From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
To: cypherpunks@toad.com
Message Hash: 6bba753c2a59f57fd055cc0388165fef0e7c094714398be1ae560de5db2bb03c
Message ID: <9406300158.AA14295@photon.poly.edu>
Reply To: N/A
UTC Datetime: 1994-06-30 01:56:55 UTC
Raw Date: Wed, 29 Jun 94 18:56:55 PDT
From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 29 Jun 94 18:56:55 PDT
To: cypherpunks@toad.com
Subject: Feb 11 Transcript part 2
Message-ID: <9406300158.AA14295@photon.poly.edu>
MIME-Version: 1.0
Content-Type: text
Atlantic was largely not a complete disaster because of signals
intelligence work? A few people know.
What is signals intelligence? Why does the government care so
much about this? Signals intelligence, put simply, is the busi-
ness of reading other peoples' mail. That's it, most baldly.
It's the interception of communications, whatever form those
communications take. And it's a very, very big thing with the
government. The National Security Agency basically has two
jobs. One of them is to be this gigantic ear out there
that listens to all the communications that it can unearth.
Period. Now one of the problems is that lots of foreign
governments don't like having all their communications listened
to. I don't know why. [LAUGHTER] And lots of private
individuals don't like having all their communications
intercepted. So they tend to use cryptography. So one of the
other big things that the National Security Agency spends
billions of dollars a year on is research in code breaking
-- how to break cryptographically protected messages.
The other half of what the N.S.A. is try to keep foreign
governments from doing the same thing to us. They're also in the
business of developing codes and trying to protect the United
States government and government contractors from having their
communications intercepted. Naturally there's a small conflict
here, because the people who spend their days trying to break
other countries' codes and foreign companies' codes and American
citizens' codes, they're not supposed to do that anymore. At
the Congressional hearings in the Seventies they promised to
stop doing that.
Anyway, the people who spend their days monitoring, you know,
cellular telephone calls in Moscow would prefer that the
technology developed by the people who are developing ways to
keep the United States government's communications secure not
get into the hands of the people who are trying to make cellular
telephone calls in Moscow, because they want to be able to listen
to all of this stuff.
So we've got this conflict between the two halves of the National
Security Agency, and the side that wins is almost always the
people that slurp up traffic. They never talk about any of the
techniques they use, and they try to keep them as secret as
possible. And until the early 1970s there was almost no private
sector research on cryptography done in the world. The National
Security Agency had a monopoly on information about cryptography,
and to this day they never have said -- they still have a great
reluctance to declassify things from the Second World War. Put
it that way.
By the way, the National Security Agency is truly huge. They
have at least ninety thousand employees that we know of. They
occupy the entire Ft. Meade military base just outside of
Washington. It really is bigger than all the other intelligence
agencies put together. It's of course an agency that's extremely
secretive, and until the 1970s they did not even admit that the
N.S.A. existed. N.S.A. was said to stand for "No Such Agency."
Something rather interesting happened, however, in the early
Seventies, which is that a few computer scientists and
mathematicians, specifically Whitfield Diffy, Ralph Merkel and
Martin Helman, came up with the first major discovery in
cryptography outside of the government sector in about fifty or
sixty years, which was this notion called "public key
cryptography." It's an idea that was so feared by the National
Security Agency that they actually attempted to quash all open
research and publication on the subject. They discovered that
it was not possible to do so, much to their chagrin. This little
thing called the First Amendment gets in the way. But to this
day they attempt with every means possible that they can to try
to deter research in the public sector.
Now what was it that Diffy, Helman and Merkel came up with that
they considered to be so dangerous? I have to explain a little
bit more about cryptography than I like to in order to explain
this. The reason it's more than I'd like to is because frankly
unless you're really interested on an intimate level cryptography
gets rather boring. It's like discussing the details of auto
mechanics. It doesn't make for interesting talks. But I'll talk
about it for a minute anyway.
All modern cryptosystems have two components to them. There is
an algorithm and there is a key. The algorithm is basically
your recipe for saying how you're going to take your message in
on one end, scramble it up and spit it out the other end. But
the algorithm is not a complete recipe. It's missing a portion.
That portion is the key. The idea is that by having this thing
called a key, that's -- it's just like a key to a lock in a door.
