From: Michael Wilson <0005514706@mcimail.com>
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: f01577530e0290505ede7ba3ca4f91b23bba1ee3d8b30b8acbab4fb2718c1bb5
Message ID: <61940702193416/0005514706NA3EM@mcimail.com>
Reply To: N/A
UTC Datetime: 1994-07-02 19:36:10 UTC
Raw Date: Sat, 2 Jul 94 12:36:10 PDT
Subject: Passwords, passphrases, etc.

Cypherpunks:

The evolution of the discussion here regarding passwords or passphrases is a
telling indicator, and one which people here should think about, because you are
reinventing the NSA.

You start with a desire for privacy/secrecy, and so you create a package as a
functional cryptosystem. The requirements of the cryptosystem, however, make
memorization of the cryptographic key non-trivial (and nobody here suggests
offline storage, as the NSA primarily uses); this causes you to use an access
control mechanism that protects the key on a local basis. This then makes you
think about armoured operating systems, physical security of the site, biometric
security, signals emission, coercion methods, etc. It is a capsule history of
the enemy, and I hope it helps you understand what created them; the major
difference was that they had an available budget and potent adversaries.

Imagine the cypherpunks sitting around and attacking their own system and others
(Clipper, for instance), getting paid to write code, build hardware, whatever
necessary to attack/defend, and with operational support and infrastructure.
Quite educational, isn't it?

Another brief observation you might want to think about in regards to the
implications; the data in the public domain for cryptanalysis tends to be based
primarily in the English language (frequency tables, dictionary attacks, etc.).
Isn't it striking that so little of similar data has leaked out for what one can
assume were the real targets--Russian, Arabic, German, etc.? Seems to be quite
an effort to attack English-based systems. There also seems to be an unusual
silence on what one would consider to be important cryptanalysis data--if you
were NSA, wouldn't you be certain to suppress data that helped your adversary?
Just food for thought. Is this a true emphasis or a Potemkin village?

One benefit of being multilingual; all access codes that I need to remember are
obscure phrases in little-known dialects. I imagine they would look like
gibberish to the uninitiated.

Michael Wilson
Managing Director, The Nemesis Group

[I hope that the record of purchases made through the Maryland Procurement group
are making their way from systems such as Mead Data and into private systems for
analysis; warning, access of such data is expensive.]