1997-09-14 - Notes from the Cypherpunks September Bay Area Meeting

Header Data

From: Martin Minow <minow@apple.com>
To: cypherpunks@cyberpass.net
Message Hash: 0eb06b7a3fdc242bbe8af7b41565bc4bf753d9fde7e722009c5838cbb3955359
Message ID: <v03102800b041d75dec10@[]>
Reply To: N/A
UTC Datetime: 1997-09-14 19:43:33 UTC
Raw Date: Mon, 15 Sep 1997 03:43:33 +0800

Raw message

From: Martin Minow <minow@apple.com>
Date: Mon, 15 Sep 1997 03:43:33 +0800
To: cypherpunks@cyberpass.net
Subject: Notes from the Cypherpunks September Bay Area Meeting
Message-ID: <v03102800b041d75dec10@[]>
MIME-Version: 1.0
Content-Type: text/plain

Here are some notes I took at the Cypherpunks September Bay Area Meeting
on September 13 at "PGP World Headquarters" in San Mateo. Quotes are
summaries and interpretations, but hopefullfy fair and accurate.
My interpolations enclosed in square brackets.

Cypherpunks meetings are not particularly formal, but more like a
dialog between a number of people, punctuated with slightly more
formal presentations.

Introductory discussion of the recent crypto-gutting legislative

Eric Hughes (EH): This is the fifth anniversary of Cypherpunks. At
the first meeting, we demonstrated a number of the technologies that
are now becoming widespread, including remailers, and breaking weak
(i.e., exportable) cryphograph.

Tim May (Tim): What we feared five years ago is worse than Clipper --
it's an absolute disaster. The government has declared war on privacy.
The only survivor is likely to be Trusted Information Systems, which
has very close connection to the NSA.

EH: The government now desires access to all plaintext communication.

Tim: The British, and OECD, trusted third party proposal is a nightmare:
even if you have access to software such as PGP and Explorer that provides
strong privacy, the British now regard the keys you need to use that
technology as "crypto material" -- and it will be illegal to distribute
unbreakable keys [presumably without license or escrow capabilities].

Vinnie Moscaritalo (Vinnie): Black market?

EH: No: there will be an underground market [the distinction is important]
what we need are legitimate distribution of keys and crypto. Social pressure
will otherwise keep crypto unused.

Tim: Quoting Whitfield Diffie: this is like the war on drugs. Ban grypto
and companies will dpeutize themselves to assist the government just
as they did by requiring urine tests.

EH: [The computer industry is moving to] remote policy enforcement --
copyright enforcement [to prevent you from using software if you
don't have a license to it, or to prevent you from viewing a
copy of a movie]. The same mechanisms can be used to enforce crypto

You can characterize GAK/ATP (Government access to keys, access to
plaintext) as possession with the intent to communicate.

Tim: The intelligence community wants to be your supplier of big-brother
crypto. They are not fascists; they just don't have a clue. Intel's
next [next plus one?] generation processors will devote 3-4% of
their chip area to functions that facilitate encryption. All processors
will be serial-numbered. [This makes it very simple to "seal" a
program so it can only be used on a single, specific, processor. This
capability has been used for a decade in the minicomputer world.]

Tim/EH: The battle must be fought in [the context of] the First
Amendment. Qooting Don Hayes: "Nothing good can come out of crypto."
[I think Hayes was referring to crypto legislation.]

Jeremy of Blue Money Software briefly described their electronic
cash programming interface.

Someone (Jeremey?) described an "onion routing" electronic mail
protocol that conceals all information. This lets two people
communicate without any external party either reading the mail or
determining the sender or receiver. This was developed by the U.S.
Naval Research Laboratories. They need ths because they otherwise
cannot conceal sensitive communications within public traffic.

Kelly Blough, PGP's Government Relations representative discussed
the recent legislation initiatives.

The Pro Code bill is dead. Stuck in a senate committee.

The McCane Kerry bill passed commerce, but was not reported out:
McCain doesn't like it. This is good news.

The SAFE bill (in the House) passed the [which?] committee in a way
that we like. The bill removes export control on public code. It
allows Americans full access to strong crypo. It was referred to
National Security, Commerce, and [International Relations?] committees.

National Security gutted the bill. Intelligence added FBI-requested
access to plaintext. This was done in an unusual closed-door markup.
[These are usually only done for military and intelligence funding
bills.] "The intelligence community wants to set policy."