Thousands of people can own exactly the same model of Yale lock
all over this city, but because each of them uses a different
key on their lock two people who own the same brand of lock can't
open each other's doors. Well, it's exactly the same idea. By
separating out this small piece of information -- it's usually a
large number these days -- two users of a system can -- different
people can communicate using the same cryptographic system without
being able to read each other's messages, and indeed one of the
rules for designing cryptosystems is that the cryptosystem should
only depend on the key for secrecy.
You should be able to tell people exactly how you're encrypting
things, but just not tell them what the key is. And they should
be unable to decipher your traffic no matter how hard they try.
Now most people know that -- you know, your ordinary door, you
walk up to it, you unlock it, use a key, you lock it again, you
use the same key. This is actually the way that most
cryptosystems used to be before Diffy, Helman and Merkel. Now
this causes a problem. Let's say that I want to communicate with
Dave. Okay. Now we have to exchange a key securely. I can't
just call him up on the phone and say, "Hey, Dave. This is the
key we're going to use," because someone can be tapping the
phone line. I have to actually go up to Dave, you know, hand
him the key, and then go off -- or send a courier and then go
off and later on communicate with it. But let's say that I want
to then communicate with, say, you. I can't use the same key I'm
using with Dave, because then you could read the traffic and I
wouldn't necessarily want you to be able to read the traffic.
So okay, now I have two sets of keys. Well, let's say I'm
communicating with several hundred people regularly. Well,
I have to exchange keys with all of them. This is an enormous
pain in the ass. What Merkel, Helman and Diffy came up with was
something called the public key concept. It's a really neat idea.
Imagine for a moment -- imagine a mailbox for a moment that has a
mail slot in it. Okay? And once something's been stuck in the
mail slot it's inside the mailbox and the only way to open the
mailbox is with this key. But anyone can stuff things into the
mail slot. Anyone can put things in, but only the owner of the
key to open the mailbox can get things out. The idea that they
had was this. Let's say that we had cryptography systems in which
there were two keys, two keys that cannot be determined from each
other. I cannot figure out what one of the keys is based on what
the other key is. One of the keys encrypts things: takes them,
scrambles them up, makes them look like gibberish. You cannot,
however, unscramble things with that key. You need the second
key in order to descramble things.
The scrambling key is the encryption key, or the public key. It's
called a public key because I can give it away. I can put in the
phonebook or in an ad in the New York Times or anywhere else I
want, "this is my public key." Anyone on earth can use that,
because you cannot determine from that key what the decryption
or private key is, the key that I keep to myself, that I don't
tell anyone, and which is the only way to read things that have
been scrambled up with the public key. Now this is a real
revolution.
Now I can just give thousands of people the same key to send mail
to me or to have phone conversations with me or what have you,
and all I have to do is keep one key private and I'm secure.
I no longer have any problem with key distribution. Now this
might not sound terribly revolutionary, but consider that we live
in the modern age and we've got lots of computers and computerized
telephone systems and things like that. Because of public key
cryptography -- and this is not practical without public key
cryptography -- I can build a telephone system where, every pair
of phones in the country have public keys associated with them
and the public keys are published off somewhere and when you pick
up the telephone and dial a number, your telephone asks a
database somewhere what the public key is for the number I'm
calling, finds it out and scrambles the entire telephone conver-
sation using that public key.
So instead of having to worry about and sweat over distributing
keys to everyone I talk to, I can afford to encrypt my conver-
sations with the corner store, or the pizza parlor that I'm
calling to give an order to. I can encrypt absolutely everything.
This wasn't practical before public key cryptography was invented.
Public key cryptography makes cryptography really cheap and easy
to use. This is something that the N.S.A. doesn't like, obviously,
and that's why they tried to keep this information from being
published to the point that N.S.A. officials who were apparently
not acting under official orders sent letters to lots of
publications telling them that if they published any information
on this they'd be violating acts about the publication of
classified information, and they tried to contend that all
research in cryptography was born secret and that once you wrote
a paper you couldn't read it again unless you had a security
clearance.
Unfortunately, as I mentioned, they were forced to back off of
this. There were lots of reasons for this, one of which is that
the courts didn't agree with them. One of them is that lots of
the research goes on in foreign countries, which, believe it or
not, are not run by the U.S. government, at least not all of them,
not yet.
But anyway, what happened was that in the early Seventies these
people came up with this new concept. This spurred an interesting
revolution, because suddenly lots of people in academia saw that
there was interesting research to be done in cryptography and that
they could do it outside of the N.S.A. Before the early 1970s all
the cryptographers in the United States for the most part who had
any degree of serious interest in the subject worked for the
N.S.A. That was it. That was your only career path. Now there
are thousands of people who work on cryptography in academia in
this country and in countries around the world, and it's a real
serious subject of study. There are conferences several times a
year, people publish this stuff in the open literature.
