1994-06-30 - Feb 11 Transcript part 2

Header Data

From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
To: cypherpunks@toad.com
Message Hash: 6bba753c2a59f57fd055cc0388165fef0e7c094714398be1ae560de5db2bb03c
Message ID: <9406300158.AA14295@photon.poly.edu>
Reply To: N/A
UTC Datetime: 1994-06-30 01:56:55 UTC
Raw Date: Wed, 29 Jun 94 18:56:55 PDT

Raw message

From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 29 Jun 94 18:56:55 PDT
To: cypherpunks@toad.com
Subject: Feb 11 Transcript part 2
Message-ID: <9406300158.AA14295@photon.poly.edu>
MIME-Version: 1.0
Content-Type: text



          Atlantic was largely not a complete disaster because of signals
          intelligence work?  A few people know.  

          What is signals intelligence?  Why does the government care so 
          much about this?  Signals intelligence, put simply, is the busi-
          ness of reading other peoples' mail. That's it, most baldly.  
          It's the interception of communications, whatever form those
          communications take.   And it's a very, very big thing with the 
          government. The National Security Agency basically has two 
          jobs. One of them is to be this gigantic ear out there 
          that listens to all the communications that it can unearth. 
          Period.  Now one of the problems is that lots of foreign 
          governments don't like having all their communications listened 
          to.  I don't know why.  [LAUGHTER] And lots of private 
          individuals don't like having all their communications 
          intercepted.  So they tend to use cryptography.  So one of the 
          other big things that the National Security Agency spends
          billions of dollars a year on is research in code breaking 
          -- how to break cryptographically protected messages.
            
          The other half of what the N.S.A. is try to keep foreign 
          governments from doing the same thing to us. They're also in the 
          business of developing codes and trying to protect the United 
          States government and government contractors from having their 
          communications intercepted.  Naturally there's a small conflict
          here, because the people who spend their days trying to break 
          other countries' codes and foreign companies' codes and American
          citizens' codes, they're not supposed to do that anymore.  At 
          the Congressional hearings in the Seventies they promised to 
          stop doing that.

          Anyway, the people who spend their days monitoring, you know, 
          cellular telephone calls in Moscow would prefer that the 
          technology developed by the people who are developing ways to 
          keep the United States government's communications secure not 
          get into the hands of the people who are trying to make cellular
          telephone calls in Moscow, because they want to be able to listen
          to all of this stuff.
          
          So we've got this conflict between the two halves of the National 
          Security Agency, and the side that wins is almost always the 
          people that slurp up traffic.  They never talk about any of the
          techniques they use, and they try to keep them as secret as 
          possible.  And until the early 1970s there was almost no private 
          sector research on cryptography done in the world.  The National 
          Security Agency had a monopoly on information about cryptography,
          and to this day they never have said -- they still have a great 
          reluctance to declassify things from the Second World War.  Put 
          it that way.
          
          By the way, the National Security Agency is truly huge.  They 
          have at least ninety thousand employees that we know of.  They 
          occupy the entire Ft. Meade military base just outside of 
          Washington.  It really is bigger than all the other intelligence 
          agencies put together.  It's of course an agency that's extremely
          secretive, and until the 1970s they did not even admit that the 
          N.S.A. existed.  N.S.A. was said to stand for "No Such Agency."
          
          Something rather interesting happened, however, in the early 
          Seventies, which is that a few computer scientists and 
          mathematicians, specifically Whitfield Diffy, Ralph Merkel and 
          Martin Helman, came up with the first major discovery in 
          cryptography outside of the government sector in about fifty or 
          sixty years, which was this notion called "public key 
          cryptography."  It's an idea that was so feared by the National
          Security Agency that they actually attempted to quash all open 
          research and publication on the subject.  They discovered that 
          it was not possible to do so, much to their chagrin. This little 
          thing called the First Amendment gets in the way.  But to this 
          day they attempt with every means possible that they can to try
          to deter research in the public sector.
            
