1997-10-13 - Re: Attitude and Assumptions

Header Data

From: nospam-seesignature@ceddec.com
To: cypherpunks@cyberpass.net
Message Hash: 3383463d54d38a86eaa2e46741688a8eca61ae03e58491605e65390539cd38cd
Message ID: <97Oct13.175129edt.32259@brickwall.ceddec.com>
Reply To: <3.0.3.32.19971010180024.00ad8ce0@mail.pgp.com>
UTC Datetime: 1997-10-13 22:03:20 UTC
Raw Date: Tue, 14 Oct 1997 06:03:20 +0800

Raw message

From: nospam-seesignature@ceddec.com
Date: Tue, 14 Oct 1997 06:03:20 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Attitude and Assumptions
In-Reply-To: <3.0.3.32.19971010180024.00ad8ce0@mail.pgp.com>
Message-ID: <97Oct13.175129edt.32259@brickwall.ceddec.com>
MIME-Version: 1.0
Content-Type: text/plain



On Fri, 10 Oct 1997, Jon Callas wrote:

> In the course of all the discussion here, I have seen a number of implicit
> attitudes and assumptions that irritate me. This is a short rant to air my
> irritation.

I would hate to see your *long* rants ...................:^)

> The first thing that bugs me is what I'm calling Crypto-Correctness. I
> don't know a single person on cypherpunks who is against privacy, or is
> against the notion that in the information society, keeping and bearing
> crypto is an inalienable human right. Politically, I'm a Lockeian, and put
> privacy up there with Locke's basic trio of life, liberty, and property. As
> part of this, I fight the stupid notion that because there are bad people
> out there, rights should be abridged. 

I express it as private information is my property and I should have
whatever means necessary to protect it.  And as crypto can be directly
used only as a shield and not a sword, there are no reasonable arguments
against me using it.

> I believe that the central thesis of crypto-freedom is that it doesn't
> matter if a document is on paper or in a text file; it doesn't matter if a
> conversation is on the phone or in a restaurant. The medium doesn't matter.
> My papers and effects have the same protection on a disk as on paper itself.

This is really unexplored.  I would extend rights in the physical world
into cyberspace.  And you are right [in an elided section] that
corporations or businesses aren't thought of.  Most of the arguments
against intellectual property are toward releasing it where it is free, but
there is an equal or greater threat of charging for the information
without paying royalties.  There are vandals, but there are also thieves.

> We all know that deployment is the key. But real deployment means deploying
> to people who don't know how their toaster works, too. If we don't solve
> this problem, we'll get hit with the backlash. Just you wait, once crypto
> becomes trendy, there will be a Time cover story with some headline like,
> "How Much Privacy is Enough? Who's Really After You, Anyway?" and in it
> will be sob stories about how people lost their passphrases, were
> blackmailed by employees (ask me, I have real-world tales of this), or
> can't decrypt their backups. Congress will have hearings, and they aren't
> going to be fun to watch. Is trying to head this eventuality off (yes, I
> believe it's inevitable) really the work of Satan?

No, but I don't know if your solutions are real.  Does PGP 5.5 prevent
encrypting non-CAK, then reencrypting CAK to pass through the mailers?
GAK/CAK has lots of technical problems, and I don't know that you have
solved them.  You assume that someone like the boss in the Dilbert cartoon
is going to make this all work (or will they write the corporate
passphrase on their deskpad)?

I tend to be neutral to CAK, except that I can't think of an easy way to
create something that is not snake-oil (i.e. that is easy, doesn't
compromise security if the CAKeepers are dunces, and ensures that data
encrypted is accessible by the TTPs).

> The last thing that really, really bugs me is the hostility that's directed
> towards PGP Inc. because now we're an Inc.

> We put out a freeware product, hoping people will upgrade to the for-pay
> version. If you're thinking of your own startup, let me give you some
> investment advice: the crowd who thinks the X-files is a documentary
> doesn't upgrade to the for-pay version.

The Windows versions I have seen don't allow me to select algorithms (they
default to CAST, so how do I get 3DES or IDEA), and neither did the Linux
version - the beta segfaulted on at least one combination of algorithms. 
Are all these little problems fixed?  And if so, you had to modify the
source, so is there a diff file you are going to publish, much less a press
release saying what is or is not fixed (I see the part about
batch-friendly, but is that there yet, and how would I use that - you
could put your manuals online). 

I can't even buy a license for the scanned version in which I can at least
fix these problems.  I would pay the $49 for the license to use a working
Linux version.  Maybe you should add a license issuing page to your server
so I can click and get a digitally signed HTML license (with a physical
one to be mailed later if needed). 

But for now my choice is to take a chance on the $49 downloadable version
(will it be another $49 for a half-fixed version, and another $49 when
the IETF finishes with the spec and 6.0 meets it?).  Does anything happen
differently if it has problems and I report them?

By the way, I can't even download it - your server requires switching to a
port our firewall doesn't let through (9999) which I emailed your
webmaster about three months ago.  There are other common alternate ports
that are allowed.  So I can't even really get the $49 version, I must pay
$79 (or spend an hour creating an IP tunnel to a recognized US DNS-IP
address which is what I did last time - I might do that for the freeware
version but not to purchase something). 

So I don't know if any of the problems in the freeware or betas are fixed,
and I can't even download it from your website.  Some hostility to the
"Inc." might be from your consumer relations more than your philosophy.

--- reply to tzeruch - at - ceddec - dot - com ---