So there is now this thriving field of study, which the N.S.A.
really doesn't like -- because as I mentioned, the people who are
basically that big ear trying to listen to all the conversations
around the world -- and by the way, when I say they try to, I
really mean it. They've got listening posts all over the world
to try to intercept every possible radio transmission,
microwave-transmitted telephone call, every satellite-based
communication, everything they can get they tap-- you know,
cables going between foreign countries -- everything they can
possibly do to listen to as many conversations as they can.
MALE: Supposedly they monitor every overseas phone call in
this country.
PM: Yeah. Whether or not they actually do is a matter of speculation,
but it's thought by many that they do.
FEMALE: Well, they do sample.
DM: We don't know what they do for sure.
FEMALE: No, trust me.
DM: Okay.
FEMALE: So if you say, "Bomb the World Trade Center," they pick
up on those words.
DM: Possibly. Anyway -- while all of this was happening in the mid-
Seventies and early Eighties with cryptography developing as a
field of study, at the same time the computer revolution was
happening. Now computers -- I know that everyone on earth by
now has heard about -- has seen their People Magazine or Time
Magazine or Schlock Magazine No. 525th article on the Information
Superhighway, and the Internet and how wonderful it all is -- and
you probably all want to fall over and gag when you hear any more
hype from people who don't know what they're talking about.
Well, I'm going to give you some more hype, but at least I do know
what I'm talking about. The Internet is a really amazing thing.
I can sit in my office in New York and I can collaborate with an-
other person who's working in Australia and I can send mail to
friends of mine that gets there instantaneously who happen to be
in Finland -- or communicate with tens of thousands of people
that I've never met. If it wasn't for the Internet, I never would
have met Dave. In fact if it wasn't for the Internet the
Cypherpunks Movement would never have started, because all the
people involved in it found each other over the Net. Now in the
future, whether you like it or not, the Net's going to be where
you do your catalog shopping ...
DM: Perry, I just have to mention. There are about 700 plus
Cypherpunks today. I've met I think three of them in the flesh
in a year and a half.
PM: I've met more, but it's amazing how many people you get to know
and be friends with and you've never seen. But you know, I --
in the future it's possible for many kinds of work to be done
remotely thanks to these technologies. If you're a writer you
don't need to be anywhere in particular, do you? I mean you can
write your books in Fiji for all you care.
And if you're a reporter, unless you're a beat reporter and you
go out to interview the fireman at the fire or what have you, if
you're someone who, say, covers wider issues you can do your
business from almost anywhere that you've got a telephone and a
computer.
The Internet makes that an even bigger thing. In the future I'm
probably going to be able to send a little message down to the
pizza parlor around the corner and have a pizza delivered over
the Internet. Everything you do is going to be done over the Net.
MALE: Isn't it going to taste a little funny sucking through that wire?
PM: Well, no.
MALE: No worse than Domino's, I guess.
PM: It tastes fine once you encrypt the pizza. Anyway -- the thing
is that the Internet -- now when Dave said that the Internet is
an anarchic thing, this is not a lie. This is literally the
truth. The Internet has no central control, no central planning.
It's operated basically on the premise of, "Okay. I've got a
connection. Oh, you want to connect up? Okay. Connect up to
me." There is no such thing as a central Internet management
office. There is -- yes?
Q: What's the Internet Naming Authority?
PM: The I.A.N.A. is -- to the extent that there is any sort of central
organization, that can be said to be it. But what do they do?
They give out Internet numbers. If they stopped doing it, people
would probably start routing in NBGP domains, you know, on their
own and assigning their own numbers. It's not like you can exert
control over the Net that way. But never mind. I don't want
to...
COMMENT: It fits most people's definition of God. The circle whose center
is everywhere, whose circumfrence cannot be found.
PM: The Net is organized basically without any -- the Net has no
knowledge of what borders are. Okay? I can communicate with a
machine in Finland as easily as I can communicate with a machine
in New York. One of the results of this is that when people in
one country are told, "Oh, you can't put this sort of information
up on your computer," well, generally speaking someone in another
country will offer to put the information up for them. And at that
point the attempt to control the flow of information is completely
meaningless.
