From: "Peter Trei" <trei@process.com>
Date: Wed, 13 Sep 95 07:34:42 PDT
To: cypherpunks@toad.com
Subject: CYPHERPUNK considered harmful.
Message-ID: <9509131434.AA23717@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


I mailed this yesterday, but it never showed up on the list.

-----BEGIN PGP SIGNED MESSAGE-----


V Z Nuri has actually stolen my thunder a bit here, with his post on
'crypto confrontation', but I've been working on this stuff since
Friday. I have a somewhat different approach, and I'd like to see
some comment.


                  "CYPHERPUNK" considered harmful

     I would like to propose that we, the 'cypherpunks', are making a
strategic error, which will make it far more difficult to achieve the
goal we share.

     I realize that many will bridle at the notion that we have a common
goal, but I think that most of the participants in  this list will agree
with the following:

     "Strong cryptography is a powerful new technology, of which the
widespread and unfettered use should be encouraged."

     Our error lies in our approach to encouraging the widespread use of
crypto. It is an error of hubris - overweening pride.

     We too often think of ourselves as an elite - smarter and better in
various ways to our non-cpunk neighbours. We refer to these others as
'Joe Sixpack" and other such derogatary terms. 

     The problem is that in doing so we are marginalizing ourselves. 

     We call ourselves 'cypherpunks'. While this is derived from the SF
term 'cyberpunk', consider the image we are creating for ourselves:

     A 'punk' is a marginalized young adult, one who rejects the norms
of his or her society, and takes delight in irking those around him with
his or her rejection. The older of us will think of James Dean in 'Rebel
Without a Cause', or Brando in 'The Wild One'. Later, you get images
such as Peter Fonda in 'Easy Rider', and more recently, Sid Vicious and
other icons of the 'punk rock' movement.

    These punks are often romantic figures, but in reality they started
marginalized, remained marginalized, and died marginalized. They were
ineffective in changing the core values of the society in which they
lived (yes, I know that most the examples I've given are fictional 
characters, but I'm talking about the type of people they are modeled
on).

    We, the 'cypherpunks' have embraced this label, taking pride in our
technical abilities, and acting as if we can institute 'cryptoanarchy'
without getting a majority of the population to support us.

    This is a bad approach. The overwhelming majority of the US
population is not alienated from the US government, and regards with
suspicion those who are.

     I suggest that we drop the term 'cypherpunk' - it has the wrong
connotations to get our ideas into the mainstream. I don't have a 
perfect replacement yet:

1. I want to get away from the strings 'crypt' and c[iy]pher- they sound
too cloak-and-dagger.

2. It should imply that the labelees are level-headed, responsible
citizens, not longhaired weirdos.

3. It should make itself difficult to invert - the classic example
is the pro-choice/pro-life dichotomy, where each side refuses to
acknowledge the other's terminology.

4. A cute and apropos acronym would help.

     Many on this list have been advocating cryptography primarily as a
means of liberating ourselves from an intrusive and overcontrolling
state. This is a goal that leaves most Americans cold - they correctly
regard their country as one of the most free in the world, and are
alarmed by people who want major changes in the status quo.

     To get crypto accepted into the mainstream, we need to make it
something the average person expects and wants to use, for goals
that make mainstream sense - not for some distant, idealist utopian
cryptoanarchic libertarian dream.

     Crime is a major political hot button these days. Advocating 
crypto for preventing crime is probably the best approach we have
to getting the meme into the mainstream's ear that "I need good
crypto".


- --------------------------------------------------------------

     Towards this goal, I have written a short Q&A that could be
used as a model when discussing cryptography with non-cypherpunks.
These are UNFINISHED DRAFTS. I would welcome additions, corrections,
completions, and modifications. Please do NOT repost to other 
locations until they are finished.

     I'm trying to avoid wild anti-state tirades, giving mainstream
reasons for people to take pro-cryptography positions.

- -------------------------------------------------------------


Q: Why should I use cryptography?

A: To protect yourself against crime. Criminals have already been
caught installing "sniffers" on the Internet, and capturing passwords
and other data. Cryptography will protect you from this. It will also
protect your company against industrial espionage, and reduce fraud by
providing unforgeable and undeniable digital signatures. 

Cell phone companies currently pay $XXXX million every year due to
cellular fraud. This vast level of crime could be reduced to near zero
by cryptography, with a corrosponding reduction in cellular rates. On
top of this, a great deal of crime is committed by tapping cell phone
conversations - something that can be done by any teenager (or gangster)
with a simple scanner. Even the British royal family have had their 
privacy invaded by this method. Encryption can protect your phone
conversations, and make them as private as regular phones. Finally,
strong encryption can make the Internet safe for commerce and trade.

[We need more data on the 'sniffer' attacks which have occurred - I know
there was one on BARRNET about a year ago, and I understand that there
have been others].


Q: Won't criminals be able to evade wiretaps by encryption?

A: In theory they could. However, the FBI has not reported a single case
where cryptography has been a barrier to wiretaps [I think this is
correct - any counters?]. It turns out that criminals have not been
using strong cryptography. Even if they did start to do so, audio and
data bugs can still be planted.

Criminals *have* been tapping the unencrypted data that flows through
and is stored on the Internet, and tapping cell phone transmissions to
commit cellular fraud. Encrypting your data and communications will help
protect you against them.


Q: Aren't LEAs worried that strong encryption will make it more
difficult for them to catch crooks?

A: There's an old saying that's apropos here: "When you're up to your
ass in alligators, it's easy to forget that you're trying to drain the
swamp."