          Now what was it that Diffy, Helman and Merkel came up with that 
          they considered to be so dangerous?  I have to explain a little 
          bit more about cryptography than I like to in order to explain 
          this.  The reason it's more than I'd like to is because frankly 
          unless you're really interested on an intimate level cryptography
          gets rather boring.  It's like discussing the details of auto
          mechanics.  It doesn't make for interesting talks.  But I'll talk
          about it for a minute anyway.
          
          All modern cryptosystems have two components to them.  There is 
          an algorithm and there is a key.  The algorithm is basically 
          your recipe for saying how you're going to take your message in 
          on one end, scramble it up and spit it out the other end.  But 
          the algorithm is not a complete recipe.  It's missing a portion.
          That portion is the key.  The idea is that by having this thing
          called a key, that's -- it's just like a key to a lock in a door.
          
          Thousands of people can own exactly the same model of Yale lock 
          all over this city, but because each of them uses a different 
          key on their lock two people who own the same brand of lock can't
          open each other's doors.  Well, it's exactly the same idea.  By 
          separating out this small piece of information -- it's usually a
          large number these days -- two users of a system can -- different
          people can communicate using the same cryptographic system without
          being able to read each other's messages, and indeed one of the 
          rules for designing cryptosystems is that the cryptosystem should
          only depend on the key for secrecy. 
          
          You should be able to tell people exactly how you're encrypting 
          things, but just not tell them what the key is.  And they should 
          be unable to decipher your traffic no matter how hard they try.
          
          Now most people know that -- you know, your ordinary door, you 
          walk up to it, you unlock it, use a key, you lock it again, you 
          use the same key.  This is actually the way that most 
          cryptosystems used to be before Diffy, Helman and Merkel.  Now
          this causes a problem.  Let's say that I want to communicate with
          Dave.  Okay.  Now we have to exchange a key securely.  I can't 
          just call him up on the phone and say, "Hey, Dave. This is the 
          key we're going to use," because someone can be tapping the 
          phone line.  I have to actually go up to Dave, you know, hand
          him the key, and then go off -- or send a courier and then go 
          off and later on communicate with it.  But let's say that I want
          to then communicate with, say, you.  I can't use the same key I'm
          using with Dave, because then you could read the traffic and I
          wouldn't necessarily want you to be able to read the traffic.  
          
          So okay, now I have two sets of keys.  Well, let's say I'm 
          communicating with several hundred people regularly.  Well, 
          I have to exchange keys with all of them.  This is an enormous 
          pain in the ass.  What Merkel, Helman and Diffy came up with was 
          something called the public key concept.  It's a really neat idea.
          
          Imagine for a moment -- imagine a mailbox for a moment that has a 
          mail slot in it.  Okay? And once something's been stuck in the 
          mail slot it's inside the mailbox and the only way to open the 
          mailbox is with this key.  But anyone can stuff things into the 
          mail slot.  Anyone can put things in, but only the owner of the 
          key to open the mailbox can get things out.  The idea that they
          had was this.  Let's say that we had cryptography systems in which
          there were two keys, two keys that cannot be determined from each
          other.  I cannot figure out what one of the keys is based on what
          the other key is.  One of the keys encrypts things:  takes them, 
          scrambles them up, makes them look like gibberish. You cannot, 
          however, unscramble things with that key. You need the second 
          key in order to descramble things. 
          
          The scrambling key is the encryption key, or the public key.  It's
          called a public key because I can give it away.  I can put in the
          phonebook or in an ad in the New York Times or anywhere else I 
          want, "this is my public key."  Anyone on earth can use that, 
          because you cannot determine from that key what the decryption 
          or private key is, the key that I keep to myself, that I don't 
          tell anyone, and which is the only way to read things that have 
          been scrambled up with the public key.  Now this is a real 
          revolution.
            
          Now I can just give thousands of people the same key to send mail
          to me or to have phone conversations with me or what have you, 
          and all I have to do is keep one key private and I'm secure.  
          I no longer have any problem with key distribution.  Now this 
          might not sound terribly revolutionary, but consider that we live
          in the modern age and we've got lots of computers and computerized
          telephone systems and things like that. Because of public key 
          cryptography -- and this is not practical without public key 
          cryptography -- I can build a telephone system where, every pair
          of phones in the country have public keys associated with them
          and the public keys are published off somewhere and when you pick
          up the telephone and dial a number, your telephone asks a 
          database somewhere what the public key is for the number I'm 
          calling, finds it out and scrambles the entire telephone conver-
          sation using that public key.  
          