Does everyone know -- there's this court case now in Canada where
the Canadian press has been forced not to say anything about the
court case. Well, of course anyone who's in Canada and is
connected to the Internet can read all the details that they want
to. Borders are completely meaningless. The U.S. government has
this interesting rule that you cannot export cryptographic
software from the United States. I'll get into that more later.
But one of the interesting results of this is that when people
have built large packages -- large pieces of software that
involve cryptography -- what they've generally done is to just
specify how the cryptographic pieces have to fit in, and people
in foreign countries have written a dozen or couple of dozen
lines of computer software to implement those things and put them
up on computers in Finland. For some reason putting this stuff up
on computers in Finland is really popular. I don't know why.
[LAUGHTER] Really, it is. The Network traffic between the United
States and France is dwarfed by a factor of five compared to the
traffic between the U.S. and Finland. It doesn't make any sense,
but that's the way it is.
But, you know, the Internet has changed the way many people who
are computer professionals now live. For instance, the chairman
of Autodesk, which is this very successful computer company,
decided that he didn't like living in the U.S. So he moved to
Switzerland, got an Internet connection and managed his company
from then on from there. I think recently he decided he wanted
to retire and hired another manager, but never mind; the point is
that the Net really breaks down barriers to information. You can
not restrict information to one country, you cannot keep
information from flooding around the world almost instantaneously
to any place that's on the Net.
Everyone is on the Net. The Russians are on the Net. People in
Singapore -- where the government of Singapore thinks that they're
exerting control over what books can be sold in the country, I
have news for them. Stuff going over the Net is far racier than
anything that they think that they're censoring at the border.
So here we have this wonderful Internet, and the problem with it
is it's completely insecure. The way it's been built right now,
anywhere I tap a line I get enormous amounts of traffic going by
and it's all conveniently already computerized so I can use
computers to listen in on it. If the N.S.A. wanted to build a
computer system to watch all the electronic mail going between
two countries, it would be nice, easy, feasible. There'd be no
problem.
This is a problem. Now the problem is of course easily solved
with cryptography. If you encrypt all your communications,
suddenly it's impossible to tap them. This is of course something
that the National Security Agency doesn't like, so they try to
do things like restricting the export of cryptographic software
from the U.S.
Well, I have news for you. Software is just information. Software
is no different from any other kind of information, and if I put
software up on the Net suddenly it's in every country in the world
within hours. Mysterious how this happens. This has happened
with cryptographic software several times. There's a fellow by
the name of Phil Zimmerman who wrote a nice public key
cryptography package called PGP, put it up on a machine in the
United States. Well, wouldn't you know it -- available in Italy
-- oh. By the way. Duncan has about ten copies of PGP for
anyone who wants them. [LAUGHTER] We're having trouble
controlling the distribution of cryptography software here.
[LAUGHTER]
Anyway. Sorry. Flying disks. Yes. But seriously, that's as
easy as it is to get your hands on cryptography software these
days. It's all over the Internet. People can download it from
Finland, from Italy, from France and England. It's everywhere.
And the N.S.A. doesn't like this, either.
Now stepping back from that for a moment, I'll mention that we've
talked about ordinary applications for cryptography up to now:
how to keep your communications secret using cryptography. We
touched earlier on the fact that you can do banking using crypto-
graphy. Now why would this be particularly interesting? Well,
this guy David Chaum, in Holland, came up with a system -- and
I'll just ask you to take this on faith -- you can read a book
like Bruce Schneider's book [Applied Cryptography] later if you
like and figure out why this would be so -- but it is possible
to construct a money transfer system in which it is guaranteed
that all parties are anonymous and no parties have to trust each
other. Now that's a really neat feature, isn't it? You don't have
to trust the other parties, and you don't necessarily have to know
who they are.
Now remember that the Internet allows communications to go all
over the world now. So let me give you the following little
scenario. Let's say that I had a little pocket computer in my
-- you have an Apple Newton, don't you? Is it with you? Let me
hold that for a minute. Now I don't know if people are aware, but,
you know, this is as small as computers have gotten and in fact
this is large compared to the HP100. There's a very powerful
computer here.
It even has a communication link so it can talk to other computers.
Right here. I can keep it with me. Let's say that I'm sitting in
a cafe in the East Village, say, and I'm going to meet up with
this guy who has promised to give me this contraband I've been
really interested in -- nude pictures of Nancy Reagan. Okay?