The reason we have LEAs is not to catch crooks; their purpose is to
prevent crime. Catching crooks is simply one method of doing so.
Cryptography  provides a method of preventing crime before it happens,
and putting the crooks out of business. 

To give a couple of analogies: 

1. If your house was strongly built, and no one could enter without your
consent, you would not worry about burglery. If every house was
similarly robust, burglers would be out of a job.

2. Similarly, if your car could not be broken into, damaged, or moved in
any way without your cooperation, you would not worry about car theft,
or pay for theft insurance. If all cars were similarly protected, car
theft and carjacking would no longer exist as crimes.

LEAs tend to focus on the small number of investigations which may be
hampered by good cryptography, ignoring the vast number of crimes which
would be prevented by the same technology. This is a classic example of
failing to see the forest for the trees. The widespread use of
cryptography would reduce crime to a point where many LEA employees
could retire.


Q: What's this 'key escrow' thing? 

A: Some government agencies have been trying to figure out methods which
simultaneously permit US citizens to use strong cryptography against
criminal eavesdroppers, while retaining the ease with which LEAs can
currently tap your calls. The schemes generally involve something
mistitled 'key escrow', in which copies of cryptographic keys would be
stored at sites accessible by LEAs.

Q: Why do you object to it?

A: This is a bit as if your local police department ordered you to send
them copies of all of your house, car, and office keys, so that they
could enter whenever they felt it warranted, without your knowledge.

Even assuming no keys will be leaked to criminals from such a valuable
archive, it's an incredible boondoggle. The inital cost is tens of
millions of dollars per year, by the most conservative government
estimates. In reality, it's likely to be hundreds of millions a year,
all to enable LEAs to investigate a type of crime which does not yet
occur, and may never occur.

Q: But isn't escrow required only for export

[like I said, I haven't finished]

- ------------------------------------------------------
Cute signature quotes are needed.

example:

 I lock my house. Don't you? I lock my car. Don't you?
 I lock my data.  Do you?  Use cryptography to protect
 yourself against crime.

- ------------------------------------------------------
Up to this point, I've been an advocate of crypto
without using it for much of anything - a classical
case of 'I don't have anything that needs it'.

I'm going to start clearsigning my messages with PGP.
My new key is <ptrei@acm.org> is included here, and has been 
put on the MIT server. No signatures yet (sorry I didn't 
get together with Perry in Danvers).

Here's my key:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzBST7QAAAEEAMs3b6h0lmwbELWbwoVwBVTInb3Gt0YWSamxbC/DJZ4YHqCh
2+aFZKGGlRfoaAeUeus/Vf0oLffwBMmXspSp86P1Nbk/jlR3TdwTqZA4BpcsylF9
68hJYQjrqQRoibXNyNc6O6/yyqm0MUkE1zcZAM3mW0dGV4d5+1QxhKXe9s8VAAUR
tB1QZXRlciBHLiBUcmVpIDxwdHJlaUBhY20ub3JnPokAlQMFEDBSUEJUMYSl3vbP
FQEB9Z4D/i2vJclQg4iCnHq1H02DR7az533GoRlxWIjOXd/Y1HrxSyFWcA6zTRM1
8FVFPJw4vL0qbynyCXKKTSmN4kzfSSN/Tt60UKy7i3DWZIL6J0kQIbNUxt6mMB76
4Qk3yFWebf14hg7w3e42Hngf6Nw0ZGjLdLieSlixFgg3CAFXmWVa
=DsOh
- -----END PGP PUBLIC KEY BLOCK-----

KeyId           = DEF6CF15
Key fingerprint =  07 4A 45 4E 09 F8 30 1F  78 97 AD 18 24 4E 19 E3

I'm signing this with 'pgp -sta' on a Windoze NT machine. Could 
someone check the sig and tell me if it computes?

Thanks,

Peter Trei

- -------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMFXLXFQxhKXe9s8VAQEhewP9GFus8GXNygG3rjQqrx1uIW6Cb2QxtMZG
igKwDaSZQpp3a9Q8oQfSCbK6da6TotOOSZhI9EYG6Es31eoDhyomn2HR/Bompocl
hmkQgMqasJW37Rs1/Vw4uBfdoq0o0FiC8jLkvSj7j+pDP6FB890pWzTtEJ+t+Hqd
au6NALhGo14=
=jTar
-----END PGP SIGNATURE-----

gah - pgp has munged the dashed lines for the pubkey. Here it is again:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzBST7QAAAEEAMs3b6h0lmwbELWbwoVwBVTInb3Gt0YWSamxbC/DJZ4YHqCh
2+aFZKGGlRfoaAeUeus/Vf0oLffwBMmXspSp86P1Nbk/jlR3TdwTqZA4BpcsylF9
68hJYQjrqQRoibXNyNc6O6/yyqm0MUkE1zcZAM3mW0dGV4d5+1QxhKXe9s8VAAUR
tB1QZXRlciBHLiBUcmVpIDxwdHJlaUBhY20ub3JnPokAlQMFEDBSUEJUMYSl3vbP
FQEB9Z4D/i2vJclQg4iCnHq1H02DR7az533GoRlxWIjOXd/Y1HrxSyFWcA6zTRM1
8FVFPJw4vL0qbynyCXKKTSmN4kzfSSN/Tt60UKy7i3DWZIL6J0kQIbNUxt6mMB76
4Qk3yFWebf14hg7w3e42Hngf6Nw0ZGjLdLieSlixFgg3CAFXmWVa
=DsOh
-----END PGP PUBLIC KEY BLOCK-----


Peter Trei
Senior Software Engineer
Purveyor Development Team                                
Process Software Corporation
http://www.process.com
trei@process.com