography. With crypto, you know the identity of the other person, and that you're not being overheard.

Q. Who are the law enforcement people you've been dealing with? Do they represent the highest levels of their organizations?
A. (Godwin) I don't claim to know what NSA thinks. I have talked to FBI, state and local law enforcement authorities, and they all say the same things.

PANEL #3: CYPHERPUNKS

Barlow - Doesn't have the I/O bandwidth to be a cypherpunk. Doesn't know how they do it. The net is the biggest technological development since fire. There's a very difficult choice to be made, and it may already be made: Either anything is visible to anyone who is curious, or nothing is visible. Barlow comes from a small town. He's not bothered by privacy invasions at that level. But there's a difference between locals and the possessors of a database. The problem of giving up privacy (which without encryption will happen), is that it allows "them" to protect us from ourselves. Also, no matter how benevolent the current government may be, there will always be a corrupt one down the road.
Hidden crypto economies could break most governments. It's not necessarily good to have no government either. What drives the cypherpunks is a law of nature: Anarchy is breaking out, and Barlow is one. However, the libertarian impulse begs a few questions about crypto: What are we trying to hide, from whom, and why? There are a lot of victimless crimes out there for which no one wants to take responsibility. Barlow wants crypto to create trust in identity. The real cypherpunk question is: The war is over, and we have won. How do we make the transition of power graceful? Human nature is to acquire some power structure of some kind. It is critical to acquaint friends and those who could care less with crypto.

Gilmore - There are too many laws, and they make the wrong things illegal; We need to explain. In the existing system, the natural outgrowth has been for cypherpunks to be labeled as "them". Gilmore's vision is unprecedented mobility by creating privacy and authenticity at a distance. Thus you don't have to live near work, or play near home. By focusing on conspirators, the law enforcement community loses the focus on business use. The formal topic of the panel is cypherpunks.

-- Crypto is not all that hard. Denning's book shows how to implement DES and RSA.
-- Cypherpunks push the limits - taking cryptography from theory into the realm of the practical.
-- Trying to put crypto in the hands of the people, so that the government cannot take it back. That's why PGP is freely distributed.
-- Also working on anonymity and digital money schemes.

The areas the cypherpunk group has worked on are:

1) Anonymity - anonymous Email. What is the impact on how we communicate? Most of the debate has been relatively uninformed. The Supreme Court thinks there is a right of anonymity. A Los Angeles law requiring that demonstrators who handed out flyers put their name and address on the flyers was overturned on the grounds that it chilled free speech.
In other media, telephones are anonymous. There has been a big ruckus with Caller ID. The postal service does not enforce return address requirements. Telegrams and radio are similarly anonymous.

2) Privacy - Have been implementing key exchange systems for PGP, experimenting with encrypted audio. Digital cash systems - so many businesses would pop up on the net if it was possible to spend electronic money. There are people working on the legal aspects of it now.

3) Outreach - a mailing list, contributing articles to Village Voice, Wired, Whole Earth News.

4) Government interaction - Sent a list of questions regarding Clipper to NIST. Made several requests under the Freedom of Information Act. Someone searched the dumpsters at Mykotronx. In a recent FOIA request to an Assistant Secretary of Defense, we learned that the law enforcement and intelligence communities advocate making Clipper mandatory. There's a FOIA request in now on Clipper. FBI returned a clipping file, but says it will take 3 1/2 years to process and release all the documents requested.

5) Future projects - Building encrypted phones using PGP. Real digital banking. Automating anonymity and making an easier to use interface for anonymized mail. Tightening security from machine to machine protocols - Right now they transmit cleartext. At Gilmore's home machine at Cygnus recently, a hacker monitored a session remotely, then installed a daemon to monitor the first 200 bytes of ethernet traffic from each connection. The daemon was removed, and the problem fixed using kerberos.

