From: Peter Coffin                     Area: Public Key Encryption
To: Jeff Hancock                       17 Sep 94 15:36:58
Subject: There goes more freedom!      UpdReq

Discussing There goes more freedom! with *.*, Jeff Hancock remarked:

[...]
JH> The practice portion of the examination is likely to be the most
JH> controversial. Reportedly, all candidates must pass a typing skills
JH> examination and achieve no less than 40 words per minute to obtain a
JH> (temporary) novice license. This must be raised to 80 words per minute
JH> before a regular-status license will be issued. Novices will be
JH> restricted to operating networked computers having speeds of less than
JH> 5 MHz or operation of SLIP or dial-up connections of no greater than
JH> 2400 baud. (It is rumored that the FCC will make 5 MHz replacement
JH> crystals available at a nominal charge to temporarily slow computers
JH> of novice operators).
[...]

I haven't laughed this hard in weeks. Thank you.


From: Jim Bell                         Area: Public Key Encryption
To: All                                18 Sep 94 23:41:00
Subject: RC4 Revealed!                 UpdReq

"Private computer code revealed." by John Markoff, New York Times News Service.

San Francisco-- In an act of business espionage whose effects are not yet clear, someone has anonymously circulated the underlying formula of one of the most popular coding systems used to protect information sent over computer networks.

The formula, which has been a closely guarded trade secret, belongs to RSA Data Security Inc., a small, privately held software company in Redwood City, Calif. It sells encryption software to the nation's largest computer and software companies, including Apple Computer, IBM, Lotus Development, Microsoft and Sun Microsystems.

In recent days, one or more people anonymously posted the formula on electronic bulletin boards on computer networks around the world.
Disclosure of the formula does not necessarily allow eavesdroppers to intercept and unscramble coded messages sent with the RSA encryption software. But widespread dissemination could compromise the long-term effectiveness of the system, software experts said. And disclosure does throw into question a 2-year-old agreement in which the government has allowed computer and software companies to export products incorporating the RSA system.

Also unclear is the financial effect that disclosure of the formula could have on RSA, the leading maker of encryption software, with revenues estimated at $5 million to $10 million a year.

Executives from RSA said in a statement released Friday: "RSA considers this misappropriation to be most serious. Not only is this act a violation of the law, but its publication is a gross abuse of the Internet." The Internet is the global web of computer networks on which the formula has been circulated.

The formula, which is known as RC4, has become the de facto coding standard for many popular software programs. It is also the only software-based formula that the National Security Agency, the government's electronic spy agency, will permit to be easily exported under an agreement the agency reached two years ago with the Software Publishers Association, an industry trade association.

++++++end of article++++

... The rest of this tagline is encryp*&l#1E0+=|>fcd}85^7@jowxz*7"[=-
___ Blue Wave/QWK v2.12


From: Jerry Boggs                      Area: Public Key Encryption
To: Bill Brown                         18 Sep 94 16:29:38
Subject: PGP-related filename conventions   UpdReq

Saturday September 17 1994 04:22, Bill Brown wrote to Christopher Baker:

CB>> PGPOS2 for OS/2 version of PGP.
BB>
CB>> PGPUNIX for Unix version [if there ever is one]
BB>
CB>> PGPVAX for Vax version [likewise]
BB>
CB>> [send them the source if they request a Unix or VAX version!]
BB>
BB> Reading between the lines, this implies that there IS an OS/2 native
BB> version of PGP. Is that so? I'd certainly like it, not just to add to my
BB> magic file list, ;) but also to USE. Have I missed something?

There is an OS/2 version. It can be freq'ed from me (1:265/5456) as magicname PGPOS2. (Zone 1 only of course).

BB> BTW, a while back, while I was out-of-state, you wrote and said something
BB> about freqing my key, "once I'm back." Well, I have been for a while, but
BB> neglected to mention it. "Oops."

My key can also be freq'd with the magicname PGPKEY. If you sign it and return it to me I will do the same for you.

Jerry Boggs 1024/F7983445
Key fingerprint = D1 A1 41 39 04 66 AA 2E  8D 88 C5 26 06 46 38 CB
Fidonet-1:265/5456|SYN NET-151:703/14|PODSnet-93:9800/5
ALTNET-370:3530/0|Medieval Net-180:234/9|Mysticnet-101:508/0
IBMNET 40:4370/5456

...We're the Clintons from Arkansas: Hill & Billy.
--- GoldED 2.50.B0822+ 1626US3


From: Raymond Paquin                   Area: Public Key Encryption
To: Jim Bell                           18 Sep 94 19:31:08
Subject: RSA Broken                    UpdReq

TB> Um, I am given to understand that the
TB> particular "family" of *RSA* keys
TB> that can be broken are a specific, easy-to-crack
TB> subset containing a high
TB> number of redundant zeroes. Odds against a key from
TB> that subset in an ACTUAL
TB> *PGP* key are quite low, and fairly easy to avoid --

Um ... not quite. But you are right: there is such a thing as a weak prime number: i.e. not all prime numbers are created equal. Unfortunately, PGP does not check for weak prime numbers. Pity ...

BTW, the 129 digit key that was broken recently was not only small, but weak, in the sense that p and q were much too close one to another.

A little knowledge is a dangerous thing ...

Ciao...


From: Ron Pritchett                    Area: Public Key Encryption
To: All                                19 Sep 94 14:55:06
Subject: Key Change?                   UpdReq

I just added a new User ID to my trusty old key & was wondering if that would cause problems if someone happened to encode something on my "old" public key....

thanks

Ron Pritchett - 512/3DF7B37D
Team OS/2
FingerPrint = D6 29 03 7A 26 3E 98 42  E7 5E CB F2 D6 7B BE 79


From: Christopher Baker                Area: Public Key Encryption
To: Bill Brown                         18 Sep 94 23:41:40
Subject: Re: PGP-related filename conventions   UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a message dated: 17 Sep 94, Bill Brown was quoted as saying:

BB> Reading between the lines, this implies that there IS an OS/2
BB> native version of PGP. Is that so?

there have been in the past. there is not at this time to my knowledge. there is an alternate compile for OS/2 available here as PGPOS2.

BB> list, ;) but also to USE. Have I missed something?

only that the currently available OS/2 compile here is of 2.61a. if MIT ever gets around to issuing an OS/2 of 2.6.1, then that will be available here under that magic name.

BB> BTW, a while back, while I was out-of-state, you wrote and said
BB> something about freqing my key, "once I'm back." Well, I have been
BB> for a while, but neglected to mention it. "Oops."

well, i'll try it then. i'll be freqing the standard PGPKEY. there are still folks out there that have not activated this conventional magicname for their public-keys.

TTFN.
Chris

-----BEGIN PGP SIGNATURE-----
Version: 2.61
Comment: PGP 2.6.1 is LEGAL in Zone 1! So USE it! [grin]

iQCVAwUBLn0IkcsQPBL4miT5AQFD5wP5ARsm7Ka89rPUAgAoCOj8GK2urLdhBx2V
X4PdQEkMHz/w1HEJGxjDhB+qF3u4t1Tbd2pDEoxd/MqGXORuVYdFfMLo5HRJP/eF
I9psZLi298sVwHRrPu27yqlmbk5chXeZGPH7xWkXoBccm3C+qaa3Wt2nbh5xbGKs
Cxfdz+nhv8o=
=zeWs
-----END PGP SIGNATURE-----


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:38:46
Subject: Berman Testimony 1/6          UpdReq

* Original Message Posted via BBSLAW
* Date: 17 Sep 94 19:25:00
* From: Bruce Bozarth @ 1:374/98
* To: All
* Forwarded by: Christopher Baker @ 1:374/14
* Message text was not edited!

From: Stanton McCandlish
Newsgroups: houston.efh.talk
Subject: 09/13/94 HR Testimony on DigTel bill by EFF Policy Dir. Jerry Berman
Date: 16 Sep 1994 10:41:22 -0500
Organization: Electronic Frontier Foundation
Message-Id: <35ch8q$ovm@larry.rice.edu>

Electronic Frontier Foundation

Testimony of Jerry J. Berman, Policy Director
Electronic Frontier Foundation

before the
United States House Of Representatives
Committee on Energy and Commerce
Subcommittee On Telecommunications and Finance

Hearing on Digital Telephony Legislation (H.R. 4922)

September 13, 1994

Chairman Markey and Members of the Subcommittee:

I want to thank you for the opportunity to testify today on the recently introduced Digital Telephony bill (H.R. 4922, S. 2375). Over the past several years under the leadership of Chairman Markey, Representatives Fields, Boucher, and others, the Subcommittee has demonstrated knowledge, sensitivity, and vision in crafting our nation's telecommunications policy. I am pleased that the Subcommittee has chosen to apply its experience and expertise to the extraordinarily complex issues posed by the Digital Telephony legislation.

The Electronic Frontier Foundation (EFF) is a public interest membership organization dedicated to achieving the democratic potential of new communications and computer technology and works to protect civil liberties in new digital environments.
EFF also coordinates the Digital Privacy and Security Working Group (DPSWG), a coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues. I am testifying today, however, only on behalf of EFF.

Since 1992, the Electronic Frontier Foundation has opposed a series of FBI Digital Telephony proposals, each of which would have forced communications companies to install wiretap capability into every communications network. However, earlier this year, when it became apparent that some version of the bill would pass the Congress, Senator Patrick Leahy and Representative Don Edwards asked EFF, along with computer and communications industry groups, to participate in a process that would yield a narrow bill that both met law enforcement needs and had strong privacy protections. The result of that process is the bill before us today.

EFF remains deeply troubled by the prospect of the federal government requiring communications networks to be made "wiretap ready," but we believe that this legislation is substantially less intrusive than the original FBI proposals. If Congress is going to act in this area, it should work to improve and pass this version of the legislation.

As I testified before a joint hearing of the House Subcommittee on Civil and Constitutional Rights and the Senate Subcommittee on Technology and the Law on August 11, 1994, we have worked diligently on this legislation with all interested parties in an effort to strike a careful balance between law enforcement's ability to conduct electronic surveillance and the more important public good -- the right to privacy guaranteed by the 4th amendment. The bill strikes this balance in a number of critical areas:

* Law enforcement gains no additional authority to conduct electronic surveillance. The warrant requirements specified under current law remain unchanged

* The standard for law enforcement access to online transactional records is raised to require a court order instead of a mere subpoena

(Continued Next Message)

... WinQwk 2.0b#0
@ Origin: Aardvark Park - 713-664-7799 - (1:106/7799.0)
@PATH: 106/7799 357 449 116 170/400 280/1 396/1 3615/50 374/1 98
@PATH: 374/14


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:38:56
Subject: Berman Testimony 2/6          UpdReq

* Information gleaned from pen register devices is limited to dialed number information only. Law enforcement may not receive location-specific information

* The bill does not preclude a citizen's right to use encryption

* Privacy must be maintained in making new technologies conform to the requirements of the bill and privacy groups may intervene in the administrative standard-setting process.

However, Mr. Chairman, the effectiveness of these privacy protections, as well as the future of technological innovation and the deployment of advanced telecommunications services to the American public, turn on one critical issue which remains to be addressed: Who assumes the risk and pays the cost of complying with the bill's requirements? The government or industry?

EFF believes that allocating the risk and cost to industry will place privacy and security at risk if industry is required to foot the bill for unnecessary or unwarranted surveillance capabilities. Similarly, privacy may be shortchanged if industry takes short cuts to save costs in meeting the legislation's requirements. Industry may also be discouraged from deploying new and innovative technologies because of the costs of law enforcement compliance features.
Finally, public accountability is undermined by making potentially significant law enforcement costs without public scrutiny and debate.

In our view, the public interest can only be served if government assumes the risk and pays the costs of compliance. While effective law enforcement may be in the public interest, it should not come at the expense of other public goods -- privacy, public accountability, and technological innovation. To resolve this issue, we believe that the legislation should be amended to require government to pay all reasonable costs incurred to meet the statute's requirements on an ongoing basis.

A. Linkage of cost to compliance requirements in the first four years -- the FBI gets what it pays for and no more

The bill authorizes, but does not appropriate, $500 million to be spent by the government in reimbursing telecommunications carriers for bringing their networks into compliance with the bill within the first four years of enactment. The FBI maintains that this is enough money to cover all reasonable expenses of retrofitting. The industry, however, has consistently maintained that the costs are five to ten times higher. Given the FBI's confidence in their cost estimate, we believe that telecommunications carriers should only be required to comply to the extent that they have been reimbursed.

In his testimony before a joint hearing of the House Subcommittee on Civil and Constitutional Rights and the Senate Subcommittee on Technology and the Law on August 11, 1994, the FBI director stated that "I think it would be [...] extremely unlikely for a district court judge in the process which is contemplated by this legislation to force compliance or use of any sanctions when compliance is impossible because of the non-reimbursement which is the predicate in the legislation".
Based on the Director's previous testimony and other discussions with the FBI, EFF believes that the bill should include a provision to directly link telecommunications carriers' liability with government reimbursement for retrofitting.

B. Government reimbursement for compliance costs after four years -- public accountability necessary

The problem, Mr. Chairman, is that under the current bill, the government is not responsible for paying the cost of meeting the mandated capability requirements after four years, particularly with respect to new services. The FBI has repeatedly argued that the costs for incorporating surveillance capabilities in new services at the design stage will be de minimis, a contention which most industry representatives and EFF believe may not be correct. As this Subcommittee is aware, it is impossible to estimate compliance costs for technologies which are not even on the drawing boards. The way to resolve the issue is to have the government assume the risks.


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:39:04
Subject: Berman Testimony 3/6          UpdReq

If costs for compliance after four years are truly de minimis, then the expenses borne by the taxpayers will be minimal. If, however, costs are substantial, the government should pay. This will insure that the government, on a case-by-case basis and with an opportunity for public oversight, determines if compliance is significant enough to pay for out of taxpayers' funds. This will also ensure that the government sets law enforcement priorities.
As I stated earlier, if the telecommunications industry is responsible for all future compliance costs, it may be forced to accept solutions which short-cut the privacy and security of telecommunications networks, or be forced to leave advanced features on the shelf, slowing technological innovation and the development of the NII.

Linking compliance to government reimbursement in the out years also has the added benefit of providing public oversight and accountability for law enforcement surveillance capability. The drafters of this legislation have wisely included public oversight of government surveillance expenditures in the first four years. This same principle should be applied to out year compliance costs.

C. Ensure the right to deploy untappable services

The enforcement provisions of the bill suggest, but do not state explicitly, that services which are untappable may be deployed. Having worked for many years towards the goal of promoting the development of the NII, the members of this Subcommittee are clearly aware that its promise and potential rest on the deployment of advanced technologies and services. EFF remains deeply concerned that technological innovation and the deployment of advanced telecommunications services to the public may be stifled if telecommunications carriers are forced to incur huge costs for compliance, or if the Government is allowed to prohibit a new feature or service from being deployed. Although EFF believes that the bill intends to allow carriers to deploy untappable features or services, the bill must clearly state that if it is technically and economically unreasonable to make a service tappable, or if the government has failed to reimburse a carrier for compliance costs, then it may be deployed, without interference by a court. Making the government responsible for all reasonable costs of having new services comply with the legislation will go a long way to ensuring that this legislation will not be a drag on innovation.

D. Additional areas where strengthening is necessary

In addition to our concerns about compliance costs, EFF believes that the bill requires strengthening in the following areas before final passage:

1. Strengthened public process

In the first four years of the bill's implementation, most of the requests that law enforcement makes to carriers are required to be recorded in the public record. However, additional demands for compliance after that time are only required to be made by written notice to the carrier. To facilitate public scrutiny, the bill should require that all compliance requirements, whether initial requests or subsequent modifications, be recorded in the Federal Register.

2. Clarify definition of call identifying information

The definition of call identifying information in the bill is too broad. Whether intentionally or not, the term now covers network signaling information of networks which are beyond the scope of the bill. As drafted, the definition would appear to require telecommunications carriers to deliver not only the signaling information generated by their own services, but also the signaling information generated by information services and electronic communication services that travel over the facilities of the telecommunication carrier. In many cases this may be technically impractical. Moreover, it is contrary to the policy adopted by the bill to maintain a narrow scope.

3. Review of minimization requirements in view of commingled communications

(Continued Next Message)


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:39:12
Subject: Berman Testimony 4/6          UpdReq

The bill implicitly contemplates that law enforcement, in some cases, will intercept large bundles of communications, some of which are from subscribers who are not the subject of wiretap orders. For example, when tapping a single individual whose calls are handled by a PBX, law enforcement may sweep in calls of other individuals as well. Currently the Constitution and Title III require "minimization" procedures in all wiretaps, to minimize the intrusion on the privacy of conversations not covered by a court's wiretap order. In the world of 1968, when the original Wiretap Act was passed, most subscribers' telecommunications facilities carried single conversations on single lines. But today, many conversations are commingled on one broadband communications facility. In order to ensure that constitutionally-mandated minimization is maintained, the bill should recognize that stronger minimization procedures may be required.

E. New privacy protections

The Digital Telephony legislation before us includes significant recognition that new communication technologies, and new patterns of technology use, require new privacy protections. Thanks to the work of Senator Leahy and Representative Edwards and Senator Biden, the bill contains a number of significant privacy advances, including enhanced protection for the detailed transactional information records generated by online information services, email systems, and the Internet. These protections should remain in the legislation.
1. Expanded protection for transactional records sought by law enforcement

Chief among these new protections is an enhanced protection for transactional records from indiscriminate law enforcement access. For purposes of maintenance and billing, most online communication and information systems create detailed records of users' communication activities as well as lists of the information that they have accessed. Provisions in the bill recognize that this transactional information created by new digital communications systems is extremely sensitive and deserves a high degree of protection from casual law enforcement access which is currently possible without any independent judicial supervision.

EFF commends the authors of this legislation for recognizing that law enforcement access to transactional records in online communication systems (everything from the Internet to America OnLine to hobbyist BBSs) threatens privacy rights. Indiscriminate access to transactional records implicates privacy interests because:

* the records are personally identifiable,
* they reveal the content of people's communications, and,
* the compilation of such records makes it easy for law enforcement to create a detailed picture of people's lives online.

Based on this recognition, the draft bill contains the following provisions:

* Court order required for access to transactional records instead of mere subpoena

In order to gain access to transactional records, such as a list of to whom a subject sent email, which online discussion group one subscribes to, or which movies a subject requested on a pay-per view channel, law enforcement will have to prove to a court, by the showing of "specific and articulable facts" that the records requested are relevant to an ongoing criminal investigation. This means that the government may not request volumes of transactional records merely to see what it can find through traffic analysis.
Rather, law enforcement will have to prove to a court that it has reason to believe that it will find specific information relevant to an ongoing criminal investigation in the records it requests.

With these provisions, we have achieved for all online systems a significantly greater level of protection than exists today for records such as email logs, and greater protection than currently exists for telephone toll records. The lists of telephone calls that are kept by local and long distance phone companies are available to law enforcement without any judicial intervention at all. Law enforcement gains access to hundreds of thousands of such telephone records each year, without a warrant and without even notice to the citizens involved. Court order protection will make it much more difficult for law enforcement to go on "fishing expeditions" through online transactional records, hoping to find evidence of a crime by accident. We have also submitted a detailed memorandum on the importance of protection and would ask that this document be included in the record of these proceedings along with this testimony.

(Continued Next Message)


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:39:22
Subject: Berman Testimony 5/6          UpdReq
* Standard of proof much greater than for telephone toll records, but below that for content

The most important change that these new provisions offer is that law enforcement will: (a) have to convince a judge that there is reason to look at a particular set of records, and; (b) have to expend the time and energy necessary to have a United States Attorney or District Attorney actually present a case before a court. However, the burden of proof to be met by the government in such a proceeding is lower than required for access to the content of a communication.

2. New protection for location-specific information available in cellular, PCS and other advanced networks

Much of the electronic surveillance conducted by law enforcement today involves gathering telephone dialing information through a device known as a pen register. Authority to attach pen registers is obtained merely by asserting that the information would be relevant to a criminal investigation. Under current law, courts must approve pen register requests without any substantive review of the basis for law enforcement's request.

This legislation offers significant new limits on the use of pen register data. Under this bill, when law enforcement seeks pen register information from a telecommunications carrier, the carrier is forbidden to deliver to law enforcement any information which would disclose the location or movement of the calling or called party. Cellular phone networks, PCS systems, and so-called "follow-me" services all store location information in their networks. This new limitation is a major safeguard which will prevent law enforcement from casually using mobile and intelligent communications services as nation-wide tracking systems.

3. New limitations on "pen register" authority

Contemporary uses of pen registers also involve substantial privacy invasion, even aside from location information.
Currently, law enforcement is able to use pen registers to capture not only the telephone number dialed, but also any other touch-tone digits dialed which reflect the user's interaction with an automated information service on the other end of the line, such as an automatic banking system or a voice-mail password. If this bill is enacted, law enforcement would be required to use "technology reasonably available" to limit pen registers to the collection of calling number information only. We are aware that new pen register devices are now on the market which automatically screen out all dialed digits except for the actual telephone numbers. Just as this bill would require telecommunications carriers to deploy technology which facilitates taps, we believe that law enforcement should be required to deploy technology which shields users' communications from unauthorized invasion.

4. Bill does not preclude use of encryption

Unlike previous Digital Telephony proposals, this bill places no obligation on telecommunication carriers to decipher encrypted messages, unless the carrier actually holds the key to the message as well.

5. Automated remote monitoring precluded

Law enforcement is specifically precluded from having automated, remote surveillance capability. Any court-ordered electronic surveillance must be initiated by an employee of the telecommunications carrier, upon request by law enforcement. Maintaining operational separation between law enforcement agents and communication networks is an important privacy safeguard.

6. Privacy considerations essential to development of new technology

One of the requirements that telecommunications carriers must meet to be in compliance with the bill is that the wiretap access methods adopted must protect the privacy and security of each user's communication. If this requirement is not met, anyone may petition the FCC to have the wiretap access requirements modified so that network security is maintained.
This requirement, just like those designed to serve law enforcement's needs, must be carefully implemented and monitored so that the technology used to conduct wiretaps cannot also jeopardize the security of the network as a whole. If network-wide security problems arise because of wiretapping standards, then the standards should be overturned.

(Continued Next Message)


From: Bruce Bozarth                    Area: Public Key Encryption
To: All                                20 Sep 94 00:39:32
Subject: Berman Testimony 6/6          UpdReq

F. Improvements over previous Administration proposals

In addition to the privacy protections added to this bill, we also note that the surveillance requirements are not as far-reaching as the original FBI version. A number of procedural safeguards are added which seek to minimize the threats to privacy, security, and innovation. Though the underlying premise of the bill is still cause for concern, these new limitations deserve attention:

1. Narrow Scope

The bill explicitly excludes Internet providers, email systems, BBSs, and other online services. Unlike the bills previously proposed by the FBI, this bill is limited to local and long distance telephone companies, cellular and PCS providers, and other common carriers.

2. Open process with public right of intervention

The public will have access to information about the implementation of the bill, including open access to all standards adopted in compliance with the bill, the details of how much wiretap capacity the government demands, and a detailed accounting of all federal money paid to carriers for modifications to their networks.
Privacy groups, industry interests, and anyone else have a statutory right under this bill to challenge implementation steps taken by law enforcement if they threaten privacy or impede technology advancement.

3. Technical requirements standards developed by industry instead of the Attorney General

All surveillance requirements are to be implemented according to standards developed by industry groups. The government is specifically precluded from forcing any particular technical standard, and all requirements are qualified by notions of economic and technical reasonableness.

4. Right to deploy untappable services

Unlike the original FBI proposal, this bill recognizes that there may be services which are untappable, even with Herculean effort to accommodate surveillance needs. We understand that the bill intends to allow untappable services to be deployed if redesign is not economically or technically feasible. These provisions, however, should be clarified.

G. Conclusion

In closing, I would like to thank Chairman Markey and members of the Subcommittee, as well as others who have worked so hard on this legislation. The Electronic Frontier Foundation looks forward to working with all of you as the bill moves through the legislative process.

--
Stanton McCandlish  http://www.eff.org/~mech/mech.html
mech@eff.org
Electronic Frontier Fndtn.  http://www.eff.org/
Online Activist  http://www.eff.org/~mech/a.html


From: Christopher Baker                Area: Public Key Encryption
To: Carl Hudkins                       20 Sep 94 00:43:16
Subject: Re: Intermail mangling...     UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a message dated: 17 Sep 94, Carl Hudkins was quoted as saying:

CH> Hm. Do you mean my key wasn't found by your copy of PGP,
CH> so it couldn't verify the message? I don't think I signed those

it was a signed msg and the key wasn't in my keyring. i thought i had obtained your public-key but maybe i haven't. did you ever get your Bossnode to make it available for freq? i may have been waiting for that.

TTFN.
Chris

-----BEGIN PGP SIGNATURE-----
Version: 2.61
Comment: PGP 2.6.1 is LEGAL in Zone 1! So USE it! [grin]

iQCVAwUBLn5oacsQPBL4miT5AQF5vwP/VtEG/22/loHzqzlKJpbLQ1cZf2vdFObe
Qi6TDAiygTLO8myZThwyd7ItNpXqchh2ST2FuRnq5MadUOmlNv9eeK9LbDTd4b1J
G2apITbY9Od20TyTtvSvOvlUEQBCgXCexoGDEFyH+D8mgNto5jFXehVm6jXkT5z9
B7VbQejhXj0=
=zPzx
-----END PGP SIGNATURE-----


From: Christopher Baker                Area: Public Key Encryption
To: Brad Ems                           20 Sep 94 00:54:30
Subject: Re: Getting Started w/PGP     UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a message dated: 18 Sep 94, Brad Ems was quoted as saying:

BE> other encryption methods tends to be pretty esoteric, but I've got
BE> to ask some questions to get up to speed.

we take newbies. no problem. [grin]

BE> 1: I have both PGP 2.3 and 2.6. I have learned that after a
BE> certain date, PGP 2.6 will not work with keys generated by 2.3. Am
BE> I correct in thinking this?

no. 2.6+ can read anything produced by earlier models. anything from 2.3a back cannot read 2.6+ output starting 3 weeks ago.

BE> 2. I have a number of friends that have PGP and we'd like to begin
BE> using it for private e-mail. Where is a good message clearing house
BE> where we can post (if there is one)?

don't know what you mean by that. if you want private e-mail, you need to organize it locally if it's local.

BE> 3. I have heard that give that MIT worked on PGP to legalize it in
BE> the eyes of the Washington bureaucrats, it may not be entirely
BE> robust. has anyone any info on 2.6's integrity?

MIT is one of the PKPartners holding the 'patent' on the algorithm that makes PGP unique. they released a 'licensed' version for non-commercial use. it had nothing to do with 'Washington'.

BE> 4. I have read and re-read the manuals that come with PGP, and I
BE> believe I have a good idea of how it works and how to effectively
BE> use it, but in reading the posts in this sub, I realize that I may
BE> not know as much as I think. How much here is cryptographic finery
BE> that a bumpkin like me does not need to know, and how much is
BE> critical stuff that will have Janet Reno knocking on my door if I
BE> don't?

you have to know how to make and use a public-key. you have to know that your secret-key should never be anywhere it may be compromised. you need to know that a floppy backup of your PGP keys is critical in case of drive failure and that said floppy must be held securely to prevent compromise of your keys. you should know that you should generate a 1024 bit key with the name you normally use in Netmail/Echomail. making a smaller key is fine for practice but why bother? not having your Netmail name makes it harder to PGP stuff back to you. you can put several names in your key after you generate it.

you also have to know that you MAY NOT EXPORT PGP executables or source outside the U.S. or Canada without an ITAR export license upon pain of massive fine and prison.

other than that, you're on your own. [grin]

TTFN.
Chris

-----BEGIN PGP SIGNATURE-----
Version: 2.61
Comment: PGP 2.6.1 is LEGAL in Zone 1! So USE it! [grin]

iQCVAwUBLn5rCMsQPBL4miT5AQHJWAP+LrTUbkOJADEqe41uAH3ilNgZHNwDF7CR
zHPWWiffNWPG72RKU07New0SVcfLI39VcBdiHJUKPCeCXNyyvWyYWETTbpTFW0DY
dV+GhIycN110z0lQ46mv3Avk+lePNp3faOe1sJNlA/NHVPCZ66G650Qjeq5g09fI
6sET0UYvajE=
=Cih4
-----END PGP SIGNATURE-----


From: Christopher Baker                Area: Public Key Encryption
To: John Nieder                        20 Sep 94 01:00:42
Subject: Re: Who's This Ashworth?
UpdReq -----BEGIN PGP SIGNED MESSAGE----- In a message dated: 18 Sep 94, John Nieder was quoted as saying: JN> What's going on here? Is Ashworth just some crank on a jihad or JN> has PGP policy changed that substantially on Fidonet since I last JN> looked? there are many misguided and/or paranoid and/or anal-retentive types in FidoNet. FidoNet Policy 4 does say routing encrypted mail is annoying if all routers have not agreed. please advise your friend to find the nearest SecureMail Routing Host and send all his encrypted traffic there. it will be routed without further incident. freq SECUREML.ZIP for the SecureMail Routing docs and topography map. [btw, it's SECUREMAIL not Securenet. we are not a net. we are FidoNet Nodes who believe in privacy.] TTFN. Chris -----BEGIN PGP SIGNATURE----- Version: 2.61 Comment: PGP 2.6.1 is LEGAL in Zone 1! So USE it! [grin] iQCVAwUBLn5sfssQPBL4miT5AQHPAgP/UXlNUXJL3tfIomXnWOO8wCT1w0KMhIma LdrdUewSN/khXYM8HMsZp5rjpGHAQ245Io/SDhmtFtzV5vnyZrjwKfbv324+GNEV QEUi1LLzzbLadGBPhbgYDSZtkUS4dohsKDVI62vWj6livEeb3Ni/9zlMkzAy1qEA JyZYZTfNMRc= =YcT7 -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718
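Returning to the PGP 2.3a versus 2.6 compatibility point in the "Getting Started w/PGP" reply above: the one-way break is a single version byte in two packet types, and the added example below (not code from this echo or from PGP itself) parses the classic RFC 1991 packet header and checks that byte on a constructed session-key packet. The values assumed here, 2 for what 2.3a accepts and 3 for what MIT PGP 2.6 writes after 1 Sep 1994, come from RFC 1991 and the PGP 2.6 release notes, not from the messages.

```python
import struct

# Added example (not code from the echo or from PGP). Assumes the classic
# PGP 2.x packet layout of RFC 1991, and the PGP 2.6 release note that MIT
# PGP 2.6 writes version byte 3 in RSA-encrypted session-key and signature
# packets from 1 Sep 1994 on, while PGP 2.3a only accepts version 2 there.

PKE_SESSION_KEY = 1   # RSA-encrypted session key packet (type 1)
SIGNATURE = 2         # signature packet (type 2)
OLD_VERSION = 2       # read and written by PGP 2.3a and earlier
NEW_VERSION = 3       # written by PGP 2.6+ after the cutover date

def parse_packet(data: bytes):
    """Parse one classic packet: CTB byte, then a 1/2/4-byte length field.
    Returns (packet_type, version_or_None, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("CTB bit 7 clear: not a PGP 2.x packet")
    ptype = (ctb >> 2) & 0x0F      # bits 5..2 carry the packet type
    ltype = ctb & 0x03             # bits 1..0 give the length field size
    if ltype == 0:
        length, off = data[1], 2
    elif ltype == 1:
        length, off = struct.unpack(">H", data[1:3])[0], 3
    elif ltype == 2:
        length, off = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packets not handled here")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    # Only session-key and signature packets begin with the version byte.
    version = body[0] if ptype in (PKE_SESSION_KEY, SIGNATURE) else None
    return ptype, version, body

def readable_by_pgp23a(data: bytes) -> bool:
    """True if a 2.3a-era PGP would accept this packet's version byte."""
    _, version, _ = parse_packet(data)
    return version is None or version == OLD_VERSION

def demo_session_key_packet(version: int) -> bytes:
    """Constructed type-1 packet: version, 8-byte key ID, RSA byte, toy MPI."""
    body = bytes([version]) + bytes(8) + bytes([1]) + b"\x00\x10\xab\xcd"
    ctb = 0x80 | (PKE_SESSION_KEY << 2) | 0   # one-byte length field
    return bytes([ctb, len(body)]) + body

if __name__ == "__main__":
    for v in (OLD_VERSION, NEW_VERSION):
        print(f"version {v}: readable by 2.3a? {readable_by_pgp23a(demo_session_key_packet(v))}")
```

Because 2.6+ accepts both values while 2.3a accepts only version 2, the check reproduces exactly the one-way compatibility Chris describes.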