          So instead of having to worry about and sweat over distributing 
          keys to everyone I talk to, I can afford to encrypt my conver-
          sations with the corner store, or the pizza parlor that I'm 
          calling to give an order to.  I can encrypt absolutely everything.
          This wasn't practical before public key cryptography was invented.
          
          Public key cryptography makes cryptography really cheap and easy 
          to use.  This is something that the N.S.A. doesn't like, obviously,
          and that's why they tried to keep this information from being 
          published to the point that N.S.A. officials who were apparently 
          not acting under official orders sent letters to lots of 
          publications telling them that if they published any information 
          on this they'd be violating acts about the publication of 
          classified information, and they tried to contend that all 
          research in cryptography was born secret and that once you wrote
          a paper you couldn't read it again unless you had a security 
          clearance.  
          
          Unfortunately, as I mentioned, they were forced to back off of 
          this.  There were lots of reasons for this, one of which is that 
          the courts didn't agree with them.  One of them is that lots of 
          the research goes on in foreign countries, which, believe it or 
          not, are not run by the U.S. government, at least not all of them,
          not yet.  
          
          But anyway, what happened was that in the early Seventies these 
          people came up with this new concept.  This spurred an interesting
          revolution, because suddenly lots of people in academia saw that 
          there was interesting research to be done in cryptography and that
          they could do it outside of the N.S.A.  Before the early 1970s all
          the cryptographers in the United States for the most part who had
          any degree of serious interest in the subject worked for the 
          N.S.A.   That was it.  That was your only career path.  Now there
          are thousands of people who work on cryptography in academia in 
          this country and in countries around the world, and it's a real 
          serious subject of study.  There are conferences several times a 
          year, people publish this stuff in the open literature. 
          
          So there is now this thriving field of study, which the N.S.A. 
          really doesn't like -- because as I mentioned, the people who are
          basically that big ear trying to listen to all the conversations 
          around the world -- and by the way, when I say they try to, I 
          really mean it.  They've got listening posts all over the world 
          to try to intercept every possible radio transmission, 
          microwave-transmitted telephone call, every satellite-based 
          communication, everything they can get they tap-- you know, 
          cables going between foreign countries -- everything they can
          possibly do to listen to as many conversations as they can.
          

MALE:     Supposedly they monitor every overseas phone call in 
          this country.

PM:       Yeah.  Whether or not they actually do is a matter of speculation,
          but it's thought by many that they do.

FEMALE:   Well, they do sample.

DM:       We don't know what they do for sure.

FEMALE:   No, trust me.

DM:       Okay.

FEMALE:   So if you say, "Bomb the World Trade Center," they pick 
          up on those words.

DM:       Possibly.  Anyway -- while all of this was happening in the mid-
          Seventies and early Eighties with cryptography developing as a 
          field of study, at the same time the computer revolution was 
          happening.  Now computers -- I know that everyone on earth by 
          now has heard about -- has seen their People Magazine or Time 
          Magazine or Schlock Magazine No. 525th article on the Information
          Superhighway, and the Internet and how wonderful it all is -- and
          you probably all want to fall over and gag when you hear any more
          hype from people who don't know what they're talking about.  
          
          Well, I'm going to give you some more hype, but at least I do know
          what I'm talking about.  The Internet is a really amazing thing.
          I can sit in my office in New York and I can collaborate with an-
          other person who's working in Australia and I can send mail to 
          friends of mine that gets there instantaneously who happen to be 
          in Finland -- or communicate with tens of thousands of people 
          that I've never met.  If it wasn't for the Internet, I never would
          have met Dave.  In fact if it wasn't for the Internet the 
          Cypherpunks Movement would never have started, because all the 
          people involved in it found each other over the Net.  Now in the 
          future, whether you like it or not, the Net's going to be where 
          you do your catalog shopping ...