Dave Del Torto (DDT): A friend says that the military intelligence
personnell are swarming on the Hill.

Kelly: thinks that this is mostly driven by domestic law enforcement,
not the military

Commerce added a gutting amendment, but now waiting two weeks.

Tim: Declan McCullogh said that Louis Freeh said that, if a
Congressman votes against gutting crypto, the FBI will blame the
next Oklahoma City bombing on that Congressman.

Kelly: This is good in one way: the cards are now on the table. The
regional telephone companies, auto manufacturers, are all on PGP's
side: "How can we help?" Banks and other financial institutions are
not on PGP's side: because of the export exception.. Maybe this will
change when the impact of domestic restrictions sink in.

John Gilmore (JohnG): sens a fax to his respresentative, Nancy Pelosi.
Asked whether this law should be passed without review. Her chief
of staff replied that Pelosi brought up issues, but didn't change
the consensus. Also brought up the lack of law enforcement tracking
and notification. Tom Lantos, who sits on both the National Security
and International Relations committees (and who is the representative
for PGP's district) -- for someone who is strong on on human rights,
he is voting against strong crypto.

Tim: Why does PGP participate in export committees.

Kelly: Industry group to lobby: Microsoft, etc. Big companies: trying
to demonstrate that it's not just software.

DDT: Electronic Freedom Foundation?

JohnG: We got out of lobbying. Focussing on the Bernstein appeal. John
is talking to Pelosi individually. She will write a minority report
of disagreement with the National Security committee decision.

EH: PGP needs support from cypherpunks.

Kelly: Lobbying media. Gutting crypto gives government access to reporters'
notes, to communication with anonymous sources. [Also lawyer, client.]

The SAFE bill will probably go to the floor as written. Amendments must
be voted upon. Pro Code is dead.

DDT: Political liability: Gore was thought to be a friend to Silicon
Valley -- maybe not now. But, maybe he doesn't think that Silicon
Valley helped Clinton in 1996.

JohnG: The "one time review" proposal lets "NSA read your source code"
Lets them find holes in your product. Pelosi's chief of staff said to
John that it will be illegal to sell strong crypto immediately after
the law passes. But distribution will be allowed until 2000. This was
put in for PGP: human rights workers are using it -- this will let
PGP spread around for three years.

Tim [?]: WIPO (world intellectual property agreement) will ban all forms
of code cracking. Pushed by content providers to secure their intellectual

Kelly, with PGP former president Tom Steddings, wrote the recent California
legislature resolution.

JohnG: Trusted Information Systems has three patents on key recovery.

EH: Why do the Fed's want access to plaintext? The motivation has not
been made clear. Policy goals are stated in technological terms, not
in policy terms.

Other notes (more technical)

Don't use a hardware black-box to generate private keys: they can
leak private key information in the public key. Use a mix of software
and hardware: do final generation in auditable software.

Ian Goldberg: Move crypto to Palm Pilot. Demonstarted secure e-mail
and web browsing on a Palm Pilot connected (through a bizarre collection
of cables) to a Metricom radio modem.

Dave Lainer [??] discussed cell phone privacy. There are three kinds
of information that needs to be secured: the voice message, the number
that you are calling, and the cell-phone identification. None of
this is secure on analog phones. The phone companies don't care about
user privacy: only about call setup privacy. NSA lied to telecom
committees about call security. Voice privacy is trivial.

PGP is trying to get their PGP phone technology into digital cell phones.
This can do end-to-end encryption between PDP-enhanced phones.

There are several kinds of information that need to be secured:
voice, billing information, dialed numbers, and the caller's physical
location.  The government likes secure billing information -- if they
don't know who made the call, they can't use it as evidence against
an accused.

JohnG: the cell phone authentication algorithm was recently cracked.

EH: New Japanese phenonemon: tiny PKS cell phones. Teen-agers (who are
driving lifestyle changes) all use them.

DDT: Discussed Open PGP: a non-proprietary standard presented to
IETF: This includes a public-key infrastructure, trust model, message
format, MIME (content format), and meta-certificate technology.

Proposed to the Vatican (Papal representatives must communicate
with Rome). Big battle in Rome between Netscape and Microsoft
to be the "official browser of the Vatican." Big is an underestimate:
Microsoft is offerring "eternal" licenses.

My notes end here. Apologies for any errors in transcription or

Martin Minow