Hughes - Cypherpunks was created by Hughes and Tim May. It's surprising how much media attention we have gotten. They knew what they were doing was significant, but not that so many people thought so. They are now shooting a pilot for a TV show based on cypherpunks, and Hughes has held himself out as a media expert.
Here are a few obvious things that nonetheless need to be stated:

1) In order to have a private key, you need to have your own CPU. To put your key online where someone else has physical access is dumb. Therefore, one of the consequences is that digital privacy is only for the rich.

2) Cypherpunks is not a "hacker privacy league", but rather seeks to ensure privacy for all. Crypto must be easy to use. It is just now feasible to have an anonymous remailer. The user interface _must_ be easy. The layperson's concept of security is that if the computer is not networked, it is secure. They don't see how much of a disadvantage it is not to be networked. Gibson calls non-networked computers "dead silicon". Therefore, encryption needs to be transparent to the user. The cypherpunks mailing list reached critical mass about 2 months ago with enough people understanding the concepts to move forward. We're at a crossroads historically now.

3) If you're the only one using crypto, it must be you who sent the cryptographic message. Anonymity is a social construct, and it doesn't work unless many people do it. The government is good at suppressing small things, but bad at suppressing big things. Therefore the best course of action is to spread the word. In the end, most of us will be private or most will not. If encryption is available to you, use it.

In response to Dyson on the question of copyright: Copyright is dead, or at least moribund. It will not exist as we know it in 100 years. It is a means of using the government's power to suppress expression. You still will be able to sell the timeliness of information, indexing, delivery, etc.

Gilmore - If we decide to be private, the only limit to secrecy is individual conscience.

Comments from the audience:

-- As it becomes less possible to hold on to information, marketing shifts toward a relationship rather than a product.
-- If we want to make encryption easy, put out a mailer which supports it.
(Response: We're working on it)

Q & A

Q. Can public keys be made available through the Domain Name Servers?
A. PGP developers are working on it. Internet is an information motel. Data checks in, but it doesn't check out.

Q. Is it possible to keep secrets at all?
A. The larger an organization is, the tougher it is to keep a secret. Secrecy and digital signatures are not exactly related. One thing we may see is pointers to specific documents which contain self-verifying information. These will change the balance of power.

Q. Can we sell strong crypto to Clinton as part of his national ID card for health care program?
A. There's a problem in dealing with the administration right now, because they are currently defending a position and it will be tough to change. A parallel development may make the difference. Congress is getting Email. Seven or eight congressmen have access. A push to implement crypto to determine who is from the districts represented should come soon. A lot of this type application is based on the blind signature work of David Chaum.

Q. What's the status with the legality of PGP vs. RSA?
A. It is unsettled. There are two issues: patent infringement and export. RIPEM uses RSAREF, which is a watered down version of RSA. They're working on PGP using RSAREF for noncommercial users.

Q. Compare the strength and security of PGP and RIPEM?
A. PGP uses a longer key. RIPEM uses DES, but will probably go to Triple-DES.

Q. How are blind signatures used?
A. Voter cards, digital signatures, digital money. The government won't do it if they feel it's not in their best interest. Push it.

Q. Can NSA break DES & PGP?
A. Of course.

Q. How long must a key be to slow NSA down?
A. We estimate they can break one 512 bit RSA modulus per day.

Q. Is PGP illegal, and if so, how?
A. Patent infringement issue is whether PGP infringes RSA. If you use a product that infringes, you are civilly liable.
If they were to enforce against a random user, worst case is that the user might be tied up in the courts for a while. Worse is copyright - it is a felony to engage in software piracy, which means making over 10 copies with a value over $2500. This poses a potential problem for sysadmins, and now companies use the threat of criminal charges to force licensing.

Kapor is willing to take the case of whether or not there could ever be a valid software patent to the Supreme Court.

Godwin says prosecutors will use other laws: Wire fraud, conspiracy, RICO.

Hughes - there should be a local cypherpunks chapter. It should meet on the second Saturday of the month. Hughes is pursuing the idea of teleconferencing.

Hughes concludes: "There's plenty of arguing to do. I'll see you online."