DM:       Perry, I just have to mention.  There are about 700 plus 
          Cypherpunks today.  I've met I think three of them in the flesh 
          in a year and a half.  

PM:       I've met more, but it's amazing how many people you get to know 
          and be friends with and you've never seen.  But you know, I -- 
          in the future it's possible for many kinds of work to be done 
          remotely thanks to these technologies. If you're a writer you
          don't need to be anywhere in particular, do you?  I mean you can
          write your books in Fiji for all you care.  

          And if you're a reporter, unless you're a beat reporter and you 
          go out to interview the fireman at the fire or what have you, if 
          you're someone who, say, covers wider issues you can do your 
          business from almost anywhere that you've got a telephone and a 
          computer.
            
          The Internet makes that an even bigger thing.  In the future I'm 
          probably going to be able to send a little message down to the 
          pizza parlor around the corner and have a pizza delivered over 
          the Internet.  Everything you do is going to be done over the Net.
          
MALE:     Isn't it going to taste a little funny sucking through that wire?

PM:       Well, no.

MALE:     No worse than Domino's, I guess.

PM:       It tastes fine once you encrypt the pizza.  Anyway -- the thing 
          is that the Internet -- now when Dave said that the Internet is 
          an anarchic thing, this is not a lie.  This is literally the 
          truth.  The Internet has no central control, no central planning.
          It's operated basically on the premise of, "Okay.  I've got a
          connection.  Oh, you want to connect up?  Okay.  Connect up to 
          me."  There is no such thing as a central Internet management 
          office. There is -- yes?

Q:        What's the Internet Naming Authority?

PM:       The I.A.N.A. is -- to the extent that there is any sort of central
          organization, that can be said to be it.  But what do they do?  
          They give out Internet numbers.  If they stopped doing it, people
          would probably start routing in NBGP domains, you know, on their
          own and assigning their own numbers.  It's not like you can exert
          control over the Net that way.  But never mind.  I don't want 
          to...

COMMENT:  It fits most people's definition of God.  The circle whose center
          is everywhere, whose circumfrence cannot be found.

PM:       The Net is organized basically without any -- the Net has no 
          knowledge of what borders are.  Okay?  I can communicate with a 
          machine in Finland as easily as I can communicate with a machine 
          in New York.  One of the results of this is that when people in 
          one country are told, "Oh, you can't put this sort of information
          up on your computer," well, generally speaking someone in another
          country will offer to put the information up for them. And at that
          point the attempt to control the flow of information is completely
          meaningless.  
          
          Does everyone know -- there's this court case now in Canada where
          the Canadian press has been forced not to say anything about the
          court case.  Well, of course anyone who's in Canada and is 
          connected to the Internet can read all the details that they want
          to.  Borders are completely meaningless. The U.S. government has 
          this interesting rule that you cannot export cryptographic 
          software from the United States.  I'll get into that more later.
          
          But one of the interesting results of this is that when people 
          have built large packages -- large pieces of software that 
          involve cryptography -- what they've generally done is to just 
          specify how the cryptographic pieces have to fit in, and people 
          in foreign countries have written a dozen or couple of dozen 
          lines of computer software to implement those things and put them
          up on computers in Finland. For some reason putting this stuff up
          on computers in Finland is really popular.  I don't know why. 
          [LAUGHTER]  Really, it is.  The Network traffic between the United
          States and France is dwarfed by a factor of five compared to the 
          traffic between the U.S. and Finland.  It doesn't make any sense,
          but that's the way it is.
          
          But, you know, the Internet has changed the way many people who 
          are computer professionals now live.  For instance, the chairman 
          of Autodesk, which is this very successful computer company, 
          decided that he didn't like living in the U.S.  So he moved to
          Switzerland, got an Internet connection and managed his company 
          from then on from there.  I think recently he decided he wanted 
          to retire and hired another manager, but never mind;  the point is
          that the Net really breaks down barriers to information.  You can
          not restrict information to one country, you cannot keep 
          information from flooding around the world almost instantaneously
          to any place that's on the Net.  
          