So he shows up in the cafe. You know, I've never seen the guy
before. Never mind. I look at the pictures. Yes, I want them.
We both get out our little computers, put them in front of each
other. Each of us presses a button and suddenly I've paid him
$10,000 which I've extracted from my offshore bank account over
the Internet, handed to him and lord knows what he's done with
it. He might have sent it for all I know to the same bank or to
one on the other side of the world. No way to know. No way to
trace it.
Now U.S. banking law says that I can't do business with foreign
banks inside the U.S., but it's very difficult in the presence of
strong cryptography to know whether or not I am communicating with
a foreign bank. Or to regulate the transport of money.
If you're living in the underground economy and you're dealing
with cash all the time it gets very cumbersome, you know? You're
carrying around $10,000 in cash. It's a big wad of bills.
Keeping cash in your home is inconvenient, moving cash around is
inconvenient. It's dangerous. You can't get interest paid on
your cash. So what you really want is offshore banking, but
offshore banking has been inaccessible to people. Well, this
might very well blow that wide open, and I'm certain that the
I.R.S. and the N.S.A. dislike this possibility.
Imagine what happens if half the population finds itself able to
function in the underground economy with all the ease with which
they can function in the above-ground economy right now. They've
got their bank, they've got -- you know, they can make investments
if they want. They can transfer money. Hell, it's more conven-
ient. It's much more convenient than the way we do things right
now, and I can clear and transact -- right now if I wanted to,
say, a credit card transaction, you know, a merchant has to be
set up to do a credit card transaction and it's really risky.
Someone can steal the credit card numbers, etc. This is
extremely secure, and I can exchange information with anyone and I
can do it using ordinary equipment that I can buy off the shelf.
That's another thing that I want to point out here. Every computer
is dangerous to them. Every single computer in the world is an
extremely high quality cypher machine if it has the right
programs, and programs are really easy to copy. They're as free
as air. They move very fast. I can throw one -- pretty
inaccurately, but never mind. Anyway -- flying software, faster
than the internet... [OVERLAPPING COMMENTS AND LAUGHTER]
The people in Fort Meade, you know, at the N.S.A. --their offices
are known as the Puzzle Palace to some people, largely because to
a large extent what they do is they spend their days worrying
about really intricate mathematical problems. And there's -- I
suspect not much that makes the people in the Puzzle Palace more
nervous than the notion that equipment that anyone in the world
can buy for a couple of hundred dollars can make it impossible for
them to tap some communications.
It's incredibly cheap -- cryptography software is virtually free
right now. Almost anyone can get software that's really good for
free. And computers are cheap. And you can't keep the software
from moving around. This is probably the stuff of their
nightmares.
You know, remember that their mission is to listen in on every-
thing, and they're faced with the threat that they may be able to
listen in on nothing. Compound that with the fact that then we
have these science fiction scenarios of people able to conduct
untraceable, unwatchable transactions without the I.R.S.'s all-
seeing eye being able to detect it -- or FINCEN's.
How many people here know what FINCEN is? I'm curious. Okay, we
have two or three people who know what FINCEN is. Do you know
what FINCEN is, sir?
MALE: No, I don't.
PM: FINCEN is the government agency that collects information on all
of your large bank transfers and tries to note if you are engaging
in a pattern of criminality with them. Right now it can only watch
all of your transfers over $10,000, or things that are
suspiciously close to $10,000. They would like to watch all of
your bank transactions. This is all in the name of...
Oh, by the way. Does everyone knows what the Four Horsemen of the
modern governmental Apocalypse are? The excuses for virtually
every civil rights reduction that's happened in the last few
years. The Four Horsemen are: terrorists, drug dealers,
pornographers and child molesters. Okay. Now all the time
you're told, "But what if terrorists got their hands on
cryptography technology?"
By the way, the answer to this is that anyone who wants to get
their hands on it -- let's put it this way. This book [Applied
Cryptography] can be purchased in any bookstore. Explains
everything about the state of the art in modern cryptography.
Any of you who knew enough about computers could pick this book
up and write software probably good enough that the government
could not listen in on your communications. Trying to keep
this stuff out of the hands of anyone is rather difficult. The
horse is already long out of the barn.
Return to June 1994
Return to “rarachel@photon.poly.edu (Arsen Ray Arachelian)”
1994-06-30 (Wed, 29 Jun 94 18:56:55 PDT) - Feb 11 Transcript part 2 - rarachel@photon.poly.edu (Arsen Ray Arachelian)