From: edgar@spectrx.saigon.com (Edgar W. Swank)
Date: Tue, 28 Dec 93 11:37:33 PST
To: Cypherpunks          <cypherpunks@toad.com>
Subject: Secure Drive Distribution
Message-ID: <0yo0ec6w165w@spectrx.saigon.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

After reading Mike Ingle's post of Dec 21, I withdraw my request for a
"public-spirited Cypherpunk (perhaps even an anonymous one) to place
Secure Drive on an FTP site or a site with an E-mail file server."

Mike said:

    If you do this [upload Secure Drive to an FTP or mailserver site],
    please make it a U.S./Canada only site.

If you mean a site -in- the USA/Canada, no problem.  If you mean a
site which will not send files outside the USA/Canada, I don't think
there is any such animal.  The only site even -attempting- to restrict
service I've heard of is RSA.com, which distributes RSAREF. And I
think it would be rather easy to spoof.

A foreigner can easily login to any public -domestic- internet BBS
with just an international phone call, giving him a domestic-looking
net address.

Even if you distribute every copy yourself, Mike, you are not immune
from this kind of "spoofing."

    >So far I still haven't heard from Eric. I did get two responses.
    >The first was anonymous and sent me a copy of Secure Drive with
    >a request for me to post it to foreign FTP site(s). The second
    >was a request from a foreign site for me to send them a copy.

    I'd like to see more about this, in private mail if you don't want
    to post it to the list.

Not much to tell. I didn't keep copies of either request. I think the
non-anon one was from Australia, maybe.

    The non-distribution of the beta was because I had no way to check
    it, and it could easily have eaten hard drives.  I did say in the
    ad that you were not to export, although I didn't make anyone send
    a statement.  Maybe I should have.

Perhaps. But the ad says:

    This program may be freely distributed within the U.S.  and
    Canada; do not export it.

and the docs say:

    Exporting this program.  This program is for use in the US and
    Canada only.  Cryptography is export controlled, and sending this
    program outside the country may be illegal.  Don't do it.

Fine.  But "freely distributed in the USA & Canada" would include
uploading it to domestic BBS's & anon. FTP sites by my interpretation
of English. If a foreigner enters the country and smuggles a copy home
with him, whether he does it physically or electronically, he is
committing the criminal act; not whoever uploaded SD and certainly not
Mike.

On the Hacker matter Mike said:

    They are going to attempt to break Secure Drive.  He asked me to
    write a program which will take a list of passphrases and test
    them quickly to run a passphrase attack.  I had a few qualms about
    writing a program to crack someone's data, but I don't think it
    really matters.  Unless the hacker chose a very lame key, they
    don't have a prayer in hell.

By all means, go ahead & write the program to their specs.!  Of
course, as a "forensic software consultant" you're entitled to a fee.
I would say a minimum of $100/hour is "fair."  After they try that
for a while, you can offer an improvement that will try "more keys
of a smaller possible set faster" by just trying the 2^128 keys
directly without bothering with a passphrase, along with a mod to
LOGIN which will insert a binary key directly rather than use MD5
on a passphrase.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLR8uuN4nNf3ah8DHAQHQ1AP/ZXImvQO2XxKXi/k2CCMPgD12rYPAcfZp
ZabuyERUGW8UuKZJLS8Wy4i7q2EdWi1TT80dKhHVQgO6ec+ybKyirXN/N8Ahz3BF
zKqa+YKKgaroxv50Xg4RdQ3Cr/rfYQeQ0yiH1VdJOJj4dVwDMTnm+uC/Uph/wXJI
U53PBfQWR28=
=T2cH
-----END PGP SIGNATURE-----

--
edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Cupertino, Ca