          Everyone is on the Net.  The Russians are on the Net.  People in 
          Singapore -- where the government of Singapore thinks that they're
          exerting control over what books can be sold in the country, I 
          have news for them.  Stuff going over the Net is far racier than 
          anything that they think that they're censoring at the border.
            
          So here we have this wonderful Internet, and the problem with it 
          is it's completely insecure.  The way it's been built right now, 
          anywhere I tap a line I get enormous amounts of traffic going by 
          and it's all conveniently already computerized so I can use 
          computers to listen in on it.  If the N.S.A. wanted to build a
          computer system to watch all the electronic mail going between 
          two countries, it would be nice, easy, feasible.  There'd be no 
          problem.  
          
          This is a problem.  Now the problem is of course easily solved 
          with cryptography.  If you encrypt all your communications, 
          suddenly it's impossible to tap them.  This is of course something
          that the National Security Agency doesn't like, so they try to 
          do things like restricting the export of cryptographic software 
          from the U.S.  
          
          Well, I have news for you. Software is just information.  Software
          is no different from any other kind of information, and if I put 
          software up on the Net suddenly it's in every country in the world
          within hours.  Mysterious how this happens.  This has happened 
          with cryptographic software several times. There's a fellow by 
          the name of Phil Zimmerman who wrote a nice public key 
          cryptography package called PGP, put it up on a machine in the 
          United States.  Well, wouldn't you know it -- available in Italy 
          -- oh.  By the way.  Duncan has about ten copies of PGP for 
          anyone who wants them.   [LAUGHTER]  We're having trouble 
          controlling the distribution of cryptography software here.
          [LAUGHTER]
     
          Anyway.  Sorry.  Flying disks.  Yes.  But seriously, that's as 
          easy as it is to get your hands on cryptography software these 
          days.  It's all over the Internet.  People can download it from
          Finland, from Italy, from France and England.  It's everywhere.  
          And the N.S.A. doesn't like this, either.
          
          Now stepping back from that for a moment, I'll mention that we've
          talked about ordinary applications for cryptography up to now:  
          how to keep your communications secret using cryptography. We 
          touched earlier on the fact that you can do banking using crypto-
          graphy.  Now why would this be particularly interesting?  Well, 
          this guy David Chaum, in Holland, came up with a system -- and 
          I'll just ask you to take this on faith -- you can read a book 
          like Bruce Schneider's book [Applied Cryptography] later if you 
          like and figure out why this would be so -- but it is possible
          to construct a money transfer system in which it is guaranteed
          that all parties are anonymous and no parties have to trust each
          other.  Now that's a really neat feature, isn't it? You don't have
          to trust the other parties, and you don't necessarily have to know
          who they are.
            
          Now remember that the Internet allows communications to go all
          over the world now.  So let me give you the following little 
          scenario.  Let's say that I had a little pocket computer in my 
          -- you have an Apple Newton, don't you?  Is it with you?  Let me 
          hold that for a minute. Now I don't know if people are aware, but,
          you know, this is as small as computers have gotten and in fact 
          this is large compared to the HP100.  There's a very powerful 
          computer here.  
          
          It even has a communication link so it can talk to other computers.
          Right here.  I can keep it with me.  Let's say that I'm sitting in
          a cafe in the East Village, say, and I'm going to meet up with 
          this guy who has promised to give me this contraband I've been
          really interested in -- nude pictures of Nancy Reagan.  Okay?
           
          So he shows up in the cafe.  You know, I've never seen the guy 
          before.  Never mind.  I look at the pictures. Yes, I want them.  
          We both get out our little computers, put them in front of each
          other.  Each of us presses a button and suddenly I've paid him
          $10,000 which I've extracted from my offshore bank account over
          the Internet, handed to him and lord knows what he's done with 
          it.  He might have sent it for all I know to the same bank or to
          one on the other side of the world.  No way to know.  No way to
          trace it. 
           
          Now U.S. banking law says that I can't do business with foreign 
          banks inside the U.S., but it's very difficult in the presence of
          strong cryptography to know whether or not I am communicating with
          a foreign bank.   Or to regulate the transport of money.
            
          If you're living in the underground economy and you're dealing 
          with cash all the time it gets very cumbersome, you know?  You're
          carrying around $10,000 in cash.  It's a big wad of bills.  
          Keeping cash in your home is inconvenient, moving cash around is
          inconvenient.  It's dangerous.  You can't get interest paid on 
          your cash.  So what you really want is offshore banking, but 
          offshore banking has been inaccessible to people.  Well, this 
          might very well blow that wide open, and I'm certain that the 
          I.R.S. and the N.S.A. dislike this possibility.
            
          Imagine what happens if half the population finds itself able to 
          function in the underground economy with all the ease with which
          they can function in the above-ground economy right now.  They've
          got their bank, they've got -- you know, they can make investments
          if they want.  They can transfer money.  Hell, it's more conven-
          ient.  It's much more convenient than the way we do things right 
          now, and I can clear and transact -- right now if I wanted to, 
          say, a credit card transaction, you know, a merchant has to be 
          set up to do a credit card transaction and it's really risky.
          
          Someone can steal the credit card numbers, etc.  This is 
          extremely secure, and I can exchange information with anyone and I
          can do it using ordinary equipment that I can buy off the shelf.
            
          That's another thing that I want to point out here. Every computer
          is dangerous to them.  Every single computer in the world is an 
          extremely high quality cypher machine if it has the right 
          programs, and programs are really easy to copy.  They're as free
          as air.  They move very fast.  I can throw one -- pretty 
          inaccurately, but never mind.  Anyway -- flying software, faster
          than the internet... [OVERLAPPING COMMENTS AND LAUGHTER]
          
          The people in Fort Meade, you know, at the N.S.A. --their offices
          are known as the Puzzle Palace to some people, largely because to
          a large extent what they do is they spend their days worrying 
          about really intricate mathematical problems.  And there's -- I 
          suspect not much that makes the people in the Puzzle Palace more
          nervous than the notion that equipment that anyone in the world 
          can buy for a couple of hundred dollars can make it impossible for
          them to tap some communications.  

          It's incredibly cheap -- cryptography software is virtually free 
          right now.  Almost anyone can get software that's really good for
          free.  And computers are cheap.  And you can't keep the software 
          from moving around.  This is probably the stuff of their 
          nightmares.
            
          You know, remember that their mission is to listen in on every-
          thing, and they're faced with the threat that they may be able to
          listen in on nothing.  Compound that with the fact that then we
          have these science fiction scenarios of people able to conduct 
          untraceable, unwatchable transactions without the I.R.S.'s all-
          seeing eye being able to detect it -- or FINCEN's.  
          
          How many people here know what FINCEN is?  I'm curious.  Okay, we
          have two or three people who know what FINCEN is.  Do you know 
          what FINCEN is, sir?

MALE:     No, I don't.

PM:       FINCEN is the government agency that collects information on all
          of your large bank transfers and tries to note if you are engaging
          in a pattern of criminality with them. Right now it can only watch
          all of your transfers over $10,000, or things that are 
          suspiciously close to $10,000.  They would like to watch all of 
          your bank transactions.  This is all in the name of...
     
          Oh, by the way.  Does everyone knows what the Four Horsemen of the
          modern governmental Apocalypse are?  The excuses for virtually 
          every civil rights reduction that's happened in the last few 
          years.  The Four Horsemen are: terrorists, drug dealers, 
          pornographers and child molesters.  Okay.  Now all the time 
          you're told, "But what if terrorists got their hands on
          cryptography technology?"  
          
          By the way, the answer to this is that anyone who wants to get 
          their hands on it -- let's put it this way.  This book [Applied 
          Cryptography] can be purchased in any bookstore. Explains 
          everything about the state of the art in modern cryptography.  
          
          Any of you who knew enough about computers could pick this book
          up and write software probably good enough that the government
          could not listen in on your communications.  Trying to keep
          this stuff out of the hands of anyone is rather difficult.  The 
          horse is already long out of the barn. 




Thread