From lists@notatla.demon.co.uk Sat, 1 Apr 2000 02:36:37 +0100
Date: Sat, 1 Apr 2000 02:36:37 +0100
From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk
Subject: OpenPGP key revocations

Nicholas Bohm :
> At 02:54 AM 3/31/2000 +0100, Ian BROWN wrote:
> >OpenPGP allows you to specify why you have revoked a key using one of
> >the following list:
> >
> > 0x00 - No reason specified (key revocations or cert revocations)
> > 0x01 - Key is superseded (key revocations)
> > 0x02 - Key material has been compromised (key revocations)
> > 0x03 - Key is no longer used (key revocations)
> > 0x20 - User id information is no longer valid (cert revocations)
>
> 0x02 is clearly correct but in asserting a compromise probably infringes a
> "no tipping off" requirement, since the disclosure that effected the
> compromise is what must be kept secret.

Are you assuming that only one compromise of a given key is possible ? If you posted your key on your web page the day after disclosing it in response to a S36 notice you could then declare it compromised by the publication that was not ordered and is not secret.

I once sent a mildly sensitive doc to the wrong email address when I fumbled my handling of temporary files. You might have an easier time legally if it appeared to be an accident, but isn't this action legal in any event ?

From rabbi@quickie.net Fri, 31 Mar 2000 17:53:34 -0800 (PST)
Date: Fri, 31 Mar 2000 17:53:34 -0800 (PST)
From: L. Sassaman rabbi@quickie.net
Subject: OpenPGP key revocations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 1 Apr 2000 lists@notatla.demon.co.uk wrote:
> Are you assuming that only one compromise of a given key is possible ?
> If you posted your key on your web page the day after disclosing it in
> response to a S36 notice you could then declare it compromised by the
> publication that was not ordered and is not secret.
>
> I once sent a mildly sensitive doc to the wrong email address when I
> fumbled my handling of temporary files.
> You might have an easier time legally
> if it appeared to be an accident, but isn't this action legal in any event ?

You probably wouldn't want to do something so public, given that you will most likely still have information encrypted with that key that you don't want anyone seeing (much less the entire world, even if the key is confiscated).

Interesting thought, however. What if you "accidentally" showed your key to someone who was looking over your shoulder? Could this be considered an additional compromise?

__
L. Sassaman

System Administrator | "All of the chaos
Technology Consultant | Makes perfect sense..."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Joe Diffie

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1d (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE45VauPYrxsgmsCmoRArRFAKC1gj2Eut9clkKjdgvnrsNt8fvH1ACfaDsK
EHGj4hukldr0F9y+iKhRdyM=
=Dyyi
-----END PGP SIGNATURE-----

From proff@iq.org 01 Apr 2000 14:06:30 +1000
Date: 01 Apr 2000 14:06:30 +1000
From: Julian Assange proff@iq.org
Subject: Jack Straw educational supplement

I ran into this book the other day. It was written in early 1900s (1910 or something) and published in Canada. It is called "Babes of the Empire" and it is set up as an alphabet book for British kids. Each page has one letter and corresponding verse and the opposite page has a picture of what the verse is talking about. I am afraid I won't be able to replicate the pictures in this medium.

I have provided notes at the bottom to clarify some terms that are not that common (in general, and in US in particular). I have put an asterisk next to the terms I have provided notes for.

====BEGIN BOOK====

A's an Australian, born in the bush, An A.1.* ally, when it comes to a push; He can ride, he can shoot; and his gun and his horse Are the flower of our Empire's irregular force.

B is a baby once known as a Boer. He was troublesome then, but all troubles are o'er: Now his trekking and wrecking and fighting are all done.
Britain welcomes in peace her recalcitrant son!

C's a Canadian, hardy and bold: A warm-hearted baby who laughs at the cold. And the fields of his harvest, so golden and free, Find food for the Empire from sea unto sea.

D is a Dervish* from sunny Soudan;* He dances no more his eccentric can-can,* But, trained to our manners, is eagerly fain, When Britain once calls him, to dance in her train.

E is an English babe ready to take The yoke of the world for humanity's sake, So this life he knows, be it dreary or bright, When it's England that leads him, the road must be right.

F's a Fijian, her hair like a mop; Let others spin yarns, she can spin like a top! Now she's winning her way to a place in our nation By skipping from frenzy to civilization.

G a Gurkha* -- a big little man -- With a lion-heart under his covering of tan. He's fond of his kukri*, his gun, and his rice, If the Empire requires him, it needn't call twice.

H is Hong Kong, with a pig-tail yards long: They always wear pig-tails in distant Hong Kong! Though he laughs, he's not laughed at; he's old and yet new; There'll be no "Yellow Peril" while he is True Blue!

I is an Irish babe -- sweet little Pat -- With shillelagh and shamrock to stick in his hat. He has fought in his time; now no truer friend's seen; We can our own colours while he wears the green.

J is a Jew with a ringleted* head, Who's up and about while the rest are in bed. He's first on the steamer to sell you his wares, And he'll never be missed but at dinner and prayers!

K is a sweet little, neat little Khan,* Who lives in a country called Beluchistan;* His head sports a turban, which looks a bit vain, But it covers a thoroughly competent brain.

L is from Labrador -- wee Esquimaux* -- Who lives in an ice-house all covered with snow; She has sealskin for jackets, with nothing to pay, And is pleased with a land where it's night in the day!

M's a Masai* baby, fierce, dark, and strong-- Who steals neighbours' cattle and thinks it no wrong!
That's in East Africa, where they appear To have manners and customs quite different from here.

N's a New Zealander, -- Maori child, -- Who hides in the bush, which is lonely and wild. His life's like a gipsy's; he lives upon snails! But he danced like a prince for the Princess of Wales!

O is an Orange River Colony coon*, Who dances and sings by the light of the moon. She's a Kaffir* by birth, but our language she knows, And she always gets blacker the bigger she grows!

P is a Parsee* babe, born in Bombay, Who is sure to be wealthy as Croesus* some day. For these cute little Parsees our merchants admire, And so copy their fashions, make coin, and retire.

Q comes from Queensland, the land of the Queen, The cleverest riders that ever were seen! With a whip and a gun and a swinging lassoo They're as swift as the wind to the swift Kangaroo.

R is a Rajput*, who's haughty and proud, And turns up his nose at the ignorant crowd: The horse that he rides is as proud as his master-- He will curvet and prance, but he won't gallop faster!

S comes from Scotland, the land of the cake, He's a braw little laddie a soldier to make. And the sound of his bagpipes will draw us all forth, When he comes marching south to the "Cock of the North".

T's a Tasmanian. The land where she dwells Is as full of ripe fruit as the sea's full of shells. It was once a dark prison, but now it's all free. And sends England sweet cargoes from over the sea.

U's from Uganda, all woolly and black; His clothes are a belt round a shirt on his back. Now he's got a new railway from shore unto shore*, And the lions skulk off when the red engines roar!

V's a Victorian! That's a good name! Preserving our honoured Victoria's fame. And the land's like her memory, so I've been told, With its jewels for setting, and heart of pure gold!

W's a Welsh babe. Don't look at her hat! Though it's shaped like a witch's, she's nothing of that.
She trips off to market, too keen to be late, And she sings once a year at a strange sort of fete!

X is an extra babe: just what we need To complete our strong Empire in will and in deed! And we hope every year, as the centuries fade, More xcellent xtras will come to our aid.

Y is a Yukon. -- a wee red papoose, In a snug blanket-coat, and smart moccasin shoes. He's a creature of summer, without any doubt, For in winter it's always too cold to go out.

Z is a Zulu, with fierce assagai:* Do you think he could hurt you? I'd rather not try! But he won't, if he could, for our battles are o'er. And now we're all friends -- Briton, Zulu and Boer!

Babes of the Empire, from A down to Z, Peace be the law where your banner's unfurled! Happy of heart and contented of head -- Babes of the Empire that governs the world!

Babes of the Empire where sun never sets, Yours is the manfullest banner unfurled! Yours is the proudest of all alphabets, Babes of an Empire as wide as the world!

Follow the sun from the east to the west: Follow the birds from the north to the south; Peace be the law where your faith is confessed, Love be the gospel that lives in your mouth.

Babes of Great Britain from sea unto sea, Happy the land where your monarch has sway! King of contentment, and Lord of the Free, Yours be an empire that fades not away!

====END BOOK====

A.1.: top-notch; first-rate.

Dervish: name given to Muslim mystics, particularly those who engaged in whirling dances and other bodily movements to express their devotion

Soudan: Alternative spelling of Sudan

can-can: a dance of French origin

Gurkha: a clan that dominated Nepal before they were defeated by British. Later Gurkhas were heavily recruited in British forces because of their fighting prowess. After British left, Gurkhas have formed an important minority within Indian armed forces.

kukri: a short stabbing knife, often used by Gurkha soldiers.

ringleted: having ringlets (that is, small curls).
refers to the curls in the side hair that Orthodox Jews keep.

Khan: a common surname in India and Pakistan. Some people were given this surname during the British rule for their service for the British crown, although the name originally had existed in the area. 'Khan' comes from Turkic languages and means "ruler". For example, Genghis Khan.

Beluchistan: region in western South Asia. Inhabitants are called Balochis and they speak the Balochi language. Currently the region is split between Pakistan and Iran.

Esquimaux: variant spelling of Eskimo

Masai: an ethno-linguistic group inhabiting southern Kenya and northern Tanzania. They are nomads and reputed for their strength, courage and endurance in the wild.

Orange River Colony coon: coon is an offensive term meaning "black". Orange River Colony was the name given to the Boer territory Orange Free State after the Boers were defeated and their state incorporated into British controlled South Africa.

Kaffir: The term comes from Arabic where it means "infidel". The British applied this term to the Xhosa and other Bantu peoples in South Africa. It is no longer used officially, but is used in an insulting way to refer to any black person in South Africa.

Parsee: In India and Pakistan, local Zoroastrians are called Parsees, in reference to Persia (birth place of Zoroastrianism). Parsees have a reputation for being shrewd and successful merchants.

Croesus: Last king of Lydia before his kingdom was subjugated by the Persians. Reputed to have enormous wealth, his name is often used to mean a very wealthy person. The Lydians are believed to be the first ones to invent metallic coins.

Rajput: people inhabiting Western India, bordering southern Pakistan. 'Rajput' means "son of king", and these people are proud of their descent from local area kings in early Indian history.

shore unto shore (Uganda): this is perplexing. Uganda is landlocked, so I don't know what 'shore to shore' refers to here. maybe it refers to Lake Victoria.
assagai: a spear tipped with iron and used in southern Africa

From ben@algroup.co.uk Sat, 01 Apr 2000 09:34:27 +0100
Date: Sat, 01 Apr 2000 09:34:27 +0100
From: Ben Laurie ben@algroup.co.uk
Subject: Irish view and public/private keys

"J.T.Bradley" wrote:
>
> > > the public key from my Irish ISP and I encrypt a session key and give
> > > said-session key to my ISP - we now maintain a 2-way encrypted
> > > conversation via IP say - until renegotiating session keys, maybe every 5
> > > minutes.
> >
> > Like an IPsec connection, you mean...
>
> Indeed - I believe ssh does something similar and I think ssl can
> renegotiate session keys throughout a connection too.

It can.

>
> > > In the above, the private key cannot be obtained from the foreign ISP
> > > because they are not subject to UK law - this also applies to gaining
> > > session keys or plaintext decrypts from the ISP. Does the UK-based company
> > > have to record all the session keys it negotiates?
> >
> > No, since you are not "in possession" of the (session) key. Software acting
> > on your behalf is, and that software destroys its session keys (if it is
> > properly written). I don't know what session keys my IKE daemon generates,
> > and I would have to recompile it to make me aware of them; I think the prosecution
> > would have a hard time establishing that I have or have had the session
> > key.
>
> OK... Charles Lindsey was suggesting writing a proglet for PGP that
> allowed you to extract a session key, I presume so that you could present
> an LEA with a session key _rather_ than a private key.
>
> I suspect saying I don't have the (session) key because my program
> 'forgets' it - is as bad as saying that you had forgotten it, given that
> the program was acting as an agent on your behalf. The court might well
> say that you should have used software which escrowed the key so as not to
> forget - and since you did not you are guilty under the act.
>
> Maybe... but I hope not!

Surely not.
> > > I abandon all the session key nonsense
> > > (which was only really needed when asymmetric cryptography was considered
> > > too slow to encrypt anything other than a 128 bit number) - and now I
> > > obtain the public key and I use that to encrypt asymmetrically the
> > > entirety of the data stream to my foreign service provider.
> >
> > Hell's bells! Patent that public key algorithm quickly. Anything that fast
> > is worth a fortune! In fairness, you wouldn't want to do this anyway. You
> > might want to generate a Diffie-Hellman keypair, sign it with your long
> > term private key, then use the DH keypair to do continuous El Gamal
> > encryption on the line (Good luck!). In this way the "session key" is your
> > DH keypair.
>
> I understand this is not practical (using asymmetric encryption
> throughout) - but as a thought experiment, it would mean that you at no
> stage possessed a private key for decrypting the message. The idea is that
> I may be immune from an S.46 if I never possess a private key (and
> therefore only conduct a one-way conversation). The other party in the
> conversation (being a foreign CSP) and therefore the party that would
> possess the relevant private key - would also be immune because they were
> not UK-based - that's the idea anyway - I don't know if it has holes in.

But you are _always_ immune if you are the sender, because you never have the private key in that case (which is, of course, why this stuff is so objectionable: the wrong person gets criminalised), so there's no need to jump through hoops to achieve this effect.

> > This is the way that the TLS ciphers using Ephemeral Diffie Hellman work,
> > although they use the DH pairs to perform symmetric key exchange. I
> > don't know if the defence "But I've only used to keys to sign data" would
> > hold up in court. The judge may decide that the signature has "aided and
> > abetted" the encryption process, and is therefore seizable under S.46.
>
> There is no actual difference between a signature key pair and an
> encryption key pair... both are used to encrypt data (in one case only a
> hash admittedly). But if you outlaw one and not the other -
> people/programs will only start slipping snippets of non-hash information
> into the sig - and all of a sudden it becomes an encryption key-pair.

Well, that's the whole point of chaffing and winnowing, of course.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

From ben@algroup.co.uk Sat, 01 Apr 2000 09:43:48 +0100
Date: Sat, 01 Apr 2000 09:43:48 +0100
From: Ben Laurie ben@algroup.co.uk
Subject: Proceedings of RIP standing committee (28/3 AM)

Charles Lindsey wrote:
> I am less convinced that they have any right to require an ISP to
> put together several packet streams coming in on different lines. I
> would have thought they would have to identify specific points in the
> "telecommunication system" and ask to see all packets with certain
> ISP addresses passing that point. They can, however, expect the ISP
> to explain the topology of the network to them fully, I should think.
> Perhaps Richard Clayton could comment further.

The problem is that any significantly large IP network involves switching (or, indeed, routing). This means that there is _no_ single point which all packets can be expected to traverse. So, the whole thing becomes incredibly expensive and unwieldy because you have to tap at a large number of points.

This applies to small networks, too, but at least for small networks switching is optional. It isn't for big ones.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html

From graham@barnowl.demon.co.uk 01 Apr 2000 09:11:15 +0000
Date: 01 Apr 2000 09:11:15 +0000
From: Graham Murray graham@barnowl.demon.co.uk
Subject: Proceedings of RIP standing committee (28/3 AM)

Roland Perry writes:
> By going to the ISP they can get all the email on its way to the subject

Unless the sender is sending the mail directly to the recipient while they are both online. I know that senders should follow the MX records, but I sometimes receive connections on port 25 from sites other than those listed in the MX records for my host. Whether or not such connections should be blocked is a different question, but it shows that it is possible to send email without going through the ISP's mail servers.

From graham@barnowl.demon.co.uk 01 Apr 2000 09:14:00 +0000
Date: 01 Apr 2000 09:14:00 +0000
From: Graham Murray graham@barnowl.demon.co.uk
Subject: OpenPGP key revocations

Nicholas Bohm writes:
> 0x02 is clearly correct but in asserting a compromise probably infringes a
> "no tipping off" requirement, since the disclosure that effected the
> compromise is what must be kept secret.

Why can 0x02 not be used? All this indicates is that the key has been compromised, it does not indicate *how* it was compromised. There are many other possibilities other than the warrant.

From ben@algroup.co.uk Sat, 01 Apr 2000 10:38:46 +0100
Date: Sat, 01 Apr 2000 10:38:46 +0100
From: Ben Laurie ben@algroup.co.uk
Subject: Jack Straw educational supplement

Julian Assange wrote:
> kukri: a short stabbing knife, often used by Gurkha soldiers.

Actually, it is more like a small, slightly hooked machete. You slash with it, not stab. Only one side (the inside) is sharp. The tip isn't, particularly. Quite heavy. Vicious!

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html

From roland@linx.net Sat, 1 Apr 2000 08:44:50 +0100
Date: Sat, 1 Apr 2000 08:44:50 +0100
From: Roland Perry roland@linx.net
Subject: Home Office question on wiped rather than encrypted data.

In article , David Hamilton writes
>The policeman could claim that you had kept a file (I'll call it 'fred' in order
>to avoid confusion with any other files) that when XORed or ORed or
>ANDed (or something like that) against hex E5 would produce the
>'protected information' (ie an encrypted file that you were claiming was
>wiped - and then overwritten with hex E5s). You encrypt 'fred' and then
>used steganography to hide it.

I'm sorry but this makes no sense to me, I can't understand the process involved. Are you saying that:

[something I want to hide] -> [coding process] = [lots of E5, and nothing but E5]

and thus

[same lot of E5] -> [decoding process] = [The hidden thing] ?

Other than one in a trillion chance, or only the possibility of one different hideable thing per formatted disk block [1], I can't see any mathematical possibilities here.

[1] How big are they these days - 4k bytes perhaps?
--
Roland Perry

From roland@linx.net Sat, 1 Apr 2000 08:47:18 +0100
Date: Sat, 1 Apr 2000 08:47:18 +0100
From: Roland Perry roland@linx.net
Subject: GTAC to cost £25m - Home Office 27/3/ 2000

In article <3.0.5.32.20000331225326.00c2e3d0@mail.netkonect.co.uk>, Nicholas Bohm writes
>We have had our dogs microchipped. I can't at present see the threat to
>our privacy, confidentiality, etc, that this entails. Am I missing something?

Well, does your dog have privacy rights? And can we assume that where the dog goes, you go too? So when there are devices in the street that track your dog where-ever he goes, does anyone care?

"Oh look -- Nick's dog has just got on the 8.45 to Kings Cross, we can make a good guess that Nick has too."
--
Roland Perry

From richard@turnpike.com Sat, 1 Apr 2000 10:55:09 +0100
Date: Sat, 1 Apr 2000 10:55:09 +0100
From: Richard Clayton richard@turnpike.com
Subject: Proceedings of RIP standing committee (28/3 AM)

-----BEGIN PGP SIGNED MESSAGE-----

In article <200003311847.TAA10064@clw.cs.man.ac.uk>, Charles Lindsey writes
> On Fri, 31 Mar 2000 15:22:07 +0100
> Richard Lamont said...
>
>> Perhaps Simon Watkin would care to tell us: Why does HMG need
>> to intercept anything anywhere other than at the physical layer,
>> the 'last mile' of which is (by definition) always provided by a
>> PTO? What traffic can they get from ISPs that is not already
>> available via a conventional 'phone tap'?

One of the reasons for tapping at ISPs rather than on the "last mile" would be if the person they wished to intercept was moving around - from hotel to hotel perhaps. You would not know, until they called in, which local loop you wished to intercept.

As was discussed a few days ago, there are similar scenarios with the use of mobile phones -- if the mobile is only used once for ISP access (not cheap, but possible) then again you'd not be able to set up the intercept beforehand.

One could speculate about the use of computers in exchanges to set up an intercept very rapidly ... but I don't know whether it is practical to intercept a V90 call in "the middle" ... you may need to listen to the initial negotiation between the modems.

The point I was making at SFS2000 was not that there is _never_ any need to intercept at the ISP ... but that targets who would require that capability would be the *unusual* cases. Requiring pre-positioning of kit at all (major) ISPs in order to handle these unusual cases does not look like value for money to me :(

The value for money may be particularly poor when one considers that the bad guys who are moving around for security reasons may be taking steps to ensure that, even if intercepted, their traffic is of limited value to the authorities.
One might note, and I haven't seen this observation before, that since POP3 mailboxes can usually be accessed from anywhere the serious evader of interception might change ISP for each call... Of course many of the "virtual" ISPs (VISPs) share the same infrastructure (eg a BCS system uses the same kit as demon.co.uk) but if well-informed then one could certainly make a few dozen calls to the Net before re-using the same company's kit.

Since a lot of ISPs are free to join, one doesn't even have to assume the bad guys have the cash for this approach ... perhaps we should start to lock up anyone with more than 5 "joining offer" CDs ? conspiracy to evade interception :)

>Mainly because they can get a sight of your POP mailbox (with the right
>kind of warrant).

Intercepting email (one would do it just before it went into the POP mailbox) is straightforward. Since not everyone runs a bog standard sendmail it won't be quite the same straightforward "spell" in every ISP but I think it unlikely that people would have to recode the MTA to provide the facility - it would just require some config/scripting changes. ie: it would be pretty cheap.

Of course, if your POP3 mailbox is in another jurisdiction then it may not be possible to look at it. If so, then intercepting the IP stream is necessary to see the traffic. However, if the data stream is secured (and everyone should surely have downloaded their 128 bit encryption by now) then seeing the traffic may do you no good.

>Also because the point at which the kilostream enters
>the ISP (if that's where it goes) is probably a good place to do the tap
>(nice comfortable premises, and all that).

The kilostream will arrive with 29 others in the same cable (but would be relatively straightforward to pick out). Once that wire has been plugged into the kit at the ISP the problems begin... the other side of that box may be IP or it may be IP over ATM.
Whatever it is, the traffic will now be mixed in with hundreds if not thousands of other customers. It may well be leaving the box by more than one interface ... and of course if the destination is another kilostream then it will never leave the box at all, but will be sent straight out of the ISP again.

>I am less convinced that they have any right to require an ISP to
>put together several packet streams coming in on different lines.

If it is "reasonably practical" then they can -- however, they may do this themselves rather than asking the ISP to do it. The only difference would be the bandwidth required from the ISP to Thames House (or Cheltenham or wherever).

>I
>would have thought they would have to identify specific points in the
>"telecommunication system" and ask to see all packets with certain
>ISP addresses passing that point.

If the Secretary of State serves a section 12 notice specifying some specific actions and/or capability, then you will be assumed to have taken that action, deployed that kit or whatever - and the "reasonably practical" will be judged on the basis that you have done that.

>They can, however, expect the ISP
>to explain the topology of the network to them fully,

I cannot see anything on the face of the Bill that requires this. The ISP being public spirited may wish to co-operate -- or indeed may wish to labour the complexity of their individual circumstances in order to ensure that the section 12 notice is not unreasonably phrased -- but I can see nothing that requires what may well be commercially sensitive information to be shared with the Secretary of State.

My impression has been that there was a feeling that all ISPs were alike and that a "one size fits all" solution would be available. This misapprehension has, I think, begun to be dispelled. There is little commonality between the networks and infrastructure of the large ISPs.

>I should think.
>Perhaps Richard Clayton could comment further.
you tempted me :) but it's longer than I intended

- --
richard writing to inform and not as company policy

fewer than 20 MPs still need adopting: http://www.stand.org.uk/

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQCVAwUBOOXHfalbUjjcq7SFAQFngAP9FNqKUbKlJBPiudZ/viJdEiPY32eFgzZb
2/cCWMK44wWPfYADGwMEUU2ITJzy4DuaWZg3sEAb56wzyzE1gOKfCRxfV8+n23/3
NTftT7EoyNSYQMLT7/lzOy8rMBYfFwhllDCYHotjOoAbSGD0S8x0L2GPIJcaHsmb
+vpV+Tytv+M=
=PhJE
-----END PGP SIGNATURE-----

From cb@fipr.org Sat, 1 Apr 2000 11:22:19 +0100
Date: Sat, 1 Apr 2000 11:22:19 +0100
From: Caspar Bowden cb@fipr.org
Subject: Response from E-Envoy to RIP from today's Guardian

http://www.newsunlimited.co.uk/uk_news/story/0,3604,154423,00.html

E-envoy has sundry strings to his mandolin

....It is easy to see, when he talks about controversial policies, what made him so attractive to politicians. What he says, written down, sounds pure Sir Humphrey. But discussing the government's bill to regularise the tapping of email and compel access to encrypted computer files, he says wonderful things like: "I think the fuss is overstated. I think that the wilder allegations that nobody will come and do business in the UK are over the top.

"I think it reassuring that the Home Office is interested in finding a reasonable and practical solution. Some of the wilder statements have actually been unhelpful. The power to require keys or plaintext material only arises when something has been lawfully intercepted.

"Secondly, in all normal circumstances a company is required to hand over plain text rather than hand over keys. It's absolutely clear that nobody who is a legitimate, innocent person is going to have anything to fear."
From freddied@compuserve.com Sat, 1 Apr 2000 05:32:22 -0500
Date: Sat, 1 Apr 2000 05:32:22 -0500
From: Freddie Dawkins freddied@compuserve.com
Subject: Response from E-Envoy to RIP

Jeremy/all here -

I don't know much about the detail of Anchor Key but as I understand:

IBM came up with the idea to get around export controls from the US.

They went to various govts in Europe/the world and suggested:

Get someone you trust - like GCHQ? - to generate a unique key for the UK etc etc.

This key would be embedded in every user's device/transport? (not sure about how this could work) in that country. So govts would only hold their own National Anchor Key. No-one else's.

It would be a case of:
1. Do you trust your govt?
2. How secure is any national key?

But there will be others here who know far more - so perhaps they could share their knowledge.

It really brings the debate full circle - will we have to accept Key Escrow in some shape or other - or will we try to build an e-commerce world without adequate powers to investigate.

I sat in the Echelon hearings in Bxls a few weeks back and have tracked it and other similar stories for a few years now. My only problem with all of this is the fear that any govt could use its military capability to eavesdrop on legal commercial messages, and then leak them to a competitor favoured by that govt. Duncan Campbell's evidence to STOA and EuroParl certainly suggests this has happened - with US industry being the beneficiaries.

This brings us back to Safe Harbor of course. I don't believe the US will win the day. The technical annexes have still to be drafted and the devil will be in the detail. The Article 29 Group are not going to roll-over and give a blanket exemption to US companies to break every privacy regulation we now have in the EU.

Don't believe everything that has been released on Reuters (highly misleading early reports from the Echelon and Safe Harbor hearings in EuroParl) and elsewhere.
This has mostly been US-inspired briefings to the media to intimidate the EU. It has not worked.

rgds

Freddie

From nbohm@ernest.net Sat, 01 Apr 2000 11:06:32 +0100
Date: Sat, 01 Apr 2000 11:06:32 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: HOME OFFICE RESPONDS AGAIN

At 07:33 PM 3/29/2000 +0100, Roland Perry wrote:
>In article <3.0.5.32.20000329175347.00c6e100@mail.netkonect.co.uk>,
>Nicholas Bohm writes
>>It will decrypt
>>past traffic, but you do not need it to do that, as you can compel
>>decryption of past traffic directly, and it would not be proportionate to
>>demand a key (which gives access to a wide range of traffic) when a notice
>>to decrypt specific traffic would do the job.
>
>If you sent/received something in the past (using the now revoked key),
>and which was lawfully obtained (either by a long standing intercept, or
>some kind of document seizure process) and which now requires you to
>provide a key (assuming all the tests for producing plaintext have
>failed)...
>
>Presumably one of the above doesn't apply?

Sorry, but I don't understand what you're asking. Nor do I understand what you have in mind by "tests for producing plaintext".

My point is that the purpose of the Bill is to enable the authorities to understand what they obtain by interception, seizure, luck, etc. If they need my help to enable them to understand it, they can compel that help. But if I can give that help by decrypting it, that fulfils their need. They do not in that case need to be given the means to decrypt in order to understand the material. They bring it to me and I decrypt it. If they need evidence that ciphertext and plaintext correspond, I can tell them (or give them) the algorithm and a session key limited to that text.

Why do they need a general purpose key? Only if they cannot give me the ciphertext. When is that the case? When they have not yet obtained it.
But that means it is future material; and that cannot be what they want the key for, since they concede I am free to revoke the key so as to ensure that future material is not encrypted under it. So when is a general purpose key justifiably demanded? Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Sat, 01 Apr 2000 11:27:38 +0100 Date: Sat, 01 Apr 2000 11:27:38 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Irish view and public/private keys At 10:01 AM 3/31/2000 +0100, Charles Lindsey wrote: > On Thu, 30 Mar 2000 21:39:45 +0100 (BST) > "J.T.Bradley" said... > >> >> A few questions and scernarios: >> >> + What exactly is the onus on a person with the private key for an >> asymmetrically encrypted message, if served with an S46? >> >> Is it just the private key, or the session key, or the plaintext of the >> message or all 3 or at the discretion of the issuing LEA > >Certainly not the plaintext (that is at your discretion). Private vs >session will depend on how the bill gets amended. At present it just >doesn't say. It requires you to provide a key. If something converts a ciphertext to a plaintext, it is a key and satisfies the statutory obligation in relation to that ciphertext (whether or not it is capable of decrypting any other ciphertext). So a session key satisfies the Bill's requirements whenever you can provide one, which is whenever you have the ciphertext to extract it from. The case where you cannot provide a session key, namely where you haven't got the ciphertext, is the awkward one. 
Where the authorities have the ciphertext they should be obliged to provide it to you so that you can comply by using or providing a session key. Where they do not have the ciphertext, it must be because it is future ciphertext. But they have disclaimed the intention of preventing you revoking your key, and revoking your key should ensure that future ciphertext is not encrypted under it, so that case should not arise and does not justify a demand for a key. So we need two things: production of ciphertext in electronic form as a condition of an obligation to provide a key to it; and removal of any obligation to provide a key to future ciphertext. [snip] Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From ben@algroup.co.uk Sat, 01 Apr 2000 12:03:06 +0100 Date: Sat, 01 Apr 2000 12:03:06 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Proceedings of RIP standing committee (28/3 AM) Richard Clayton wrote: > Since a lot of ISPs are free to join, one doesn't even have to assume > the bad guys have the cash for this approach ... perhaps we should start > to lock up anyone with more than 5 "joining offer" CDs ? conspiracy to > evade interception :) Is evading interception going to be a crime? Or perhaps I should say "avoiding"? Cheers, Ben. 
-- http://www.apache-ssl.org/ben.html From fm@espace.net Sat, 1 Apr 2000 12:42:18 +0100 Date: Sat, 1 Apr 2000 12:42:18 +0100 From: Fearghas McKay fm@espace.net Subject: Proceedings of RIP standing committee (28/3 AM) At 9:11 AM +0000 1/4/00, Graham Murray wrote: >connections should be blocked is a different question, but it shows >that it is possible to send email without going through the ISP's mail >servers. Another more common scenario may be when the ISP is only used for connectivity - the mail servers being elsewhere ie company mail servers/offshore/etc. I have several dialup accounts that I use for access, but I don't use any of their mail servers for outgoing mail, everything goes to my mailserver on another network altogether. f From nbohm@ernest.net Sat, 01 Apr 2000 12:31:59 +0100 Date: Sat, 01 Apr 2000 12:31:59 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: OpenPGP key revocations At 02:36 AM 4/1/2000 +0100, lists@notatla.demon.co.uk wrote: >Nicholas Bohm : > >> At 02:54 AM 3/31/2000 +0100, Ian BROWN wrote: >> >OpenPGP allows you to specify why youhave revoked a key using one of >> >the following list: >> > >> > 0x00 - No reason specified (key revocations or cert revocations) >> > 0x01 - Key is superceded (key revocations) >> > 0x02 - Key material has been compromised (key revocations) >> > 0x03 - Key is no longer used (key revocations) >> > 0x20 - User id information is no longer valid (cert revocations) >> >> 0x02 is clearly correct but in asserting a compromise probably infringes a >> "no tipping off" requirement, since the disclosure that effected the >> compromise is what must be kept secret. > >Are you assuming that only one compromise of a given key is possible ? I think I must have been. >If you posted your key on your web page the day after disclosing it in >response to a S36 notice you could then declare it compromised by the >publication that was not ordered and is not secret. Yes. 
>I once sent a mildly sensitive doc to the wrong email address when I >fumbled my handling of temporary files. You might have an easier time legally >if it appeared to be an accident, but isn't this action legal in any event ? Yes, quite right. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Sat, 01 Apr 2000 12:38:48 +0100 Date: Sat, 01 Apr 2000 12:38:48 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: OpenPGP key revocations At 09:14 AM 4/1/2000 +0000, Graham Murray wrote: >Nicholas Bohm writes: > >> 0x02 is clearly correct but in asserting a compromise probably infringes a >> "no tipping off" requirement, since the disclosure that effected the >> compromise is what must be kept secret. > >Why can 0x02 not be used. All this indicates is that the key has been >compromised, it does not indicate *how* it was compromised. There are >many other possibilities other than the warrant. Yes, I agree; my point was wrong. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. 
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Sat, 01 Apr 2000 12:41:06 +0100 Date: Sat, 01 Apr 2000 12:41:06 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Re: GTAC to cost £25m - Home Office 27/3/2000 At 08:47 AM 4/1/2000 +0100, Roland Perry wrote: >In article <3.0.5.32.20000331225326.00c2e3d0@mail.netkonect.co.uk>, >Nicholas Bohm writes >>We have had our dogs microchipped. I can't at present see the threat to >>our privacy, confidentiality, etc, that this entails. Am I missing something? > >Well, does your dog have privacy rights? Not yet, I think. >And can we assume that where >the dog goes, you go too? No. >So when there are devices in the street that >track your dog where-ever he goes, does anyone care? > >"Oh look -- Nick's dog has just got on the 8.45 to Kings Cross, we can >make a good guess that Nick has too." But I see the point, if chipping is like carrying a live mobile phone. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Sat, 01 Apr 2000 12:52:17 +0100 Date: Sat, 01 Apr 2000 12:52:17 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Response from E-Envoy to RIP At 05:32 AM 4/1/2000 -0500, Freddie Dawkins wrote: [snip] >I sat in the Echelon hearings in Bxls a few weeks back and have tracked it >and other similar stories for a few years now. My only problem with all of >this is the fear that any govt could use it's military capability to >eavesdrop on legal commercial messages, and then leak them to a competitor >favoured by the that govt.
Duncan Campbell's evidence to STOA and EuroParl >certainly suggests this has happened - with US industry being the >beneficiaries. There are other fears too. International email is and will increasingly be used when companies are discussing tax planning, for example. This activity, while perfectly legitimate, can have adverse impacts on government revenues (or "economic well-being", as they like to call it when justifying interception warrants): how confident are you about the Chinese wall between GCHQ and the Inland Revenue? And what about emails between lawyer and client in the course of litigation - like the Spycatcher case, for example. How private would they have been? Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Sat, 01 Apr 2000 13:21:52 +0100 Date: Sat, 01 Apr 2000 13:21:52 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: UK Friendly for e-commerce? At 02:59 PM 3/21/2000 +0000, Ian Miller wrote: >On Tue, 21 Mar 2000, Owen Blacker wrote: >> IANAL, but I seem to recall someone who was (sorry for forgetting >> who :o) saying that statutory obligations overrule contractual ones, so >> presumably, as the keys were divulged under statutory obligation, there >> would be no liability. >Does this apply in all jurisdictions? A lot of civil contracts specify >the law of some US state applies to interpretation. For example, this is >true of a lot of non-disclosure agreements. This is a serious problem, and causes real practical difficulties from time to time. 
An American bank with a UK branch, for example, may be required by the US courts to provide information to US regulators about the customers of the UK branch which involves the commission of criminal offences under UK law. In the long run this sort of thing gets ironed out by bilateral or multilateral trade negotiations, but in the short run it may be a choice of which country will impose the lower fine or shorter jail sentence (or have the most civilised jails). In the case of a non-disclosure agreement, I think most courts would regard there as being an implied exception to the duty of non-disclosure where disclosure was compelled by the order of a court (or other effective legal power) prevailing in the country of residence of the discloser. Many such agreements provide for this expressly, and it is always wise to do so. There will be awkward cases, and you may have to decide which risk is the worse. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From midgley@mednetics.org Sat, 1 Apr 2000 14:01:28 +0100 Date: Sat, 1 Apr 2000 14:01:28 +0100 From: Adrian Midgley midgley@mednetics.org Subject: Re(4): Proceedings of RIP standing committee (28/3 AM) >Unless the sending is sending the mail directly >to the recipient while they are both online. >I know that senders should follow the MX >records >... but it shows that it is possible to send email without >going through the ISP's mail servers. SMTP Direct is a feature supported in VPOP3 certainly, and there doesn't seem to be anything to stop it in sendmail although I haven't mastered that yet.
One of the canards spread about by the NHSIA about SMTP, to persuade people to adopt X.400 which for some odd reason they love, is that SMTP messages are simply thrown into the Internet with no control on where they are relayed, whereas X.400 relays them through a chain... Actually of course each SMTP server has a list of other sites to relay to, and one depends upon the operators to pick people they trust and sites that stay up - no differently from X.400 that I can see. However, I did look at it and note that if there really was a problem then one could choose to use direct transmission - after which I heard nothing more... -- Midgley From roland@linx.net Sat, 1 Apr 2000 11:01:20 +0100 Date: Sat, 1 Apr 2000 11:01:20 +0100 From: Roland Perry roland@linx.net Subject: Proceedings of RIP standing committee (28/3 AM) In article , Graham Murray writes >Unless the sending is sending the mail directly to the recipient while >they are both online. I know that senders should follow the MX >records, but I sometimes receive connections on port 25 from sites >other than those listed in the MX records for my host. Perhaps you are blessed with a static IP number. Few users are. > Whether or not such >connections should be blocked is a different question, but it shows >that it is possible to send email without going through the ISP's mail >servers. Richard Clayton has advised us that 99% of email does in fact go through the ISPs servers. People seem happy to cook up the most convoluted scenarios to show how Part III won't work, it's rather easier to find scenarios from Richard's 1% . The question might then be: if you absolutely need an email in that 1%, is it easier to tap the v90 or the ISP's NAS?
-- Roland Perry From Ross.Anderson@cl.cam.ac.uk Sat, 01 Apr 2000 14:50:57 +0100 Date: Sat, 01 Apr 2000 14:50:57 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Irish view and public/private keys Nick: > a session key satisfies the Bill's requirements whenever you can > provide one, which is whenever you have the ciphertext to extract it > from. > > The case where you cannot provide a session key, namely where you haven't > got the ciphertext, is the awkward one. Where the authorities have the > ciphertext they should be obliged to provide it to you so that you can > comply by using or providing a session key. In practice I expect they won't provide the ciphertext as they won't want you to know which of your correspondents is being watched. Logically Plod should be satisfied if he can send you a key packet (the session key encrypted under your public key) and get back the clear session key. But this is almost as unsatisfactory for him: you might have kept a list of one-way hashes of session keys, so you can identify the messages of interest. It's much less satisfactory for you too. If you don't have such a list then Plod can get you to decrypt keys for all sorts of stuff he has no right to - such as emails from your lawyer. If you do have such a list, there are other problems (e.g. he demands it and then serves further notices). If you look for protocol level fixes, you might end up having to replace PGP with a product that had RIPstop built in (e.g. DMS). But that's not viable for the usual compatibility reasons. And so far, the foreign domicile of the market leading suppliers has been on balance a good things for liberty, so we should think twice before trying to undermine them. The more I think of this the more I believe that the solution lies in tamper-resistant processes. If you implement your crypto in a high-end secure processor such as an IBM 4758 then you can program it so that it just won't decrypt key packets twice. 
If your application has reliable timestamps, program it to reject anything over a week old. Putting the same functionality in a large messy piece of software, whose source code was kept outwith the grasp of Her Majesty's judges, might be enough in most cases. Using tamper-resistance, you have a chance to build RIPstop systems that are compatible with market leading products such as PGP, and without having to persuade NAI to change their spec in ways of which their largest client (the NSA) would vociferously disapprove. Ross From donald@ramsbottom.co.uk Sat, 01 Apr 2000 15:52:23 +0100 Date: Sat, 01 Apr 2000 15:52:23 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Self-incrimination At 19:03 31/03/00 +0100, you wrote: >A few legal questions I hope a lawyer won't mind answering. (Sorry to have >stuffed people's inbox's so much today.) Makes a change from me stuffing everyone's! The answers to your queries are not as clear cut as they used to be, but I'll have a go, though it's some time since I did my basic evidence so I may be rusty! > >Do you have the right to remain silent as a witness, or is it a contempt >of court not to answer the court's questions? In the court itself you can be compelled to answer if so directed by the judge. If you do not you may be held in contempt. However you do not, and cannot be compelled to give evidence as a whole (if you are the accused), so if you elect not to go into the box at all then you cannot be compelled to answer questions. > >Do I have the right not to incriminate somebody else? (spouse, friend, >etc. Someone who I believe to be not guilty). So far as a spouse is concerned you are a competent but not compellable witness, what this means is if you choose not to give evidence against your spouse you cannot be forced to. If you choose to, that evidence is acceptable to the court (in the past a spouse was neither competent or compellable).
So far as any other party is concerned you are both competent and compellable (assuming full age and capacity). > >Does the right not to self-incriminate only apply to testimony/facts in my >head? No it applies to any evidence, but is now qualified by if you do not comment on something on which you later rely in court then adverse inferences may be drawn. Also you can be compelled to give bodily samples for testing which is a form of self incrimination. > >What are my chances if I respond to a decryption notice stating that I >assert my right not to incriminate myself? Or can I only do this after >I've been arrested? Tough, the reversal of the burden of proof puts the onus on you and therefore if you do nothing then you are guilty. You can do it at anytime but the result will be the same your arrest and if you continue formal charge. No doubt David and/or Nicholas will correct any obvious (or not so) errors in the above, as I said I'm a bit rusty on these things. Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Sat, 01 Apr 2000 16:36:33 +0100 Date: Sat, 01 Apr 2000 16:36:33 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Home Office question on wiped rather than encrypted data. SNIP >Plod probably cannot tell, and you probably cannot prove either way. This >should not concern you, however, as you *cannot be found guilty* unless >Plod can prove you had a key. I repeat, Plod must provide evidence to >prove beyond a reasonable doubt that you have or have had a key, otherwise >there is no offence. You *do not* have to prove the information is truly >random, though you may wish to state this in order to increase doubt in >the mind of the judge/jury. So if I have 200 encrypted emails on my HDD and deny to LEA that I have a key or ever had one, (note I do not say I have forgotten it or make any other admission ) I cannot be guilty of the offence?
Surely if this is so then RIP has no teeth and we are all barking up the wrong tree. If what you say is true then we have nothing to worry about as they can never prove you had a key. 46(2) just says they have to have reasonable grounds and uses the word "believes". It goes on to say "by notice on the person whom he believes to have possession of the key" If what you say is true then bare denial will suffice to thwart the bill. I suppose they could use the traffic logs to show messages to-ing and fro-ing, but would this be enough to prove beyond reasonable doubt you had a key, probably not. Am I missing something major here? Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From freddied@compuserve.com Sat, 1 Apr 2000 11:07:07 -0500 Date: Sat, 1 Apr 2000 11:07:07 -0500 From: Freddie Dawkins freddied@compuserve.com Subject: Response from E-Envoy to RIP Nicholas - Good ?'s. Trouble is, do we trust no-one, anytime? There's no such thing as a perfect law. I suppose what we have to decide is: what do we send electronically over public networks and what goes by other, more secure, means? To me, the only really secure way to transmit anything written is face-to-face, handing over documents rather than entrusting them to, say, a courier or the Post Office. Might sound like a backwoods approach, but if something's so sensitive we fear any interception, then that's the way it is. Courts/lawyers are always asking for documents to be produced by, is it, "discovery"? I suppose, being a layman in this area, I tend to think of RIP et al in much the same way. rgds Freddie From DrunkAsFuck@bun.com Sat, 1 Apr 2000 17:10:09 +0100 Date: Sat, 1 Apr 2000 17:10:09 +0100 From: Beer Monster DrunkAsFuck@bun.com Subject: ukcrypto / scramdisk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See below.
Carbon life-form, London - ----- Original Message ----- From: Camilo Mesias To: Beer Monster Sent: Thursday, March 30, 2000 4:28 PM Subject: Re: ukcrypto / scramdisk > Beer Monster > > > > > Yes I have, and I quiet like it. > > > > The problem IS the very fact that it's known... > > Surely you're not advocating security through obscurity? ;-) Part of the battle is proving you're using encryption devices. > I understand that scramdisk leaves no signature on a scrambled > partition, > so you could have a floppy with the encryption software, without > which your PC seems innocuous. > > If you have a LS120 drive then you'll be surprised how much > software/ keys you can put on it. Add a PDA of some kind to act as > a portable keyring-server, that should suit even the most > paranoid. > > I've thought it all over but I'm not paranoid enough to do it. > Besides, I don't fancy losing my HD contents if my PDA gets > stolen/broken. I don't think you understand quiet how ScramDisk works. Because of the way it sets up a ring 0 threading system and hooks into the file system, the VxD MUST be in the \\windows\system\iosubsys directory. The calldowns and hooks are installed installed during the windoze start-up. Don't believe me ? Try a logged boot. When you open the bootlog.txt file and so a search for sd.vxd you'll find it initialize's in a couple of places. It intercepts all dcbconfig changes and sets up an asynchronous event every 0.5 seconds. I'm afraid there's no real way you could hide the fact you're using it even if you do have the executable on the floppy short of removing the vxd when it's not in use. (And then securely wiping of course... =-;O) A simple trace of opened VxDs would show it and checking the directory would show it. It also creates a scramdisk.ini file... erm... The source code is available, but it's the manner in which it works that gives it away. It would be more than possible that write a tool that detects it's use in a weekend. 
Now, I'm sure you see the problem here... > > Cheers > > -Cam > > cxm@altavista.net > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use iQA/AwUBOOYfXylTJQwq2TFMEQJnwACcDICt2Repj8o09dzXUAkuyPDU4poAoKqA UHo8HpO0P2oTE1+g23mNjwqs =3YUp -----END PGP SIGNATURE----- From chl@clw.cs.man.ac.uk Sat, 1 Apr 2000 12:33:44 +0100 (BST) Date: Sat, 1 Apr 2000 12:33:44 +0100 (BST) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Proceedings of RIP standing committee (28/3 PM) On Fri, 31 Mar 2000 18:15:40 +0100 Martin Cooper said... > The minister commended other parts of the bill which provide > statutory defences for disclosure within ones own organisation. Eh? Which parts would those be? Charles H. Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From chl@clw.cs.man.ac.uk Sat, 1 Apr 2000 16:11:37 +0100 (BST) Date: Sat, 1 Apr 2000 16:11:37 +0100 (BST) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Irish view and public/private keys On Sat, 01 Apr 2000 11:27:38 +0100 Nicholas Bohm said... > It requires you to provide a key. If something converts a ciphertext to a > plaintext, it is a key and satisfies the statutory obligation in relation > to that ciphertext (whether or not it is capable of decrypting any other > ciphertext). So a session key satisfies the Bill's requirements whenever > you can provide one, which is whenever you have the ciphertext to extract > it from. Not so. It requires you to provide "the" key. But nowhere does it define which key is "the" key when there is more than one. It will be great fun litigating that one when the time comes. See Charles H. 
Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From s.simpson@mia.co.uk Sat, 1 Apr 2000 17:27:17 +0100 Date: Sat, 1 Apr 2000 17:27:17 +0100 From: Simpson, Sam s.simpson@mia.co.uk Subject: ukcrypto / scramdisk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (Sorry for dragging the list off-topic on this thread, I'll take follow-ups off list, honest!) Actually, you can load the .vxd dynamically without first placing it in \\windows\system\iosubsys on boot-up. It's not recommended (or mentioned...) in the manual because of several obscure restrictions this imposes, but it still works none the less. RE the scramdisk.ini file, I understand that v3 will have the feature to not use an INI file. Once a Scramdisk container has been created and the passphrase changed, it is infeasible (without the passphrase...) to prove that it's not just random data. Again, apologies for the off-topic post. Regards, Sam Simpson IT Operations Manager, MIA Ltd - -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site. > -----Original Message----- > From: Beer Monster [mailto:DrunkAsFuck@bun.com] > Sent: 01 April 2000 17:09 > To: ukcrypto@maillist.ox.ac.uk > Subject: ukcrypto / scramdisk > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > See below. > > > Carbon life-form, > London > > - ----- Original Message ----- > From: Camilo Mesias > To: Beer Monster > Sent: Thursday, March 30, 2000 4:28 PM > Subject: Re: ukcrypto / scramdisk > > > > Beer Monster > > > > > > > > Yes I have, and I quiet like it. > > > > > > The problem IS the very fact that it's known... > > > > Surely you're not advocating security through obscurity? 
;-) > Part of the battle is proving you're using encryption devices. > > > I understand that scramdisk leaves no signature on a scrambled > > partition, > > so you could have a floppy with the encryption software, without > > which your PC seems innocuous. > > > > If you have a LS120 drive then you'll be surprised how much > > software/ keys you can put on it. Add a PDA of some kind to act as > > a portable keyring-server, that should suit even the most > > paranoid. > > > > I've thought it all over but I'm not paranoid enough to do it. > > Besides, I don't fancy losing my HD contents if my PDA gets > > stolen/broken. > I don't think you understand quiet how ScramDisk works. > Because of the way it sets up a ring 0 threading system and hooks > into the file system, the VxD MUST be in the > \\windows\system\iosubsys directory. > The calldowns and hooks are installed installed during the windoze > start-up. > Don't believe me ? > Try a logged boot. When you open the bootlog.txt file and so a search > for sd.vxd you'll find it initialize's in a couple of places. > It intercepts all dcbconfig changes and sets up an asynchronous event > every 0.5 seconds. > > I'm afraid there's no real way you could hide the fact you're using > it even if you do have the executable on the floppy short of removing > the vxd when it's not in use. (And then securely wiping of course... > =-;O) > > A simple trace of opened VxDs would show it and checking the > directory would show it. > It also creates a scramdisk.ini file... erm... > > The source code is available, but it's the manner in which it works > that gives it away. > It would be more than possible that write a tool that detects it's > use in a weekend. > > Now, I'm sure you see the problem here... 
> > > > > Cheers > > > > -Cam > > > > cxm@altavista.net > > > > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 6.5.3 for non-commercial use > > iQA/AwUBOOYfXylTJQwq2TFMEQJnwACcDICt2Repj8o09dzXUAkuyPDU4poAoKqA > UHo8HpO0P2oTE1+g23mNjwqs > =3YUp > -----END PGP SIGNATURE----- > > > -----BEGIN PGP SIGNATURE----- Version: 6.0.2ckt http://members.tripod.com/IRFaiad/ iQA/AwUBOOYlLe0ty8FDP9tPEQI0+ACgldf9M3c91Oi1OERz1ZHC7HU1LCUAn1so 9cC7Yn7bJpcZm8XeRKIlEu6X =WIZu -----END PGP SIGNATURE----- From alloneword@dial.pipex.com Sat, 1 Apr 2000 14:45:28 +0100 Date: Sat, 1 Apr 2000 14:45:28 +0100 From: Andrew Brown alloneword@dial.pipex.com Subject: Re[2]: Jack Straw educational supplement On Saturday, April 01, 2000, at 10:38:46 AM, Ben Laurie wrote: BL> Julian Assange wrote: >> kukri: a short stabbing knife, often used by Gurkha soldiers. BL> Actually, it is more like a small, slightly hooked machete. You slash BL> with it, not stab. Only one side (the inside) is sharp. The tip isn't, BL> particularly. Quite heavy. Vicious! And I think that the shore to shore railway in Uganda is indeed the one that runs from the lake to the Indian Ocean -- can't remember exactly where. -- Andrew mailto:alloneword@dial.pipex.com From David.Hamilton1@btinternet.com Sat, 1 Apr 2000 19:07:51 +0100 Date: Sat, 1 Apr 2000 19:07:51 +0100 From: David Hamilton David.Hamilton1@btinternet.com Subject: Home Office question on wiped rather than encrypted data. Roland Perry > In article , David Hamilton > writes > >The policeman could claim that you had kept a file (I'll call it 'fred' in > >order > >to avoid confusion with any other files) that when XORed or ORed or > >ANDed (or something like that) against hex E5 would produce the > >'protected information' (ie an encrypted file that you were claiming was > >wiped - and then overwritten with hex E5s). You encrypt 'fred' and then > >used steganography to hide it. > I'm sorry but this makes no sense to me, I can't understand the process > involved. 
That might well be my fault. What I meant was; 1) File A is plaintext. 2) Encrypt File A to give File B. 3) We are going to overwrite File B with hex E5s to give File D (nb NOT File C) but not yet. 4) Before overwriting File B with hex E5s, we need to do create another file (File C) that can be applied to File D (all hex E5s) in order to recreate File B. 5) Create File C. I know this is a bit of a cop out - I can't think exactly how to do it ... but I'm sure somebody out there can (if need be). At it's simplest, byte 1 of File C plus byte 1 of File B = hex E5 (byte 1 of File D) etc. File C was 'fred' in my original posting. 6) Overwrite File B with hex E5s to give File D. 7) Encrypt File C to give File E . 8) Hide File E using steganography. (snip) David Hamilton Only I give the right to read what I write and PGP allows me to make that choice. Use PGP now. From midgley@mednetics.org Sat, 1 Apr 2000 14:01:28 +0100 Date: Sat, 1 Apr 2000 14:01:28 +0100 From: Adrian Midgley midgley@mednetics.org Subject: Re(4): Proceedings of RIP standing committee (28/3 AM) >Unless the sending is sending the mail directly >to the recipient while they are both online. >I know that senders should follow the MX >records >... but it shows that it is possible to send email without >going through the ISP's mail servers. SMTP Direct is a feature supported in VPOP3 certainly, and there doesn't seem to be anything to stop it in sendmail although I havn't mastered that yet. One of the canards spread about by the NHSIA about SMTP, to persuade people to adopt X.400 which for some odd reason they love, is that SMTP messages are simply thrown into the Internet with no control on where they are relayed, whereas X.400 relays them through a chain... Actually of course each SMTP server has a list of other sites to relay to, and one depends upon the operators to pick people they turst and sites that stay up - no differently from X.400 that I can see. 

However, I did look at it and note that if there really was a problem then one could choose to use direct transmission - after which I heard nothing more...

--
Midgley

From nbohm@ernest.net Sat, 01 Apr 2000 20:03:48 +0100
Date: Sat, 01 Apr 2000 20:03:48 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: Home Office question on wiped rather than encrypted data.

At 04:36 PM 4/1/2000 +0100, Donald Ramsbottom wrote:
>SNIP
>>Plod probably cannot tell, and you probably cannot prove either way. This
>>should not concern you, however, as you *cannot be found guilty* unless
>>Plod can prove you had a key. I repeat, Plod must provide evidence to
>>prove beyond a reasonable doubt that you have or have had a key, otherwise
>>there is no offence. You *do not* have to prove the information is truly
>>random, though you may wish to state this in order to increase doubt in
>>the mind of the judge/jury.
>
>So if I have 200 encrypted emails on my HDD and deny to LEA that I have a
>key or ever had one, (note I do not say I have forgotten it or make any
>other admission ) I cannot be guilty of the offence? Surely if this is so
>then RIP has no teeth and we are all barking up the wrong tree. If what you
>say is true then we have nothing to worry about as they can never prove you
>had a key.
>
>46(2) just says they have to have reasonable grounds and uses the word
>"believes". It goes onto say "by notice on the person whom he believes to
>have possession of the key"
>
>If what you say is true then bare denial will suffice to thwart the bill.
>
>I suppose they could use the traffic logs to show messages to-ing and
>fro-ing, but would this be enough to prove beyond reasonable doubt you had a
>key, probably not.
>
>Am I missing something major here?

I would think receipt of many encrypted messages with no replies saying "Sorry I can't read this" and perhaps encrypted replies would lead to a convincing inference you had had a key.
This assumes interception as well as seizure of HDD, though.

Regards,
Nicholas

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From nbohm@ernest.net Sat, 01 Apr 2000 20:12:32 +0100
Date: Sat, 01 Apr 2000 20:12:32 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: Response from E-Envoy to RIP

At 11:07 AM 4/1/2000 -0500, Freddie Dawkins wrote:
>Good ?'s. Trouble is, do we trust no-one, anytime? There's no such thing as
>a perfect law.
>
>I suppose what we have to decide is: what do we send electronically over
>public networks and what goes by other, more secure, means?
>
>To me, the only really secure way to transmit anything written is
>face-to-face, handing over documents rather than entrusting them to, say, a
>courier or the Post Office.
>
>Might sound like a backwoods approach, but if something's so sensitive we
>fear any interception, then that's the way it is. Courts/lawyers are
>always asking for documents to be produced by, is it, "discovery"? I
>suppose, being a layman in this area, I tend to think of RIP et al in much
>the same way.

I think the critical point is that RIP demands keys, not specific documents (I have no problem with discovery in litigation, which is relatively specific and excludes legally privileged materials).

The demand for keys turns all past communications over insecure networks from securely encrypted to open. We suspect ECHELON hoovers everything, so cannot get the real benefit of the Internet and are forced back to personally couriered paper.

Not a good Bill.

Regards,
Nicholas

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From dave@xemu.demon.co.uk Sat, 1 Apr 2000 15:48:15 +0100
Date: Sat, 1 Apr 2000 15:48:15 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: HOME OFFICE RESPONDS AGAIN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <3.0.5.32.20000401110632.00938780@mail.netkonect.co.uk>, Nicholas Bohm writes
>Why do they need a general purpose key? Only if they cannot give me the
>ciphertext. When is that the case?

When they have not yet obtained it. When they have received it unlawfully, dishonestly, or through a source they do not wish to compromise by disclosing they have the ciphertext.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOYML38v/Y5zkfRPEQL6tQCgthUoxy8z3ru3htd7JLGGQGeGPy4AniKH
9BGolXKGw0vDiXgrL5UPY+JH
=5/gD
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Sat, 1 Apr 2000 15:57:33 +0100
Date: Sat, 1 Apr 2000 15:57:33 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Irish view and public/private keys

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , Ross Anderson writes
>The more I think of this the more I believe that the solution lies in
>tamper-resistant processes. If you implement your crypto in a high-end
>secure processor such as an IBM 4758 then you can program it so that
>it just won't decrypt key packets twice. If your application has
>reliable timestamps, program it to reject anything over a week old.
>Putting the same functionality in a large messy piece of software,
>whose source code was kept outwith the grasp of Her Majesty's judges,
>might be enough in most cases.

With due respect to your expertise, I have a suspicion that few pieces of software are proof against tampering to the extent of effort needed that a chip is (you'd have to reverse engineer it and duplicate with the safeguards wired out: not impossible if a state is attacking the means of privacy for thousands of dissident groups). And there is a logical contradiction that open source is a really nice protection against hidden backdoors, so obscure material can be turned back-at-cha by hiding backdoors in the same obscurity. If they even get their hands on the executable version, they'll reverse engineer it.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOYOXX8v/Y5zkfRPEQIfegCfRxg4Wo0fYVY+9w/Vi5DCXa7L/U0An3MD
QlQ8vwn/eEcLP+FBFZKQJOS3
=kM/4
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Sat, 1 Apr 2000 15:45:30 +0100
Date: Sat, 1 Apr 2000 15:45:30 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Home Office question on wiped rather than encrypted data.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <9xSyuvAyja54EwUN@netcomuk.co.uk>, Roland Perry writes
>In article , David Hamilton
> writes
>>The policeman could claim that you had kept a file (I'll call it 'fred' in
>>order
>>to avoid confusion with any other files) that when XORed or ORed or
>>ANDed (or something like that) against hex E5 would produce the
>>'protected information' (ie an encrypted file that you were claiming was
>>wiped - and then overwritten with hex E5s). You encrypt 'fred' and then
>>used steganography to hide it.
>
>I'm sorry but this makes no sense to me, I can't understand the process
>involved.
>
>Are you saying that:
>[something I want to hide] -> [coding process] = [lots of E5, and
>nothing but E5]
>and thus
>[same lot of E5] -> [decoding process] = [The hidden thing] ?

Dave Hamilton is wrong because he is missing the idea of information, variability, or entropy as a NUMERICAL MEASURE. The file cannot contain more coded information essential to the message than it contains information at all. If I want a medium to send a message of ten arbitrarily chosen letters, I need a medium with enough variation to convey (26)^10 possible different messages.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOYLin8v/Y5zkfRPEQKHagCg+0DTmR7JRNxGO6Ra43xZyfujGKkAoOio
zX0MVZ4GLjL9i7MyDPMc3mpO
=sfIx
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Sat, 1 Apr 2000 16:10:23 +0100
Date: Sat, 1 Apr 2000 16:10:23 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Response from E-Envoy to RIP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <200004010532_MC2-9F7E-6F9F@compuserve.com>, Freddie Dawkins writes
>This key would be embedded in every user's device/transport? (not sure
>about how this could work) in that country. So govts would only hold their
>own National Anchor Key. No-one else's. It would be a case of:
>
>1. Do you trust your govt?
>
>2. How secure is any national key?

Bugger me, don't do this at all costs!!!! Nothing is absolutely secure but one judges whether we have made breaking it require so much effort THAT IT'S NOT WORTH THE CANDLE FOR THE VALUE PROTECTED. Part of this equation is reducing the value protected per security measure i.e. dispersing different protected materials among different secure systems, so that not too much is lost if/when any single one is compromised.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOYRX38v/Y5zkfRPEQJypwCfSniVEkd8ThqURDtcuXDOxyLB6m8An0KQ
Wqb2XpP01uM0Dh6jphDw6X2G
=upD6
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Sat, 1 Apr 2000 16:00:50 +0100
Date: Sat, 1 Apr 2000 16:00:50 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Proceedings of RIP standing committee (28/3 AM)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , Graham Murray writes
>Roland Perry writes:
>
>> By going to the ISP they can get all the email on its way to the subject
>
>Unless the sending is sending the mail directly to the recipient while
>they are both online. I know that senders should follow the MX
>records, but I sometimes receive connections on port 25 from sites
>other than those listed in the MX records for my host. Whether or not such
>connections should be blocked is a different question, but it shows
>that it is possible to send email without going through the ISP's mail
>servers.

It is realistic if the person has a continuous connection to the Net e.g. via a cable system, and if you can get their current IP number. If the cable provider says "no servers" and gives only dynamic IP viz not full connectivity to the Net, then you're still stuck.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOYPIn8v/Y5zkfRPEQK5pwCcDi69Slci+XXNXGiugX1ioQiYKScAoPEj
cZucshFpwhO4jmP8AxZGSaRD
=DrYe
-----END PGP SIGNATURE-----

From phr@doc.ic.ac.uk Sat, 01 Apr 2000 21:16:36 +0100
Date: Sat, 01 Apr 2000 21:16:36 +0100
From: Philip Rowlands phr@doc.ic.ac.uk
Subject: Burden of Proof

Dave Bird wrote:
>
> I think perhaps what the Home Office meant to say was:
> "anyone who, at the time they become aware such a notice is being served,
> has possession of the key......."

No, they mean what the Bill says, but provide the defence.

> Is destroying a key instead of giving access meant to be an offence?

Certainly. You meet both criteria of the offence, and you can't use the "no key" defence (S49(2)-a), which is phrased as follows:

(2)(a) ... it shall be a defence ... to show ...that the key was not in his possession after the giving of the notice ...

If you have the key at the instant you are served the notice, this defence cannot apply. (When I say have, I mean have practical access to.)

Phil

From phr@doc.ic.ac.uk Sat, 01 Apr 2000 21:56:48 +0100
Date: Sat, 01 Apr 2000 21:56:48 +0100
From: Philip Rowlands phr@doc.ic.ac.uk
Subject: Home Office question on wiped rather than encrypted data.

Donald Ramsbottom wrote:
>
> So if I have 200 encrypted emails on my HDD and deny to LEA that I have a
> key or ever had one, (note I do not say I have forgotten it or make any
> other admission ) I cannot be guilty of the offence?

We were talking about secure wiping, but in this case I think Plod might have enough circumstantial evidence to prove you did have a key.

> Surely if this is so then RIP has no teeth and we are all barking up the
> wrong tree. If what you say is true then we have nothing to worry about
> as they can never prove you had a key.

Unless you're an innocent, law-abiding honest person, and admit you've forgotten your password. I don't think we're barking up the wrong tree; I think there has been some misunderstanding and over-generalisation about the circumstances that burden of proof is reversed.

> 46(2) just says they have to have reasonable grounds and uses the word
> "believes". It goes onto say "by notice on the person whom he believes to
> have possession of the key"

Yes; Plod should have good cause to serve a notice on you.

> If what you say is true then bare denial will suffice to thwart the bill.

A criminal who uses the "random number" defence (as we might call it) will have an advantage over Plod who must prove he [the criminal] has a key.

> I suppose they could use the traffic logs to show messages to-ing and
> fro-ing, but would this be enough to prove beyond reasonable doubt you had a
> key, probably not.
>
> Am I missing something major here?

No, if I read your words correctly you have concluded that the Bill is Not Very Good, which is bang on target.

Phil

From midgley@mednetics.org Sun, 2 Apr 2000 00:07:05 +0100
Date: Sun, 2 Apr 2000 00:07:05 +0100
From: Adrian Midgley midgley@mednetics.org
Subject: Home Office question on wiped rather than encrypted data.

>I would think receipt of many encrypted messages with no replies saying
>"Sorry I can't read this" and perhaps encrypted replies would lead to a
>convincing inference you had had a key. This assumes interception as
>well as seizure of HDD, though.

So the exact manner of the reply that this could not be read would be suspected of containing a coded message confirming receipt and/or action.....if there were many of them.

This way lies madness.

No, madness lay a little way back along this path.

I sent my MP some encrypted text, I am not prepared to say that he does not have the key to it, nor that it does not contain material of significance. I _am_ aware he has a sense of humour.

From hopwood@zetnet.co.uk Sun, 02 Apr 2000 06:52:03 +0100
Date: Sun, 02 Apr 2000 06:52:03 +0100
From: David Hopwood hopwood@zetnet.co.uk
Subject: Non-interactive forward secrecy (was Response from E-Envoy to RIP)

-----BEGIN PGP SIGNED MESSAGE-----

Nicholas Bohm wrote:
> I think the critical point is that RIP demands keys, not specific documents
> (I have no problem with discovery in litigation, which is relatively
> specific and excludes legally privileged materials).
>
> The demand for keys turns all past communications over insecure networks
> from securely encrypted to open.

I'm currently working on developing encryption schemes with "non-interactive forward secrecy", i.e. a way to prevent previous encrypted data from being exposed when a private key is compromised, in cases where an interactive protocol can't be used.

Techniques for achieving forward secrecy in key agreement algorithms are well known, and it's possible to do something similar for non-interactive encryption by updating public keys frequently, but that would involve significant extra overhead in key management. The aim of a non-interactive forward-secret encryption algorithm is to remove this overhead.

Basically this works as follows:

- a single (quite small) public key can correspond to many private keys,
- each private key is designated for use in a specific time period,
- when a message is encrypted, the current time period is an input to the encryption function,
- private keys are deleted as the corresponding time periods expire (alternatively, there is a one-way function that can be used to go forwards in the list of private keys, but not backwards).

There is no lower limit on the length of a time period, so in practice keys only need to be retained for long enough to make sure that a key will not be deleted while messages that can be decrypted by it are still in transit.

For example, if email to Bob is typically in transit for no more than 24 hours end-to-end (that would in practice require that Bob checks for email at least twice a day), then it would be possible to prevent the exposure of emails sent more than (24 hours plus a small fudge factor) before Bob's remaining private keys are compromised. A message that takes longer than this to be transmitted cannot be read by anyone, and would have to be re-sent in a later period.

A related property is "backward secrecy", which allows the information needed to reconstruct "future" private keys to be kept off-line (and therefore potentially more secure).

Without going into technical details that would be off-topic for this list, the status of this research at the moment is that there is a scheme based on the Diffie-Hellman problem, which is practical in all respects except possibly key generation. Suppose for example that key generation takes O(n) operations; then the cost for an attacker who has compromised at least one of the keys to find a key for a different time period (or decrypt messages for that other time period), is O(n^2). This is probably not enough for the truly paranoid, but it would be enough to foil attackers with moderate funding and resources, if the keygen was chosen to take about 2^30 steps.

The cost to an attacker who has *none* of the private keys is completely infeasible; in that case the scheme can be proven as secure as DHAES (an existing encryption algorithm based on the Diffie-Hellman problem, similar to Elgamal). Apart from key generation and the amount of private key information that needs to be stored, the scheme is about as efficient as DHAES or Elgamal.

It's interesting to note that the O(n) vs O(n^2) advantage against an attacker is the same as for Merkle's puzzle system, which was an early attempt to show the feasibility of public key systems. I'm also working on another scheme with a much better advantage against attackers, if it works.

And yes, this research was inspired fairly directly by part III of the E-commerce bill and RIP :-)

- --
David Hopwood
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOObf8TkCAxeYt5gVAQGbTQgAtWW6pef8zqLs/ah3r9OiNV4g5uT8POo8
aBXBwUZ1sPGRXzMxWVzX3LP9bi9qcKKtvPv9IgkgIAS4SaGyGmT8Czb+Xo9jZltZ
oFg0BuFfBoL1/sVQAXtP0Q+hkLiwRlkflSHRu259sU2PjKR3i0A1sQskgM3PhRRP
kaR/CGyGegIdiZmXS7x3/9GlzaGXvCMJAhkAiwTkXR57Y9ZZMSajZl1OBxM+EV9k
5hd7lfd9AZo0i866KjzzrMkVz9DcTPK2y9OQrstGzqHfnRzizhmMOMo+J7hYlaxM
g8/wHzSZ+zl8jqMNv3ghckCK0zorhLEoj8IPyP/98/Hu3L7w5R9GiA==
=Owxl
-----END PGP SIGNATURE-----

From ben@algroup.co.uk Sun, 02 Apr 2000 12:18:00 +0100
Date: Sun, 02 Apr 2000 12:18:00 +0100
From: Ben Laurie ben@algroup.co.uk
Subject: Non-interactive forward secrecy (was Response from E-Envoy to RIP)

David Hopwood wrote:
> - private keys are deleted as the corresponding time periods expire
> (alternatively, there is a one-way function that can be used to go
> forwards in the list of private keys, but not backwards).

This would be a bad idea, coz once an attacker had a single private key, they would have all future ones. The private keys need to be independent, which would suggest, on information-theoretic grounds, that the public key would necessarily be large. Indeed, I can't see any practical difference between this and simply publishing a large set of public keys with validity periods.

But I may be missing something.

Cheers,
Ben.

--
http://www.apache-ssl.org/ben.html

From David.Hamilton1@btinternet.com Sun, 2 Apr 2000 12:24:44 +0100
Date: Sun, 2 Apr 2000 12:24:44 +0100
From: David Hamilton David.Hamilton1@btinternet.com
Subject: Home Office question on wiped rather than encrypted data.

Dave Bird wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In article <9xSyuvAyja54EwUN@netcomuk.co.uk>, Roland Perry
> writes
> >In article , David Hamilton
> > writes
> >>The policeman could claim that you had kept a file (I'll call it 'fred' in
> >>order
> >>to avoid confusion with any other files) that when XORed or ORed or
> >>ANDed (or something like that) against hex E5 would produce the
> >>'protected information' (ie an encrypted file that you were claiming was
> >>wiped - and then overwritten with hex E5s). You encrypt 'fred' and then
> >>used steganography to hide it.
> >
> >I'm sorry but this makes no sense to me, I can't understand the process
> >involved.
> >
> >Are you saying that:
> >[something I want to hide] -> [coding process] = [lots of E5, and
> >nothing but E5]
> >and thus
> >[same lot of E5] -> [decoding process] = [The hidden thing] ?
>
> Dave Hamilton is wrong

(snip)

Wince. This started from talking about a final wipe of hex E5 over an already wiped area of disk. I said "Then hopefully RIP will be changed to accept a string of hex E5s as proof that secure wiping has taken place and that the data isn't encrypted ... but I doubt it."

And Roland Perry then commented "It does this already. In what circumstances could a policeman claim that a not-file consisting entirely of E5's was 'protected information'?"

Well, on the surface (get it?) a string of hex E5s is a string of hex E5s. But I then talked about logical operations being carried out on the file before the final hex E5 wipe in order to be able to recreate the file before the final hex E5 wipe. In addition, (something I've only just thought of) presumably it is possible to 'look under' the final hex E5 wipe to see what was there before?

So, I think my original point of a string of hex E5s NOT being taken as proof of secure wiping is accurate - any LEA would be idiotic to assume this. But Roland's point of 'protected information' (given its definition?)
is probably not covered by what I've previously written. I'm struggling. Unless anyone wants to see me publicly flogged, I think I'll drop this point!

David Hamilton
Only I give the right to read what I write and PGP allows me to make that choice. Use PGP now.

From lists@notatla.demon.co.uk Sun, 2 Apr 2000 13:14:52 +0100
Date: Sun, 2 Apr 2000 13:14:52 +0100
From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk
Subject: Home Office question on wiped rather than encrypted data.

"David Hamilton" :

> Well, on the surface (get it?) a string of hex E5s is a string
> of hex E5s. But I then talked about logical operations being
> carried out on the file before the final hex E5 wipe in
> order to be able to recreate the file before the final hex
> E5 wipe. In addition, (something I've only just thought of)
> presumably it is possible to 'look under' the final hex E5
> wipe to see what was there before?

It is possible to read what was under the final hex E5 wipe, but not merely using software. See Stefek Zaba's post of 24 March; Re: BBC Online 24/3/2000: "MI5 laptop snatched".

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Bill Frantz wrote in 1996, apparently working from that paper:

The analysis techniques for disks examined were Magnetic Force Microscopy (MFM) and its close cousin, Magnetic Force Scanning Tunneling Microscopy (STM). "It is possible to build a reasonably capable SPM for about US$1400, using a PC as a controller." (See http://www.skypoint.com/~members/jrice/STMWebPage.html) This cost is conceivably within the range of a high school student.

> So, I think my original point of a string of hex E5s NOT being
> taken as proof of secure wiping is accurate - any LEA would
> be idiotic to assume this.

If Plod believes you have the above microscope gear and intend to check for previous contents of your disks after he has left then he's assuming a high tech attempt at hiding - much higher tech than burying a box of floppies at night somewhere other than your garden.

The E5 chars referred to are not really relevant to this - they hold no data.

From davidh@spidacom.co.uk Sun, 2 Apr 2000 14:26:10 +0100
Date: Sun, 2 Apr 2000 14:26:10 +0100
From: David Hansen davidh@spidacom.co.uk
Subject: Response from E-Envoy to RIP

On 1 Apr 00, at 11:22, Caspar Bowden wrote:

> he says wonderful things like: "I think the fuss is
> overstated. I think that the wilder allegations that nobody will come
> and do business in the UK are over the top.

I don't recall someone making such a claim. Exaggerating opponents' claims and then criticising them is a well known diversionary tactic.

> The power to require keys or plaintext
> material only arises when something has been lawfully intercepted.

This is something that can only be sorted out in court, by which time it is too late.

> "Secondly, in all normal circumstances a company is required to hand
> over plain text rather than hand over keys.

Then this should be specified in the Act, together with the circumstances in which a key will be stolen instead.

> It's absolutely clear that
> nobody who is a legitimate, innocent person is going to have anything
> to fear."

This is patronising and stupid nonsense. Judith Ward and Stefan Kiszko are two examples of people who had nothing to fear.

David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E

From dave@xemu.demon.co.uk Sun, 2 Apr 2000 12:55:52 +0100
Date: Sun, 2 Apr 2000 12:55:52 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Home Office question on wiped rather than encrypted data.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , David Hamilton writes
>Wince.
This started from talking about a final wipe of hex E5 over an
>already wiped area of disk. I said "Then hopefully RIP will be changed to
>accept a string of hex E5s as proof that secure wiping has taken place and
>that the data isn't encrypted ... but I doubt it."
>And Roland Perry then commented "It does this already. In what
>circumstances could a policeman claim that a not-file consisting entirely of
>E5's was 'protected information'?"
>Well, on the surface (get it?) a string of hex E5s is a string of hex E5s. But
>I then talked about logical operations being carried out on the file before the
>final hex E5 wipe in order to be able to recreate the file before the final hex
>E5 wipe. In addition, (something I've only just thought of) presumably it is
>possible to 'look under' the final hex E5 wipe to see what was there before?

I think I'm with you. If the equipment just reads a string of E5s then you have only a string of E5s which contains very little information other than the number of E5s. But the government (and you) might take the drive away and mess with it using special amplifiers to say "what bits do you think lay here before the E5s". I wouldn't recommend this as a routine measure, as the recovery rate is likely to be < 100%.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOOc1SH8v/Y5zkfRPEQIM0ACfetjCWBjn97dZdvuXadhed1RnBNEAn0uX
IAurCCjAsnqggBYD2dyDMOgj
=VsYj
-----END PGP SIGNATURE-----

From davidh@spidacom.co.uk Sun, 2 Apr 2000 18:36:15 +0100
Date: Sun, 2 Apr 2000 18:36:15 +0100
From: David Hansen davidh@spidacom.co.uk
Subject: Stolen Enigma

The BBC is reporting that an Enigma has been stolen from Bletchley Park when it was open yesterday. They say it is only one of three in the world, but this may be because it is an Abwehr Enigma.

Presumably stolen to order, though any collector wouldn't be able to do much with it except look at it in a locked room.

David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E

From dave@xemu.demon.co.uk Sun, 2 Apr 2000 19:30:37 +0100
Date: Sun, 2 Apr 2000 19:30:37 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: SFS2000 short (biased, personal) write-up, part two

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , Dave Bird writes:
>SCRAMBLING FOR SAFETY 2000. at the London School of Economics, on Weds
>2000/mar/21 [I have 15 pages of handwritten notes so this report is
>likely incomplete, personal & biased - DB, mar2000]. Enter 10mins late

(5)Oliver Heald MP, opposition spokesman [Tory]. The only other country I know introducing such powers is Zimbabwe. We need proportionate powers to investigate crime without putting excessive burdens on individual liberty or wealth-creating industry. The bill has been hard going, we are now on the interception powers in clause 12. Packet switching is not easy to intercept and some forms of access are particularly hard to: adding more than minimal effectiveness soars rapidly in cost. We don't want anything made law unless the govt know the technical means, the cost, and how it will be paid; we want any related orders to be fully debated. Notices should be checked for technical competence before they are issued, if disproportionate or burdensome they should have recourse to the courts [possibly in closed session]. Too many people even down to local councils can apply for warrants. Data about communications should be narrowed down to address & traffic information, be only used in serious cases, and recognise that not everyone is technically set up to provide it. Decryption should be narrowed to such key or plaintext as is needed to open the specified document(s) only, again limiting the period and the people who can apply. Clause 49 definitely does reverse the burden of proof AND establish an absolute offence without need of "guilty mind".
It should need proof of "an intention to prevent access to the data" for which past dishonesty or concealment would be relevant. [as they are to establish knowingly handling stolen goods]. The bill is a complete mish-mash with the who, how and why all wildly different between traffic, and content, and decryption - as if done by 3 teams of people who didn't talk to each other. It really should be unified.

(6)Richard Allan MP, LibDem spokesman. I approach this as a shameless Liberal, and don't take kindly to being called a friend of the pedophile whenever I defend individual liberties. At least this puts all interception on a statutory footing meant to comply with the ECHR, which can be quite complicated to comply with. Warrants should be issued by judges not ministers, with full accountability, and we should consider what a government of evil intent might do with the powers we create. "Safeguarding the UK's economic interests" is an odd pretext, does this allow almost any industrial espionage? Apparently yes. The police don't understand technology, they want the world as it was not as it is and merely say "make it happen", and the H.O. say "yes". Business and comms are mobile, E-Commerce will flourish... just not in backward dumps like Zimbabwe and Britain. Liability of directors is pushing for key escrow by the back door. Traffic of itself can do harm e.g. "minister's phone called sex chat-line" Is anything sent by email "merely email content" e.g. all my banking transactions? What if the data is overseas, what if the main key is not even at the client machine? Generally a real crime involves real actions i.e. a drug deal with them and the drugs in a physical place, and we should go after that rather than communications.

(7) ISP TECHNICAL. Richard Clayton from Demon Internet / THUS [formerly Scottish Telecom]. ISPs are not affected by Part2 on non-telecomms snooping, or part 3 on making users decrypt material.
The system will be end to end encryption, we couldn't afford the insurance to hold users' keys. In clause 53 we need a proper defence. In part III we need permission to tell the people whose work is needed to get the data. ISPs are worried about Part I, chapter 1, interception, S(12), and S(12) notices, chapter 2, comms data, S(21), and S(21) notices. You have to co-operate with the minister, you do not have to do what is impracticable, but that excludes capabilities he has instructed you to get which he may - not must - pay for. And is it value for money? Police need to read email but end up demanding the whole IP stream. There is a further "opportunity cost" to the company, and ultimately to the country, that the limited supply of techies are tied up doing this rubbish rather than things useful to commercial growth. There is nothing that restricts what is seized to what is necessary; no time limit; no test of practicability; no guarantee of payment; no standard form of notice. And a huge list of trivial grounds for notices. On chapter 1, we await the arrival of the regulations, and we need two rounds of consultation to get them into shape. On ch2 frankly we await the arrival of some common-sense.

(8) Ian Walden, alliance for electronic business. [this is a federation of CBI, Computer Software and Services Association, etc]. We welcome the framework for internal interception i.e. businesses legitimately supervising employees, legitimately monitoring traffic against system mis-use, exclusion of signature keys, & a tort of wrongful interception. Consultation is required for new orders under the bill. In the USA the press-ganged policing is paid for in full, estimate $500M: if the cost is not paid the order should not be allowed. The scope of comms data [in USA "call identifying information"] should be greatly reduced. We need guarantees on disclosed keys. And we want E-Commerce to work; but this bill is seen as key escrow by the back door.

(9) ISP LEGAL.
Paul Renney, of Theodore-Goddard. ISPs have asked us for guidance on how they can co-operate with legitimate law enforcement needs, without completely throwing away privacy. Is the minister going to require interception capacity from everyone? It is useful that the opposition want users represented in the supervision. The govt should cover all costs of training etc they impose, but they offer only to make an "appropriate contribution". Penalties for not complying with orders to do work at your own expense include orders for performance and even "any other appropriate relief". Anyone receiving a Notice has to comply, though they do not have to do the impractical. (10) PANEL DISCUSSION. Nigel Hickson, DTI ; John Wadham, NCCL; Steve Thomas APACS; Danny O'Brien Stand website; Chris Bayliss APC. (a) John Wadham [Liberty]: we welcome the bringing of all interception under specific, human rights compliant, statute rather than unregulated "informal cooperation", as we have been demanding for some time. That said, we oppose many of the details of the bill, and are drafting a lot of the amendments. The govt have been compelled by the HRAct to do this, or they would face chaos defending actions case-by-case with no law in place. However, since 1985 no complaint has been upheld by the present tribunals, so there must be something badly defective either in all the complaints or in the tribunals. Part3 reversing the burden of proof needs complete re-writing. But the bill is progress of a sort, because ten years ago when I took office nobody in the mainstream would even talk to me about phone-taps. This bill is not the answer, but it is a beginning. (b) Richard Riley & Charles Faraman [H.O. Civil Servants] To date committee is at clause six. Chair: It will be a while to 71 then! Riley: Your concerns are being taken up in parliament, there are amendments to 12 and 20-24, you can observe committee on Tuesdays & Thursdays.
M.Hutty: we don't deny the requirement for some sort of interception, but we need to protect operational integrity and have the maximum transparency compatible with that. Dermott: any criminal will keep keys close and proving possession is a real problem. Voice: possessing most other things requires delivering up the thing. Ross Anderson: the precedent could be a Turkish lorry driver who did not give up the PIN number to his mobile phone but was repeatedly seen to have used it. Wadham: I represent Mr. Tomlinson, he has a Psion organiser, when this was brought to him some time later in prison he was unable to recall the password despite several attempts. Brian: ...perhaps we should announce it to taxpayers that people are paying to have their own communications intercepted: justify Government Access to Keys in terms of cost-benefit. Riley: Producing plain-text material will be sufficient, compare asking the bank for account records -- we trust we get true answers. Q: when is it appropriate to ask for keys? Riley: If you can't provide decrypted plain-text in a timely way then it may be proportionate to ask for key. Q: Is it clearly seen that keys will be held, not by large businesses, but by ordinary members of the public? Riley: . Stefan: Can you compel me to do things overseas? Riley: . Stefan: then you are driving people to take their businesses overseas. Q: . Wadham: it was only possible then because there was no enforceable right to privacy. Caspar: My suspicion is they'll "only prosecute you if you are guilty". Then they would know where the key was. But it is easier to grab the key. They can use GAK to access the key, to cover up their use of intrusive surveillance methods. Riley: But then the minister would not say in almost all cases production of plain-text should be sufficient. Caspar: provided he knew what he was talking about, Pete Chown: if they say they want your key because you're disreputable, how can I prove the text was the right plain-text.
Q: A session key is sufficient? Riley: Yes. The bill will be underpinned, on which there will be public consultation... during the summer. Q: How will the Government Technical Advice Centre provide security for keys they hold, and how will they cover liability when it fails? Riley: I'm not sure, as the Cabinet Office is in process of setting up GTAC [& its separate encryption unit]. Chris Green: The Internet helped bring down the Multi-lateral Agreement on Investment, can people overseas trust sometimes even their lives on being in touch with the UK? Chris Bayliss. It's not just a technical point, the bill ignores the global context. [Top of page14; one and a half pages of notes remain]. Et cetera. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses happy as a clam at high tide -. <_" .-._.-. -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOOeRzX8v/Y5zkfRPEQLKgACeIjxZSulPIOjfqaIp5XCUCoWO5F4AnA9d 2KidGmwq9wgQn8gVgjsNSDSC =xxqO -----END PGP SIGNATURE----- From J.Goldberg@Cranfield.ac.uk Sun, 2 Apr 2000 11:46:36 -0700 (Pacific Daylight Time) Date: Sun, 2 Apr 2000 11:46:36 -0700 (Pacific Daylight Time) From: Jeffrey Goldberg J.Goldberg@Cranfield.ac.uk Subject: Stolen Enigma On Sun, 2 Apr 2000, David Hansen wrote: > The BBC is reporting that an Enigma has been stolen from Bletchley > Park when it was open yesterday. They say it is only one of three in > the world, but this may be because it is an Abwehr Enigma. > > Presumably stolen to order, though any collector wouldn't be able to > do much with it except look at it in a locked room. Serial numbers (on machine and rotors) as well as pointers to detailed descriptions and photos have been posted on the bletchley park email list. (see http://www.cranfield.ac.uk/ccc/bpark/ and follow link for discussion list) This will be a very difficult item to sell.
While there are various sorts of Enigma machines being sold, if anyone comes across something new on the market, please get in touch with the Bletchley Park Trust immediately. -j From freddied@compuserve.com Sun, 2 Apr 2000 15:10:34 -0400 Date: Sun, 2 Apr 2000 15:10:34 -0400 From: Freddie Dawkins freddied@compuserve.com Subject: Response from E-Envoy to RIP David - I think your attack here on Caspar is completely unwarranted. I've followed Caspar's work for some years now and he's one of the few who has been prepared to work and travel - at his own expense - to open these debates up and fight for the citizen's rights. He has real experience of fighting injustice. If Caspar and supporters had not lobbied so hard against the Key Escrow provisions in the original E-commerce Bill, we would have had a whole bunch of stuff dumped on us and your criticism is ill-founded. Sorry - but Caspar's one of the good guys and deserves better than your message. Freddie Dawkins From cb@fipr.org Sun, 2 Apr 2000 20:30:52 +0100 Date: Sun, 2 Apr 2000 20:30:52 +0100 From: Caspar Bowden cb@fipr.org Subject: Response from E-Envoy to RIP Thanks for the tribute Freddie, but to avoid horrendous confusion, worth pointing out that the remarks David Hansen criticized were not mine, but taken from the interview with the e-envoy in Guardian yesterday (I'm sure he realized, but the attribution URL was chopped in his response) -- Caspar Bowden Tel: +44(0)171 354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media > -----Original Message----- > From: owner-ukcrypto@maillist.ox.ac.uk > [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of Freddie Dawkins > Sent: 02 April 2000 20:11 > To: INTERNET:ukcrypto@maillist.ox.ac.uk > Subject: RE: Response from E-Envoy to RIP > > > David - > > I think your attack here on Caspar is completely unwarranted.
> > I've followed Caspar's work for some years now and he's one > of the few who > has been prepared to work and travel - at his own expense - > to open these > debates up and fight for the citizen's rights. > > He has real experience of fighting injustice. > > If Caspar and supporters had not lobbied so hard against the > Key Escrow > provisions in the original E-commerce Bill, we would have had > a whole bunch > of stuff dumped on us and your criticism is ill-founded. > > Sorry - but Caspar's one of the good guys and deserves better > than your > message. > > Freddie Dawkins > From midgley@mednetics.org Sun, 2 Apr 2000 00:07:05 +0100 Date: Sun, 2 Apr 2000 00:07:05 +0100 From: Adrian Midgley midgley@mednetics.org Subject: Home Office question on wiped rather than encrypted data. >I would think receipt of many encrypted messages with no replies saying >"Sorry I can't read this" and perhaps encrypted replies would lead to a >convincing inference you had had a key. This assumes interception as >well as seizure of HDD, though. So the exact manner of the reply that this could not be read would be suspected of containing a coded message confirming receipt and/or action.....if there were many of them. This way lies madness. No, madness lay a little way back along this path. I sent my MP some encrypted text, I am not prepared to say that he does not have the key to it, nor that it does not contain material of significance. I _am_ aware he has a sense of humour. From phr@doc.ic.ac.uk Sun, 02 Apr 2000 20:34:19 +0100 Date: Sun, 02 Apr 2000 20:34:19 +0100 From: Philip Rowlands phr@doc.ic.ac.uk Subject: Response from E-Envoy to RIP Freddie Dawkins wrote: > > David - > > I think your attack here on Caspar is completely unwarranted. [snip] > Sorry - but Caspar's one of the good guys and deserves better than your > message. Before everyone descends into personal attacks; I think you have mistaken a quoted reply. 
David Hansen wrote: > > On 1 Apr 00, at 11:22, Caspar Bowden wrote: > >> It's absolutely clear that nobody who is a legitimate, innocent >> person is going to have anything to fear." > > This is patronising and stupid nonsense. Judith Ward and Stefan > Kiszko are two examples of people who had nothing to fear. The "It's absolutely clear..." quote was made by Alex Allan in the Guardian, not by Caspar. Phil From cxm@totalise.co.uk Sun, 02 Apr 2000 21:08:22 +0100 Date: Sun, 02 Apr 2000 21:08:22 +0100 From: Cam cxm@totalise.co.uk Subject: Stolen Enigma David Hansen wrote: > > The BBC is reporting that an Enigma has been stolen... hopefully an elaborate ploy to draw attention to the RIP bill? ;-) -Cam cxm@altavista.net From M.Wells@leeds.ac.uk Sun, 2 Apr 2000 21:34:33 +0100 Date: Sun, 2 Apr 2000 21:34:33 +0100 From: M.Wells@leeds.ac.uk M.Wells@leeds.ac.uk Subject: UK Friendly for e-commerce? Nicholas Bohm wrote: > At 02:59 PM 3/21/2000 +0000, Ian Miller wrote: > > >On Tue, 21 Mar 2000, Owen Blacker wrote: > >> IANAL, but I seem to recall someone who was (sorry for forgetting > >> who :o) saying that statutory obligations overrule contractual ones, so > >> presumably, as the keys were divulged under statutory obligation, there > >> would be no liability. > > >Does this apply in all jurisdictions? A lot of civil contracts specify > >the law of some US state applies to interpretation. For example, this is > >true of a lot of non-disclosure agreements. > > This is a serious problem, and causes real practical difficulties from time > to time. An American bank with a UK branch, for example, may be required > by the US courts to provide information to US regulators about the > customers of the UK branch which involves the commission of criminal > offences under UK law.
In the long run this sort of thing gets ironed out > by bilateral or multilateral trade negotiations, but in the short run it > may be a choice of which country will impose the lower fine or shorter jail > sentence (or have the most civilised jails). > > In the case of a non-disclosure agreement, I think most courts would regard > there as being an implied exception to the duty of non-disclosure where > disclosure was compelled by the order of a court (or other effective legal > power) prevailing in the country of residence of the discloser. Many such > agreements provide for this expressly, and it is always wise to do so. > There will be awkward cases, and you may have to decide which risk is the > worse. > > Regards, > > Nicholas Bohm IANAL as well, but I seem to recollect that many of the contracts I signed when I was working, included clauses relating to 'Force Majeure' (I may have spelled that wrongly; I am not a good speller either!). In those days, this tended to be code for ' industrial action by a trade union', but I assume that it is still around, and what we have here is another example of that. Mike Wells From nbohm@ernest.net Sun, 02 Apr 2000 22:44:59 +0100 Date: Sun, 02 Apr 2000 22:44:59 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: UK Friendly for e-commerce? At 09:34 PM 4/2/2000 +0100, M.Wells@leeds.ac.uk wrote: >Nicholas Bohm wrote: >> At 02:59 PM 3/21/2000 +0000, Ian Miller wrote: >> >> >On Tue, 21 Mar 2000, Owen Blacker wrote: >> >> IANAL, but I seem to recall someone who was (sorry for forgetting >> >> who :o) saying that statutory obligations overrule contractual ones, so >> >> presumably, as the keys were divulged under statutory obligation, there >> >> would be no liability. >> >> >Does this apply in all jurisdictions? A lot of civil contracts specify >> >the law of some US state applies to interpretation. For example, this is >> >true of a lot of non-disclosure agreements.
>> >> This is a serious problem, and causes real practical difficulties from time >> to time. An American bank with a UK branch, for example, may be required >> by the US courts to provide information to US regulators about the >> customers of the UK branch which involves the commission of criminal >> offences under UK law. In the long run this sort of thing gets ironed out >> by bilateral or multilateral trade negotiations, but in the short run it >> may be a choice of which country will impose the lower fine or shorter jail >> sentence (or have the most civilised jails). >> >> In the case of a non-disclosure agreement, I think most courts would regard >> there as being an implied exception to the duty of non-disclosure where >> disclosure was compelled by the order of a court (or other effective legal >> power) prevailing in the country of residence of the discloser. Many such >> agreements provide for this expressly, and it is always wise to do so. >> There will be awkward cases, and you may have to decide which risk is the >> worse. >> >> Regards, >> >> Nicholas Bohm > >IANAL as well, but I seem to recollect that many of the contracts I >signed when I was working, included clauses relating to 'Force >Majeure' (I may have spelled that wrongly; I am not a good speller >either!). In those days, this tended to be code for ' industrial action >by a trade union', but I assume that it is still around, and what we >have here is another example of that. > >Mike Wells It is certainly still around, but I cannot remember ever seeing it in a non-disclosure agreement. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From freddied@compuserve.com Sun, 2 Apr 2000 18:50:12 -0400 Date: Sun, 2 Apr 2000 18:50:12 -0400 From: Freddie Dawkins freddied@compuserve.com Subject: Response from E-Envoy to RIP Hi, Caspar - And Phil just told me the same, so apologies to David. I was a bit surprised that you might say such a thing! brgds Freddie From freddied@compuserve.com Sun, 2 Apr 2000 18:50:14 -0400 Date: Sun, 2 Apr 2000 18:50:14 -0400 From: Freddie Dawkins freddied@compuserve.com Subject: Response from E-Envoy to RIP Apologies then to David. Thx for putting me straight Phil. rgds Freddie From ybanrab@hotmail.com Mon, 03 Apr 2000 00:05:17 BST Date: Mon, 03 Apr 2000 00:05:17 BST From: Barnaby Prendergast ybanrab@hotmail.com Subject: UK Friendly for e-commerce? >From: Nicholas Bohm >Reply-To: ukcrypto@maillist.ox.ac.uk >To: ukcrypto@maillist.ox.ac.uk >Subject: Re: UK Friendly for e-commerce? >Date: Sun, 02 Apr 2000 22:44:59 +0100 > >At 09:34 PM 4/2/2000 +0100, M.Wells@leeds.ac.uk wrote: > >Nicholas Bohm wrote: > >> At 02:59 PM 3/21/2000 +0000, Ian Miller wrote: > >> > >> >On Tue, 21 Mar 2000, Owen Blacker wrote: > >> >> IANAL, but I seem to recall someone who was (sorry for forgetting > >> >> who :o) saying that statutory obligations overrule contractual >ones, so > >> >> presumably, as the keys were divulged under statutory obligation, >there > >> >> would be no liability. > >> > >> >Does this apply in all jurisdictions? A lot of civil contracts >specify > >> >the law of some US state applies to interpretation. For example, >this is > >> >true of a lot of non-disclosure agreements. > >> > >> This is a serious problem, and causes real practical difficulties from >time > >> to time. An American bank with a UK branch, for example, may be >required > >> by the US courts to provide information to US regulators about the > >> customers of the UK branch which involves the commission of criminal > >> offences under UK law.
In the long run this sort of thing gets ironed >out > >> by bilateral or multilateral trade negotiations, but in the short run >it > >> may be a choice of which country will impose the lower fine or shorter >jail > >> sentence (or have the most civilised jails). > >> > >> In the case of a non-disclosure agreement, I think most courts would >regard > >> there as being an implied exception to the duty of non-disclosure where > >> disclosure was compelled by the order of a court (or other effective >legal > >> power) prevailing in the country of residence of the discloser. Many >such > >> agreements provide for this expressly, and it is always wise to do so. > >> There will be awkward cases, and you may have to decide which risk is >the > >> worse. > >> > >> Regards, > >> > >> Nicholas Bohm > > > >IANAL as well, but I seem to recollect that many of the contracts I > >signed when I was working, included clauses relating to 'Force > >Majeure' (I may have spelled that wrongly; I am not a good speller > >either!). In those days, this tended to be code for ' industrial action > >by a trade union', but I assume that it is still around, and what we > >have here is another example of that. > > > >Mike Wells > >It is certainly still around, but I cannot remember ever seeing it in a >non-disclosure agreement. > >Regards, > >Nicholas Bohm > >Salkyns, Great Canfield, >Takeley, Bishop's Stortford CM22 6SX, UK > >Phone 01279 871272 (+44 1279 871272) >Fax 01279 870215 (+44 1279 870215) >Mobile 07715 419728 (+44 7715 419728) > >PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: >9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 >PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: >5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF > > As a (very) lowly student of law I'd suggest that situation above would act as a frustrating event for the parties involved in most common law jurisdictions,i.e.
the contract becomes impossible to perform, and is probably void (Chitty on Contracts, Sweet & Maxwell). Quite how one conveys this information if one is bound to secrecy though... There may be other more complicated "conflict of laws" issues to be dealt with, though, and the legal effects will vary from jurisdiction to jurisdiction. Potential fun for lawyers (far more qualified than myself), not for the parties involved. :o) ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From dave@xemu.demon.co.uk Sun, 2 Apr 2000 23:32:59 +0100 Date: Sun, 2 Apr 2000 23:32:59 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Response from E-Envoy to RIP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <200004021510_MC2-9F7D-D2C6@compuserve.com>, Freddie Dawkins writes >David - > >I think your attack here on Caspar is completely unwarranted. What the heck? I agree that Caspar is a very useful guy but (a) your article does not quote anything of what it is replying to and (b) when I check the threading manually it is a reply to someone called *J* T Bradley. When I finally figured out who David was, I saw he was criticising material QUOTED by Caspar as being a load of waffle [which indeed it was]. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOOfKm38v/Y5zkfRPEQKNOQCg1CVI14s+dSS0TpZqRqvP5+D2qGsAmwUU ZllO+XhWEEakfH9fPjM8rX+U =x96K -----END PGP SIGNATURE----- From dave@xemu.demon.co.uk Sun, 2 Apr 2000 23:49:44 +0100 Date: Sun, 2 Apr 2000 23:49:44 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Stolen Enigma -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Jeffrey Goldberg writes >On Sun, 2 Apr 2000, David Hansen wrote: > >> The BBC is reporting that an Enigma has been stolen from Bletchley >> Park when it was open yesterday. 
They say it is only one of three in >> the world, but this may be because it is an Abwehr Enigma. >> >> Presumably stolen to order, though any collector wouldn't be able to >> do much with it except look at it in a locked room. > >Serial numbers (on machine and rotors) as well as pointers to detailed >descriptions and photos have been posted on the bletchley park email list. >(see http://www.cranfield.ac.uk/ccc/bpark/ and follow link for discussion >list) > >This will be a very difficult item to sell. Odds on the buggers won't sell it: it was stolen for a particular person - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOOfOiH8v/Y5zkfRPEQKcbACfRF/to2v4YqF/y7Ymbq1rkcu8NOQAn0RD slgDthY/1rvVm3bRU2Sz6tzp =e/ZZ -----END PGP SIGNATURE----- From dave@xemu.demon.co.uk Sun, 2 Apr 2000 23:48:07 +0100 Date: Sun, 2 Apr 2000 23:48:07 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: UK Friendly for e-commerce? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In<200004022037.VAA19566@mps2.leeds.ac.uk>, M.Wells@leeds.ac.uk writes: >> In the case of a non-disclosure agreement, I think most courts would regard >> there as being an implied exception to the duty of non-disclosure where >> disclosure was compelled by the order of a court (or other effective legal >> power) prevailing in the country of residence of the discloser. Many such >> agreements provide for this expressly, and it is always wise to do so. >> There will be awkward cases, and you may have to decide which risk is the >> worse. >> >> Nicholas Bohm > >IANAL as well, but I seem to recollect that many of the contracts I >signed when I was working, included clauses relating to 'Force >Majeure' (I may have spelled that wrongly; I am not a good speller >either!).
In those days, this tended to be code for ' industrial action >by a trade union', but I assume that it is still around, and what we >have here is another example of that. > >Mike Wells Hmmm. Suppose someone abroad says "if you want to trade with me, you trade under the laws of my country and take complete liability for any disclosure by your government or otherwise. We guarantee security, do you?" People will trade with sellers in nations they trust. Not Britain. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOOfOJ38v/Y5zkfRPEQKG9wCgwmHwT1yaIUgO3N01bmbAeTD93g8An0cG OPvJ4iykYf6YJbiOLzj3HEy0 =KomY -----END PGP SIGNATURE----- From donald@ramsbottom.co.uk Mon, 03 Apr 2000 07:32:55 +0100 Date: Mon, 03 Apr 2000 07:32:55 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Home Office question on wiped rather than encrypted data. SNIP ME & PHIL ROWLANDS >> >> So if I have 200 encrypted emails on my HDD and deny to LEA that I have a >> key or ever had one, (note I do not say I have forgotten it or make any >> other admission ) I cannot be guilty of the offence? >We were talking about secure wiping, but in this case I think Plod might >have enough circumstantial evidence to prove you did have a key. Circumstantial evidence is not enough to prove "beyond reasonable doubt". Any one of those emails may be opened by one or more keys, if what you say is true then they have to prove that you have the specific key to the specific email/encrypted file which they cannot do without actually having it. If the burden to prove the offence is as you say, then they will rarely be able to prove it without some admission that you have a key or have forgotten or lost it. > >> Surely if this is so then RIP has no teeth and we are all barking up the >> wrong tree. If what you say is true then we have nothing to worry about >> as they can never prove you had a key.
>Unless you're an innocent, law-abiding honest person, and admit you've >forgotten your password. I don't think we're barking up the wrong tree; I >think there has been some misunderstanding and over-generalisation about >the circumstances that burden of proof is reversed. > >> 46(2) just says they have to have reasonable grounds and uses the word >> "believes". It goes on to say "by notice on the person whom he believes to >> have possession of the key" >Yes; Plod should have good cause to serve a notice on you. True, conceded. > >> If what you say is true then bare denial will suffice to thwart the bill. >A criminal who uses the "random number" defence (as we might call it) will >have an advantage over Plod who must prove he [the criminal] has a key. You do not have to have a random number defence, just a bare denial. > >> I suppose they could use the traffic logs to show messages to-ing and >> fro-ing, but would this be enough to prove beyond reasonable doubt you had a >> key, probably not. >> >> Am I missing something major here? >No, if I read your words correctly you have concluded that the Bill is Not >Very Good, which is bang on target. Having said all I have before looking at the offence in isolation you are correct, there are two limbs to the offence, the second being actual possession, which is something which has been overlooked by everyone on both sides so far. What the bill as drafted actually does if this train of thought is correct, is make it easy for criminals to deny having a key or simply not say anything. The prosecution in this scenario then have to prove their case. The law abiding who have forgotten keys or do not have them can be convicted by their honesty, and industry who are hardly likely to deny the existence of the keys (if they exist), will be disadvantaged because of the lack of trust engendered by the fact the keys may be revealed to third parties.
So as drafted (in Phil's interpretation) the criminals have the best defence (they will be prepared to lie) and the prosecution is in no different position (effectively) than it is now, and the law abiding can go to jail on a reversal of BOP because they admit to loss! I have to admit that Phil's argument is compelling and that actual possession has to be proved beyond reasonable doubt, in which case the bill fails in its primary task of targeting criminals. This is not limited to the random number defence but applies generally to the bill. This could get very interesting. My SETI data may be useful after all!! Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Mon, 03 Apr 2000 08:14:23 +0100 Date: Mon, 03 Apr 2000 08:14:23 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: DVD- litigation FYI John Young has been served with another cease & desist letter from Weil, Gotshal & Manges lawyers for DVDCCA/MPAA (don't lawyers have great names, [yes I know about mine]). Details can be found at Cryptome. I think JY is resident in NY (not sure) and they are quoting a Ca injunction at him, I do not know what the interrelationship is between the States on this sort of thing, but it does seem as he was just a listed defendant in a separate jurisdiction, that it could all be more hot air. No doubt his lawyers will advise. So MPAA, are continuing their action despite the DeCSS code being one of the most widely distributed pieces of software on the net, it does seem kind of vindictive. Good luck John. Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From nbohm@ernest.net Mon, 03 Apr 2000 09:13:41 +0100 Date: Mon, 03 Apr 2000 09:13:41 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: UK Friendly for e-commerce?
At 12:05 AM 4/3/2000 BST, Barnaby Prendergast wrote: > > >>From: Nicholas Bohm >>Reply-To: ukcrypto@maillist.ox.ac.uk >>To: ukcrypto@maillist.ox.ac.uk >>Subject: Re: UK Friendly for e-commerce? >>Date: Sun, 02 Apr 2000 22:44:59 +0100 >> >>At 09:34 PM 4/2/2000 +0100, M.Wells@leeds.ac.uk wrote: >> >Nicholas Bohm wrote: >> >> At 02:59 PM 3/21/2000 +0000, Ian Miller wrote: >> >> >> >> >On Tue, 21 Mar 2000, Owen Blacker wrote: >> >> >> IANAL, but I seem to recall someone who was (sorry for forgetting >> >> >> who :o) saying that statutory obligations overrule contractual >>ones, so >> >> >> presumably, as the keys were divulged under statutory obligation, >>there >> >> >> would be no liability. >> >> >> >> >Does this apply in all jurisdictions? A lot of civil contracts >>specify >> >> >the law of some US state applies to interpretation. For example, >>this is >> >> >true of a lot of non-disclosure agreements. >> >> >> >> This is a serious problem, and causes real practical difficulties from >>time >> >> to time. An American bank with a UK branch, for example, may be >>required >> >> by the US courts to provide information to US regulators about the >> >> customers of the UK branch which involves the commission of criminal >> >> offences under UK law. In the long run this sort of thing gets ironed >>out >> >> by bilateral or multilateral trade negotiations, but in the short run >>it >> >> may be a choice of which country will impose the lower fine or shorter >>jail >> >> sentence (or have the most civilised jails). >> >> >> >> In the case of a non-disclosure agreement, I think most courts would >>regard >> >> there as being an implied exception to the duty of non-disclosure where >> >> disclosure was compelled by the order of a court (or other effective >>legal >> >> power) prevailing in the country of residence of the discloser. Many >>such >> >> agreements provide for this expressly, and it is always wise to do so.
>> >> There will be awkward cases, and you may have to decide which risk is >>the >> >> worse. >> >> >> >> Regards, >> >> >> >> Nicholas Bohm >> > >> >IANAL as well, but I seem to recollect that many of the contracts I >> >signed when I was working, included clauses relating to 'Force >> >Majeure' (I may have spelled that wrongly; I am not a good speller >> >either!). In those days, this tended to be code for ' industrial action >> >by a trade union', but I assume that it is still around, and what we >> >have here is another example of that. >> > >> >Mike Wells >> >>It is certainly still around, but I cannot remember ever seeing it in a >>non-disclosure agreement. >> >>Regards, >> >>Nicholas Bohm >> >>Salkyns, Great Canfield, >>Takeley, Bishop's Stortford CM22 6SX, UK >> >>Phone 01279 871272 (+44 1279 871272) >>Fax 01279 870215 (+44 1279 870215) >>Mobile 07715 419728 (+44 7715 419728) >> >>PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: >>9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 >>PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: >>5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF >> >> >As a (very) lowly student of law I'd suggest that situation above would act >as a frustrating event for the parties involved in most common law >jurisdictions,i.e. the contract becomes impossible to perform, and is >probably void (Chitty on Contracts, Sweet & Maxwell). Quite how one conveys >this information if one is bound to secrecy though... > >There may be other more complicated "conflict of laws" issues to be dealt >with, though, and the legal effects will vary from jurisdiction to >jurisdiction. Potential fun for lawyers (far more qualified than myself), >not for the parties involved. 
>:o) Obligations of secrecy under an English law contract would be directly overridden by a duty imposed by a UK statute, and there is no need to resort to force majeure clauses or the doctrine of frustration of contracts (which relieves someone of liability who would otherwise be liable for failing to do something that has either become impossible or radically different from what was originally contemplated). Obligations of secrecy under a foreign law contract would probably not be treated as directly overridden by a UK statute, and it would be necessary to see whether the contract provided an exception for disclosures compelled by the law of a jurisdiction to which the discloser was subject (not an unusual clause in practice) or an exception for force majeure (which, as I said, would be very unusual in my experience). Whether something like the doctrine of frustration could be invoked would be a question for the relevant foreign law. If that were the same as English law (and these rules commonly vary quite a lot), there is certainly a good argument to say that keeping a secret by not letting it out is one thing, but keeping it at the cost of a substantial term of imprisonment is so radically different a "cost of compliance" that the secrecy obligation should be regarded as frustrated. The moral is to think carefully about accepting contractual obligations of absolute secrecy over keys if you are subject to UK jurisdiction. Perhaps an uncomfortable moral. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. 
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From cxm@totalise.co.uk Sun, 02 Apr 2000 21:08:22 +0100 Date: Sun, 02 Apr 2000 21:08:22 +0100 From: Cam cxm@totalise.co.uk Subject: Stolen Enigma David Hansen wrote: > > The BBC is reporting that an Enigma has been stolen... hopefully an elaborate ploy to draw attention to the RIP bill? ;-) -Cam cxm@altavista.net From ben@algroup.co.uk Mon, 03 Apr 2000 10:51:35 +0100 Date: Mon, 03 Apr 2000 10:51:35 +0100 From: Ben Laurie ben@algroup.co.uk Subject: UK Friendly for e-commerce? Nicholas Bohm wrote: > The moral is to think carefully about accepting contractual obligations of > absolute secrecy over keys if you are subject to UK jurisdiction. Perhaps > an uncomfortable moral. Regardless of law, it is unwise to manage keys for someone else in any case, and unwise to ask someone else to manage your keys. I can think of very few cases where it would be necessary. Err, except as an employee - a company being inherently unable to manage its own keys. Cheers, Ben. -- http://www.apache-ssl.org/ben.html From sjmz@hplb.hpl.hp.com Mon, 03 Apr 2000 11:16:45 +0100 Date: Mon, 03 Apr 2000 11:16:45 +0100 From: Stefek Zaba sjmz@hplb.hpl.hp.com Subject: HOME OFFICE RESPONDS AGAIN Nicholas Bohm writes: > Why do they need a general purpose key? Only if they cannot give me the > ciphertext. When is that the case? When they have not yet obtained it. > But that means it is future material; and that cannot be what they want the > key for, since they concede I am free to revoke the key so as to ensure > that future material is not encrypted under it. > > So when is a general purpose key justifiably demanded? > Let me read "justifiably" as "usefully (to law enforcement)". Then the short answer becomes, "when it's held by someone other than the suspect" - either a third-party key-aware encryption service provider, or the IT department of a suspect's employing organisation. 
As Nicholas' postings have made clear, treating key revocation as "normal" and inoffensive on receipt of an S.46 order means that suspects in receipt of such orders can (almost) immediately cause their correspondents to cease producing further traffic encrypted under that key; the key-disclosure (rather than plaintext-disclosure) and possible associated secrecy requirement only makes some sort of sense where some party other than the suspect is the one being served with the order. Whether anyone at large will want to *use* third-party services where the provider is in a position to yield a key - let alone whether any of the four info-horsemen would - has been rehearsed to death on this list... Stefek From nd@hplb.hpl.hp.com Mon, 03 Apr 2000 11:38:54 +0100 Date: Mon, 03 Apr 2000 11:38:54 +0100 From: Neil Dunbar nd@hplb.hpl.hp.com Subject: HOME OFFICE RESPONDS AGAIN Stefek Zaba wrote: > the key-disclosure (rather than plaintext-disclosure) and possible > associated secrecy requirement only makes some sort of sense where some party > other than the suspect is the one being served with the order. Which leads to the question: If this provision is only sensible within a key escrow/KR-aware TTP environment, and such arrangements are explicitly off the gov't agenda; is the main purpose for such apparently worthless provisions to lay the groundwork for the imposition of such unpleasant environments afterwards? If the answer to this one remains that the government has no such agenda, then we really do need a coherent justification for these powers. And "just-in-case" is in no way coherent or a justification.
Neil From Pete.Chown@skygate.co.uk Mon, 3 Apr 2000 11:59:39 +0100 Date: Mon, 3 Apr 2000 11:59:39 +0100 From: Pete.Chown@skygate.co.uk Pete.Chown@skygate.co.uk Subject: Irish view and public/private keys Ross Anderson wrote: > Logically Plod should be satisfied if he can send you a key packet > (the session key encrypted under your public key) and get back the > clear session key. But this is almost as unsatisfactory for him: you > might have kept a list of one-way hashes of session keys, so you can > identify the messages of interest. With RSA couldn't he do Chaum blinding on the session key packet? In fact, he doesn't even need to tell you that the packet you receive has been blinded -- all you will know is that you have not seen the packet before. With ElGamal I'm not sure... Is there an equivalent of Chaum blinding that works with discrete log systems? > It's much less satisfactory for you > too. If you don't have such a list then Plod can get you to decrypt > keys for all sorts of stuff he has no right to - such as emails from > your lawyer. But he could do that anyway -- give you a blinded session key and tell you that it just relates to a message you haven't seen before. > The more I think of this the more I believe that the solution lies in > tamper-resistant processes.
If you implement your crypto in a high-end > secure processor such as an IBM 4758 then you can program it so that > it just won't decrypt key packets twice. If your application has > reliable timestamps, program it to reject anything over a week old. This sounds good but I'm not quite sure how you see it working. I can understand that you could refuse to decrypt the same OpenPGP message twice, but the secure device then has to maintain a "blacklist" of all session keys that have been decrypted. Over time the blacklist would become unreasonably large. Obviously if you have reliable timestamps you could throw away blacklist entries that are more than a week old, but how could you do reliable timestamps with PGP? Also, of course, you have to be careful that the secure device is not being given a blinded version of something that it has already decrypted. ---------------------------------------------------------------------- phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post: Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ From sjmz@hplb.hpl.hp.com Mon, 03 Apr 2000 11:57:58 +0100 Date: Mon, 03 Apr 2000 11:57:58 +0100 From: Stefek Zaba sjmz@hplb.hpl.hp.com Subject: HOME OFFICE RESPONDS AGAIN (Yes, Neil and I could have this conversation over the cubicle walls rather than in UKcrypto, but it does seem relevant to the list!) Neil Dunbar writes: > Which leads to the question: If this provision is only sensible > within a key escrow/KR-aware TTP environment, and such arrangements > are explicitly off the gov't agenda; is the main purpose for such apparently > worthless provisions to lay the groundwork for the imposition of such > unpleasant environments afterwards? > Well, it could be that the Home Office drafters are advised that some of the plausible scenarios for suspect-primary-keyholder-unaware recovery are likely enough to occur in practice that it's worth having the provisions in place. 
F'r example, a Serious Fraud Office investigation into financial misdealings (although that one feels like it would be adequately handled by plaintext provision rather than key surrender); or maybe some "provided to the public at large" messaging services where key ownership lies with the provider, i.e. not "PGP for all" but rather, say, SMS messaging. (I noted with some amusement in my new Vodafone Corporate User's Pack that it talked up the confidentiality of SMS messaging. In a relative sense I suppose that's true - compared with text pagers where there's *no* on-air confidentiality. But I wouldn't advise any corporate user to rely on the confidentiality of an SMS message in delicate business negotiations...) Stefek From nbohm@ernest.net Mon, 03 Apr 2000 12:29:45 +0100 Date: Mon, 03 Apr 2000 12:29:45 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: HOME OFFICE RESPONDS AGAIN At 11:16 AM 4/3/2000 +0100, Stefek Zaba wrote: >Nicholas Bohm writes: > >> Why do they need a general purpose key? Only if they cannot give me the >> ciphertext. When is that the case? When they have not yet obtained it. >> But that means it is future material; and that cannot be what they want the >> key for, since they concede I am free to revoke the key so as to ensure >> that future material is not encrypted under it. >> >> So when is a general purpose key justifiably demanded? >> >Let me read "justifiably" as "usefully (to law enforcement)". I meant "giving law enforcement a legitimate advantage", which is not very different from your approach. >Then the short >answer becomes, "when it's held by someone other than the suspect" - either >a third-party key-aware encryption service provider, or the IT department of >a suspect's employing organisation. 
As Nicholas' postings have made clear, >treating key revocation as "normal" and inoffensive on receipt of an S.46 >order means that suspects in receipt of such orders can (almost) immediately >cause their correspondents to cease producing further traffic encrypted under >that key; the key-disclosure (rather than plaintext-disclosure) and possible >associated secrecy requirement only makes some sort of sense where some party >other than the suspect is the one being served with the order. I am doubtful about this. If a third party holds the suspect's keys (as you say, perhaps implausible), law enforcement can still get the plaintext message by message. This may be less convenient than having a key, but with electronic communications the difference should be small, and it is hard to see how the difference justifies key compromise. But this is a rare case (I agree with your comment quoted below). Take the alternative case where police find that a suspect terrorist makes travel bookings by encrypted email with an innocent travel agent. (By way of background colour, assume the agent also takes bookings from business people who do not want their arrangements monitored by governments for commercial secrecy reasons.) If the police can justify monitoring the suspect's travel bookings, then what they need is a power to require the agent to provide plaintext of the messages. If they demand a key so as to facilitate "real time" message reading of future material, revocation will foul them up (as well as the agent and its other clients) - would they demand key after key as each is revoked? But if they want the key for reading past messages, this gives them no legitimate advantage as compared with decrypted plaintext; and it gives them the illegitimate advantage of being able to read past traffic from all the other customers of the agent. I still want to see a coherent justification (i.e.
the specification of a legitimate advantage not outweighed by counter-vailing disadvantages) for requiring disclosure of a general purpose key (I can see the "verification" argument, but this is met by providing a session key for a message). Let's hear it from you, Home Office! >Whether anyone at large will want to *use* third-party services where the >provider is in a position to yield a key - let alone whether any of the >four info-horsemen would - has been rehearsed to death on this list... Too right! Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From alloneword@dial.pipex.com Mon, 3 Apr 2000 11:28:05 +0100 Date: Mon, 3 Apr 2000 11:28:05 +0100 From: Andrew Brown alloneword@dial.pipex.com Subject: Re[2]: Response from E-Envoy to RIP On Sunday, April 02, 2000, at 8:30:52 PM, Caspar Bowden wrote: CB> Thanks for the tribute Freddie, but to avoid horrendous confusion, worth CB> pointing out that the remarks David Hansen criticized were not mine, but CB> taken from the interview with the e-envoy in Guardian yesterday (I'm sure he CB> realized, but the attribution URL was chopped in his response) Absolutely. As the man who actually typed in the quote for which Caspar was attacked, I am certain that it came from Alex Allan, or someone sitting in his chair with his press officer's tape recorder running. The whole interview is easily enough found on the Guardian's site.
-- Andrew mailto:alloneword@dial.pipex.com From ben@algroup.co.uk Mon, 03 Apr 2000 13:49:34 +0100 Date: Mon, 03 Apr 2000 13:49:34 +0100 From: Ben Laurie ben@algroup.co.uk Subject: HOME OFFICE RESPONDS AGAIN Nicholas Bohm wrote: > I am doubtful about this. If a third party holds the suspect's keys (as > you say, perhaps implausible), law enforcement can still get the plaintext > message by message. This may be less convenient than having a key, but > with electronic communications the difference should be small, and it is > hard to see how the difference justifies key compromise. But this is a > rare case (I agree with your comment quoted below). Presumably a message-by-message approach is _better_ for LEAs, because it doesn't force an instant key revocation (which, when done by all someone's correspondents simultaneously, is bound to arouse suspicions). Cheers, ben. -- http://www.apache-ssl.org/ben.html From Ross.Anderson@cl.cam.ac.uk Mon, 03 Apr 2000 13:54:56 +0100 Date: Mon, 03 Apr 2000 13:54:56 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Irish view and public/private keys > With RSA couldn't he do Chaum blinding on the session key packet? I'm assuming that you won't hand over anything that just looks like a random string, but there is a secondary problem here of how do you persuade plod that you're telling the truth when you say that the key packet he supplied you was bogus. Doing security in an environment of complete mutual mistrust is surprisingly hard. Read Simmons' papers on nuclear arms control treaty verification for a taste of what's involved. Probably the closest I've come myself is working on prepayment electricity meters, where none of the power companies, token vendors etc trust each other. In the end, all the solutions seem to come down to trusted hardware. That was also true of the nuclear business, and of metering.
Maths just isn't expressive enough; you need metal Ross From cb@fipr.org Mon, 3 Apr 2000 14:09:48 +0100 Date: Mon, 3 Apr 2000 14:09:48 +0100 From: Caspar Bowden cb@fipr.org Subject: Round-up of RIP bill media coverage (www.fipr.org/rip#media) In case of interest, here's a roundup of media coverage of RIP. The first dozen or so are hooked on reports of Scrambling for Safety 2000. Nearly all can be perused from live links at http://www.fipr.org/rip#media and see further details at http://www.fipr.org/rip/burdenproof.html (contributions appreciated: ripnews@fipr.org) Guardian 30/3/00: 3 exchanges of letters between Caspar Bowden and Charles Clarke MP Independent 2/4/00: "E-mails that could return to haunt you" BBC Online 31/3/00: "Website campaign to derail legislation" Computing 30/3/00: "New law opens up private data to MI5" Silicon.com 30/3/00: "Government accused of 'hopelessly underestimating' RIP costs" Computer Weekly 30/3/00: "FEI warns Government RIP faces huge hurdles" Sunday People 26/3/00: "FORGET YOUR PASSWORD... END UP IN JAIL" Observer 26/3/00: "It's RIP basic human rights as 'worst UK legislation ever' looms" Irish Times 25/3/00: "British bill may 'drive' e-commerce to Republic" BBC Radio 4 'PM' 24/3/00: Branwen Jeffreys reports on RIP (5m 13s) Financial Times 24/3/00:"Legal fears over e-mail tapping" NTK 24/3/00: Minister in charge of Not Being Scared by The Crypto Freaks KableNET.com 24/3/00: E-bugging bill gets a slating VNUNet 24/3/00: "Snooping powers could harm cheap net access" The Register 23/3/00: "RIP: even Big Brother is confused" Wired.com 23/3/00: "Ripping into U.K. 
Privacy Bill" ComputerWeekly 23/3/00: "Banks snub bill to spy on IT data" VNUNet 23/3/00: "UK government answers snooping bill critics" Silicon.com 23/3/00: "Internet 'Snooping Bill' fails human rights audit" ZDNet News 22/3/00: "RIP Bill comes under fresh attack" VNUNet 22/3/00: "Industry tackles UK government over snooping bill" Network News 22/3/00: "Industry insiders challenge RIP Bill" Financial Times 21/3/00: Letter from Charles Clarke MP ZDNet 21/3/00: "RIP bill gets buried under fax mountain" Communications Week International 20/3/00: "ISPs condemn expensive 'spy tax' proposal" NTK 17/3/00: RIP Bill and "external" communications, Freedom servers Computer Weekly 16/3/00: "Why the RIP Bill should R.I.P." Computer Weekly 16/3/00: "City banks urged to air grievances over Bill" Computer Weekly 16/3/00: "WAKE UP CALL: the RIP Bill, what is it ?" Business & Technology (March): "Big Brother demands keys to e-mail doors" Daily Telegraph 16/3/00: "Regulation Bill carries 'tipping off' offence" Guardian 15/3/00: Letter from Caspar Bowden in reply to Charles Clarke MP Register 14/3/00: "What the hell is... the UK's RIP Bill" Financial Times 14/3/00: "LETTERS: Threat to internet ambitions", Tom Wills-Sandford (FEI) Independent 14/3/00: "Investigatory Powers Bill is `Big Brother charter', warn objectors" The Register 13/3/00: "Big Brother Bill faces Select Committee storm" Open Letter 13/3/00 from Charles Clarke MP and ukcrypto reply thread Observer 12/3/00: "Encryption bill has to be last straw Guardian 10/3/00: Letter from Charles Clarke MP Daily Telegraph 9/3/00: "LEADER:...@intrusion-newlab.com" Financial Times 7/3/00: "LEADER: Spies in the web Guardian 7/3/00: "LEADER: RIP for basic liberties" BBC Online 7/3/00: "Computer crime plans attacked" Times 7/3/00: "How secure is your e-mail?" Times: Changing world of the snoopers, March 7, 2000. Wired.com 7/3/00: "U.K. 
Crypto Law a Key Issue" vnunet.com 7/3/00: "UK email interception bill stumbles" The Register 6/3/00: "Opposition mounts against UK's Big Brother Bill" Financial Times 6/3/00: "Bill could affect cost of accessing the internet" Irish Times 5/3/00: UK RIP Bill Is Killer Blow To E-Commerce NTK 3/3/00: RIPping yarns Guardian Online 1/3/00: "Government surveillance bill arouses alarm" Radio 4 'Today' 6/3/00: interview with Caspar Bowden Sunday Times 5/3/00:"Fighting for online privacy" ZDNetUK 1/3/00: Government Snooping will cost taxpayers millions Network News 28/2/00: "Encryption at the mercy of the law" BBC World Service radio "Insight" (26/2/00, 13m 53s) BBC Radio 5 Live 26/2/00: Interview with Nicholas Bohm Daily Telegraph 24/2/00: "Bill revives attack on privacy" Computer Weekly 24/2/00: "LEADER: Folly of draconian law on decryption" Irish Times 18/2/00:"UK RIP BILL IS KILLER BLOW TO E-COMMERCE" Wired 16/2/00: Irish, UK Crypto Regs Far Apart Guardian 11/2/00:"Leader: All eyes and ears" Financial Times 11/2/00: BIG BROTHER: Government unveils e-mail surveillance law Guardian 11/2/00: Ministers seek wide bugging powers TechWeb 10/2/00: "E-Spying Bill Called 'Escrow By Intimidation'" ZDNet UK 10/2/00: "New surveillance bill comes under fire" BBC Online 10/2/00: "Surveillance bill under fire" ZDNet 17/1/00: "IT Week: Decryption centre mooted" Financial Times 11/1/00: "LAW: Ministers rush through e-mail powers" Financial Times 21/12/99: "Caspar Bowden (personal view): Decrypt with care" -- Caspar Bowden Tel: +44(0)171 354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media From mjc@cooper.org.uk Mon, 03 Apr 2000 14:16:47 +0100 Date: Mon, 03 Apr 2000 14:16:47 +0100 From: Martin Cooper mjc@cooper.org.uk Subject: Proceedings of RIP standing committee (30/3 AM) * The main focus of the debate was 'intrusive' vs. 'directed' surveillance. 
* Urgent use of surveillance, and the problems of getting it authorised in advance were discussed, with a frame of reference of following a person or people around who might move from areas that would cause surveillance to be intrusive, and others that would not. * Concern was raised about the lesser degree of authorisation required for directed surveillance, given that with modern technology, material collected from mechanisms of directed surveillance may be of an intrusive nature. An example of CCTV technology being used to zoom in on the screen of a laptop was given as an example. Use of the 'affirmative resolution procedure' was requested, but declined by the minister, on the grounds that directed surveillance was intrusive to a significantly lower degree than intrusive surveillance. * The issue that led to the judgement of UK vs. Halford was raised in the context of an expectation of privacy rather than a precise location (e.g. an office in someone's home). * A historical perspective on the use of the terms was given which suggested that they grew up over time based on the idea of protecting citizens from trespass or damage to property caused by law officers entering it for the purposes of some sort of surveillance or intelligence gathering. It was noted that the bill does have a degree of proportionality in this regard rather than just a blanket test based on location in that it is concerned with places where one has an expectation of privacy. * Following on from this, the question arose of whether the recording of telephone conversations where at least one of the parties was aware of the fact (i.e. was in cooperation with the Police) should be treated as intrusive, rather than directed surveillance, as it is in the bill at present, given the possible sensitivity of private telephone conversations. The minister was satisfied with the way the bill deals with the issue.
* Concern was again expressed about 'software bugs' introduced by CSPs or others onto the personal hardware/software configurations situated in a person's home or somewhere where they would have the expectation of privacy. The minister sought clarifications from his officials, and returned the view that this kind of procedure would normally be an offence under the Computer Misuse Act 1990, and its legitimate use would have to be sanctioned at a high-level under the Police Act 1997 or the Intelligence Services Act 1994. * A member suggested that with the increasing use of encryption, the authorities might increasingly turn to covert forms of directed or intrusive surveillance to collect information. * A 'catch-all' condition appearing in the section dealing with authorisation of directed and intrusive surveillance, and the bodies and purposes permitted to be involved was raised. The member wondered what the government had in mind for this, since most important things had been explicitly listed (the only thing left was 'the protection of public morals'). An example of food hygiene was given, to illustrate the dangers of high-powered legislation being exploited by executive agencies of the state to meddle more in the affairs of the individual. A member joked that the opposition was particularly concerned to prevent Alastair Campbell from appearing on the list. The minister listed quite a few agencies that the govt might want to consider in future, simply because they already use surveillance, and they might need to be listed explicitly to comply with the ECHR. The list is expected to appear in a schedule to the bill at some future time. * The investigation of telecommunications fraud was raised as a concern, with a fear that the increased control on who may use directed surveillance may hamper telco security operations (e.g. payphone fraud, vandalism etc.)
because the authorities did not usually class such things as serious crime, and would probably be unwilling to devote the necessary resources to it. The minister reassured the member by stating that anything not specifically declared to be illegal in the bill would be legal. * The use of the word 'disorder' in the context of good reasons for using directed surveillance provoked a reaction about peaceful political/other forms of protest. As the word was not clearly defined in the bill, might it not be used in such circumstances? An example of the demonstrations during the visit of the president of China to the UK recently was given to illustrate the point. The minister gave an assurance that the government did not intend the purpose of 'disorder' to include peaceful protests, etc. * The minister replied to an earlier question about who would authorise the use of investigations, saying that it would be the investigating officer, or deputy investigating officer. He noted that these do not appear in the bill because they are not formal/legal titles. * Serious concern was raised about a wide-open dispensation for the home-secretary to redefine which types of activity fall into which of the two categories, 'directed' and 'intrusive' surveillance, albeit under the 'affirmative resolution procedure'. The minister stated that this was necessary to allow practical adherence to the ECHR, but the member was not pacified, and said that the government had been caught out in this case, and hoped that it would do better at the report stage.
From ian@scientia.com Mon, 3 Apr 2000 12:45:51 +0000 Date: Mon, 3 Apr 2000 12:45:51 +0000 From: Ian Miller ian@scientia.com Subject: Home Office question on wiped rather than encrypted data. On Sat, 01 Apr 2000, Nicholas Bohm wrote: > I would think receipt of many encrypted messages with no replies saying > "Sorry I can't read this" and perhaps encrypted replies would lead to a > convincing inference you had had a key.
Not necessarily; it implies that you had access to a decryption engine that contained the key. That is not the same as having practical access to the key itself. A suitably programmed tamper-resistant decryption-engine could be designed to never give anyone the key under any circumstances and to destroy it in the case of detecting anything that could be an attempt to access it. I don't believe that there are currently any generally available systems of this type. I fully expect there to be before the end of the year. I must say the RIP is doing wonders for the roll-out of secure solutions, even before it is law. Ian -- Ian Miller Scientia Ltd. From ijackson@chiark.greenend.org.uk Mon, 3 Apr 2000 15:14:56 +0100 (BST) Date: Mon, 3 Apr 2000 15:14:56 +0100 (BST) From: Ian Jackson ijackson@chiark.greenend.org.uk Subject: Burden of Proof Philip Rowlands writes ("Re: Burden of Proof"): > (2)(a) ... it shall be a defence ... to show ...that the key was not in > his possession after the giving of the notice ... > > If you have the key at the instant you are served the notice, this defence > cannot apply. (When I say have, I mean have practical access to.) This is interesting. Does that mean that if I accidentally lose or destroy the key after receiving the notice I'm shafted ? For example, supposing I'm intimidated by Plod into trying to break the tamper-proofing on my HSM, and accidentally trigger zeroisation ? Ian. From C.R.Ritson@newcastle.ac.uk Mon, 3 Apr 2000 15:29:00 +0100 Date: Mon, 3 Apr 2000 15:29:00 +0100 From: Chris Ritson C.R.Ritson@newcastle.ac.uk Subject: HOME OFFICE RESPONDS AGAIN >Date: Mon, 03 Apr 2000 13:49:34 +0100 >From: Ben Laurie >Organization: A.L. Group plc > >Presumably a message-by-message approach is _better_ for LEAs, because >it doesn't force an instant key revocation (which, when done by all >someone's correspondents simultaneously, is bound to arouse suspicions).
So although using a mail tool which automatically discloses a key surrender is allowed for in the RIP Bill, creating one becomes conspiracy to ... Seriously, this is the first argument in favour of decryption and against key surrender that I think LEAs might accept. Having been scanning the committee proceedings, and with an MP who is not on the RIP committee, I think the next step for me is a follow up to my previous letter after clauses 48-50 have been discussed in committee and in plenty of time for the third reading. Chris Ritson -- EMAIL: C.R.Ritson@newcastle.ac.uk POST: Chris Ritson, PHONE: +44 191 222 8175 Department of Computing Science, FAX : +44 191 222 8232 University of Newcastle upon Tyne, ROOM : 618 Claremont Bridge (the Mill) United Kingdom NE1 7RU. From alecm@coyote.uk.sun.com Mon, 03 Apr 2000 15:45:03 +0100 Date: Mon, 03 Apr 2000 15:45:03 +0100 From: Alec Muffett alecm@coyote.uk.sun.com Subject: Newsflash: Stolen Enigma Twist Breaking-news twist on the story: | | From: Mike | Subject: Thieves steal WW2 Enigma Machine from Bletchley Park | | Presume you've seen the news. | | http://uk.news.yahoo.com/000402/2/a2sgv.html | | Apparently, Milton Keynes Police have received the following ransom note. | | XJFDL EDPQW SXZAR TOKDR SNBVF PLVMR NCHFE POHDV AWETR SERTG | | Mike | ...sorry, I know it's too late for April 1, but I couldn't resist reposting it. - alec -- alec muffett - sun professional services - alec.muffett @ uk.sun.com [your free random numbers for today are: 52846 71] puritanism: the fear that somebody, somewhere, might be having fun
From mjc@cooper.org.uk Mon, 03 Apr 2000 17:17:17 +0100 Date: Mon, 03 Apr 2000 17:17:17 +0100 From: Martin Cooper mjc@cooper.org.uk Subject: Proceedings of RIP standing committee (28/3 PM) Charles Lindsey wrote: > > The minister commended other parts of the bill which provide > > statutory defences for disclosure within one's own organisation. > > > Eh? Which parts would those be? [ Insert Neil Kinnock pre-1992 general election rant to James Naughtie about not being responsible for things that happen owing to not being in government here... :-) ] I don't know, but I definitely remember she said that the purpose of them was to allow suits presented with s.10 notices with secrecy provisions to speak to their techies in order to comply with it - so in fact, it is entirely orthogonal to the concept of whistle blowing, as the minister pointed out at the time. M. From lists@notatla.demon.co.uk Mon, 3 Apr 2000 18:23:55 +0100 Date: Mon, 3 Apr 2000 18:23:55 +0100 From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: Home Office question on wiped rather than encrypted data.
From: Ian Miller > Not necessarily; it implies that you had access to a decryption engine > that contained the key. That is not the same as having practical access to > the key itself. A suitably programmed tamper-resistant decryption-engine > could be designed to never give anyone the key under any circumstances > and to destroy it in the case of detecting anything that could be an > attempt to access it. The Bill appears to count such a thing as possession of a key. The plus side is that handing over the device may meet all your obligations under RIP as it is all you can do. The HO has not answered my question from a while ago about what happens when you get 2 notices demanding the same key. In the case of a physical device you can't part with it a second time and they have proof that you have had it in the past. This "have had" stuff really needs to become "did have at the time the notice was served". > I don't believe that there are currently any generally available systems > of this type. I fully expect there to be before the end of the year. > I must say the RIP is doing wonders for the roll-out of secure solutions, > even before it is law. I've made a step in this direction. It has weaknesses in the area of electromagnetic and power observations and more direct attempts to measure bus traffic. Extensive physical measures might strengthen it quite a lot. To see my code announcement of 03Jan2000: echo get 200001032308.xaa02490@notatla.demon.co.uk | \ mail -s coderpunks arcbot@notatla.demon.co.uk I called it "volatile shared memory", which is a bit of a rough description. It's not quite like SysV shared memory to use. To see the code: http://www.notatla.demon.co.uk/SOFTWARE/vshm_lx_2.2.12_patch.asc Bill Stewart has suggested that something related to the key, rather than the key itself be stored in vshm to be less open to electromagnetic observation. Bugfixes and announcements of code that uses this are welcome !
From bradley@compsci.bristol.ac.uk Mon, 3 Apr 2000 18:38:38 +0100 (BST) Date: Mon, 3 Apr 2000 18:38:38 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Home Office question on wiped rather than encrypted data. On Fri, 31 Mar 2000, Charles Lindsey wrote: > If 22 people die of a heroin overdose when you visit them, you are > likely to get sent down for a long stretch. It's up to the jury to > decide. Absolutely, I feel this is a point that has been missed by a few posters... although the onus is usually on the CPS to prove guilt, the level of proof required is not in the same league as a formal logical proof... it is, as I'm sure everyone knows, "beyond reasonable doubt"... ...which is of course ill-defined and completely subjective. However it does mean that you should need a huge amount of circumstantial evidence to get a conviction on that alone... juries tend to be very uncomfortable convicting without a bit of hard evidence. This of course raises a related issue. How on earth does the Home Office expect 12 random members of the public of average intelligence who may only have had - passing experience with a computer (if lucky), with the internet (if very lucky) and with cryptography (not at all)... ...to understand the details of what is being discussed on this list, let alone make an educated decision. There will be many majority verdicts, and even more retrials - the cases will not be the usual 2 weekers, they will be 6 months+ for any kind of complication and will make the Guinness Fraud trial look like a walk in the park... (my prediction anyway). ...or maybe the HO plan on making these Magistrate-only cases? > Sure, there are all sorts of things you can do to get around this bill. > But we knew that. You don't have to prove on this list that the Bill is > stupid. But for two reasons this discussion should be encouraged...
either to improve the quality of the legislation - or to enable victims of the inevitably poor legislation that will result to be able to have a fighting chance of defending themselves. --Jeremy. From bradley@compsci.bristol.ac.uk Mon, 3 Apr 2000 18:49:43 +0100 (BST) Date: Mon, 3 Apr 2000 18:49:43 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Irish view and public/private keys On Sat, 1 Apr 2000, Ben Laurie wrote: > > I suspect saying I don't have the (session) key because my program > > 'forgets' it - is as bad as saying that you had forgotten it, given that > > the program was acting as an agent on your behalf. The court might well > > say that you should have used software which escrowed the key so as not to > > forget - and since you did not you are guilty under the act. > > > > Maybe... but I hope not! > > Surely not. So do I, believe me. It is however an argument that might be used by the prosecution... it may also be a way of making voluntary key-escrow look like an attractive alternative to prosecution? > > I understand this is not practical (using asymmetric encryption > > throughout) - but as a thought experiment, it would mean that you at no > > stage possessed a private key for decrypting the message. The idea is that > > I may be immune from an S.46 if I never possess a private key (and > > therefore only conduct a one-way conversation). The other party in the > > conversation (being a foreign CSP) and therefore the party that would > > possess the relevant private key - would also be immune because they were > > not UK-based - that's the idea anyway - I don't know if it has holes in. > > But you are _always_ immune if you are the sender, because you never > have the private key in that case (which is, of course, why this stuff > is so objectionable: the wrong person gets criminalised), so there's no > need to jump through hoops to achieve this effect. 
Agreed - but it does try to exploit a major weakness of this (and any other internet-based) legislation - and that is that national law cannot apply globally. This is fundamental and should/will be exploited fully. Cheers, --Jeremy. From bradley@compsci.bristol.ac.uk Mon, 3 Apr 2000 19:17:42 +0100 (BST) Date: Mon, 3 Apr 2000 19:17:42 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Irish view and public/private keys > The prosecution have to prove > (a) That the information was "protected" (without that they can't even > get beyond S46:(1), so there can be no problem with those wiped disks). > (b) That you hold (or have held) something (i.e. a key) capable of > putting that information into "intelligible form". > > How they prove (a) is their problem, not yours. If they claim the public > key is sufficient, then give it to them. It is they who will have to > factor that 1204 bit number, not you. I would not like to be a CPS lawyer - even 'beyond reasonable doubt': a. is impossible - since random noise is indistinguishable from ciphertext (for any moderately competent encryption algorithm - and certainly all the popular ones are). b. is tricky but not hard if they have a signature on the same key from a previous message... No previous signature would be much harder - especially if there was no plaintext identifying key id on non signed messages (I don't know if PGP does this - it shouldn't have to). The existence of a PGP key in the public domain (eg on a key server) is no proof at all since anyone can generate a key-pair for anyone else. I've lost count of the number of fake Bruce Schneier public keys there are floating around! > Right, make sure you use a well-known and readily available technique - > Diffie-Hellman key exchange should do nicely in your scenario. The key > exists only transiently, and is automatically forgotten by the software > when the session ends.
All you have to argue then is that it was never > in your "possession", and S52:(2) would _seem_ to be on your side here > - just make sure that the software provides no way for the key to be > output to you during use, even if you want it to. Ok this seems arguable. > > Scenario 2: > > > > Now presume that I am maintaining a 1-way conversation with my foreign > > service provider - so not IP! I abandon all the session key nonsense > > (which was only really needed when asymmetric cryptography was considered > > too slow to encrypt anything other than a 128 bit number) - and now I > > obtain the public key and I use that to encrypt asymmetrically the > > entirety of the data stream to my foreign service provider. > > I would say you are definitely in the clear here. Oh excellent! > > Observations: > > > > 3. The first scenario works equally well with SSL servers outside of the > > UK and VPNs for multi-national companies. > > I am not familiar with the details of SSL, but you may well be right. > > > > (Bear in mind that telephone charges to the US are ~2.5p per minute and > > set to fall - which is nearly better than local call charges within the > > UK. I can see UK->Eire phone charges falling considerably in the near > > future if this legislation goes through). > > But you don't even have to spend that much. Dial in to a UK ISP at > local rate, and telnet to your colleague in Ireland. In your scenarios, > there was no need for him to have been an ISP. The Irish office of your > company will do fine. Of course...!! :-) Well so much the better. --Jeremy. From ben@algroup.co.uk Mon, 03 Apr 2000 19:36:29 +0100 Date: Mon, 03 Apr 2000 19:36:29 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Home Office question on wiped rather than encrypted data.
Ian Miller wrote: > > On Sat, 01 Apr 2000, Nicholas Bohm wrote: > > I would think receipt of many encrypted messages with no replies saying > > "Sorry I can't read this" and perhaps encrypted replies would lead to a > > convincing inference you had had a key. > > Not necessarily; it implies that you had access to a decryption engine > that contained the key. That is not the same as having practical access to > the key itself. A suitably programmed tamper-resistant decryption-engine > could be designed to never give anyone the key under any circumstances > and to destroy it in the case of detecting anything that could be an > attempt to access it. > > I don't believe that there are currently any generally available systems > of this type. I fully expect there to be before the end of the year. > I must say the RIP is doing wonders for the roll-out of secure solutions, > even before it is law. Oh yes there are - it's a standard feature on many crypto accelerators. I believe some dumbcards do it, too. Cheers, Ben. -- http://www.apache-ssl.org/ben.html From roland@linx.net Mon, 3 Apr 2000 20:53:32 +0100 Date: Mon, 3 Apr 2000 20:53:32 +0100 From: Roland Perry roland@linx.net Subject: Home Office question on wiped rather than encrypted data. In article , J.T.Bradley writes >> If 22 people die of a heroin overdose when you visit them, you are >> likely to get sent down for a long stretch. It's up to the jury to >> decide. > >Absolutely, I feel this is a point that has been missed by a few >posters... although the onus is usually on the CPS to prove guilt, the >level of proof required is not in the same league as a formal logical >proof... it is, as I'm sure everyone knows, "beyond reasonable doubt"... > >...which is of course ill-defined and completely subjective. However it >does mean that you should need a huge amount of circumstantial evidence to >get a conviction on that alone... juries tend to be very uncomfortable >convicting without a bit of hard evidence.
> >This of course raises a related issue. How on earth does the Home Office >expect 12 random members of the public of average intelligence who may >only have had - passing experience with a computer (if lucky), with the >internet (if very lucky) and with cryptography (not at all)... >...to understand the details of what is being discussed on this list, let >alone make an educated decision. Why would they understand the forensic evidence of a corpse with heroin poisoning any more? Don't they get expert witnesses along to explain the situation? What has happened in the past with (say) cash dispenser Phantom Withdrawal cases, did the court have to learn enough to make their own decision about the computer science involved? -- Roland Perry From roland@linx.net Mon, 3 Apr 2000 20:50:01 +0100 Date: Mon, 3 Apr 2000 20:50:01 +0100 From: Roland Perry roland@linx.net Subject: Irish view and public/private keys In article , J.T.Bradley writes >I would not like to be a CPS lawyer - even 'beyond reasonable >doubt': a. is impossible - since random noise is indistinguishable from >ciphertext (for any moderately competent encryption algorithm - and >certainly all the popular ones are). I know there's been a lot of discussion of how it might be proved that a lump of data is actually an encrypted message that you might want the key for, but how likely do people think it is that most of the time it will be pretty obvious because it's actually a PGP coded email with all the usual headers, or a Word document that asks you for a password before it will open? -- Roland Perry From ACR@als.co.uk Mon, 3 Apr 2000 21:41:35 +0100 Date: Mon, 3 Apr 2000 21:41:35 +0100 From: Alan Ramsbottom ACR@als.co.uk Subject: Off-topic: rfc2795 Has nothing to do with RIP[1], but I suspect some folk might enjoy it: ftp://ftp.isi.edu/in-notes/rfc2795.txt [1] But on the other hand..
-Alan- From bradley@compsci.bristol.ac.uk Mon, 3 Apr 2000 22:02:59 +0100 (BST) Date: Mon, 3 Apr 2000 22:02:59 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Irish view and public/private keys > I know there's been a lot of discussion of how it might be proved that a > lump of data is actually an encrypted message that you might want the > key for, but how likely do people think it is that most of the time it > will be pretty obvious because it's actually a PGP coded email with all > the usual headers, or a Word document that asks you for a password > before it will open? I was thinking about this on the way to lunch - obviously: ---BEGIN PGP MESSAGE--- ...is a fairly big clue to an encrypted message. So what you want for starters is a wrapper program which acts as a half-way-house stego program by removing obvious protocol indicators from the application layer. Obviously your correspondee would have to be running a similar wrapper to reinstate the various bits that had just been stripped out (and it might have to try several protocols before it found one that worked). The reason this is half-way-house stego is that you are trying to present the pure pseudo-random information of the encrypted message and nothing else - but you're not going as far as encoding that pseudo-random stream in another data set. Although if you're going to go that far, you might as well use stego software from the beginning. --Jeremy. From hopwood@zetnet.co.uk Mon, 03 Apr 2000 22:18:02 +0100 Date: Mon, 03 Apr 2000 22:18:02 +0100 From: David Hopwood hopwood@zetnet.co.uk Subject: Non-interactive forward secrecy -----BEGIN PGP SIGNED MESSAGE----- Ben Laurie wrote: > David Hopwood wrote: > > - private keys are deleted as the corresponding time periods expire > > (alternatively, there is a one-way function that can be used to go > > forwards in the list of private keys, but not backwards). 
> > This would be a bad idea, coz once an attacker had a single private key, > they would have all future ones. If the scheme only has forward secrecy, yes; if it has backward secrecy as well, not necessarily. If *all* of the user's private information is compromised, then recovery clearly isn't possible without generating a new public key. However, if only the on-line information is compromised, the attacker will only be able to decrypt messages for a short period of time. Also with or without backward secrecy, and even if all remaining private keys are compromised, the attacker won't be able to decrypt messages from previous time periods. (Note that a similar backward-security property can also be applied to long-term authentication keys for key agreement, signatures/time-stamping, and identification protocols.) The approach using a one-way function is more memory-efficient, but it only directly provides forward secrecy, not backward secrecy. One way to get backward secrecy as well, is to create another instance of the scheme where the mapping of key indexes to periods is inverted in time (i.e. applying the one-way function to a key yields the key for the previous time period), and store the private key with index 0 off-line. Then to encrypt a message for a given time period, use series encryption to ensure that two specific private keys from the normal and time-inverted key sequences are needed to decrypt. This is an existence proof that a scheme with both forward and backward secrecy is no more difficult to construct than one with only forward secrecy (in practice, it could probably be done more efficiently than this, without requiring series encryption). OTOH, I don't know of any way to create a suitable one-way function, and it seems to be quite difficult (which is why I've been concentrating on schemes that create all the private keys in advance, then delete them one by one).
There is a signature scheme called FSIG [BM99] which uses the one-way function idea, but with Fiat-Shamir-type keys, which aren't usable for encryption. I don't think there's any reason to believe it is impossible to create such a function for encryption as well, though. > The private keys need to be independent, which would suggest, on > information-theoretic grounds, that the public key would necessarily > be large. No, the private keys don't need to be independent, and will not be independent in practice. It only needs to be computationally infeasible (rather than information-theoretically impossible) to derive an unknown private key when the other private keys are known. That can be achieved if the private keys are derived using trapdoor information which is deleted after key generation. > Indeed, I can't see any practical difference between this and simply > publishing a large set of public keys with validity periods. That makes the public key information much larger. For example if a time period is 12 hours (so that no more than one day's worth of information is compromised), and each public key is 1024 uncompressible bits, then a year's worth of public keys would require about 91K per user. For the Diffie-Hellman-based schemes I'm thinking of, OTOH, the public key information would take less space than two ordinary DH public keys. [BM99] Mihir Bellare, Sara K. Miner, "A Forward-Secure Digital Signature Scheme," July 13, 1999. [An extended abstract of this paper appears in Advances in Cryptology - Crypto '99 Proceedings, LNCS Vol. 1666, M. Wiener ed., Springer-Verlag, 1999. 
The full version is at http://www-cse.ucsd.edu/users/mihir/papers/fsig.html] - -- David Hopwood PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01 From ACR@als.co.uk Mon, 3 Apr 2000 23:38:30 +0100 Date: Mon, 3 Apr 2000 23:38:30 +0100 From: Alan Ramsbottom ACR@als.co.uk Subject: "Cryptography and Liberty 2000" EPIC have just published Cryptography and Liberty 2000, An International Survey of Encryption Policy : http://www2.epic.org/reports/crypto2000/ From ben@algroup.co.uk Mon, 03 Apr 2000 23:55:23 +0100 Date: Mon, 03 Apr 2000 23:55:23 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Non-interactive forward secrecy David Hopwood wrote: > OTOH, I don't know of any way to create a suitable one-way function, > and it seems to be quite difficult (which is why I've been concentrating > on schemes that create all the private keys in advance, then delete them > one by one). There is a signature scheme called FSIG [BM99] which uses > the one-way function idea, but with Fiat-Shamir-type keys, which aren't > usable for encryption. I don't think there's any reason to believe it is > impossible to create such a function for encryption as well, though.
Assuming you are using something that requires a prime (or two) to create the key, then it seems to me you can get a suitable one-way function by one-way-hashing your previous private key and using that to seed the PRNG for a prime generator, which you use to generate your next prime(s). Cheers, Ben. -- http://www.apache-ssl.org/ben.html From dave@xemu.demon.co.uk Tue, 4 Apr 2000 01:32:33 +0100 Date: Tue, 4 Apr 2000 01:32:33 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Home Office question on wiped rather than encrypted data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , J.T.Bradley writes: >On Fri, 31 Mar 2000, Charles Lindsey wrote: >> >> If 22 people die of a heroin overdose when you visit them, you are >> likely to get sent down for a long stretch. It's up to the jury to >> decide. > >Absolutely, I feel this is a point that has been missed by a few >posters... although the onus is usually on the CPS to prove guilt, the >level of proof required is not in the same league as a formal logical >proof... it is, as I'm sure everyone knows, "beyond reasonable doubt"... > >...which is of course ill-defined and completely subjective. However it >does mean that you should need a huge amount of circumstantial evidence to >get a conviction on that alone... juries tend to be very uncomfortable >convicting without a bit of hard evidence. Nevertheless there are some ways in which determined law enforcement could be pretty clear you had certain keys, basically boiling down to activity repeatedly demonstrated on your part in relation to the data concerned (replying to mail in that key or giving bits of the database) This could be backed up by breaking in and planting a vid bug as well as phonetap; and/or bugging the computer itself in some way to get the keystrokes. And there are matters of carelessness. For example, a bit of mail header for A to B left in a supposedly "deeply secret and anonymous" sending. It has happened before now to the best of us. 
> >This of course raises a related issue. How on earth does the Home Office >expect 12 random members of the public of average intelligence who may >only have had - passing experience with a computer (if lucky), with the >internet (if very lucky) and with cryptography (not at all)... >...to understand the details of what is being discussed on this list, let >alone make an educated decision. They decide many other complex issues. Even listening to forensics in a murder trial is not simple as ABC. > >There will be many majority verdicts, and even more retrials - the cases >will not be the usual 2 weekers, they will be 6 months+ for any kind of >complication and will make the Guinness Fraud trial look like a walk in >the park... (my prediction anyway). > >...or maybe the HO plan on making these Magistrate-only cases? Possibly > >> Sure, there are all sorts of things you can do to get around this bill. >> But we knew that. You don't have to prove on this list that the Bill is >> stupid. > >But for two reasons this discussion should be encouraged... either to >improve the quality of the legislation - or to enable victims of the >inevitably poor legislation that will result to be able to have a fighting >chance of defending themselves. Agreed. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses happy as a clam at high tide -. <_" .-._.-.
From hopwood@zetnet.co.uk Tue, 04 Apr 2000 02:12:07 +0100 Date: Tue, 04 Apr 2000 02:12:07 +0100 From: David Hopwood hopwood@zetnet.co.uk Subject: Non-interactive forward secrecy -----BEGIN PGP SIGNED MESSAGE----- Ben Laurie wrote: > David Hopwood wrote: > > OTOH, I don't know of any way to create a suitable one-way function, > > and it seems to be quite difficult (which is why I've been concentrating > > on schemes that create all the private keys in advance, then delete them > > one by one). There is a signature scheme called FSIG [BM99] which uses > > the one-way function idea, but with Fiat-Shamir-type keys, which aren't > > usable for encryption. I don't think there's any reason to believe it is > > impossible to create such a function for encryption as well, though. > > Assuming you are using something that requires a prime (or two) to > create the key, then it seems to me you can get a suitable one-way > function by one-way-hashing your previous private key and using that to > seed the PRNG for a prime generator, which you use to generate your next > prime(s). A private key generated in that way would not have the required relation to the public key. The one-way function needs to preserve the relation that enables decryption to work, without requiring extra public information for each time period. See the thread about this that was on sci.crypt in January, entitled "Foward secrecy for public key encryption" (in particular Message-ID <38802625.15287058@zetnet.co.uk>).
-- David Hopwood PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01 From I.G.Batten@ftel.co.uk Tue, 4 Apr 2000 09:39:23 +0100 (BST) Date: Tue, 4 Apr 2000 09:39:23 +0100 (BST) From: Ian G Batten I.G.Batten@ftel.co.uk Subject: Irish view and public/private keys > The existence of a PGP key in the public domain (eg on a key server) is no > proof at all since anyone can generate a key-pair for anyone else. I've Of course, that defence (``that key may have my name on it, but it's not mine'') is such a handy one that it will act as a deterrent to having keys bound to individuals in any stronger way.
ian From cb@fipr.org Tue, 4 Apr 2000 09:45:44 +0100 Date: Tue, 4 Apr 2000 09:45:44 +0100 From: Caspar Bowden cb@fipr.org Subject: RIP Bill decryption powers debated TODAY in Parliament (Ctee Rm. 12) Just a reminder to ukcrypto that the RIP Bill Pt.III is being scrutinized TODAY (and possibly today only if they sit late) in the House of Commons, Standing Committee F, Room 12 10:30-1pm and 4:30pm-late No need for accreditation, anyone can show up as Joe Public http://www.fipr.org/rip/parliament.html -- Caspar Bowden http://www.fipr.org Director, Foundation for Information Policy Research Tel: +44(0)171 354 2333 Fax: +44(0)171 827 6534
From ad058@dial.pipex.com Tue, 4 Apr 2000 10:34:52 +0100 Date: Tue, 4 Apr 2000 10:34:52 +0100 From: Louis Khan ad058@dial.pipex.com Subject: Stolen Enigma a very unique april fools joke i never open mail on that date! regards dr louis khan
From owen@owens-place.org.uk Tue, 04 Apr 2000 14:16:42 +0100 Date: Tue, 04 Apr 2000 14:16:42 +0100 From: Owen Blacker owen@owens-place.org.uk Subject: "Cryptography and Liberty 2000" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quoting Alan Ramsbottom : > EPIC have just published Cryptography and Liberty 2000, An > International > Survey of Encryption Policy : > > http://www2.epic.org/reports/crypto2000/ United Kingdom 2000 YELLOW 1999 YELLOW/GREEN 1998 GREEN/YELLOW [deletia] In February 2000, the ``Regulation of Investigatory Powers'' Bill was introduced before Parliament. The bill gives the police or the security services the power to force individuals to hand over encryption keys or the plain text. If a person refuses or has lost the keys (or never had it to start with), they can be imprisoned for contempt. The burden is on the person to prove that they have lost the key or never held it. The bill also sets new rules on wiretapping and other investigatory techniques. Legal experts say that the bill may be incompatible with the Human Rights Act 1998 which implements the European Convention of Human Rights into UK law and have threatened to challenge the law in the domestic and European Courts if it is enacted.
The Home Office has begun creating a ``Government Technical Assistance Centre (GTAC).'' According to the office, it ``will provide law enforcement with the ability to derive intelligible voice, text or data from lawfully acquired material.'' [deletia, followed by *lots* of links, including to FIPR and Stand :o) ] O x - ----- Owen Blacker Senior Internet Developer and Internet Security Consultant DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.0.2 iQA/AwUBOOnrw8024CF+PI6rEQJIzQCfSbZqOab84/fqu/ggOVjurbtLXwUAoKrL H5DYsiWHVfBmRLS2/lZn34ix =aaDO -----END PGP SIGNATURE----- This message was sent by Easymail - http://www.easynet.co.uk/ From owenfb@easynet.co.uk Tue, 04 Apr 2000 14:28:09 +0100 Date: Tue, 04 Apr 2000 14:28:09 +0100 From: Owen Blacker owenfb@easynet.co.uk Subject: Fwd: Re: "Cryptography and Liberty 2000" ----- Forwarded message from Owen Blacker ----- Date: Tue, 04 Apr 2000 14:16:42 +0100 From: Owen Blacker Reply-To: Owen Blacker Subject: Re: "Cryptography and Liberty 2000" To: ukcrypto@maillist.ox.ac.uk Bugger! That address doesn't have posting rights! :o) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quoting Alan Ramsbottom : > EPIC have just published Cryptography and Liberty 2000, An > International > Survey of Encryption Policy : > > http://www2.epic.org/reports/crypto2000/ United Kingdom 2000 YELLOW 1999 YELLOW/GREEN 1998 GREEN/YELLOW [deletia] In February 2000, the ``Regulation of Investigatory Powers'' Bill was introduced before Parliament. The bill gives the police or the security services the power to force individuals to hand over encryption keys or the plain text. If a person refuses or has lost the keys (or never had it to start with), they can be imprisoned for contempt. The burden is on the person to prove that they have lost the key or never held it. 
The bill also sets new rules on wiretapping and other investigatory techniques. Legal experts say that the bill may be incompatible with the Human Rights Act 1998 which implements the European Convention of Human Rights into UK law and have threatened to challenge the law in the domestic and European Courts if it is enacted. The Home Office has begun creating a ``Government Technical Assistance Centre (GTAC).'' According to the office, it ``will provide law enforcement with the ability to derive intelligible voice, text or data from lawfully acquired material.'' [deletia, followed by *lots* of links, including to FIPR and Stand :o) ] O x - ----- Owen Blacker Senior Internet Developer and Internet Security Consultant DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.0.2 iQA/AwUBOOnrw8024CF+PI6rEQJIzQCfSbZqOab84/fqu/ggOVjurbtLXwUAoKrL H5DYsiWHVfBmRLS2/lZn34ix ªDO -----END PGP SIGNATURE----- ----- End forwarded message ----- This message was sent by Easymail - http://www.easynet.co.uk/ From david@swarb.freeuk.com Tue, 4 Apr 2000 18:14:28 +0100 Date: Tue, 4 Apr 2000 18:14:28 +0100 From: David Swarbrick david@swarb.freeuk.com Subject: Response from E-Envoy to RIP In message <200004010532_MC2-9F7E-6F9F@compuserve.com>, Freddie Dawkins wrote: >This key would be embedded in every user's device/transport? (not sure >about how this could work) in that country. So govts would only hold their >own National Anchor Key. No-one else's. It would be a case of: > >1. Do you trust your govt? No. It would be unnatural and improper to do so. > >2. How secure is any national key? It couldn't be. -- David Swarbrick, Solicitor 01484 722531 - david@swarb.freeuk.com http://www.swarb.co.uk law-index of 10,800+ uk case summaries & uk.legalFQA The Law Society regulates our investment business. IP/IT Law and Contracts. 
From Ross.Anderson@cl.cam.ac.uk Tue, 04 Apr 2000 19:28:44 +0100 Date: Tue, 04 Apr 2000 19:28:44 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Non-interactive forward secrecy > There is a signature scheme called FSIG [BM99] This is a development of an idea I put forward at the ACM conference in Zuerich in 1997 (?). There are public key and signature schemes called identity-based, in which your identity is your public key and your private key is computed for you by a TTP which knows some global secret. You can convert any identity-based scheme into a forward secure scheme by assuming the role of the TTP yourself, and letting your `identity' in the case of each key be the date. The obvious variant of Fiat-Shamir will provide forward secure signatures. For forward-secure public key encryption, you would want to use an identity-based key distribution system as the underlying substrate. Such things exist (the Maurer-Yacobi scheme, in DCC Nov 96 pp 305-316) but the deterrent to their use in the past has been the heavy computational load of key generation. Maybe now we have fairly fast computers, someone who knows his computational number theory should take another look Ross From phr@doc.ic.ac.uk Tue, 04 Apr 2000 20:16:40 +0100 Date: Tue, 04 Apr 2000 20:16:40 +0100 From: Philip Rowlands phr@doc.ic.ac.uk Subject: Home Office question on wiped rather than encrypted data. Dave Bird wrote: [snip] > Nevertheless there are some ways in which determined law enforcement > could be pretty clear you had certain keys, basically boiling down to > activity repeatedly demonstrated on your part in relation to the data > concerned (replying to mail in that key or giving bits of the database) I remember reading a description of a police operation which had been copied from an Al Pacino film. The police sent letters to suspected criminals informing them that they had won some fantastic prize, and all they need do was to show up at a certain time and place to collect it. 
When they went to collect, they were arrested. If I wanted to prove you were using a particular public/private key pair, I might send you such a letter. Phil

From phr@doc.ic.ac.uk Tue, 04 Apr 2000 20:57:26 +0100 Date: Tue, 04 Apr 2000 20:57:26 +0100 From: Philip Rowlands phr@doc.ic.ac.uk Subject: Guide to RIP offence avoidance

> Caspar Bowden wrote:
>
> Just a reminder to ukcrypto that the RIP Bill Pt.III is being
> scrutinized TODAY (and possibly today only if they sit late) in the
> House of Commons, Standing Committee F, Room 12

It'll all appear tomorrow in the official report, but I can report (since I attended) that the Section 49 offence was approved without amendment. Charles Clarke did not (to my satisfaction) address the points about burden of proof, except to deny them. Instead, he attempted to explain how a person might avoid conviction by explaining to a court the last time a key had been used, and what you usually did when you forgot a password.

As this part of the Bill now has a good chance of becoming law, I offer a guide to RIP offence avoidance:

1. Have you been served with a S46 notice?
   YES: Proceed to 2.
   NO: To minimise chances of receiving a notice, stop using encryption.

2. Are you able and willing to comply with the notice?
   YES: Comply with the notice.
   NO, not able: Proceed to 3.
   NO, able but not willing: Proceed to 5.

3. Did you ever have the key/password being sought?
   YES: Proceed to 4.
   NO: You are safe from the S49 offence; S49(1)-b cannot be proved.

4. Are you willing to withhold information from the police?
   YES: State that you cannot comply with the notice, as you do not have the key. Caveat: If the prosecution can prove you did have the key, you may now fall foul of "It may harm your defence if you do not mention when questioned facts which you later rely on in court".
   NO: Confess that you cannot comply, because you have lost/forgotten the password. Pray that the court believes you.
To avoid conviction you also have to tell the police "all such information as was required ... to enable possession of the key to be obtained." 5. Are you willing to lie to the police? YES: Claim that you never had the key. Prosecution will have to prove S49(1)-b. If possible, destroy all physical evidence of the key ASAP, preferably before the police seize it. NO: You have committed a S49 offence. Go to jail. Phil From bradley@compsci.bristol.ac.uk Tue, 4 Apr 2000 21:22:51 +0100 (BST) Date: Tue, 4 Apr 2000 21:22:51 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Home Office question on wiped rather than encrypted data. > I remember reading a description of a police operation which had been > copied from an Al Pacino film. "Sea of Love". > The police sent letters to suspected > criminals informing them that they had won some fantastic prize, and all > they need do was to show up at a certain time and place to collect it. I get two of those every day :-) > If I wanted to prove you were using a particular public/private key > pair, I might send you such a letter. They would have had to have recorded at least one previous signed and not encrypted message originating from a particular address and line... then they could run your public key over it to check it... However when the FBI tried to do this to a member of the cypherpunks mailing list (who was "threatening federal officials in his postings") - mysteriously the private key was published on the mailing list. Then it could be claimed that anyone could have impersonated him. Although there's still the link to the phone line/IP/MAC address to explain... possibly. --Jeremy. From bradley@compsci.bristol.ac.uk Tue, 4 Apr 2000 22:53:39 +0100 (BST) Date: Tue, 4 Apr 2000 22:53:39 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Guide to RIP offence avoidance > Charles Clarke did not (to my satisfaction) address the points about > burden of proof, except to deny them. 
Instead, he attempted to explain > how a person might avoid conviction by explaining to a court the last > time a key had been used, and what you usually did when you forgot a > password. Well he's consistent - if completely closed-minded. > As this part of the Bill now has a good chance of becoming law, I offer > a guide to RIP offence avoidance: > > 1. Have you been served with a S46 notice? > YES: Proceed to 2. > NO: To minimise chances of receiving a notice, stop using encryption. or, NO: start sending out/receiving dummy encrypted messages (random noise) - as many as you can - as part of your company security policy. Then you can claim plausible deniability when presented with an S.46 - that whatever message may have been intercepted was not in fact encrypted. I believe they have to prove that it was encrypted before the act can apply. (The reason for having it as a security policy could be: if apparently very high entropy traffic is the norm, then it obscures the existance of the pseudo-random traffic generated by an encryption algorithm - without the need for explicit steganography) > 3. Did you ever have the key/password being sought? > YES: Proceed to 4. > NO: You are safe from the S49 offence; S49(1)-b cannot be proved. The definition of "have" in the first line will be very important. I suspect that there will be arguments about whether "having a key" - it is sufficient for an agent acting on your behalf (computer or human) to have had a key or passphrase. > 4. Are you willing to withhold information from the police? > YES: State that you cannot comply with the notice, as you do not have > the key. Caveat: If the prosecution can prove you did have the key, you > may now fall foul of "It may harm your defence if you do not mention > when questions facts which you later rely on in court". > NO: Confess that you cannot comply, because you have lost/forgotten the > password. Pray that the court believes you. 
To avoid conviction you also > have to tell the police "all such information as was required ... to > enable possession of the key to be obtained." AFAICS as long as you are careful about releasing signatures with the same key - ie don't - use a separate key for signing - this should be very hard for the prosecution if not impossible. All none-signed information can be duped or repudiated - and then the issue comes down to the point-of-interception. --Jeremy. From dave@xemu.demon.co.uk Wed, 5 Apr 2000 01:38:14 +0100 Date: Wed, 5 Apr 2000 01:38:14 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Home Office question on wiped rather than encrypted data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <38EA3F98.F1889866@doc.ic.ac.uk>, Philip Rowlands writes >Dave Bird wrote: >[snip] >> Nevertheless there are some ways in which determined law enforcement >> could be pretty clear you had certain keys, basically boiling down to >> activity repeatedly demonstrated on your part in relation to the data >> concerned (replying to mail in that key or giving bits of the database) >I remember reading a description of a police operation which had been >copied from an Al Pacino film. The police sent letters to suspected >criminals informing them that they had won some fantastic prize, and all >they need do was to show up at a certain time and place to collect it. >When they went to collect, they were arrested. > >If I wanted to prove you were using a particular public/private key >pair, I might send you such a letter. Well, you would certainly prove that I read that private key :-> but maybe I was so over-come with joy at my wind-fall that I felt no further need for secrecy and immediately broke that key...... Actually that is probably how I would react to an offer that seemed to good to be true sent under my old key: reply saying I had immediately revoked that decrypt subkey and broken the private key, but here was my new decrypt public key enclosed. 
In article , J.T.Bradley writes >However when the FBI tried to do this to a member of the cypherpunks >mailing list (who was "threatening federal officials in his postings") - >mysteriously the private key was published on the mailing list. Or do that and say THEREFORE I had repudiated my old key :-> :-> - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOOqK9n8v/Y5zkfRPEQINHQCg0vMvi16+gvoLnwqGxxCPHBkFdV4AoIEX 91YP8CipRxSMSpDfcTsZh2fI =Tx2W -----END PGP SIGNATURE----- From donald@ramsbottom.co.uk Wed, 05 Apr 2000 06:55:21 +0100 Date: Wed, 05 Apr 2000 06:55:21 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: JUNGER Junger judgement out. It can be found at URL below. Case to be remitted back to District Court for frther consideration of BXA regs http://cryptome.org/junger-ca-win.htm Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From ACR@als.co.uk Wed, 5 Apr 2000 08:35:46 +0100 Date: Wed, 5 Apr 2000 08:35:46 +0100 From: Alan Ramsbottom ACR@als.co.uk Subject: Home Office question on wiped rather than encrypted data. > From: J.T.Bradley [mailto:bradley@compsci.bristol.ac.uk] > However when the FBI tried to do this to a member of the cypherpunks > mailing list (who was "threatening federal officials in his > postings") - mysteriously the private key was published on the > mailing list. Then it could be claimed that anyone could have > impersonated him. Hmmm.. didn't that (plus other fun & games) get several cypherpunks subpoenaed by a Grand Jury looking into obstruction? -Alan- From Ross.Anderson@cl.cam.ac.uk Wed, 05 Apr 2000 09:08:14 +0100 Date: Wed, 05 Apr 2000 09:08:14 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Target selection I was on a panel yesterday at the protocols workshop, discussing GAK in general and RIP in particular. 
The conclusion to which I think we came is that the control of traffic selection is a central issue. Corporates have no problem handing over session keys for particular messages provided there's an opportunity to understand and object (`hang on, Mr Plod, you can't have the keys for our comms with Lazard as we're working on a takeover with them!'). In other words, they want to be in the targeting loop. The police seem to want discretion over whether they get you to do the targeting (`please filter out from this high speed link all the communications to or from Ross Anderson') or do it themselves (`give us your long term key as we want to snoop on one of your managers and aren't prepared to tell you which one'). Clearly the former is convenient in the average case, and the latter seems to be necessary if you're going to tap BMW's communications with its lawyers. It won't work, of course, and an insight into why it won't work came from a London manager of a US bank who manages security for all Europe, including Switzerland. He's in an impossible position once the bill is passed. If he fails to hand over a key, he commits a criminal offence under UK law. If he does hand it over, he commits a criminal offence under Swiss law. So the corporate key recovery function will move to Zuerich, and the guys there will be forbidden to recover keys at the request of London managers. This chap said his employer didn't want any publicity but had made representations to the UK government. Just thought list members might be interested, Ross From Q.G.Campbell@newcastle.ac.uk Wed, 5 Apr 2000 09:49:09 +0100 (GMT) Date: Wed, 5 Apr 2000 09:49:09 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Target selection On Wed, 5 Apr 2000, Ross Anderson wrote: [snip] > It won't work, of course, and an insight into why it won't work came > from a London manager of a US bank who manages security for all > Europe, including Switzerland. 
He's in an impossible position once the > bill is passed. If he fails to hand over a key, he commits a criminal > offence under UK law. If he does hand it over, he commits a criminal > offence under Swiss law. So the corporate key recovery function will > move to Zuerich, and the guys there will be forbidden to recover keys > at the request of London managers. This chap said his employer didn't > want any publicity but had made representations to the UK government. Ross How would the organisation react if, in response to this, the Government did a volte-face and required mandatory key escrow of all companies operating in the UK? Mandatory key escrow would be a farce if companies simply moved their key recovery function off shore and acted in the way this organisation is prepared to do. There is a cost though, since its UK operation would no longer be able to recover keys. Would this be so serious that it is forced to close down it UK business? It seems a bloody mess. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From Q.G.Campbell@newcastle.ac.uk Wed, 5 Apr 2000 10:16:20 +0100 (GMT) Date: Wed, 5 Apr 2000 10:16:20 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Target selection On Wed, 5 Apr 2000, Ross Anderson wrote: [snip] > It won't work, of course, and an insight into why it won't work came > from a London manager of a US bank who manages security for all > Europe, including Switzerland. He's in an impossible position once the > bill is passed. If he fails to hand over a key, he commits a criminal > offence under UK law. If he does hand it over, he commits a criminal > offence under Swiss law. 
So the corporate key recovery function will > move to Zuerich, and the guys there will be forbidden to recover keys > at the request of London managers. This chap said his employer didn't > want any publicity but had made representations to the UK government. [snip] On the face of it this would appear to be a major problem for LEAs. If the provisons of the RIP Bill are worth anything to crime prevention then it must be against high-value, predominantly off-shore, crime such as money laundering. There is a paradox here: If all banks take this sort of action it would appear that the RIP Bill may actually have the effect of reducing or stopping the ability of LEAs to lawfully monitor comms traffic to/from banks if they want to use the information so obatined in court. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From bdm@fenrir.demon.co.uk Wed, 05 Apr 2000 10:02:33 +0100 Date: Wed, 05 Apr 2000 10:02:33 +0100 From: Brian Morrison bdm@fenrir.demon.co.uk Subject: Target selection On Wed, 5 Apr 2000 09:49:09 +0100 (GMT), Quentin Campbell wrote: >It seems a bloody mess. And on that, you're not wrong. -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From roland@linx.net Wed, 5 Apr 2000 10:48:16 +0100 Date: Wed, 5 Apr 2000 10:48:16 +0100 From: Roland Perry roland@linx.net Subject: Target selection In article , Quentin Campbell writes >There is a cost though, since its UK operation would no longer be able to >recover keys. Would this be so serious that it is forced to close down it >UK business? How often do companies need to recover keys? 
What kinds of information might otherwise be lost that is not either held elsewhere, or on a recoverable backup? -- Roland Perry From roland@linx.net Wed, 5 Apr 2000 10:51:50 +0100 Date: Wed, 5 Apr 2000 10:51:50 +0100 From: Roland Perry roland@linx.net Subject: Target selection In article , Quentin Campbell writes >If all banks take this sort of action it would >appear that the RIP Bill may actually have the effect of reducing or >stopping the ability of LEAs to lawfully monitor comms traffic to/from >banks if they want to use the information so obatined in court. They can't use intercepted material in court already; nothing changes here. In what circumstances would it make more sense to collect the traffic in motion, decode it and not use it in evidence; rather than use existing procedures to ask the bank for the plaintext of stored information, which they could then use as evidence. -- Roland Perry From ben@algroup.co.uk Wed, 05 Apr 2000 11:25:11 +0100 Date: Wed, 05 Apr 2000 11:25:11 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Home Office question on wiped rather than encrypted data. Alan Ramsbottom wrote: > > > From: J.T.Bradley [mailto:bradley@compsci.bristol.ac.uk] > > > However when the FBI tried to do this to a member of the cypherpunks > > mailing list (who was "threatening federal officials in his > > postings") - mysteriously the private key was published on the > > mailing list. Then it could be claimed that anyone could have > > impersonated him. > > Hmmm.. didn't that (plus other fun & games) get several cypherpunks > subpoenaed by a Grand Jury looking into obstruction? Actually, wasn't it a forged key? Cheers, Ben. 
-- http://www.apache-ssl.org/ben.html From oml@eloka.demon.co.uk Mon, 3 Apr 2000 11:29:20 +0100 Date: Mon, 3 Apr 2000 11:29:20 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Target selection ----- Original Message ----- From: "Ross Anderson" To: Sent: 05 April 2000 09:08 Subject: Target selection > > It won't work, of course, and an insight into why it won't work came > from a London manager of a US bank who manages security for all > Europe, including Switzerland. He's in an impossible position once the > bill is passed. If he fails to hand over a key, he commits a criminal > offence under UK law. If he does hand it over, he commits a criminal > offence under Swiss law. So the corporate key recovery function will > move to Zuerich, and the guys there will be forbidden to recover keys > at the request of London managers. This chap said his employer didn't > want any publicity but had made representations to the UK government. Way to go :-) Switzerland voted to remain outside of the EU by a narrow margin some years back. It also has (for a Western country in this day and age) remarkably relaxed legislation in regard to the possession, use, import and export of cryptography. This far-seeing stance is likely to profit the Swiss exchequer greatly over the next few years. It would be nice to think that, over time, both the prosperity of the Swiss and the fact that their society can permit unqualified secrecy without collapsing into anarchy, would persuade at least the EU to adopt similar laissez faire policies. However, I really would not wish to back a horse at those odds. For similar reasons to the Swiss, the Channel Islands also voted to remain outside the EU and have profited by a manyfold increase in their banking business as a result. I do not know (but doubt) whether it is similarly placed to opt for nil controls on cryptography. For Switzerland at least then, so far so good. 
It remains to be seen whether the US and EU will tolerate in the long term the existence of such a haven of cryptofreedom in the heart of the developed world. My guess is 'no'. In recent years severe pressure has been brought to bear on the Swiss to moderate the absolute secrecy heretofore afforded by Swiss banks under Swiss law and the Swiss have partly yielded to that pressure (as they must). With that example already before them, expect to see the US and EU similarly pressure the Swiss in respect of the control of cryptography at some future point. Owen Lewis From oml@eloka.demon.co.uk Mon, 3 Apr 2000 11:45:47 +0100 Date: Mon, 3 Apr 2000 11:45:47 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Target selection ----- Original Message ----- From: "Quentin Campbell" To: Sent: 05 April 2000 09:49 Subject: Re: Target selection > How would the organisation react if, in response to this, the Government > did a volte-face and required mandatory key escrow of all companies > operating in the UK? > > Mandatory key escrow would be a farce if companies simply moved their key > recovery function off shore and acted in the way this organisation is > prepared to do. > > There is a cost though, since its UK operation would no longer be able to > recover keys. Would this be so serious that it is forced to close down it > UK business? The operations of an oversea company in the UK are entirely subject to UK law. If such a company organises its crypto management for the UK operation in a way that no UK based personnel have access to or knowledge of the crypto keys, then it would seem that would fall outside the proposed legislation. It is of course open to the UK to change its law so that such evasion is prohibited. For those affected by such a prohibition, it is then open to them to decide whether or not to continue operating in the UK under those conditions.
Were the target of such legislation to be the US, it is virtually unthinkable that any such legislation would be introduced for the UK needs the business more than the US has need to do it here. However in the case of Switzerland..... In the case of Guernsey, as intimated elsewhere I do believe that any such exercise in independence would be aborted even before it came into being.

> It seems a bloody mess.

Not really. We move toward a world in which true freedom is not tolerated and all actions private and commercial are done under licence. The movement to this is ragged and uneven but it is continuous. This is not the oppression of the people by some tyrant. It is the people who are determined to oppress themselves.

Owen Lewis

From bdm@fenrir.demon.co.uk Wed, 05 Apr 2000 13:03:43 +0100
Date: Wed, 05 Apr 2000 13:03:43 +0100
From: Brian Morrison bdm@fenrir.demon.co.uk
Subject: Target selection

On Mon, 3 Apr 2000 11:29:20 +0100, Owen Lewis wrote:

>It would be nice to think that, over time, both the prosperity of the Swiss
>and the fact that their society can permit unqualified secrecy without
>collapsing into anarchy, would persuade at least the EU to adopt similar
>laissez faire policies. However, I really would not wish to back a horse at
>those odds.

Remember that this is the same society that allows its citizens to keep sub-machine guns in their homes without suffering from a rash of bloody massacres.

--
Brian Morrison bdm@fenrir.demon.co.uk
do you know how far this has gone? just how damaged have I become?
'Even Deeper' by Nine Inch Nails

From brian.gladman@btinternet.com Wed, 5 Apr 2000 17:51:17 +0100
Date: Wed, 5 Apr 2000 17:51:17 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: RIP: Signature Keys Used for Confidentiality

I have just had a private exchange with Nicholas Bohm on the use of the public keys of signature key-pairs for encryption purposes.

The RIP Bill states that a key will not be subject to seizure if (a) it is intended only for making signatures, and (b) it has not been used for any other purpose.

If the word 'key' here refers only to the private key of a key-pair then sending someone an encrypted message using their public signature verification key does not undermine their private signature key provided that they have never used the latter for decrypting any encrypted messages that they have been sent. If, however, the word 'key' refers to the key-pair and not just the private key, then sending someone an encrypted message using their public signature verification key does undermine their private signature key.

In principle it may hence be possible to interpret the Bill in a way that does not allow the malicious undermining of signature keys. But is this the intent and is this sufficient to maintain trust in the cryptographic signatures of UK citizens? I suspect the answer is 'no' but it is worth considering since a point of some importance rests on a very precise understanding of the scope of the word 'key'.

If private signature keys are immune from seizure provided they have never been used for decryption, this raises the issue of how the immunity is actually obtained when the authorities turn up with a notice to seize a signature key. When I say 'I am not giving you this key because (a) it is a signature key, and (b) I have not used it for any other purpose, what happens next? Can I assume that the authorities would have to prove (to what level?) that I had used it for decryption in order to obtain a conviction for withholding it?

If all of this is correct it is also obvious what criminals should do to communicate critical messages - they should all have both secrecy and signature keys and send critical (but infrequent) messages using their signature keys, making sure to remove all evidence of decryption using them.

Brian

From liaquat.khan@gta.multicert.org Wed, 5 Apr 2000 18:27:00 +0100
Date: Wed, 5 Apr 2000 18:27:00 +0100
From: Liaquat Khan liaquat.khan@gta.multicert.org
Subject: Signature Keys Used for Confidentiality

Interesting...

One would assume that the authorities may 'prove' the misuse of a signature key pair, by showing some ciphertext which has been encrypted by the 'public verification key'. This assumes that the ciphertext contains a link to the public verification key.

The problem with this is that a malicious third party could force you to release your private signature key by simply sending you an encrypted message using your public verification key.

Does this make sense?

Regards,
Liaquat

----- Original Message -----
From: Brian Gladman
To: ukcrypto
Sent: Wednesday, April 05, 2000 5:51 PM
Subject: RIP: Signature Keys Used for Confidentiality

[cut]

If private signature keys are immune from seizure provided they have never been used for decryption, this raises the issue of how the immunity is actually obtained when the authorities turn up with a notice to seize a signature key. When I say 'I am not giving you this key because (a) it is a signature key, and (b) I have not used it for any other purpose, what happens next? Can I assume that the authorities would have to prove (to what level?) that I had used it for decryption in order to obtain a conviction for withholding it?

If all of this is correct it is also obvious what criminals should do to communicate critical messages - they should all have both secrecy and signature keys and send critical (but infrequent) messages using their signature keys, making sure to remove all evidence of decryption using them.

Brian
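
What the "link to the public verification key" assumed in the message above looks like in an OpenPGP message, as an added example that is not part of the original posts: each Public-Key Encrypted Session Key packet carries an 8-octet key ID, a plain field written by the sender that may also be all zeros. The RFC 4880 version 3 packet layout is assumed, and the sample bytes and key ID are constructed.

```python
"""Read the recipient key IDs from the front of a binary OpenPGP message."""
import struct
from dataclasses import dataclass

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, 5.1)

# Public-key algorithm IDs (RFC 4880, 9.1) and whether each can encrypt.
ALGORITHMS = {
    1: ("RSA (encrypt or sign)", True),
    2: ("RSA encrypt-only", True),
    3: ("RSA sign-only", False),
    16: ("Elgamal (encrypt-only)", True),
    17: ("DSA", False),
}


@dataclass
class Pkesk:
    version: int
    key_id: str      # the 8-octet key ID as upper-case hex
    algorithm: int
    wildcard: bool   # True when the key ID field is all zeros


def read_header(data, pos):
    """Return (tag, body_start, body_length) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"offset {pos}: not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if length_type == 3:
        raise ValueError("indeterminate lengths are not handled here")
    size = 1 << length_type                            # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")


def recipients(message):
    """List the PKESK packets that precede the encrypted data."""
    found, pos = [], 0
    while pos < len(message):
        try:
            tag, start, length = read_header(message, pos)
        except (IndexError, struct.error):
            raise ValueError("truncated packet header") from None
        if tag != PKESK_TAG:
            break                                      # encrypted data follows
        body = message[start:start + length]
        if len(body) != length or length < 10:
            raise ValueError("truncated PKESK packet")
        version, key_id, algorithm = body[0], body[1:9], body[9]
        if version != 3:
            raise ValueError(f"unsupported PKESK version {version}")
        found.append(Pkesk(version, key_id.hex().upper(), algorithm,
                           key_id == bytes(8)))
        pos = start + length
    return found


def assess(p, key_id):
    """Say what one PKESK header shows about the key with the given key ID."""
    if p.wildcard:
        return "wildcard key ID: no key is named"
    if p.key_id != key_id.upper():
        return "names a different key"
    name, can_encrypt = ALGORITHMS.get(p.algorithm, (f"algorithm {p.algorithm}", None))
    if can_encrypt is False:
        return f"names the key, but {name} cannot encrypt: header is inconsistent"
    return f"names the key ({name}); the field is an unauthenticated label"


# Constructed sample, not a real message: two PKESK packets, then an empty
# stand-in for the encrypted data packet (tag 9). The MPI octets are filler.
SAMPLE = bytes.fromhex(
    "840e" "03" "0123456789abcdef" "01" "0010abcd"              # old format, RSA
    "c112" "03" "0000000000000000" "10" "0010abcd" "0010abcd"   # new format, Elgamal
    "a400"
)

if __name__ == "__main__":
    for p in recipients(SAMPLE):
        print(p.key_id, "->", assess(p, "0123456789ABCDEF"))
```

Nothing in the packet header ties the key ID to the key that actually produced the session-key ciphertext, so a match here is a statement by whoever built the packet rather than evidence that the named private key was ever used to decrypt.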

From Ian_Miller@home.scientia.com Wed, 5 Apr 2000 17:19:06 +0000
Date: Wed, 5 Apr 2000 17:19:06 +0000
From: Ian Miller Ian_Miller@home.scientia.com
Subject: RIP: Signature Keys Used for Confidentiality

On Wed, 05 Apr 2000, Brian Gladman wrote:
> If the word 'key' here refers only to the private key of a key-pair
> then sending someone an encrypted message using their public signature
> verification key does not undermine their private signature key provided
> that they have never used the latter for decrypting any encrypted messages
> that they have been sent.

It does not directly undermine it. However there is a potential 'second notice' problem. If a private signature key has been used for encryption, with or without the connivance of the key owner, there will exist a session key that is unambiguously an encryption key and is therefore subject to seizure. Accordingly I cannot see how, if provided with the encrypted session key and modified decryption software, the key owner can refuse to decrypt the session key. At this point, the secret key has 'in fact been used for' encryption and on my reading of the bill [s46(6)(b)] is no longer immune from seizure. A second section 46 notice could demand the signature key.

How would the lawyers recommend the key owner responds to this sequence of demands?

Ian
--
Ian Miller
Scientia Ltd.

From nbohm@ernest.net Wed, 05 Apr 2000 19:08:47 +0100
Date: Wed, 05 Apr 2000 19:08:47 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: Signature Keys Used for Confidentiality

At 06:27 PM 4/5/2000 +0100, Liaquat Khan wrote:

> Interesting...
>
> One would assume that the authorities may 'prove' the misuse of a signature key pair, by showing some ciphertext which has been encrypted by the 'public verification key'. This assumes that the ciphertext contains a link to the public verification key.

Arguably this is not enough unless the private key (which they are seeking) has in fact been used to decrypt it.

> The problem with this is that a malicious third party could force you to release your private signature key by simply sending you an encrypted message using your public verification key.

You would have to take great care to refrain from decrypting it, and might be wise to reply asking for the message to be encrypted under a confidentiality key instead. A mistake here would expose your signature key to compulsory disclosure under the RIP Act.

> Does this make sense?

Well may you ask -- see comments on Brian's remarks below.

> Regards,
> Liaquat
>
> ----- Original Message -----
> From: Brian Gladman
> To: ukcrypto
> Sent: Wednesday, April 05, 2000 5:51 PM
> Subject: RIP: Signature Keys Used for Confidentiality
>
> [cut]
>
> If private signature keys are immune from seizure provided they have never been used for decryption, this raises the issue of how the immunity is actually obtained when the authorities turn up with a notice to seize a signature key. When I say 'I am not giving you this key because (a) it is a signature key, and (b) I have not used it for any other purpose, what happens next? Can I assume that the authorities would have to prove (to what level?) that I had used it for decryption in order to obtain a conviction for withholding it?

If the server of the notice refuses to accept that the key is immune from seizure but provides no convincing justification for that refusal (and you have no right to require any justification until you are later prosecuted), you face a very awkward situation. Either you comply with the notice (compromising a signature key) or you refuse and run the resulting risk. You have to make that decision on the information available.
That information consists of your own knowledge that the key has never been used by you for decryption and your own degree of confidence in your exclusive control of the key (if you do not have exclusive control, e.g. because it is a shared corporate key, you cannot be at all sure another user has not used it for decryption, leaving you obliged to disclose it).

What you cannot know is why the notice server thinks he can convince a court that in fact you have used the key for decryption. It may be pure bluff. It may be that he has misunderstood some past events; but maybe a judge or jury would misunderstand them the same way (courts can make mistakes).

On any analysis this is a very unsatisfactory legal environment for the security of digital signature keys. I do not think key disclosure powers are compatible with the security of digital signatures.

It is all the more disquieting that the Inland Revenue and Customs & Excise schemes for electronic tax and VAT returns will make purported signers of returns responsible for them whether they signed them or not (even if they can prove they did not): the use of conclusive (i.e. irrebuttable) presumptions should make all prospective users steer well away from these schemes.

Regards,

Nicholas Bohm
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From brian.gladman@btinternet.com Wed, 5 Apr 2000 19:43:48 +0100
Date: Wed, 5 Apr 2000 19:43:48 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: RIP: Signature Keys Used for Confidentiality

----- Original Message -----
From: "Ian Miller"
To:
Sent: Wednesday, April 05, 2000 6:19 PM
Subject: Re: RIP: Signature Keys Used for Confidentiality

On Wed, 05 Apr 2000, Brian Gladman wrote:
> If the word 'key' here refers only to the private key of a key-pair
> then sending someone an encrypted message using their public signature
> verification key does not undermine their private signature key provided
> that they have never used the latter for decrypting any encrypted messages
> that they have been sent.
> It does not directly undermine it. However there is a potential
> 'second notice' problem. If a private signature key has been used for
> encryption, with or without the connivance of the key owner, there will
> exist a session key that is unambiguously an encryption key and is
> therefore subject to seizure. Accordingly I cannot see how, if provided
> with the encrypted session key and modified decryption software, the
> key owner can refuse to decrypt the session key. At this point, the
> secret key has 'in fact been used for' encryption and on my
> reading of the bill [s46(6)(b)] is no longer immune from seizure.
> A second section 46 notice could demand the signature key.

An interesting point - can a decryption notice force a key owner to misuse their own signature key and thereby render it useless for the purposes he or she intended?

Brian

From brian.gladman@btinternet.com Wed, 5 Apr 2000 19:49:14 +0100
Date: Wed, 5 Apr 2000 19:49:14 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: RIP: Signature Keys Used for Confidentiality

From: "Ian Miller"
To:
Sent: Wednesday, April 05, 2000 6:19 PM
Subject: Re: RIP: Signature Keys Used for Confidentiality

On Wed, 05 Apr 2000, Brian Gladman wrote:
> If the word 'key' here refers only to the private key of a key-pair
> then sending someone an encrypted message using their public signature
> verification key does not undermine their private signature key provided
> that they have never used the latter for decrypting any encrypted messages
> that they have been sent.
> It does not directly undermine it. However there is a potential
> 'second notice' problem. If a private signature key has been used for
> encryption, with or without the connivance of the key owner, there will
> exist a session key that is unambiguously an encryption key and is
> therefore subject to seizure. Accordingly I cannot see how, if provided
> with the encrypted session key and modified decryption software, the
> key owner can refuse to decrypt the session key. At this point, the
> secret key has 'in fact been used for' encryption and on my
> reading of the bill [s46(6)(b)] is no longer immune from seizure.
> A second section 46 notice could demand the signature key.

An interesting point - can a decryption notice force a key owner to misuse their own signature key and thereby render it useless for the purposes he or she intended?

Brian

From bradley@compsci.bristol.ac.uk Wed, 5 Apr 2000 21:33:27 +0100 (BST)
Date: Wed, 5 Apr 2000 21:33:27 +0100 (BST)
From: J.T.Bradley bradley@compsci.bristol.ac.uk
Subject: Home Office question on wiped rather than encrypted data.

On Wed, 5 Apr 2000, Alan Ramsbottom wrote:

> > However when the FBI tried to do this to a member of the cypherpunks
> > mailing list (who was "threatening federal officials in his
> > postings") - mysteriously the private key was published on the
> > mailing list. Then it could be claimed that anyone could have
> > impersonated him.
>
> Hmmm.. didn't that (plus other fun & games) get several cypherpunks
> subpoenaed by a Grand Jury looking into obstruction?

Oh I hadn't heard that twist... presumably the postee of the original key was clever enough to do it anonymously.

It occurs to me though that getting someone to deny their signature by "accidentally" publishing their private key - would be an excellent way of doing what an S.46 was intended for in the first place... therefore enabling reading of all past messages encrypted with that key.

There is definitely a moral about having different sig and encryption keys.

--Jeremy.

From nigelhickson@compuserve.com Wed, 5 Apr 2000 16:45:18 -0400
Date: Wed, 5 Apr 2000 16:45:18 -0400
From: Nigel Hickson nigelhickson@compuserve.com
Subject: Target selection

Now hang on! It is fair game to keep on about cl 49 (burden of proof) but someone should have reported the concession the HO made in Committee yesterday re "plain text and keys" (It might help our banking friend). Mr Clarke said (and I paraphrase) that where the recipient of a notice had plain text there would only be "exceptional" circumstances (which would be defined in Bill) where a key would be required instead. So banks - I suspect - would always be in clear.

Nigel

From bradley@compsci.bristol.ac.uk Wed, 5 Apr 2000 22:16:56 +0100 (BST)
Date: Wed, 5 Apr 2000 22:16:56 +0100 (BST)
From: J.T.Bradley bradley@compsci.bristol.ac.uk
Subject: Signature Keys Used for Confidentiality

On Wed, 5 Apr 2000, Liaquat Khan wrote:

> One would assume that the authorities may 'prove' the misuse of a
> signature key pair, by showing some ciphertext which has been
> encrypted by the 'public verification key'. This assumes that the
> ciphertext contains a link to the public verification key.

I would have thought the only way to prove a link between the ciphertext and the public key would be to obtain the private key and decrypt or demonstrate non-decryption... ie obtain the key over which the original contention was in the first place. Cyclic dependency - Yuk!

So:

Plod: I have an S.46 for this key id (if you're lucky and a key id is indeed given)

Alice: But that's my signature key and I have never used it for anything other than signing data - therefore the key is not obtainable under the Act and your S.46 is invalid.

Plod: Oh. But I have an encrypted message which I believe was encrypted using this key.

Alice: Well you have to prove that the key is an encryption key before the Act can come into force and I claim that the data you believe to be encrypted with that key is either a valid message encrypted with another key or a random message made out to look like an encrypted message.

Plod: Ah but I need your private key to prove (or disprove) that the message belongs to that key-pair and to obtain your private key I need an S.46, in order to prove the link and demonstrate that the original S.46 is valid... oh arse!

Alice: Watch me care...

> The problem with this is that a malicious third party could force you
> to release your private signature key by simply sending you an
> encrypted message using your public verification key.

The worst of it is that if an S.46 came for a valid signature key, you would have to revoke that key immediately (if you were not prepared to go through the courts with the argument above, that is) just in case a bent or just frustrated Plod then decided to force the issue by sending an anonymous but encrypted message using your previously sig-only public key.

--Jeremy.

From hopwood@zetnet.co.uk Thu, 06 Apr 2000 04:14:05 +0100
Date: Thu, 06 Apr 2000 04:14:05 +0100
From: David Hopwood hopwood@zetnet.co.uk
Subject: Target selection

Owen Lewis wrote:
[...]
> The operations of an oversea company in the UK are entirely subject to UK
> law.
>
> If such a company organises its crypto management for the UK operation in a
> way that no UK based personnel have access to or knowledge of the crypto
> keys, then it would seem that would fall outside the proposed legislation.

This is a useful application of the backward security property I talked about in a recent post. In this case you would put the off-line keys off-shore (Switzerland or wherever), and get UK staff to access them only as needed via an authenticated, encrypted connection (with the ability to change the authentication key via a different channel, in case it is compromised). The off-shore end of the connection would enforce the mapping of private keys to time periods. This would ensure that the scope of a key compromise in the UK is limited in time.

Note that this only requires one connection to the off-shore server per time period, and the organisation can continue to use a single public key (or however many public keys are convenient). It works for all types of keys (e.g. encryption, signature, and long-term authentication keys for key agreement), although in the case of signatures, the attacker can still forge a signature with a timestamp in the period when the compromise occurred.

More generally, a company with offices in several different countries could use this method in conjunction with a secret sharing algorithm, to make sure that a catastrophic key compromise (i.e. with effects not limited in time) could only occur if private information in all, or at least n of the countries were compromised.

(Of course this also has advantages against corruption, organised crime, etc., not just misguided laws. Funny how these tend to require the same security properties, isn't it?)

--
David Hopwood
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01

From I.G.Batten@ftel.co.uk Thu, 6 Apr 2000 08:38:27 +0100 (BST)
Date: Thu, 6 Apr 2000 08:38:27 +0100 (BST)
From: Ian G Batten I.G.Batten@ftel.co.uk
Subject: Signature Keys Used for Confidentiality

> One would assume that the authorities may 'prove' the misuse of a
> signature key pair, by showing some ciphertext which has been encrypted
> by the 'public verification key'. This assumes that the ciphertext
> contains a link to the public verification key.

And how would they do that? Unless they have some known plaintext, that is.
Obviously, some existing systems stamp some sort of KeyID into the preamble, but leaving aside the ``someone has stuck my signature KeyID into a message to force me to reveal my private key'' defence, if you're playing games with keys like this you'll be modifying the code to put a random KeyID in.

ian

From brian.gladman@btinternet.com Thu, 6 Apr 2000 00:38:28 +0100
Date: Thu, 6 Apr 2000 00:38:28 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: Target selection

> From: "Nigel Hickson"
> To:
> Sent: Wednesday, April 05, 2000 9:45 PM
> Subject: Target selection
>
> Now hang on! It is fair game to keep on about cl 49 (burden of proof) but
> someone should have reported the concession the HO made in Committee
> yesterday re "plain text and keys" (It might help our banking friend). Mr
> Clarke said (and I paraphrase) that where the recipient of a notice had
> plain text there would only be "exceptional" circumstances (which would be
> defined in Bill) where a key would be required instead. So banks - I
> suspect - would always be in clear.

I saw this 'concession' but I would like to see it in its full glory before taking it seriously.

This change also makes it even more important to know why it is ever going to be necessary to seize keys for the following reasons:

(a) a large proportion of the costs of protection arise because keys are subject to seizure - when only a few keys are seized this makes the 'cost per key' enormous and, I believe, impossible to justify (remember this is TAXPAYERS money).

(b) almost all of the negative impact on e-commerce arises because of the possibility of key seizure - we are hence risking the UK's future prosperity for the sake of seizing a few keys.

This simply cannot make sense when decryption orders without GAK will meet almost all law enforcement needs - i.e. 'we can get 99% of what we need for 1% of the cost'

Mr Clarke has made much of the need for these measures in order to combat child pornography and paedophilia. I wish he was serious about countering such abhorrent criminal pursuits but I fear he is not since there are far better ways of spending £25 million to achieve this in place of his proposals in RIP. Now that he knows what the costs truly are (at minimum) I hope he will reflect on other ways in which this money might be spent in combatting crime in cyberspace.

Brian

From davidh@spidacom.co.uk Thu, 6 Apr 2000 09:44:43 +0100
Date: Thu, 6 Apr 2000 09:44:43 +0100
From: David Hansen davidh@spidacom.co.uk
Subject: Target selection

On 5 Apr 00, at 16:45, Nigel Hickson wrote:

> Now hang on! It is fair game to keep on about cl 49 (burden of proof)
> but someone should have reported the concession the HO made in
> Committee yesterday re "plain text and keys"

The weasel words of a party politician in Westminster are worthless and unreliable. They are not generally taken into account by the courts, what is written down is.

If he explicitly transfers his words into the wording of the bill, then he will get half a cheer. Until then people will keep their own counsel.

David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E

From Ian_Miller@home.scientia.com Thu, 6 Apr 2000 08:38:44 +0000
Date: Thu, 6 Apr 2000 08:38:44 +0000
From: Ian Miller Ian_Miller@home.scientia.com
Subject: Perpetual retention of keys?

Section 46 notices do not seem to expire, and are valid for material 'likely to come' 'into the possession' of issuing authority. This implies that material that does not yet exist may be covered, and that the recipient might have to decrypt at an arbitrary time in the future. Further there is no "don't have the key" defence if the key was in your possession at the time the notice was issued. Accordingly it seems to me that, even if session keys are deemed adequate in all cases, once a section 46 notice has been issued the long-term key can never be safely destroyed.

I think this could have serious consequences for the security of systems that wish to follow the good practice of re-keying at regular intervals.

This also makes Charles Lindsey's scenario 5 considerably nastier. Append:-

Alice: But I destroyed that key two years ago.

Plod: Go to gaol, do not pass Go...

Ian
--
Ian Miller
Scientia Ltd.

From liaquat.khan@gta.multicert.org Thu, 6 Apr 2000 10:12:06 +0100
Date: Thu, 6 Apr 2000 10:12:06 +0100
From: Liaquat Khan liaquat.khan@gta.multicert.org
Subject: Signature Keys Used for Confidentiality

----- Original Message -----
From: J.T.Bradley
To: ukcrypto
Sent: Wednesday, April 05, 2000 10:16 PM
Subject: Re: Signature Keys Used for Confidentiality

>
> The worst of it is that if an S.46 came for a valid signature key, you
> would have to revoke that key immediately (if you were not prepared to go
> through the courts with the argument above, that is) just in case a bent or
> just frustrated Plod then decided to force the issue by sending an
> anonymous but encrypted message using your previously sig-only public
> key.
>
> --Jeremy.

Revoking a key is not a simple exercise, especially for top-level keys (e.g. the private signature key of a Root CA). Not only do all relying parties need to be informed that the private key has been revoked, but you also need to revoke all certificates ever issued with that private signature key, generate a new key pair, distribute the new public verification key in an authentic manner to all relying parties, and re-issue all the lower level certificates with the new private signature key...

You can prepare for certain aspects associated with key revocation in advance, e.g. by having a secondary key pair, but it will still be a nightmare for a CA network of any size.

Scary to think that anyone could potentially trigger the eventual revocation of a top-level CA private signature key, by sending an encrypted message using the CA's public verification key.

Regards,
Liaquat

From sjmz@hplb.hpl.hp.com Thu, 06 Apr 2000 10:58:26 +0100
Date: Thu, 06 Apr 2000 10:58:26 +0100
From: Stefek Zaba sjmz@hplb.hpl.hp.com
Subject: Target selection

Nigel Hickson writes:
[ ... ]
> someone should have reported the concession the HO made in Committee
> yesterday re "plain text and keys" (It might help our banking friend). Mr
> Clarke said (and I paraphrase) that where the recipient of a notice had
> plain text there would only be "exceptional" circumstances (which would be
> defined in Bill) where a key would be required instead. So banks - I
> suspect - would always be in clear.

The verbal assurance in committee is useful, given that it indicates current HO thinking. To reassure e-commerce practitioners *effectively*, that thinking now needs to be reflected in the text of a Govt amendment.
A *sensible* course of action - which it is probably too late in the bill-passing process to implement - is to make the "s.46" notice demand always for plaintext - defined something along the lines of "the communication in the form intended to be intelligible to the recipient"; with the option for the recipient of an "s.46" notice to provide, at their discretion, "means" (i.e. keys plus such supporting software and documentation as GTAC may need) to allow the notice-server to perform the rendering-to-intelligibility step themselves. Then, to counter the smart-arse who claims that *every* message corresponds to the plaintext "Mary had a little lamb", or who dumps a pile of source-code, an alleged key, and says "oh, I lost the Makefile in a hard disk crash, and the object code runs only on this soldering-iron modified ZX81 which unfortunately was crushed under a lorry yesterday", you introduce a subsidiary offence of "wilful obstruction" or "wilful noncompliance" with the "s.46" notice. The burden of proof for that offence would rest where it should - with the prosecution, to show - beyond a reasonable doubt - that the recipient of an "s.46"-style notice was playing silly b****rs. I say it's "probably too late" to introduce such a structural change into the Bill. How (I can almost hear Nigel splutter) can anyone claim there's not been enough time to make constructive proposals, when we've been engaged in public and semi-public debate on encryption policy in the UK since 1996 at least!? The answer (he says, attempting to collapse an anticipated thread into a single self-authored message :-) is that the public consultation on encryption policy has been polluted by the key escrow proposals. Indeed, many participants are worried that there is still an effort to encourage operator-managed rather than end-user-controlled encryption.
That dog just won't bark: it flies in the face of the basic architecture of the Internet, which is fundamentally based on dumb packet forwarding in the middle, while everything from flow control upwards to application logic happens at the computers on the edges. Less like the phone network it couldn't be. And it's that separation of concerns which *makes* the Internet such an innovative environment: you don't need the "permission" of an operator to run a new protocol or new service over it, just some machines connected which want to do that new thing. Hence the Web taking off the way it did - mutatis mutandis, hence "push" distribution falling on its face as quickly as it did - the end-users didn't particularly want it, and the investment in the servers which commercially trialled the service has had to be written off. Depressing for the wannabe kings of "push", but note that the whole cycle of hype to IPO to furniture-sold-off-for-5p-on-the-pound went round several times faster than for video-on-demand. It's the economic and competitive efficiency of this architecture, as well as its technical merits, which mean it's not about to be reworked. The DTI "got it" after a few years; the HO is "getting it" actually at a faster pace, but from more of a standing start. However - having polluted the debate with key escrow, and with a GAK element still present in the current proposals, an effective debate on making Labour Party policy effective is barely starting. For historians, I repeat the words here: The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant (in the same way that a warrant is required in order to search someone's home). Decryption warrants? Yup. Key disclosure? Not mentioned above - and the main concern for e-commerce operators in the UK, I claim.
Stefek From ben@algroup.co.uk Thu, 06 Apr 2000 11:13:14 +0100 Date: Thu, 06 Apr 2000 11:13:14 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Perpetual retention of keys? Ian Miller wrote: > > Section 46 notices do not seem to expire, and are valid for material > 'likely to come' 'into the possession' of issuing authority. This > implies that material that does not yet exist may be covered, and that > the recipient might have to decrypt at an arbitrary time in the future. > Further there is no "don't have the key" defence if the key was in your > possession at the time the notice was issued. Accordingly it seems to > me that, even if session keys are deemed adequate in all cases, once > a section 46 notice has been issued the long-term key can never be safely > destroyed. > > I think this could have serious consequences for the security of systems > that wish to follow the good practice of re-keying at regular intervals. Even if it's correct that the long-term key cannot be destroyed, I can't see why that would prevent rekeying? Cheers, Ben. -- http://www.apache-ssl.org/ben.html From cs97ktb@brunel.ac.uk Thu, 6 Apr 2000 11:23:37 +0100 (BST) Date: Thu, 6 Apr 2000 11:23:37 +0100 (BST) From: Kieran Barry cs97ktb@brunel.ac.uk Subject: Parliament in internet time (was Re: Target selection) On Thu, 6 Apr 2000, David Hansen wrote: > On 5 Apr 00, at 16:45, Nigel Hickson wrote: > > > Now hang on! It is fair game to keep on about cl 49 (burden of proof) > > but someone should have reported the concession the HO made in > > Committee yesterday re "plain text and keys" > > The weasel words of a party politician in Westminster are worthless > and unreliable. They are not generally taken into account by the > courts, what is written down is. > > If he explicitly transfers his words into the wording of the bill, then he > will get half a cheer. Until then people will keep their own counsel. Does the revised wording get reviewed by committee?
My understanding is that amendments get proposed by the government en masse at the end. After the antics of the Home Office team ("respond to the easy questions every week, except when we're away), it could be a procedural device to duck a difficult question. A lot of people are watching this bill. If the minister wishes to be taken seriously, he needs to publish his amendments more quickly. As Michael Howard (presumably still remembered fondly at the Home Office) proved, statements, assurances and/or decisions of politicians are not binding on the courts :) Regards Kieran From Richard.Lucock@jet.uk Thu, 6 Apr 2000 14:48:34 +0100 (BST) Date: Thu, 6 Apr 2000 14:48:34 +0100 (BST) From: Richard.Lucock@jet.uk Richard.Lucock@jet.uk Subject: RIP: Signature Keys Used for Confidentiality Hi, On 5 Apr, Ian Miller wrote: > It does not directly undermine it. However there is a potential > 'second notice' problem. If a private signature key has been used for > encryption, with or without the connivance of the key owner, there will The *private* key cannot be used except by the owner anyway (unless it has been compromised). If you meant 'public signature key', then you are safe, since no disclosure notice can be issued for the corresponding private key since it hasn't been used for decryption. Note that the s46 notice cannot force you to decrypt - it is only an optional way of fulfilling a disclosure notice, to be used when mutually agreeable. However, it does bring up a good point - in such a case, you shouldn't voluntarily decrypt for the LEA, because thereafter they *can* force disclosure of your private signature key, since it now *has* been 'used for other purposes'.
Richard From brian.gladman@btinternet.com Thu, 6 Apr 2000 13:10:30 +0100 Date: Thu, 6 Apr 2000 13:10:30 +0100 From: Brian Gladman brian.gladman@btinternet.com Subject: Target selection From: "Stefek Zaba" To: Sent: Thursday, April 06, 2000 10:58 AM Subject: Re: Target selection [snip much good stuff] > However - having polluted the debate with key escrow, and with a GAK element > still present in the current proposals, an effective debate on making Labour > Party policy effective is barely starting. For historians, I repeat the > words here: > > The only power we would wish to give to the authorities, in order > to pursue a defined legitimate anti-criminal purpose, would be > to enable decryption to be demanded under judicial warrant (in > the same way that a warrant is required in order to search someone's > home). > > Decryption warrants? Yup. Key disclosure? Not mentioned above - and the > main concern for e-commerce operators in the UK, I claim. > > Stefek Spot on, Stefek, as always - GAK in RIP will damage the UK's e-commerce aspirations. There is no better demonstration of the power of the UK civil service over our politicians in respect of cryptography policy than the rapidity with which a sound and sensible Labour Party encryption policy in opposition degenerated within months of coming to power. If our current politicians had stuck to their guns we would by now have a policy with widespread support. And this broad consensus would have promoted a closer association between government, industry and public interest organisations in identifying and ***implementing*** practical measures to combat the use of cyberspace to support child pornography, paedophilia, fraud, ..... In contrast we have had three years of progressive government 'retreat' during which we have moved ever closer to the exact policy that the Labour Party had already established when it came to power!
In consequence we have wasted three more years when we could have been ***doing*** things to make sure that UK citizens and companies were safe and secure in their use of cyberspace. It's not too late, Mr Clarke - return to your pre-election policy by implementing decryption notices without GAK. Making such a gesture now will provide a basis for consensus and this in turn will promote rapid progress in e-commerce and an environment where all parties will co-operate in identifying measures to combat criminals who exploit cyberspace for their evil ends. In contrast continuing with GAK in RIP will destroy any prospects for consensus since it can only serve to continue what will prove to be a highly damaging debate about GAK. Remember that this is the history of UK encryption policy over the last five years - we have had three rounds of badly mistaken policy - please, please don't make this yet one more. Brian Gladman From Richard.Lucock@jet.uk Thu, 6 Apr 2000 15:43:29 +0100 (BST) Date: Thu, 6 Apr 2000 15:43:29 +0100 (BST) From: Richard.Lucock@jet.uk Richard.Lucock@jet.uk Subject: RIP: Signature Keys Used for Confidentiality On 6 Apr, Ian Miller wrote: > How do you come to that conclusion? The key that you are formally being > required to produce is the session key, not the signature key. How do > you legally refuse to provide that key? How do you provide either that > session key or the ultimate plaintext without decrypting the session key? Ah, I misunderstood your question. I guess that it comes down to whether or not possession of the encrypted session key amounts to possession of the session key itself. But it seems to me that if it does, then by the same argument the LEA also has possession of the session key and is therefore not allowed to give a disclosure notice (s46/2/d - a notice is only allowed if there is no other way for the LEA to get it).
BTW, IANAL Richard From sjmz@hplb.hpl.hp.com Thu, 06 Apr 2000 16:54:05 +0100 Date: Thu, 06 Apr 2000 16:54:05 +0100 From: Stefek Zaba sjmz@hplb.hpl.hp.com Subject: Target selection Munch, munch, munch - mmm, what *delicious* 'umble pie! On a chance re-reading of Nigel's message, I realise he'd said that Mr Clarke *has* committed to defining the "exceptional" circumstances for key (as opposed to sessionkey/plaintext) access in the bill. This is indeed a welcome move. Gobble gobble gobble, Munch munch munch. Bring on the 'umble pie! More! more! To quote, maybe to clarify: > Clarke said (and I paraphrase) that where the recipient of a notice had > plain text there would only be "exceptional" circumstances (which would be > defined in Bill) where a key would be required instead. So banks - I > suspect - would always be in clear. > One remaining quibble (there's always one, isn't there? :-) would be with Nigel's paraphrase re. "where the recipient had plaintext" - for drafting I'd hope to see this rendered as, for example, "is able to produce plaintext" rather than "has" plaintext. The rationale for the distinction is twofold. Firstly, to not accidentally limit the "here's the plaintext" response to those cases where plaintext is already in existence at the moment the s.46 notice is served, but to include those cases where it can be made available. Secondly, to include those cases where it's not physically *possible* to render up the key - e.g. it's on a well-protected cryptographic module, which will perform encryption and decryption on demand but which is designed *not* to let the key leave the security perimeter. Can I have thirds, please?
Stefek From davidh@spidacom.co.uk Thu, 6 Apr 2000 17:36:01 +0100 Date: Thu, 6 Apr 2000 17:36:01 +0100 From: David Hansen davidh@spidacom.co.uk Subject: Parliament in internet time (was Re: Target selection) On 6 Apr 00, at 11:23, Kieran Barry wrote: > After the antics of the Home Office team ("respond to the easy > questions every week, except when we're away), it could be a > procedural device to duck a difficult question. That reminds me that we still haven't seen another "response" from the Home Office yet. Are they really so short staffed or under trained that when someone "goes on holiday" there is nobody else who can respond? There does seem to be a lot of ducking going on. Why are they flogging a dead horse? David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From sjmz@hplb.hpl.hp.com Thu, 06 Apr 2000 17:39:58 +0100 Date: Thu, 06 Apr 2000 17:39:58 +0100 From: Stefek Zaba sjmz@hplb.hpl.hp.com Subject: A Decryptor's Lot On a note of light relief... my lad was playing the part of Major General these last two nights, and I found myself adapting and updating the words of one of the well-known numbers from Pirates of Penzance while sitting in the primary school hall, chest swelling with paternal pride. So - with apologies to the original librettists, whose work can be found at http://diamond.idbsu.edu/gas/pirates/libretto.txt I bring you: A Decryptor's Lot When a felon's not engaged in his employment Or transmitting his felonious little plans, His capacity for innocent enjoyment Is just as great as any honest man's. Our feelings we with difficulty smother When intercepting duty's to be done. Ah, take one consideration with another, A decryptor's lot is not a happy one. Ah, when intercepting duty's to be done, to be done, A decryptor's lot is not a happy one, happy one. 
When the enterprising burglar's not a-burgling When the smuggler's not avoiding VAT He loves to hear the little brook a-gurgling And listen to a merry MP3. When the crack-head's finished jumping on his mother, He loves to lie a-basking in the sun. Ah, take one consideration with another, A decryptor's lot is not a happy one. Ah, when intercepting duty's to be done, to be done, A decryptor's lot is not a happy one, happy one. All rights hereby placed in the public domain: a photo of this ditty on the wall of GTAC would be appreciated :-) Stefek From Simon.Watkin@homeoffice.gsi.gov.uk Thu, 6 Apr 2000 18:23:08 +0100 Date: Thu, 6 Apr 2000 18:23:08 +0100 From: Watkin Simon Simon.Watkin@homeoffice.gsi.gov.uk Subject: Parliament in internet time (was Re: Target selection) 1. I wasn't on holiday. I did say I was working away from the office. 2. When I came back I had nine days' worth of postings to go through (several hundred of them) with my colleagues in the Bill team who, as you know, are at the House in Committee as I write to you. 3. No one else responds when I'm away because no one else working on the Bill or its consequent implementation is a subscriber, only me. 4. I sense an expectation that I (as the Home Office) *should* be responding instantly to every posting with a question or comment on the RIP Bill. 5. In general Ukcrypto correspondents put forward their personal views. I don't. You don't get my personal view. You get a Home Office view. 6. In general Ukcrypto correspondents make postings but if no one picks up their thread they can't complain. No Ukcrypto correspondent is *expected* to respond - except me. If I was dispensing my personal view, of course you would get Internet time responses. You know I am not an *ordinary* Ukcrypto correspondent so please don't expect me to behave like one. I'll be back to you this week. Promise.
Simon Watkin Encryption Co-ordination Unit Home Office -----Original Message----- From: David Hansen [mailto:davidh@spidacom.co.uk] Sent: 06 April 2000 17:36 To: ukcrypto@maillist.ox.ac.uk Subject: Re: Parliament in internet time (was Re: Target selection) On 6 Apr 00, at 11:23, Kieran Barry wrote: > After the antics of the Home Office team ("respond to the easy > questions every week, except when we're away), it could be a > procedural device to duck a difficult question. That reminds me that we still haven't seen another "response" from the Home Office yet. Are they really so short staffed or under trained that when someone "goes on holiday" there is nobody else who can respond? There does seem to be a lot of ducking going on. Why are they flogging a dead horse? David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From davidh@spidacom.co.uk Thu, 6 Apr 2000 18:23:14 +0100 Date: Thu, 6 Apr 2000 18:23:14 +0100 From: David Hansen davidh@spidacom.co.uk Subject: Target selection On 6 Apr 00, at 16:54, Stefek Zaba wrote: > On a chance re-reading of Nigel's message, I realise he'd said that Mr > Clarke *has* committed to defining the "exceptional" circumstances for > key (as opposed to sessionkey/plaintext) access in the bill. Yes, but these are the people who once said "It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers."
> This is indeed a welcome move. As I said, it will get half a cheer if and when it actually is put into the bill. The words of party politicians are meaningless, what matters is what they write down in the law. David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From cb@fipr.org Thu, 6 Apr 2000 18:27:13 +0100 Date: Thu, 6 Apr 2000 18:27:13 +0100 From: Caspar Bowden cb@fipr.org Subject: Parliament in internet time (was Re: Target selection) > There does seem to be a lot of ducking going on. Why are they > flogging a dead horse? An uncharitable interpretation is that the "dialogue" was useful to work out rebuttal points for Standing Committee debate. I'd find it very helpful if anyone had the time to go through and consolidate the outstanding points raised, and re-post to the list. Standing Committee ended this morning. I've posted Tuesday's sessions (on Part.III) as single HTML files on http://www.fipr.org/rip/parliament.html. Well worth a close read. -- Caspar Bowden Tel: +44(0)171 354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media From nd@hplb.hpl.hp.com Thu, 06 Apr 2000 18:26:37 +0100 Date: Thu, 06 Apr 2000 18:26:37 +0100 From: Neil Dunbar nd@hplb.hpl.hp.com Subject: Target selection Nigel Hickson wrote: > Mr > Clarke said (and I paraphrase) that where the recipient of a notice had > plain text there would only be "exceptional" circumstances (which would be > defined in Bill) where a key would be required instead. Hmm. The minister said :- "We might consider amending the Bill to allow insistence on producing the key only exceptionally and to state what might be exceptional in the code of practice."
Note - the circumstances of exceptional behaviour are to be defined in a code of practice. Can the lawyers on the list tell me if this carries the same legal weight as an Act or Statutory Instrument? I suspect not. Neil From bdm@fenrir.demon.co.uk Thu, 06 Apr 2000 19:14:00 +0100 (BST) Date: Thu, 06 Apr 2000 19:14:00 +0100 (BST) From: Brian Morrison bdm@fenrir.demon.co.uk Subject: Parliament in internet time (was Re: Target selection) On Thu, 6 Apr 2000 18:23:08 +0100, Watkin Simon wrote: >5. In general Ukcrypto correspondents put forward their personal views. I >don't. You don't get my personal view. You get a Home Office view. And there I think is the nub of the problem...... -- Brian Morrison bdm@fenrir.demon.co.uk "Almost noon, and she had yet to go the launderette in Concreton to thaw out chickens in the spin-drier..."
PGP Public Key Fingerprint= C7 12 B9 54 00 0F 51 F6 37 9B 18 D1 E1 61 14 0B From PHalliden@baltimore.com Thu, 6 Apr 2000 20:04:30 +0100 Date: Thu, 6 Apr 2000 20:04:30 +0100 From: Paul Halliden PHalliden@baltimore.com Subject: RIP: Signature Keys Used for Confidentiality >From: Brian Gladman >Sent: 05 April 2000 19:49 [snip] >An interesting point - can a decryption notice force a key >owner to misuse their own signature key >and thereby render it useless for the >purposes he or she intended? The notice might "require" them to misuse their key. However, on the assumption that the algorithm is RSA and that the private key is protected by hardware (e.g. a smart card or a security module), the notice will not be able to "force" misuse of the key since any reasonable security hardware will not permit it. The reason is that when the key is first created, the intended use is specified and the hardware will subsequently police usage of the key. So, although signing and decryption are mathematically the same process, the interface exposed by the hardware works at a higher level. The function that uses a signing key will expect to be presented with either a message to be hashed and signed (as a single call) or alternatively it will expect a hash which is then formatted and signed. In either case, it will not work with an encrypted block such as an encrypted message key as the additional processing will screw up (technical term) the decryption. Indeed, some smart cards are designed this way to make export easier - the vendor can claim that they do not do encryption - only signature.
Regards Paul Halliden From nigelhickson@compuserve.com Thu, 6 Apr 2000 17:30:11 -0400 Date: Thu, 6 Apr 2000 17:30:11 -0400 From: Nigel Hickson nigelhickson@compuserve.com Subject: Target selection Stefek and others You would not expect me to say too much on a Home Office Bill (and certainly not splutter). But clearly as what I reported was said in Committee it does give the government the opportunity to return with an amendment at Report Stage in the Commons. The Bill then has a second reading in the Lords and then Committee stage there. So lots more time (so to speak). We are still looking at amendments to the EC Bill and that has finished Committee stage in Lords. And despite what Brian says, history will tell that encryption policy WAS influenced by ministers. Regards Nigel From ACR@als.co.uk Thu, 6 Apr 2000 23:05:11 +0100 Date: Thu, 6 Apr 2000 23:05:11 +0100 From: Alan Ramsbottom ACR@als.co.uk Subject: Target selection > From: Nigel Hickson [mailto:nigelhickson@compuserve.com] > You would not expect me to say too much on a Home Office Bill (and > certainly not splutter). Well, how about something on the survey that's been mentioned in a few places this week? From the Register today: "British companies are too complacent when it comes to Internet security and only have themselves to blame if their IT systems are compromised by hackers. That's just one of the conclusions of a new survey published by the Department of Trade and Industry (DTI) which reveals that two thirds of companies in Britain have suffered security breaches within the last two years." Security is hard so I don't think it's just complacency, but that makes interesting reading in the light of Mr Clarke's comments about reverse burden of proof ("in terms of common-sense understanding"): "There are two clear different circumstances, the first of which involves the case of a business.
The business, which is responsible and secure, always has back-up mechanisms, always anticipates the loss of a key and always has an audit trail that establishes when keys were used for what purposes and when they were thrown away." Sadly, no mention of how it could affect all those less than perfect businesses revealed by that DTI survey. Then for **individuals** Mr Clarke gave us this street-wise gem: "Precisely because forgetting a password is such a reasonable thing to do, it is rare that there are no contingency arrangements for such an eventuality" ROFL. Businesses are bad enough (which is why folk sell all those password recovery utilities/services), what hope for individuals? -Alan- From brian.gladman@btinternet.com Thu, 6 Apr 2000 23:27:26 +0100 Date: Thu, 6 Apr 2000 23:27:26 +0100 From: Brian Gladman brian.gladman@btinternet.com Subject: Target selection > From: "Nigel Hickson" > To: > Sent: Thursday, April 06, 2000 10:30 PM > Subject: Re: Target selection > > Stefek and others > > You would not expect me to say too much on a Home Office Bill (and > certainly not splutter). But clearly as what I reported was said in > Committee it does give the government the opportunity to return with an > amendment at Report Stage in the Commons. The Bill then has a second > reading in the Lords and then Committee stage there. So lots more time (so > to speak). We are still looking at amendments to the EC Bill and that has > finished Committee stage in Lords. > > And despite what Brian says, history will tell that encryption policy WAS > influenced by ministers. I agree - without the political input we would still be in the dark ages. But I don't think this changes the role that certain elements in the civil service have had in dominating the agenda. And the sudden change in the Labour Party policy shows this very clearly. But time has always been on the side of the angels and we only have to be patient to see our thinking prevail.
The sad thing about GAK in RIP is that it won't work but it will create enormous damage - if this legislation passes into law with this aspect intact it will be a sad day for the UK. If this happens I and many other experts will have to advise that the UK is not a safe place for e-commerce. Of course many others (including the Government) will say that this is wrong but this won't carry much weight since it will be the resulting uncertainty as much as the truth that will do the damage. I doubt that the incredible sensitivity of information security decisions to even slight uncertainties is well understood by many within Government. As I keep saying, decryption notices without GAK get us 99% of the way to where we need to be for 1% of the cost - I just hope that the Home Office listens to reason before it's too late. Brian From cb@fipr.org Thu, 6 Apr 2000 23:40:37 +0100 Date: Thu, 6 Apr 2000 23:40:37 +0100 From: Caspar Bowden cb@fipr.org Subject: 'DIGITAL STORM' BREWS AT FBI - Washington Post 'DIGITAL STORM' BREWS AT FBI Issue: Privacy The FBI is seeking $75 million in budget appropriations to update its court-sanctioned telephone and cellular phone data collection systems. One is called "Digital Storm" and allows agents to monitor telephone calls and analyze computerized recordings. The FBI is also looking to create a system that would provide the "foundation for an up-to-date flexible digital collection infrastructure" for wiretaps and an "enterprise database" that would enable agents to analyze and share a huge amount of data via a secure World Wide Web network. FBI officials said the bureau's information technology systems are aging and need to be updated to keep pace with criminal activities that occur both on the Internet and offline. But civil liberties activists, legislators and legal specialists claim that the bureau's proposal could erode constitutional protections that limit government searches. 
For example, the FBI estimates that the technological advances would so improve the ability to conduct wiretaps that the number of approved taps would increase by 300 percent over the next decade. Deputy Assistant Director Edward Allen played down that number. [SOURCE: Washington Post (A1), AUTHOR: Robert O'Harrow Jr.] (http://www.washingtonpost.com/wp-dyn/articles/A20426-2000Apr5.html) From padgett@gdi.net Thu, 06 Apr 2000 18:51:04 -0400 Date: Thu, 06 Apr 2000 18:51:04 -0400 From: Padgett 0sirius padgett@gdi.net Subject: Not all bad at least from my viewpoint - the RIP bill is the greatest argument against KMS schemes I have ever seen. A. Padgett Peterson, P.E., CISSP: Cybernetic Psychophysicist Anti-Virus, Cryptographics, & Antique Radio Researcher http://www.freivald.org/~padgett/index.html mailto:padgett@gdi.net PGP 6.5 Key on request From midgley@mednetics.org Thu, 6 Apr 2000 19:50:07 +0100 Date: Thu, 6 Apr 2000 19:50:07 +0100 From: Adrian Midgley midgley@mednetics.org Subject: Parliament in internet time (was Re: Target selection) From: Simon.Watkin@homeoffice.gsi.gov.uk >You know I am not an *ordinary* Ukcrypto correspondent so please don't >expect me to behave like one. I'll be back to you this week. Promise. That's fair enough, really. -- Midgley From donald@ramsbottom.co.uk Fri, 07 Apr 2000 07:51:09 +0100 Date: Fri, 07 Apr 2000 07:51:09 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: TELCO costs Below is a snippet from a US Newspaper (Cryptome doesn't say which one). Link from cryptome below.
It does show what US Telcos believe the costs of implementing wiretaps will cost. Even if we only take 25% of that figure for UK it still ends up around £80m, just for the Telco side of things not taking into account ISPs etc. I do not know whether the same would be needed over here or whether we have the same problems, but it does give some indication that the costs may be higher than the £25m threshold quoted by the Cabinet office as "significant". http://cryptome.org/wiretab.htm "WASHINGTON -- The telecommunications industry is pressing Congress for full payment of nearly $500 million to help companies fund software upgrades needed to enable law-enforcement agencies to wiretap digital- and wireless-telephone networks. An emergency spending bill approved by the House last week would make the final $382 million available, but the financing is threatened by the Senate's stalling over the larger appropriations package. The budget fighting could further delay the phone companies' compliance with a 1994 surveillance law, already nearly two years behind schedule. Since the early 1990s, the Federal Bureau of Investigation has been warning that conversion to digital and wireless equipment was threatening to undermine the usefulness of court-approved phone surveillance. Traditional intercept gear monitors a single line, recording incoming and outgoing call information. But digital systems don't have analog pulses that make such information readily obtainable. And when digital switches route a call using a feature such as call forwarding, it isn't detectable.........." Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co.
Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Fri, 07 Apr 2000 08:00:56 +0100 Date: Fri, 07 Apr 2000 08:00:56 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Target selection SNIP Ross said > >It won't work, of course, and an insight into why it won't work came >from a London manager of a US bank who manages security for all >Europe, including Switzerland. He's in an impossible position once the >bill is passed. If he fails to hand over a key, he commits a criminal >offence under UK law. If he does hand it over, he commits a criminal >offence under Swiss law. So the corporate key recovery function will >move to Zuerich, and the guys there will be forbidden to recover keys >at the request of London managers. This chap said his employer didn't >want any publicity but had made representations to the UK government. > >Just thought list members might be interested, This is just what I have found to be the case and business will vote with its feet. It may get worse if LEAs seeking to bring pressure on Banks etc try to use S:69 to bring pressure on local managers. Do we have to actually lose the business before the HO see that they have shot UK PLC in the foot, or will they give in gracefully? A serious re think is required to determine exactly what it is that the LEAs want and if they can get 99% of what they want by other means, is the economic damage worth the other 1% even if it will only be used in "exceptional" circumstances. What is hard to see is why the HO is so obdurate over this issue, and why they are willing to make such an enormous gamble for so little perceived gain. Again two dimensional thought in a three dimensional world. Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co.
Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Fri, 07 Apr 2000 08:09:33 +0100 Date: Fri, 07 Apr 2000 08:09:33 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Irish EC Bill in PDF The Irish Electronic communications bill in pdf now available. http://www.irlgov.ie/tec/html/whatsnew.html Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From ACR@als.co.uk Fri, 7 Apr 2000 08:35:49 +0100 Date: Fri, 7 Apr 2000 08:35:49 +0100 From: Alan Ramsbottom ACR@als.co.uk Subject: Irish EC Bill in PDF Haven't read it, but from the accompanying memo: "Section 26 provides that nothing in this Bill shall be construed as requiring the disclosure of keys or codes that may be necessary to make information or an electronic communication intelligible." From donald@ramsbottom.co.uk Fri, 07 Apr 2000 08:47:17 +0100 Date: Fri, 07 Apr 2000 08:47:17 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Irish EC bill S25&26 Below are S:25 & 26 of the Irish E comms bill as published. S:26 is noteworthy, despite the provisions of S:25 I hope the formatting is ok it looks fine on my screen, but has gone awry before! 25.-(1) Where, on the sworn information of an officer of the Minister or a member of the Garda Síochána, a judge of the District Court is satisfied that there are reasonable grounds for suspecting that evidence of or relating to an offence under this Act is to be found at a place specified in the information, the judge may issue a warrant for the search of that place and any persons found at that place.
(2) A warrant issued under this section shall authorise a named officer of the Minister or member of the Garda Síochána, alone or accompanied by such member or other members of the Garda Síochána and such other persons as may be necessary- (a) to enter, within 7 days from the date of the warrant, and if necessary by the use of reasonable force, the place named in the warrant, (b) to search the place and any person reasonably suspected of being connected with any activities of the place found thereon, and (c) to seize anything found there, or anything found in the possession of a person present there at the time of the search, which that officer or member reasonably believes to be evidence of or relating to an offence under this Act and, where the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, to require the disclosure of the information or electronic communication in intelligible form. (3) An officer of the Minister or member of the Garda Síochána acting in accordance with a warrant issued under this section may require any person found at the place where the search is carried out to give the officer or member the person's name and address. (4) A person who or public body which- (a) obstructs or attempts to obstruct an officer of the Minister or member of the Garda Síochána acting in accordance with a warrant issued under subsection (1), (b) fails or refuses to comply with a requirement under this section, or (c) gives a name or address which is false or misleading, is guilty of a summary offence.
(5) An officer of the Minister or member of the Garda Síochána may retain anything seized under subsection (2)(c) which he or she has reasonable grounds for believing to be evidence of an offence under this Act, for use as evidence in relation to proceedings in relation to any such offence, for such period as is reasonable or, if proceedings are commenced in which the thing is required to be used in evidence, until the conclusion of the proceedings. (6) In this section ''place'' includes any dwelling, any building or part of a building and any vehicle, vessel or structure. 26.-Nothing in this Act shall be construed as requiring the disclosure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible. Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From roland@linx.net Fri, 7 Apr 2000 09:19:18 +0100 Date: Fri, 7 Apr 2000 09:19:18 +0100 From: Roland Perry roland@linx.net Subject: TELCO costs In article <1.5.4.32.20000407065109.0139aff4@192.168.0.65>, Donald Ramsbottom writes >It does show what US Telcos believe the costs of implementing wiretaps will >cost. Even if we only take 25% of that figure for UK it still ends up around >£80m, Does anyone have an idea of the topology of the USA phone system, in terms of where it could be centrally tapped? The 'advantage' we have in the UK is that most networks are National [or only cover one area; say, London]. In the USA, if there is at least one network per State, with no chance of tapping a subscriber line in California from a control room in Florida, then it could be that we should start from 1/50th of the USA figure, and then work up because I assume we have more OLOs than a typical USA state.
But even so, if there are 350 UK telcos to tap [source: IOCA consultation] and 25M to go round, that's only 75K each, and we've not had any ISP costs yet. -- Roland Perry From jeremy.scott-joynt@afxnews.com Fri, 7 Apr 2000 09:27:09 +0100 Date: Fri, 7 Apr 2000 09:27:09 +0100 From: Jeremy Scott-Joynt jeremy.scott-joynt@afxnews.com Subject: TELCO costs Is the 25M figure firmed up? Last time I talked to the home office, they weren't committing to a number. Jeremy _______________ Jeremy Scott-Joynt Technology Correspondent AFX News t +44 (0)20 7825 8483 m +44 (0)973 257380 f +44 (0)20 7825 7537 e jeremysj@pobox.com -----Original Message----- From: Roland Perry To: ukcrypto@maillist.ox.ac.uk Date: 07 April 2000 09:23 Subject: Re: TELCO costs >In article <1.5.4.32.20000407065109.0139aff4@192.168.0.65>, Donald >Ramsbottom writes >>It does show what US Telcos believe the costs of implementing wiretaps will >>cost. Even if we only take 25% of that figure for UK it still ends up around >>£80m, > >Does anyone have an idea of the topology of the USA phone system, in >terms of where it could be centrally tapped? The 'advantage' we have in >the UK is that most networks are National [or only cover one area; say, >London]. > >In the USA, if there is at least one network per State, with no chance >of tapping a subscriber line in California from a control room in >Florida, then it could be that we should start from 1/50th of the USA >figure, and then work up because I assume we have more OLOs than a >typical USA state. > >But even so, if there are 350 UK telcos to tap [source: IOCA >consultation] and 25M to go round, that's only 75K each, and we've not >had any ISP costs yet. >-- >Roland Perry From Richard.Lucock@jet.uk Fri, 7 Apr 2000 09:33:24 +0100 (BST) Date: Fri, 7 Apr 2000 09:33:24 +0100 (BST) From: Richard.Lucock@jet.uk Richard.Lucock@jet.uk Subject: RIP: Signature Keys Used for Confidentiality Hi, On 6 Apr, Ian Miller wrote: >> Ah, I misunderstood your question. 
I guess that it comes down >> to whether or not possesion of the encrypted session key amounts to >> possession of the session key itself. > I don't think that there is any doubt about that. Section 52 (2) > states "References in this Part to a person's having in his possession > a key to any protected information include references to his having > an immediate right of access to the key". If you can get the key > then you are deemed to possess it. Ouch. That does seem fairly conclusive: you *can* get the session key (using your signature key to decrypt) therefore you have access, therefore you are deemed to possess it, therefore you have to supply it on request. And having done that once, your signature key is no longer sacrosanct. I suppose it would be possible to argue whether the term 'right of access' does actually cover this situation, but I'm not sure that I would like to rely on it. Richard From davidh@spidacom.co.uk Fri, 7 Apr 2000 09:58:35 +0100 Date: Fri, 7 Apr 2000 09:58:35 +0100 From: David Hansen davidh@spidacom.co.uk Subject: Target selection On 7 Apr 00, at 8:00, Donald Ramsbottom wrote: > Do we have to atually loose the business before the HO see that they > have shot UK PLC in the foot, or will they give in gracefully? You're being too charitable. After the UK has lost business watch out for officials and party politicians telling us that everything in the garden is rosy. > What is hard to see is why the HO is so obdurate over this issue, and > why they are willing to make such an enormous gamble for so little > perceived gain.
It is a feature of the Home Office in particular, partly due to the incompetence of the current and last Home Secretaries who cannot conceive that they could ever make a mistake. They had this dumped on them when it became too hot to handle in the e-commerce bill, there is now no doubt a thin red line bunker mentality. David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From davidh@spidacom.co.uk Fri, 7 Apr 2000 09:58:35 +0100 Date: Fri, 7 Apr 2000 09:58:35 +0100 From: David Hansen davidh@spidacom.co.uk Subject: Parliament in internet time (was Re: Target selection) On 6 Apr 00, at 18:23, Watkin Simon wrote: > 3. No one > else responds when I'm away because no one else working on the Bill or > its consequent implementation is a subscriber, only me. Fascinating, revealing and rather worrying. > 4. I sense an > expectation that I (as the Home Office) *should* be responding > instantly to every posting with a question or comment on the RIP Bill. I think you are being over sensitive. People understand that a semi-official posting must be checked to ensure the stories are all the same (that's not necessarily a criticism by the way). However the Home Office is making a monumental cockup that will put most of its other cockups in the shade. Things are very urgent. David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From roland@linx.net Fri, 7 Apr 2000 10:17:30 +0100 Date: Fri, 7 Apr 2000 10:17:30 +0100 From: Roland Perry roland@linx.net Subject: TELCO costs In article <00d001bfa06b$10e74500$b017f691@23.174.afxnews>, Jeremy Scott-Joynt writes >Is the 25M figure firmed up? Last time I talked to the home office, they >weren't committing to a number. As I understand it, each Part of the bill is stated to cost less than the threshold at which it's necessary to produce an actual detailed estimate of the costs.
The Part which gets most discussion amongst industry is Interception and Communications Data (Part I), which is 25M. There would be a second 25M for the Decryption (Part III). Remember also that this is the cost not including measures operated by Law Enforcement [I assume this is standard practice] and therefore GTAC's budget does not appear anywhere here, in the same way that the costs of preparing warrants to put in front of the Home Secretary aren't included. -- Roland Perry From roland@linx.net Fri, 7 Apr 2000 10:26:35 +0100 Date: Fri, 7 Apr 2000 10:26:35 +0100 From: Roland Perry roland@linx.net Subject: TELCO costs In article <6$kwpBAqea74Ewlr@perry.co.uk>, Roland Perry writes >The Part which gets most discussion amongst industry is Interception and >Communications Data (Part I), which is 25M. There would be a second 25M >for the Decryption (Part III). Apologies - the figure is 20M, not 25M. -- Roland Perry From roland@linx.net Fri, 7 Apr 2000 10:33:16 +0100 Date: Fri, 7 Apr 2000 10:33:16 +0100 From: Roland Perry roland@linx.net Subject: TELCO costs In article <+ytCeMAGoZ74EwVQ@perry.co.uk>, Roland Perry writes >But even so, if there are 350 UK telcos to tap [source: IOCA >consultation] and 25M to go round, that's only 75K each, and we've not >had any ISP costs yet. Hmm, I've just re-read the Home Office document (Regulatory Impact Assessment) and it's got quite a different angle on this. They say: All the 40 traditional PTOs are compliant already - so no extra cost. The 233 ISVRs won't be tapped, the upstream PTOs will - so no extra costs. Most postal carriers already have measures in place due to interaction with Customs. Which just leaves ISPs; and it's 20M (apologies for misquoting 25M earlier). 
-- Roland Perry From nbohm@ernest.net Fri, 07 Apr 2000 10:58:49 +0100 Date: Fri, 07 Apr 2000 10:58:49 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Target selection At 06:26 PM 4/6/2000 +0100, Neil Dunbar wrote: >Nigel Hickson wrote: > >> Mr >> Clarke said (and I paraphrase) that where the recipient of a notice had >> plain text there would only be "exceptional" circumstances (which would be >> defined in Bill) where a key would be required instead. > >Hmm. > >The minister said :- > >"We might consider amending the Bill to allow insistence on producing the key >only exceptionally and to state what might be exceptional in the code of >practice." > >Note - the circumstances of exceptional behaviour are to be defined in >a code of practice. Can the lawyers on the list tell me if this carries the same >legal weight as an Act or Statutory Instrument? I suspect not. "Hmm" is right. Codes of practice carry such weight as the Act says - breach of the Highway Code is not a breach of the law, but may be taken into account in deciding whether some other rule has been broken. To put it mildly, a very feeble hint of a concession, but any crack is worth its wedge. I look forward to seeing the HO justification for requiring keys (requested more than once). If there is one, then it should be made the only statutory basis for compulsory key disclosure, and anything outside its scope should be statutorily excluded. Whether the justification is made out in a particular case should depend on judicial authority based on sworn evidence available to the addressee of the notice. And something a lot better needs to be done about the dilemma resulting from demand for disclosure of what the addressee alleges is a decryption only key. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. 
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From Ian_Miller@scientia.com Fri, 7 Apr 2000 09:27:02 +0000 Date: Fri, 7 Apr 2000 09:27:02 +0000 From: Ian Miller Ian_Miller@scientia.com Subject: RIP: Signature Keys Used for Confidentiality On Thu, 06 Apr 2000, Paul Halliden wrote: > The notice might "require" them to misuse their key. However, on the > assumption that the algorithm is RSA and that the private key is protec= ted > by hardware (e.g. a smart card or a security module), the notice will n= ot be > able to "force" misuse of the key since any reasonable security hardwar= e > will not permit it. =20 Agreed and that is a strong case for using such tamper-resistance solutions. However this is little comfort to someone using PGP or similar all-software encryption solutions. =20 Ian From donald@ramsbottom.co.uk Fri, 07 Apr 2000 11:50:19 +0100 Date: Fri, 07 Apr 2000 11:50:19 +0100 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: TELCO costs At 10:33 07/04/00 +0100, you wrote: >In article <+ytCeMAGoZ74EwVQ@perry.co.uk>, Roland Perry > writes >>But even so, if there are 350 UK telcos to tap [source: IOCA >>consultation] and 25M to go round, that's only 75K each, and we've not >>had any ISP costs yet. > >Hmm, I've just re-read the Home Office document (Regulatory Impact >Assessment) and it's got quite a different angle on this. They say: > >All the 40 traditional PTOs are compliant already - so no extra cost. > >The 233 ISVRs won't be tapped, the upstream PTOs will - so no extra >costs. Is this a reasonable assumption in the RIA? I ask because I do not know. >Which just leaves ISPs; and it's 20M (apologies for misquoting 25M >earlier). That was my fault I quoted =A325m when it should have been =A320m. 
I also note what you say about all the different companies in the States, but surely they are not so backward that we have all the necessaries in place and they do not? With all the Telcos in this country are they all truly integrated to the extent that the RIA assessment is accurate? If no new measures are required what is the point of part 1 of the act (so far as it does relate to Telcos rather than IISPs)? I know this is not crypto, but it is intriguing. I based my 25% of the $500m figure on volume of traffic as well as variety of Telcos, and while that may not stand up to scrutiny I think that 1/50 is taking it too far the other way (this assumes there is a real cost over and above the RIA estimates). Does anyone have any thoughts? Does anyone have any US (or elsewhere) ISP figures for comparison? Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From C.R.Snow@ncl.ac.uk Fri, 7 Apr 2000 13:06:37 +0100 Date: Fri, 7 Apr 2000 13:06:37 +0100 From: Richard Snow C.R.Snow@ncl.ac.uk Subject: Target selection At 18:26 +0100 6/4/0, Neil Dunbar wrote: >Nigel Hickson wrote: > >> Mr >> Clarke said (and I paraphrase) that where the recipient of a notice had >> plain text there would only be "exceptional" circumstances (which would be >> defined in Bill) where a key would be required instead. > >Hmm. > >The minister said :- > >"We might consider amending the Bill to allow insistence on producing the key >only exceptionally and to state what might be exceptional in the code of >practice." > But the Bill (as is) does not give this impression. Section 47 (provision of plaintext in lieu of key) states that *explicit* authorisation by the server of the notice is required. In my reading of the Bill, it is the provision of the plaintext which is the exceptional case. All the other sections in Part III talk about disclosure of the key.
In my view, the minister's words can only be taken seriously if the whole of Part III is re-written to reflect the fact that it is the information which is required, and that "exceptionally" a key may be required to obtain that information. I am also very worried about the actual quote from the minister (as opposed to Nigel's paraphrased version) which starts with "We might consider amending the Bill ...", which to me is politician-speak for "We might think about amending the Bill, but we are so busy that we probably won't - and even if we do think about it, we will probably decide not to amend it after all ...". Perhaps those more familiar with parliamentary draughtsmanship could tell us whether amendments ever take the form of whole parts of a bill being completely re-written. I am inclined to doubt it. ... Dick. Dr C.R.Snow Department of Computing Science University of Newcastle Newcastle upon Tyne, NE1 7RU United Kingdom. E-mail: C.R.Snow@ncl.ac.uk Phone: +44 191 222 8064 Fax: +44 191 222 8232 WWW: http://www.cs.ncl.ac.uk/people/c.r.snow/ From PHalliden@baltimore.com Fri, 7 Apr 2000 14:31:57 +0100 Date: Fri, 7 Apr 2000 14:31:57 +0100 From: Paul Halliden PHalliden@baltimore.com Subject: RIP: Signature Keys Used for Confidentiality The case is more complex for all software solutions since it depends on how the software has been architected, what interfaces have been exposed and who is available with the skills to any lower level interfaces that have been exposed (no-one in your average non-technical SME). For example software solutions that have been designed to optionally support hardware are likely to follow the same approach to key policing as the hardware. Even software only products can (and should) be designed so that the "wrong" key type cannot be used from the user interface. 
Regards Paul Halliden >-----Original Message----- >From: Ian Miller [mailto:Ian_Miller@scientia.com] >Sent: 07 April 2000 10:27 >To: ukcrypto@maillist.ox.ac.uk >Subject: RE: RIP: Signature Keys Used for Confidentiality > > >On Thu, 06 Apr 2000, Paul Halliden wrote: >> The notice might "require" them to misuse their key. However, on the >> assumption that the algorithm is RSA and that the private >key is protected >> by hardware (e.g. a smart card or a security module), the >notice will not be >> able to "force" misuse of the key since any reasonable >security hardware >> will not permit it. > >Agreed and that is a strong case for using such tamper-resistance >solutions. However this is little comfort to someone using PGP or >similar all-software encryption solutions. > >Ian > From rguerra@yahoo.com Fri, 7 Apr 2000 09:41:16 -0400 Date: Fri, 7 Apr 2000 09:41:16 -0400 From: Robert Guerra rguerra@yahoo.com Subject: RIP bill at CFP2000 Hi: Just a short note to let the people on here know that the RIP bill was explained and discussed at a BOF session at the CFP2000 conference (http://www.cfp2000.org) being held here in Toronto (Canada). Several aspects of the Bill have been mentioned and discussed by several of the speakers. I haven't noticed any mention of the conference in the last while here and thought the list members should know that there are others which are very carefully watching what is occurring in the UK. Many are willing to help, and others are very much surprised that such legislation is being introduced and rammed through the house. Robert Guerra From nbohm@ernest.net Fri, 07 Apr 2000 15:09:38 +0100 Date: Fri, 07 Apr 2000 15:09:38 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Target selection (repeat, corrected) This is a repeat of my earlier message, but correcting a reference to a "decryption key" which should have been to a signature key (thanks to Antonomasia for spotting it).
At 06:26 PM 4/6/2000 +0100, Neil Dunbar wrote: >Nigel Hickson wrote: > >> Mr >> Clarke said (and I paraphrase) that where the recipient of a notice had >> plain text there would only be "exceptional" circumstances (which would be >> defined in Bill) where a key would be required instead. > >Hmm. > >The minister said :- > >"We might consider amending the Bill to allow insistence on producing the key >only exceptionally and to state what might be exceptional in the code of >practice." > >Note - the circumstances of exceptional behaviour are to be defined in >a code of practice. Can the lawyers on the list tell me if this carries the same >legal weight as an Act or Statutory Instrument? I suspect not. "Hmm" is right. Codes of practice carry such weight as the Act says - breach of the Highway Code is not a breach of the law, but may be taken into account in deciding whether some other rule has been broken. To put it mildly, a very feeble hint of a concession, but any crack is worth its wedge. I look forward to seeing the HO justification for requiring keys (requested more than once). If there is one, then it should be made the only statutory basis for compulsory key disclosure, and anything outside its scope should be statutorily excluded. Whether the justification is made out in a particular case should depend on judicial authority based on sworn evidence available to the addressee of the notice. And something a lot better needs to be done about the dilemma resulting from demand for disclosure of what the addressee alleges is a signature only key. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. 
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From nbohm@ernest.net Fri, 07 Apr 2000 15:19:02 +0100 Date: Fri, 07 Apr 2000 15:19:02 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Target selection At 01:06 PM 4/7/2000 +0100, Richard Snow wrote: >At 18:26 +0100 6/4/0, Neil Dunbar wrote: >>Nigel Hickson wrote: >> >>> Mr >>> Clarke said (and I paraphrase) that where the recipient of a notice had >>> plain text there would only be "exceptional" circumstances (which would be >>> defined in Bill) where a key would be required instead. >> >>Hmm. >> >>The minister said :- >> >>"We might consider amending the Bill to allow insistence on producing the key >>only exceptionally and to state what might be exceptional in the code of >>practice." >> > >But the Bill (as is) does not give this impression. Section 47 (provision >of plaintext in lieu of key) states that *explicit* authorisation by the >server of the notice is required. In my reading of the Bill, it is the >provision of the plaintext which is the exceptional case. All the other >sections in Part III talk about disclosure of the key. Look again at 47(3): "(3) Compliance with a requirement to disclose a key to protected information by the provision of the information in an intelligible form is authorised for the purposes of this section unless- (a) the person who for the purposes of Schedule 1 granted the permission for the giving of a section 46 notice in relation to that information, or (b) any person whose permission for the giving of a such a notice in relation to that information would constitute the appropriate permission under that Schedule, has given a direction that the requirement can be complied with only by the disclosure of the key itself." From this it is clear that the default mode is plaintext, which can only be converted into a key requirement by a direction that a key must be disclosed.
>In my view, the minister's words can only be taken seriously if the whole >of Part III is re-written to reflect the fact that it is the information >which is required, and that "exceptionally" a key may be required to obtain >that information. This would be a huge and valuable improvement, though mainly cosmetic. >I am also very worried about the actual quote from the minister (as opposed >to Nigel's paraphrased version) which starts with "We might consider >amending the Bill ...", which to me is politician-speak for "We might think >about amending the Bill, but we are so busy that we probably won't - and >even if we do think about it, we will probably decide not to amend it after >all ...". Bear in mind that "We were wrong and will put it right" is outside the range of available Parliamentary language; but even so what has been offered is only the very faintest hint of a concession. >Perhaps those more familiar with parliamentary draughtsmanship could tell >us whether amendments ever take the form of whole parts of a bill being >completely re-written. I am inclined to doubt it. It happens from time to time, usually under considerable Parliamentary pressure. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From Q.G.Campbell@newcastle.ac.uk Fri, 7 Apr 2000 15:28:03 +0100 (GMT) Date: Fri, 7 Apr 2000 15:28:03 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Target selection On Fri, 7 Apr 2000, Richard Snow wrote: [snip] > At 18:26 +0100 6/4/0, Neil Dunbar wrote: > >Nigel Hickson wrote: > > > >> Mr > >> Clarke said (and I paraphrase) that where the recipient of a notice had > >> plain text there would only be "exceptional" circumstances (which would be > >> defined in Bill) where a key would be required instead. > > > >Hmm. > > > >The minister said :- > > > >"We might consider amending the Bill to allow insistence on producing the key > >only exceptionally and to state what might be exceptional in the code of > >practice." > > > > But the Bill (as is) does not give this impression. Section 47 (provision > of plaintext in lieu of key) states that *explicit* authorisation by the > server of the notice is required. In my reading of the Bill, it is the > provision of the plaintext which is the exceptional case. All the other > sections in Part III talk about disclosure of the key. > > In my view, the minister's words can only be taken seriously if the whole > of Part III is re-written to reflect the fact that it is the information > which is required, and that "exceptionally" a key may be required to obtain > that information. > > I am also very worried about the actual quote from the minister (as opposed > to Nigel's paraphrased version) which starts with "We might consider > amending the Bill ...", which to me is politician-speak for "We might think > about amending the Bill, but we are so busy that we probably won't - and > even if we do think about it, we will probably decide not to amend it after > all ...". > > Perhaps those more familiar with parliamentary draughtsmanship could tell > us whether amendments ever take the form of whole parts of a bill being > completely re-written. 
I am inclined to doubt it. > > ... Dick. I am confused as to which version of Mr Clark's statements on this issue is the most recent. In the most recent one I have seen he does not mention a "code of practice". According to the URL put up by Caspar reporting on the Standing Committee debate of clause 46 (Tuesday, 4 April), Mr Clark said the following: "I was going to address the matter in the clause 47 stand part debate. However, Committee members may find it helpful if I remind them of an assurance that I gave on Second Reading. I said: "We envisage that the disclosure of the plain text of protected material, rather than a key, will be sufficient in almost all cases responding to a decryption notice and I expect there to be very few cases where disclosure of the keys themselves will be required. [Official Report, 6 March 2000; Vol.345, c.834] "I acknowledge that disclosure of the key should be a higher test than the reasonable issue suggested by the hon. Gentleman. I am therefore considering whether the Bill should clarify that demanding the key would be an exceptional step and set out a definition of ``exceptional'' in such circumstances. "That would meet some of the concerns that have been raised. The matter ought really to be debated in relation to clause 47, but, in the light of our discussion, it would be slightly artificial of me not to say that I had been considering the matter. I am prepared to be helpful in making disclosure of the key exceptional for the reasons given. Unhelpfully, however, I am not in favour of defining more tightly, with reference to encryption, the circumstances in which a key can be sought". The context in which this reply was made is important and can be found in the full report of the debate at the URL: http://www.fipr.org/rip/StandRIP.4.4.2000.am.htm Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. 
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."

From pgut001@cs.auckland.ac.nz Sat, 8 Apr 2000 02:43:46 (NZST)
Date: Sat, 8 Apr 2000 02:43:46 (NZST)
From: Peter Gutmann pgut001@cs.auckland.ac.nz
Subject: TELCO costs

Donald Ramsbottom writes:

>Below is a snippet from a US Newspaper (Cryptome doesn't say which one).
>Link from cryptome below.
>
>It does show what US Telcos believe the costs of implementing wiretaps will
>cost.

Not quite. The $500M figure is the FBI's 1994 estimate, which was more or less pulled out of thin air and which no one actually believed (well, the FBI might have, but no one else did, and certainly not the telcos who were supposed to implement the thing). The FBI estimate actually started at $150M in 1992, but after criticism from the industry they modified it first to $300M and then again to $500M in 1994 for CALEA. An estimate from the telcos made at the same time was that the actual cost was $3B, not the FBI's $500M guess. In 1998 they performed a study which put the actual cost at $8B, or $12M per wiretap. What the article is pointing out is that the FBI haven't even managed to scrape together their 1994 $500M, let alone the remaining $7,500M which it's actually costing.

The history of US efforts makes a good argument against the figure being quoted for the UK - if it's costing them $8B then it's pure fantasy to think it can be done for UKP25M in the UK, especially since the UK proposal goes far beyond CALEA.

Peter.

From nbohm@ernest.net Fri, 07 Apr 2000 16:01:00 +0100 Date: Fri, 07 Apr 2000 16:01:00 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Target selection At 03:28 PM 4/7/2000 +0100, Quentin Campbell wrote: >On Fri, 7 Apr 2000, Richard Snow wrote: > >[snip] >> At 18:26 +0100 6/4/0, Neil Dunbar wrote: >> >Nigel Hickson wrote: >> > >> >> Mr >> >> Clarke said (and I paraphrase) that where the recipient of a notice had >> >> plain text there would only be "exceptional" circumstances (which would be >> >> defined in Bill) where a key would be required instead. >> > >> >Hmm. >> > >> >The minister said :- >> > >> >"We might consider amending the Bill to allow insistence on producing the key >> >only exceptionally and to state what might be exceptional in the code of >> >practice." >> > >> >> But the Bill (as is) does not give this impression. Section 47 (provision >> of plaintext in lieu of key) states that *explicit* authorisation by the >> server of the notice is required. In my reading of the Bill, it is the >> provision of the plaintext which is the exceptional case. All the other >> sections in Part III talk about disclosure of the key. >> >> In my view, the minister's words can only be taken seriously if the whole >> of Part III is re-written to reflect the fact that it is the information >> which is required, and that "exceptionally" a key may be required to obtain >> that information. >> >> I am also very worried about the actual quote from the minister (as opposed >> to Nigel's paraphrased version) which starts with "We might consider >> amending the Bill ...", which to me is politician-speak for "We might think >> about amending the Bill, but we are so busy that we probably won't - and >> even if we do think about it, we will probably decide not to amend it after >> all ...". >> >> Perhaps those more familiar with parliamentary draughtsmanship could tell >> us whether amendments ever take the form of whole parts of a bill being >> completely re-written. 
I am inclined to doubt it. >> >> ... Dick. > >I am confused as to which version of Mr Clark's statements on this issue >is the most recent. In the most recent one I have seen he does not >mention a "code of practice". > >According to the URL put up by Caspar reporting on the Standing Committee >debate of clause 46 (Tuesday, 4 April), Mr Clark said the following: > >"I was going to address the matter in the clause 47 stand part debate. > However, Committee members may find it helpful if I remind them of an > assurance that I gave on Second Reading. I said: > > "We envisage that the disclosure of the plain text of protected > material, rather than a key, will be sufficient in almost all > cases responding to a decryption notice and I expect there to be > very few cases where disclosure of the keys themselves will be > required. [Official Report, 6 March 2000; Vol.345, c.834] > >"I acknowledge that disclosure of the key should be a higher test than the > reasonable issue suggested by the hon. Gentleman. I am therefore > considering whether the Bill should clarify that demanding the key would > be an exceptional step and set out a definition of ``exceptional'' in > such circumstances. > >"That would meet some of the concerns that have been raised. The matter > ought really to be debated in relation to clause 47, but, in the > light of our discussion, it would be slightly artificial of me not to say > that I had been considering the matter. I am prepared to be helpful > in making disclosure of the key exceptional for the reasons given. > Unhelpfully, however, I am not in favour of defining more tightly, with > reference to encryption, the circumstances in which a key can be sought". 
>
>
>The context in which this reply was made is important and can be found in
>the full report of the debate at the URL:
>
>  http://www.fipr.org/rip/StandRIP.4.4.2000.am.htm

This seems to express a willingness to define "exceptional" coupled with an unwillingness to define more tightly than by saying "exceptional". It is certainly not easy to see where this will lead. Where it will probably not lead is to anything objective: it will almost certainly be for the notice giver to decide whether the case is exceptional, with no opportunity for challenge and resolution of the issue before compliance or refusal.

Regards,
Nicholas Bohm

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From ACR@als.co.uk Fri, 7 Apr 2000 16:04:28 +0100
Date: Fri, 7 Apr 2000 16:04:28 +0100
From: Alan Ramsbottom ACR@als.co.uk
Subject: Target selection

> From: Quentin Campbell [mailto:Q.G.Campbell@newcastle.ac.uk]
> I am confused as to which version of Mr Clark's statements on
> this issue is the most recent.

Clarke first mentioned The Concession[TM] in the Tues AM session (as quoted in your mail) and I thought the exceptions would be in the bill. At the start of the Tues PM session he explicitly talked about putting the exceptions in the code of practice:

"We would include guidance in the code of practice on those exceptional circumstances. Those circumstances could include cases in which timeliness is an issue and the plaintext would take longer to produce than a key; in which trust is an issue and the person who hands over the key might not be reliable, so chains of evidence must be protected; or in which security is an issue."

-Alan-

From donald@ramsbottom.co.uk Fri, 07 Apr 2000 16:13:36 +0100
Date: Fri, 07 Apr 2000 16:13:36 +0100
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: RIP bill at CFP2000

SNIP
>I haven't noticed any mention of the conference in the last while
>here and thought the list members should know that there are others
>which are very carefully watching what is occurring in the UK. Many
>are willing to help, and others are very much surprised that such
>legislation is being introduced and rammed through the house.
>
>
>Robert Guerra
>

Robert it is good to know that there are others looking on (even if they are rubbing their hands with glee). I had a German subsidiary of a large multinational on to me a day or two ago about all this and it seems that the proposals would amount to a breach of Germany's very tight data protection laws, breach of which can also be a criminal offence (so I am informed), and thus there is a repeat of the Swiss scenario which Ross referred to earlier today. What is E business to do, well not set up in the UK that is for sure. BTW are there any German legal types on the list who could enlighten us further on the data protection rules which were quoted to me?

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From C.R.Snow@ncl.ac.uk Fri, 7 Apr 2000 16:51:28 +0100
Date: Fri, 7 Apr 2000 16:51:28 +0100
From: Richard Snow C.R.Snow@ncl.ac.uk
Subject: Target selection

At 15:19 +0100 7/4/0, Nicholas Bohm wrote:
>At 01:06 PM 4/7/2000 +0100, Richard Snow wrote:
>>But the Bill (as is) does not give this impression. Section 47 (provision
>>of plaintext in lieu of key) states that *explicit* authorisation by the
>>server of the notice is required. In my reading of the Bill, it is the
>>provision of the plaintext which is the exceptional case. All the other
>>sections in Part III talk about disclosure of the key.
>
>Look again at 47(3):
>
>"(3) Compliance with a requirement to disclose a key to protected
>information by the provision of the information in an intelligible form is
>authorised for the purposes of this section unless—
>
>(a) the person who for the purposes of Schedule 1 granted the
>permission for the giving of a section 46 notice in relation to that
>information, or
>
>(b) any person whose permission for the giving of a such a notice in
>relation to that information would constitute the appropriate 40
>permission under that Schedule,
>
>has given a direction that the requirement can be complied with only by the
>disclosure of the key itself."
>
>From this it is clear that the default mode is plaintext, which can only be
>converted into a key requirement by a direction that a key must be disclosed.
>

My apologies, Nicholas, you are right, of course. IANAL, and it's probably just as well!

However, I still find it odd, that of the seven sections in Part III, (well, perhaps I shouldn't include the "Interpretation" section), five of them, including the all-important section 46, talk about the "exceptional" case of key disclosure, and only one about the "normal" situation of disclosing the plaintext. I very much fear that when Plod comes a-callin', he will demand the key, and will probably be given it unless the target of the notice has wit enough to point out that all he really requires is the plaintext.

Presumably, though, the notice will effectively give Plod his instructions. So the question is: What will the notice say?

If it says: "You must hand over the key so that message X can be decrypted", most law-abiding citizens will hand over the key.

If it says: "You must provide the intelligible form of message X", I would have thought that most law-abiding citizens would hand over the plaintext without disclosing the key.

I would suggest that as it appears in section 46 (sub-section (2) "by notice to the person whom he believes to have possession of the key, require the disclosure of the key."), the former is more likely. It will only be those who are well-versed in the law (and/or have been following ukcrypto) who will respond to such a notice with "Surely you only really need the plaintext?"

... Dick.

Dr C.R.Snow
Department of Computing Science
University of Newcastle
Newcastle upon Tyne, NE1 7RU
United Kingdom.
E-mail: C.R.Snow@ncl.ac.uk
Phone: +44 191 222 8064
Fax: +44 191 222 8232
WWW: http://www.cs.ncl.ac.uk/people/c.r.snow/

From donald@ramsbottom.co.uk Fri, 07 Apr 2000 17:19:14 +0100
Date: Fri, 07 Apr 2000 17:19:14 +0100
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Irish notes on EC bill

The Irish notes to the bill regarding financial implications for Telcos are set out below from the explanatory notes provided. It will be noted there is reference to the "light regulatory touch"

"Financial Implications

Exchequer and staffing costs

The designation of bodies under section 27 may result in staffing implications for the bodies designated to administer the schemes. It is not possible to predict precisely at this stage the numbers and the costs involved, but it is anticipated that they will be low due to the light regulatory touch provided for in the Bill. The Bill may also lead to accelerated investment in the public sector in information and communications technologies and associated staff training. This is difficult to quantify at this point in time.

An Roinn Fiontar Poiblí, Aibreán, 2000."

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co.
Solicitors
Internet Law & Global Cryptology Law Specialists

From donald@ramsbottom.co.uk Fri, 07 Apr 2000 17:34:55 +0100
Date: Fri, 07 Apr 2000 17:34:55 +0100
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: TELCO costs

At 02:43 08/04/00, you wrote:
>Donald Ramsbottom writes:
>
>>Below is a snippet from a US Newspaper (Cryptome doesn't say which one).
>>Link from cryptome below.
>>
>>It does show what US Telcos believe the costs of implementing wiretaps will
>>cost.
>
>Not quite. The $500M figure is the FBI's 1994 estimate, which was more or less
>pulled out of thin air and which no one actually believed (well, the FBI might
>have, but no one else did, and certainly not the telcos who were supposed to
>implement the thing). The FBI estimate actually started at $150M in 1992, but
>after criticism from the industry they modified it first to $300M and then
>again to $500M in 1994 for CALEA. An estimate from the telcos made at the
>same time was that the actual cost was $3B, not the FBI's $500M guess. In 1998
>they performed a study which put the actual cost at $8B, or $12M per wiretap.
>What the article is pointing out is that the FBI haven't even managed to scrape
>together their 1994 $500M, let alone the remaining $7,500M which it's actually
>costing.
>
>The history of US efforts makes a good argument against the figure being quoted
>for the UK - if it's costing them $8B then it's pure fantasy to think it can be
>done for UKP25M in the UK, especially since the UK proposal goes far beyond
>CALEA.

Peter these are truly staggering figures, may I ask where they may be found, as if they are even partially accurate then someone has seriously got things wrong and needs to look at those figures again. Even costing for UK at 1% of US estimates means £80m again, I just cannot see how our more intrusive (than CALEA) new regime can be that much cheaper. Do the US figures include ISP estimates or just Telcos?

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From brian.gladman@btinternet.com Fri, 7 Apr 2000 17:24:47 +0100
Date: Fri, 7 Apr 2000 17:24:47 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: TELCO costs

From: "Jeremy Scott-Joynt"
To:
Sent: Friday, April 07, 2000 9:27 AM
Subject: Re: TELCO costs

> Is the 25M figure firmed up? Last time I talked to the home office, they
> weren't committing to a number.

No, there is a £25M for GTAC and a similar figure for ISP costs. No doubt both estimates will prove to be too low. It's quite amazing that any Department of Government can put a Bill before Parliament with a cost estimate of £750,000 when, within the space of four weeks or so, we find the costs are probably 100 times higher. I am not surprised that security experts can do a much better job than the Home Office in estimating costs but I am surprised that the Home Office did not do this work before the Bill was put to Parliament. I am also told that the Encryption Co-ordination Unit within the Home Office includes ex-GCHQ people (is this right?). If this is true then this situation is nothing short of scandalous since it is GCHQ that has put all the standards in place that make the costs so high. Anyone from GCHQ would know of these costs and would know that the £750,000 figure was completely silly. Worse still, David Omand, the Permanent Secretary at the Home Office, is ex-MOD and ex-GCHQ and he knows only too well what the issues and costs are here. And given this situation I find it quite hard to understand who allowed the £750,000 estimate through. I think the Home Office will have no option but to admit that this was a serious error on their part.

If Parliament exerted any real power over the executive this measure would be rejected as incompetent. Examples like this show that the domination of so much of what Parliament does by blindly pursued Party alignments often undermine the true interests of UK citizens.

Brian Gladman

From bdm@fenrir.demon.co.uk Fri, 07 Apr 2000 17:34:43 +0100
Date: Fri, 07 Apr 2000 17:34:43 +0100
From: Brian Morrison bdm@fenrir.demon.co.uk
Subject: TELCO costs

On Fri, 7 Apr 2000 17:24:47 +0100, Brian Gladman wrote:

> And given this situation I find it quite hard to understand who
>allowed the £750,000 estimate through. I think the Home Office will have no
>option but to admit that this was a serious error on their part.

No doubt a deliberate one to see if they could blind-side the critics.

>
>If Parliament exerted any real power over the executive this measure would
>be rejected as incompetent. Examples like this show that the domination of
>so much of what Parliament does by blindly pursued Party alignments
>often undermine the true interests of UK citizens.

A very common story..

--
Brian Morrison bdm@fenrir.demon.co.uk
do you know how far this has gone?
just how damaged have I become?
'Even Deeper' by Nine Inch Nails

From nbohm@ernest.net Fri, 07 Apr 2000 18:08:11 +0100
Date: Fri, 07 Apr 2000 18:08:11 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: Target selection

At 04:51 PM 4/7/2000 +0100, Richard Snow wrote:
>At 15:19 +0100 7/4/0, Nicholas Bohm wrote:
>>At 01:06 PM 4/7/2000 +0100, Richard Snow wrote:
>>>But the Bill (as is) does not give this impression. Section 47 (provision
>>>of plaintext in lieu of key) states that *explicit* authorisation by the
>>>server of the notice is required. In my reading of the Bill, it is the
>>>provision of the plaintext which is the exceptional case. All the other
>>>sections in Part III talk about disclosure of the key.
>>
>>Look again at 47(3):
>>
>>"(3) Compliance with a requirement to disclose a key to protected
>>information by the provision of the information in an intelligible form is
>>authorised for the purposes of this section unless—
>>
>>(a) the person who for the purposes of Schedule 1 granted the
>>permission for the giving of a section 46 notice in relation to that
>>information, or
>>
>>(b) any person whose permission for the giving of a such a notice in
>>relation to that information would constitute the appropriate 40
>>permission under that Schedule,
>>
>>has given a direction that the requirement can be complied with only by the
>>disclosure of the key itself."
>>
>>From this it is clear that the default mode is plaintext, which can only be
>>converted into a key requirement by a direction that a key must be disclosed.
>>
>
>My apologies, Nicholas, you are right, of course. IANAL, and it's probably
>just as well!
>
>However, I still find it odd, that of the seven sections in Part III,
>(well, perhaps I shouldn't include the "Interpretation" section), five of
>them, including the all-important section 46, talk about the "exceptional"
>case of key disclosure, and only one about the "normal" situation of
>disclosing the plaintext. I very much fear that when Plod comes a-callin',
>he will demand the key, and will probably be given it unless the target of
>the notice has wit enough to point out that all he really requires is the
>plaintext.
>
>Presumably, though, the notice will effectively give Plod his instructions.
>So the question is: What will the notice say?
>
>If it says: "You must hand over the key so that message X can be
>decrypted", most law-abiding citizens will hand over the key.
>
>If it says: "You must provide the intelligible form of message X", I would
>have thought that most law-abiding citizens would hand over the plaintext
>without disclosing the key.
>
>I would suggest that as it appears in section 46 (sub-section (2) "by
>notice to the person whom he believes to have possession of the key,
>require the disclosure of the key."), the former is more likely. It will
>only be those who are well-versed in the law (and/or have been following
>ukcrypto) who will respond to such a notice with "Surely you only really
>need the plaintext?"

I entirely agree. It is necessary for the law to be right, but that is not sufficient if its state is too hard for people to understand correctly in practice. Amendment to cure this would be cosmetic in the sense of not changing the substance, but important in making it work as it should. I think you are exactly right about how it would probably work if left to itself; though this is the sort of thing a code of practice might in fact help. The code could say that any notice which can be complied with by delivery of plaintext must make that explicit; and since it would be apparent from the face of any notice whether this requirement had been observed, it would be easily policed by Commissioners etc.

Regards,
Nicholas

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From damouth@shianet.org Fri, 7 Apr 2000 14:05:06 -0400
Date: Fri, 7 Apr 2000 14:05:06 -0400
From: Les Damouth damouth@shianet.org
Subject: New FBI initiative

'Digital Storm' Brews at FBI

By Robert O'Harrow Jr.
Washington Post Staff Writer
Thursday, April 6, 2000; A01

In response to growing concerns about terrorism, hackers and other high-tech criminals, the Federal Bureau of Investigation is planning a series of sophisticated computer systems that would sharply increase agents' ability to gather and analyze information.

The FBI is seeking more than $75 million in budget appropriations to continue a massive information technology expansion, which includes a system dubbed "Digital Storm" that eases the court-sanctioned collection and electronic sifting of traffic on telephones and cellular phones.

Another proposed system would create "the foundation for an up-to-date, flexible digital collection infrastructure" for wiretaps under the Foreign Intelligence Surveillance Act. A third initiative would develop an "enterprise database" that would enable agents to analyze huge amounts of data and share them via a secure World Wide Web-style network. The bureau has also formed a privacy council to review the use of data and protect against unwarranted intrusions into innocent Americans' lives, a concern raised by privacy advocates.

FBI officials said the bureau's information technology systems are aging and need to be updated to keep pace with criminal activities, both on the Internet and offline.

"Our crimes that we're investigating today have a much more national and global scale," said Deputy Assistant Director Edward Allen. "And it's so much faster-paced. It becomes much more critical that we communicate more comprehensively."

The proposals follow a series of bureau initiatives in recent years to gain more authority to conduct wiretaps, crack encrypted documents and subpoena computer-related information.
FBI officials believe that the new data surveillance capability is crucial to the bureau's strategic goal of deterring major criminal acts through surveillance and intelligence-gathering.

"The [information technology] demanded of this plan presently does not exist within the FBI, but is at the core of activities to be implemented," the budget documents state.

But civil liberties activists, legislators and legal specialists are alarmed that the bureau's proposals could erode constitutional protections that limit government searches, with almost no discussion to date about the implications on Capitol Hill.

The initiatives apparently would not require an expansion of FBI powers under existing law. But critics said the linking of scattered sources of information would lead to a huge increase in data collection and analysis.

In its budget documents, for example, the FBI estimates that technological advances would so improve the ability to conduct wiretaps that the number of approved taps would grow by 300 percent over the next decade. Allen played down that figure, saying it was the result of a "poor analysis" and probably would be much lower.

The agency would also continue expanding its use of commercial databases containing credit information, real estate records, vehicle registrations and a plethora of other personal details.

The budget says "the explosion and availability of open source information, and the number of information bases and data sources that can and should be searched becomes formidable."

"They're not merely talking about making more efficient use of information they already have," said James Dempsey, senior staff counsel at the Center for Democracy and Technology, an advocacy group in the District.
"They're talking about casting a wider net and sweeping in vastly more information."

Others, such as Stewart Baker, former general counsel for the National Security Agency, say the FBI already has tremendous power and little oversight.

"They're acting within the law, but it's fair to be nervous about that," said Baker, a partner at the law firm Steptoe & Johnson and a member of a privacy advisory board at the Federal Trade Commission. "An awful lot of information can be gathered with only a modest amount of justification."

Rep. Robert L. Barr Jr. (R-Ga.) said the FBI has focused so tightly on preventing terrorist activity that it has virtually ignored the implications of its plans, at least publicly. "They're saying, 'We need to do whatever it takes,' " Barr said.

Barr will raise his concerns at a hearing today of the Constitution subcommittee of the House Judiciary Committee. The subcommittee will explore the adequacy of privacy protections under current laws.

"The reason we're focusing on this now . . . because of the government's ability to gather, store and manipulate massive amounts of data," Barr said.

The FBI's Allen acknowledged that the bureau's ability to manage that data will soar with the new technology. But he said bureau employees will have only restricted access to the databases, and that there already are legal restraints on wiretaps and other surveillance. Agents seeking a wiretap, for instance, will still have to receive court approval and then make regular reports to the judge about the progress of the case.

Allen also said that the FBI will include software that tracks who accesses files in order to create an audit trail.

The bureau is seeking $15 million for Digital Storm, a digital surveillance system that helps agents monitor telephone calls and analyze computerized recordings under federal Title III wiretap authority. Other law enforcement agencies use similar systems.
A similar program for monitoring under the Foreign Intelligence Surveillance Act (FISA) would cost $10 million next year.

Information from Digital Storm and the FISA system would be fed into new in-house databases known as Casa De Web. It would enable agents and other authorities to use Web browsers to instantly upload the results of surveillance or other evidence. It also would archive "audio, data, and reports produced on these collection systems," the budget states.

"It facilitates the sharing of electronic surveillance evidentiary data . . . and intelligence . . . between FBI field offices," the budget documents said in the $10 million request for Casa De Web.

The bureau also is asking Congress for $41 million for an Information Sharing Initiative. That program, begun last year, calls for the creation of a giant "enterprise database" and an array of other technological improvements that would give the bureau "a robust intelligence capability."

Carolyn Morris, head of the bureau's information resources division, noted that the "enterprise database"--essentially a data warehouse--would contain the same information the bureau already collects. "A lot of people think it's going to be something entirely new," she said. "It isn't."

But the database would give analysts the unprecedented ability to conduct "data mining" on vast mountains of digital records for patterns or clues now buried in paper files or scattered in unlinked FBI computers.

"You've got to have an electronic repository for everything you collect . . . which means you can mine it, look for links," Morris said.

At the same time, Morris said, the bureau is sensitive to Americans' privacy concerns. Several months ago, the bureau created a privacy council led by Patrick Kelley, deputy general counsel and the senior privacy officer.
Among other things, the council will develop privacy rules for databases with 10,000 or more records.

"Our goal is to ensure that there are no unwarranted invasions of personal privacy and to balance the interests" of investigators and individual citizens.

In a speech to a Senate Appropriations subcommittee in February, FBI Director Louis J. Freeh warned of a coming wave of Internet crime and Web-based terrorism.

"I am confident that once the scope of the problem is clear, we can work together to develop the capabilities to meet the computer crime problem, in all its facets, head on," Freeh said to the subcommittee for the departments of Commerce, Justice, State and the judiciary. "Our economy and public safety depend on it."

Dempsey, of the Center for Democracy and Technology, said federal agents need to be as technologically savvy as criminals and terrorists. But he said limits are needed to protect innocent people.

"As we rush forward into this digital storm, we need to consider the rules by which the government uses these techniques to collect information about Americans," he said.

© 2000 The Washington Post Company

From phr@doc.ic.ac.uk Fri, 07 Apr 2000 19:55:19 +0100
Date: Fri, 07 Apr 2000 19:55:19 +0100
From: Philip Rowlands phr@doc.ic.ac.uk
Subject: Target selection

Richard Snow wrote:
>
> Presumably, though, the notice will effectively give Plod his instructions.
> So the question is: What will the notice say?
>
> If it says: "You must hand over the key so that message X can be
> decrypted", most law-abiding citizens will hand over the key.
>
> If it says: "You must provide the intelligible form of message X", I would
> have thought that most law-abiding citizens would hand over the plaintext
> without disclosing the key.
>
> I would suggest that as it appears in section 46 (sub-section (2) "by
> notice to the person whom he believes to have possession of the key,
> require the disclosure of the key."), the former is more likely. It will
> only be those who are well-versed in the law (and/or have been following
> ukcrypto) who will respond to such a notice with "Surely you only really
> need the plaintext?"

This was addressed on Tuesday in committee, when Oliver Heald asked that notices must be given in a standard form, otherwise each agency allowed to serve them will end up with its own version. The Minister said that it was an issue for the code of practice to address, and seemed to be agreeing with the sentiments that a standard form was preferable.

I would assume that a S46 notice form (in the paper, rather than abstract sense) would have a "Unless this box is ticked, then plaintext is acceptable in lieu of the key" or something similar.

Phil

From roland@linx.net Fri, 7 Apr 2000 19:53:38 +0100
Date: Fri, 7 Apr 2000 19:53:38 +0100
From: Roland Perry roland@linx.net
Subject: TELCO costs

In article <006c01bfa0ad$dd935570$1faaac3e@fortytwo>, Brian Gladman writes
>would know that the £750,000 figure was completely silly.

I think you are missing the point here. The 750K is *only* the cost of the new oversight Commissioner.
While I have my own reservations about what budget the interception responsibilities of public service networks (like the Health Service) should be included under [currently it can only logically be assumed to be within the 20M for CSPs] I don't think that Law Enforcement costs can ever be included under the umbrella of the 750K in the Bill.

--
Roland Perry

From roland@linx.net Fri, 7 Apr 2000 19:49:08 +0100
Date: Fri, 7 Apr 2000 19:49:08 +0100
From: Roland Perry roland@linx.net
Subject: TELCO costs

In article <1.5.4.32.20000407105019.0133c8fc@192.168.0.65>, Donald Ramsbottom writes
>At 10:33 07/04/00 +0100, you wrote:
>>In article <+ytCeMAGoZ74EwVQ@perry.co.uk>, Roland Perry
>>All the 40 traditional PTOs are compliant already - so no extra cost.
>>
>>The 233 ISVRs won't be tapped, the upstream PTOs will - so no extra
>>costs.
>
>Is this a reasonable assumption in the RIA? I ask because I do not know.

According to para 3.4 of the original IOCA consultation last summer, all the licenced PTOs are indeed already covered. It was the ISRs (see para 3.4) that needed to be included. I suppose that if they now say this isn't necessary, it's about of an about-face.

>I also note what you say about all the different companies in the States,
>but surely they are not so backward that we have all the necessaries in
>place and they do not?

It's always been felt that while the Americans are good at literally rocket science, their utilities are rather behind the times, technologically.

>With all the Telcos in this country are they all
>truly integrated to the extent that the RIA assessment is accurate?

They are not integrated between themselves (other than because they all have interconnect agreements). But each OLO itself has a fairly "together" operation as far as its UK telephony is concerned.
--
Roland Perry | tel: +44 1733 705000 | roland@linx.org
Regulation Officer | fax: +44 1733 353929 | http://www.linx.net/
London Internet Exchange | mbl: +44 7050 604080 |

From brian.gladman@btinternet.com Fri, 7 Apr 2000 20:19:09 +0100
Date: Fri, 7 Apr 2000 20:19:09 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: TELCO costs

From: "Roland Perry"
To:
Sent: Friday, April 07, 2000 7:53 PM
Subject: Re: TELCO costs

> In article <006c01bfa0ad$dd935570$1faaac3e@fortytwo>, Brian Gladman
> writes
> >would know that the £750,000 figure was completely silly.
>
> I think you are missing the point here. The 750K is *only* the cost of
> the new oversight Commissioner.

Maybe so, but if this is the case then there is a big gap in identifying the costs of the Bill for UK taxpayers.

> While I have my own reservations about what budget the interception
> responsibilities of public service networks (like the Health Service)
> should be included under [currently it can only logically be assumed to
> be within the 20M for CSPs] I don't think that Law Enforcement costs can
> ever be included under the umbrella of the 750K in the Bill.

The Bill should identify the total cost to the UK taxpayer for its implementation since, if it does not, Parliament cannot decide if the benefits claimed are worthwhile in view of the costs involved.

Brian

From roland@linx.net Fri, 7 Apr 2000 20:34:21 +0100
Date: Fri, 7 Apr 2000 20:34:21 +0100
From: Roland Perry roland@linx.net
Subject: TELCO costs

In article <001501bfa0c6$2673b830$653463c3@fortytwo>, Brian Gladman writes
>The Bill should identify the total cost to the UK taxpayer for its
>implementation since, if it does not, Parliament cannot decide if the
>benefits claimed are worthwhile in view of the costs involved.

We need to be clear what's included in these assessments. Did the one that introduced yellow lines include the wages (and pensions) for thousands of traffic wardens as a cost?
--
Roland Perry

From dave@xemu.demon.co.uk Fri, 7 Apr 2000 16:00:32 +0100
Date: Fri, 7 Apr 2000 16:00:32 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: RIP bill at CFP2000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , Robert Guerra writes:
>Hi:
>
>Just a short note to let the people on here know that the RIP bill was explained
>and discussed at a BOF session at the CFP2000 conference
>(http://www.cfp2000.org) being held here in Toronto (Canada).
>
>Several aspects of the Bill have been mentioned and discussed by several of the
>speakers.

Chris Bayliss from GreenNet was at both CFP2000 and SFS2000 so he probably said something. A number of north american contacts of mine were/are (has it finished yet?) at CFP.

>
>I haven't noticed any mention of the conference in the last while here and
>thought the list members should know that there are others which are very
>carefully watching what is occurring in the UK. Many are willing to help, and
>others are very much surprised that such legislation is being introduced and
>rammed through the house.
- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOO34EH8v/Y5zkfRPEQKx9ACg7t+Gs3ZdklRvHEbBRnAbYDyPJhQAn17u
+8EpoJuTYiGWtiWcug1rVQ3a
=z3+j
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Fri, 7 Apr 2000 16:05:29 +0100
Date: Fri, 7 Apr 2000 16:05:29 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Irish EC bill S25&26

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <1.5.4.32.20000407074717.013335b4@192.168.0.65>, Donald Ramsbottom writes
>(c) to seize anything found there, or anything found in the possession
>of a person present there at the time of the search,
>which that officer or member reasonably believes to be
>evidence of or relating to an offence under this Act and,
>where the thing seized is or contains information or an
>electronic communication that cannot readily be accessed
>or put into intelligible form, to require the disclosure of
>the information or electronic communication in intelligible
>form.
[............]
>26.-Nothing in this Act shall be construed as requiring the disclosure
>of unique data, such as codes, passwords, algorithms, private
>cryptographic keys, or other data, that may be necessary to render
>information or an electronic communication intelligible.

Plaintext but not keys; very sensible.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOO35OX8v/Y5zkfRPEQJaRwCgjk3ptC6SseNsIRv8qASkqJc6tpgAn3ZE
mU8bB+Zxx0KDfK8TMFRauKiy
=X8HU
-----END PGP SIGNATURE-----

From dave@xemu.demon.co.uk Fri, 7 Apr 2000 15:57:28 +0100
Date: Fri, 7 Apr 2000 15:57:28 +0100
From: Dave Bird dave@xemu.demon.co.uk
Subject: Parliament in internet time (was Re: Target selection)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <192CA233715FD21184E70008C71E812801557425@L01EB002>, Watkin Simon writes
>1. I wasn't on holiday. I did say I was working away from the office.
>2. When I came back I had nine day's worth of postings to go through
>(several hundred of them) with my colleagues in the Bill team who, as you
>know, are at the House in Committee as I write to you.
>3. No one else responds when I'm away because no one else working on the
>Bill or its consequent implementation is a subscriber, only me.
>4. I sense an expectation that I (as the Home Office) *should* be responding
>instantly to every posting with a question or comment on the RIP Bill.
[..................]
>6. In general Ukcrypto correspondents make postings but if no one picks up
>their thread they can't complain. No Ukcrypto correspondent is *expected*
>to respond - except me.

Yes but the difference is that:

>5. In general Ukcrypto correspondents put forward their personal views. I
>don't. You don't get my personal view. You get a Home Office view.

We do expect that the Home Office VIEWPOINT, having been stated here, will also reply to perceptive criticism here (or the suspicion is it hasn't got any answers worth hearing). Not to each person, but to a sample of the main VIEWPOINTS expressed. That you are the only person who can speak for it is the Home Office's choice, not ours. That nobody much else will speak up for the HO's view likewise.....

We do appreciate you replying. We don't generally much like the Home Office, but do know the difference between you and your job; and also that officials are often lions led by donkeys or whatever (owls led by vultures?).

You personally, or the Home Office, don't HAVE to consult with informed opinion in specialised areas at all. But there are obvious benefits to both sides if you do.

- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses
happy as a clam at high tide -. <_" .-._.-.
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOO33WH8v/Y5zkfRPEQK89wCfdJ7596I1WhaG6Wif/vlwQjgSh6AAoN95
Ww2H46942ZorInCMwO7jUzlp
=HEQO
-----END PGP SIGNATURE-----

From pgut001@cs.auckland.ac.nz Sat, 8 Apr 2000 08:38:56 (NZST)
Date: Sat, 8 Apr 2000 08:38:56 (NZST)
From: Peter Gutmann pgut001@cs.auckland.ac.nz
Subject: TELCO costs

Donald Ramsbottom writes:
>these are truly staggering figures, may I ask where they may be found, as if
>they are even partially accurate then someone has seriously got things wrong
>and needs to look at those figures again. Even costing for Uk at 1% of US
>estimates means £80m again, I just cannot see how our more intrusive (than
>CALEA) new regime can be that much cheaper.

Here are some reports from 1996 and 1997, I can't find the 1998 one or anything newer which is probably due to the fact that I got tired of filing them at some point and just let them pass.

(What's the UK population? Is ( pop_UK / pop_US ) * $xB a good way to estimate the potential UK cost? Note that you'd probably want to make it a bit higher than the basic population ratio since RIP is vastly more intrusive than CALEA).

Peter.

-- Snip --

The Washington Post, October 27, 1996, pp. H1, H12.
Heightened Tensions Over Digital Taps
Telecommunications Industry, FBI at Odds Over High-Tech Tools
By Jim McGee

[...]

The industry also estimates that the necessary technological upgrades would cost $1.8 billion; FBI officials put the price tag at $500 million.

[...]

Federal Bar Journal, late 1996 or early 1997
THE LAW ENFORCEMENT ARGUMENT FOR MANDATORY KEY ESCROW ENCRYPTION: THE "DANK" CASE REVISITED
by Andrew Grosso

[...]

In a similar vein, the most recent estimates of the national cost for implementing the Digital Telephony law, which requires that commercial telecommunications companies wiretap our nation's communications network for the government's benefit, is approximately three billion dollars.
Three billion dollars will buy an enormous number of police man hours, officer training, and crime fighting equipment. It is difficult to see that this amount of money, by being spent on wire tapping the nation, is being spent most advantageously with regard to law enforcement's needs.

[...]

USA TODAY
Our View
September 26, 1997
Computer privacy at risk if FBI gets the codes

[...]

Domestic limits would only add costs. The Congressional Budget Office estimates that buyers will pay $ 5 to $ 10 more for software, up to $ 2 billion a year, to implement the FBI's system. And 11 of the world's top cryptographers in May warned that the FBI plan creates targets for criminals by establishing centers where billions of secrets are held.

[...]

The Netly News
Afternoon Line
April 1, 1998
Golden Fleecing

[...]

Last September the Congressional Budget Office came up with a much lower, price tag. Requiring key escrow, they said, would cost consumers just $200 million to $2 billion a year.

[...]

Source: Yahoo! News
Friday October 16 3:00 PM EDT
FCC To Propose Resolving Digital Wiretap Debate
By Aaron Pressman

[...]

The industry fears refitting existing equipment to add those capabilities will cost billions of dollars. Their fears were confirmed in a recent letter from Attorney General Janet Reno and FBI Director Louis Freeh to Congress, dated Oct. 6, and obtained by Reuters, that conceded the costs could reach $2 billion.

[...]

And from the really extreme end of the scale:

Wireless Week, November 16, 1998
WTB Questioning CALEA Estimates
By Edward Warner

[...]

The industry has fought adding the functions, saying they're too costly, but Vaughan said there's no accurate way of assessing that. He said the price tag for the Communications Assistance to Law Enforcement Act "is not $8 billion; it's not $1 billion." He advised the industry to take its cost concerns to Congress and to consider recovering some of its costs by finding secondary commercial uses for the new network functions.
Vaughan's view caught the industry by surprise. Steve Berry, the chief congressional lobbyist for the Cellular Telecommunications Industry Association, said it was "hard to hear" that the FCC is uninterested in what could be a $12 billion "surveillance tax" on carriers.

[...]

From brian.gladman@btinternet.com Fri, 7 Apr 2000 21:42:44 +0100
Date: Fri, 7 Apr 2000 21:42:44 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: TELCO costs

From: "Roland Perry"
To:
Sent: Friday, April 07, 2000 8:34 PM
Subject: Re: TELCO costs

> In article <001501bfa0c6$2673b830$653463c3@fortytwo>, Brian Gladman
> writes
> >The Bill should identify the total cost to the UK taxpayer for its
> >implementation since, if it does not, Parliament cannot decide if the
> >benefits claimed are worthwhile in view of the costs involved.
>
> We need to be clear what's included in these assessments. Did the one
> that introduced yellow lines include the wages (and pensions) for
> thousands of traffic wardens as a cost?

I have no idea but it should have done. If this does not happen it is then all too easy for central government to enact measures without concern for the interests of taxpayers. And this seems to be a frequent occurrence, particularly so when it is Council Tax payers who pick up the tab, one reason why local government costs are increasing at well above the rate of inflation (where I live at least).

The principle is clear enough - for any piece of legislation Parliament should be in a position to judge whether the benefits to be secured are worth the money that has to be spent to obtain them.

I agree that this will always involve difficult judgements about direct and indirect costs but in the case of the RIP Bill the costs involved in setting up a GTAC capability to protect seized keys are a direct consequence of GAK in RIP. And this means that, even on Government estimates, £25M was conveniently omitted from the costs involved.
I also believe that ISP costs may be covered by taxpayers and these could easily be much higher still. So the £750k seems a very bad estimate of the costs involved.

Brian

From padgett@gdi.net Fri, 07 Apr 2000 18:40:39 -0400
Date: Fri, 07 Apr 2000 18:40:39 -0400
From: Padgett 0sirius padgett@gdi.net
Subject: Target selection

>> Do we have to actually lose the business before the HO see that they
>> have shot UK PLC in the foot, or will they give in gracefully?

You are making the assumption that the principal concern is to enhance UK business. If the agenda is different (and often is) then you need to know the real drivers before logic can work.

OTOH it is often a mistake to attribute to malice what can be explained by ignorance.

A. Padgett Peterson, P.E., CISSP: Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net
PGP 6.5 Key on request

From padgett@gdi.net Fri, 07 Apr 2000 18:51:44 -0400
Date: Fri, 07 Apr 2000 18:51:44 -0400
From: Padgett 0sirius padgett@gdi.net
Subject: TELCO costs

>It's always been felt that while the Americans are good at literally rocket
>science, their utilities are rather behind the times, technologically.

Perhaps, but they work & are inexpensive. 8*).

A. Padgett Peterson, P.E., CISSP: Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net
PGP 6.5 Key on request

From roland@linx.net Sat, 8 Apr 2000 08:18:43 +0100
Date: Sat, 8 Apr 2000 08:18:43 +0100
From: Roland Perry roland@linx.net
Subject: TELCO costs

In article <005901bfa0d1$d46103c0$653463c3@fortytwo>, Brian Gladman writes
>The principle is clear enough - for any piece of legislation Parliament
>should be in a position to judge whether the benefits to be secured are
>worth the money that has to be spent to obtain them.

I have some difficulty with this.
When the Health and Safety Act was passed, it could be predicted that there would be a cost to the taxpayer in setting up an agency to police it, and a cost to (say) British Rail [then in Public ownership] of a department to ensure their own compliance. Who could tell that twenty years later it would emerge that Railtrack [now privately owned, but let's ignore that for these purposes] would be told, under the Act, to spend 15 Billion (or whatever very large sum it is) installing Automatic Train Protection?

Could have predicted the dramatic recent escalation in costs to local authorities, and indeed the government, for asylum seekers?

>I agree that this will always involve difficult judgements about direct and
>indirect costs but in the case of the RIP Bill the costs involved in setting
>up a GTAC capability to protect seized keys are a direct consequence of GAK
>in RIP. And this means that, even on Government estimates, £25M was
>conveniently omitted from the costs involved. I also believe that ISP costs
>may be covered by taxpayers and these could easily be much higher still. So
>the £750k seems a very bad estimate of the costs involved.

It is clear that the 750K is only the cost of the new Commissioner. If you want to argue that there should be other items under that umbrella (and I might argue that public sector CSPs should be included) then you need to look at para 354 of the Explanatory Notes and find someone to complain to that "public expenditure and public service manpower" should not exclude the cost to Law Enforcement Agencies.

Incidentally, the 20M figures in the RIA appear to concentrate on "costs to business", and thus probably excludes costs to public sector CSPs (compare and contrast carefully with the distinction between public and private in the context of Clause 2).

In any case, I think the 20M (for interception at least) will be shown to be far too low.
As I keep pointing out, much of the skill of running an ISP is in expanding fast enough to be able to take advantage of the business opportunities. Having one's project managers and engineers thinking about interception instead of building the business is a huge opportunity cost which some have estimated as in excess of 10x the actual payroll cost.

--
Roland Perry

From brian.gladman@btinternet.com Sat, 8 Apr 2000 13:03:22 +0100
Date: Sat, 8 Apr 2000 13:03:22 +0100
From: Brian Gladman brian.gladman@btinternet.com
Subject: TELCO costs

From: "Roland Perry"
To:
Sent: Saturday, April 08, 2000 8:18 AM
Subject: Re: TELCO costs

> In article <005901bfa0d1$d46103c0$653463c3@fortytwo>, Brian Gladman
> writes
> >The principle is clear enough - for any piece of legislation Parliament
> >should be in a position to judge whether the benefits to be secured are
> >worth the money that has to be spent to obtain them.
>
> I have some difficulty with this. When the Health and Safety Act was
> passed, it could be predicted that there would be a cost to the taxpayer
> in setting up an agency to police it, and a cost to (say) British Rail
> [then in Public ownership] of a department to ensure their own
> compliance. Who could tell that twenty years later it would emerge that
> Railtrack [now privately owned, but let's ignore that for these
> purposes] would be told, under the Act, to spend 15 Billion (or whatever
> very large sum it is) installing Automatic Train Protection?
>
> Could have predicted the dramatic
> recent escalation in costs to local authorities, and indeed the
> government, for asylum seekers?

But I am not arguing for perfect forward prediction of costs since this is never possible but I do think that Parliament should be given the best possible estimates of the cost impact of any legislation it is being asked to enact. I agree that this will not always be possible but where it can be sensibly done it should be.
As I said earlier taxpayers, especially Council Tax payers, are very likely to be saddled with large, unjustified costs when this is not done. And for GAK in RIP and for ISP interception costs I believe that this is relatively easy to do.

Without forcing out the GTAC costs into the open, a significant proportion of these costs would have fallen on Council Tax payers who fund Police Authorities and I am very confident that any money I contribute to my local Police for implementing GAK would be much better spent on other ways of reducing crime. Moreover, now that we have forced a minimum estimate of these costs into the open, we can that we are going to pay between £1,000,000 and £100,000 per key seized and we have yet to see any explanation of the sort of keys that are worth such expenditure (I don't believe that there are any).

Put simply I do not think that we should allow the executive to hoodwink Parliament into imposing unknown costs on taxpayers. If there is an argument that says the costs cannot be estimated then it's up to the Department to say this to Parliament - and for Parliament to ask the right questions to ensure that this is true.

> It is clear that the 750K is only the cost of the new Commissioner. If
> you want to argue that there should be other items under that umbrella
> (and I might argue that public sector CSPs should be included) then you
> need to look at para 354 of the Explanatory Notes and find someone to
> complain to that "public expenditure and public service manpower" should
> not exclude the cost to Law Enforcement Agencies.

Any cost paid directly by taxpayers or Council Tax payers needs to be included. Costs on business also need to be estimated since these will ultimately fall on customers.

[snip]

> In any case, I think the 20M (for interception at least) will be shown to be far too low.
I completely agree - I am now inclined to think that this is going to be the largest cost and will push the cost of this Bill well into nine figures. I am not sure whether the return on interception justifies such expenditure since I have not looked at this - I have been concentrating on GAK in RIP where the lack of justification is only too evident. Brian From richard@turnpike.com Sat, 8 Apr 2000 18:48:36 +0100 Date: Sat, 8 Apr 2000 18:48:36 +0100 From: Richard Clayton richard@turnpike.com Subject: TELCO costs -----BEGIN PGP SIGNED MESSAGE----- In article <95513993614244@kahu.cs.auckland.ac.nz>, Peter Gutmann writes >Wireless Week, November 16, 1998 >WTB Questioning CALEA Estimates >By Edward Warner > >[...] > >He advised the industry to take its cost concerns to Congress and to consider >recovering some of its costs by finding secondary commercial uses for the new >network functions. Gee, we could sell the IP streams of customers to advertisers interested in knowing all about their private lives. NOT! We could provide monitoring functions to corporates who were concerned what their employees were emailing to each other. NOT! What commercial use could there possibly be for wiretap product ? 
- -- richard writing to inform and not as company policy fewer than 20 MPs still need adopting: http://www.stand.org.uk/ "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQCVAwUBOO9w9KlbUjjcq7SFAQGnBwQAjvbsRsjKn4kjeHjjiUiHXz3kAgYxaIMq KxeHLPdIQfjcZDB7bd05QD/tMG2MeTFMQLKgcebzMkEbMstEaLByPRDVXRYoiXVC U7oV0CTtxWDj5R8SSzZGkqa5j3oeVOUsruj7ORv5lB4HPQJ4dhBd90IlIt+BtVS2 9pULhGCekq4= =Ydl6 -----END PGP SIGNATURE----- From pgut001@cs.auckland.ac.nz Sun, 9 Apr 2000 06:16:49 (NZST) Date: Sun, 9 Apr 2000 06:16:49 (NZST) From: Peter Gutmann pgut001@cs.auckland.ac.nz Subject: TELCO costs Richard Clayton writes: >In article <95513993614244@kahu.cs.auckland.ac.nz>, Peter Gutmann > writes > >>Wireless Week, November 16, 1998 >>WTB Questioning CALEA Estimates >>By Edward Warner >> >>[...] >> >>He advised the industry to take its cost concerns to Congress and to consider >>recovering some of its costs by finding secondary commercial uses for the new >>network functions. >What commercial use could there possibly be for wiretap product ? I'm sure your competitors would pay handsomely for the data. Of course you might be violating some sort of law or something by selling it to them... Peter. From dave@xemu.demon.co.uk Sat, 8 Apr 2000 11:28:40 +0100 Date: Sat, 8 Apr 2000 11:28:40 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: TELCO costs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <95513993614244@kahu.cs.auckland.ac.nz>, Peter Gutmann writes >(What's the UK population? Is ( pop_UK / pop_US ) * $xB a good way to estimate $OneOff + ( 60 / 300 =.2) *($xB - $OneOff) > the potential UK cost? If you are comparing like systems implemented under similar conditions then probably, except there are probably economies of scale as some costs are basically one-off set-up costs and not per size. 
>Note that you'd probably want to make it a bit higher > than the basic population ratio since RIP is vastly more intrusive than > CALEA). - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOO8J2H8v/Y5zkfRPEQJ4dwCeMwAqIkdUlJF4XSG/RQttQLNoVukAoN1y vE4Cv8VaXKEPsnsQqnn8ejtN =T1ns -----END PGP SIGNATURE----- From dave@xemu.demon.co.uk Sat, 8 Apr 2000 11:23:34 +0100 Date: Sat, 8 Apr 2000 11:23:34 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Target selection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <3.0.5.32.20000407184039.008eb100@gdi.net>, Padgett 0sirius writes >>> Do we have to atually loose the business before the HO see that they >>> have shot UK PLC in the foot, or will they give in gracefully? > >You are making the assumption that the principle concern is to enhance UK >business. If the agenda is different (and often is) then you need to know >the real drivers before logic can work. > >OTOH it is often a mistake to attribute to malice what can be explained by >ignorance. Well make that ignorance, arrogance, and plain bull-headed stupidity, having heard the point explained many times and just plain refusing to listen. But I tend to think the H O is malicious (or, if you prefer, has other priorities with which I disagree). 
- -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOO8Ipn8v/Y5zkfRPEQL0ewCfYwS+p3tOcFHInUP5m4ZSItj3BB8AoNsC iWHHBCmzA2l4pM0+wtg5Es6q =Dsbt -----END PGP SIGNATURE----- From ben@algroup.co.uk Sat, 08 Apr 2000 22:54:37 +0100 Date: Sat, 08 Apr 2000 22:54:37 +0100 From: Ben Laurie ben@algroup.co.uk Subject: TELCO costs Richard Clayton wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > In article <95513993614244@kahu.cs.auckland.ac.nz>, Peter Gutmann > writes > > >Wireless Week, November 16, 1998 > >WTB Questioning CALEA Estimates > >By Edward Warner > > > >[...] > > > >He advised the industry to take its cost concerns to Congress and to consider > >recovering some of its costs by finding secondary commercial uses for the new > >network functions. > > Gee, we could sell the IP streams of customers to advertisers interested > in knowing all about their private lives. NOT! > > We could provide monitoring functions to corporates who were concerned > what their employees were emailing to each other. NOT! > > What commercial use could there possibly be for wiretap product ? Sell it to the KGB? Cheers, Ben. -- http://www.apache-ssl.org/ben.html From roland@linx.net Sun, 9 Apr 2000 10:15:26 +0100 Date: Sun, 9 Apr 2000 10:15:26 +0100 From: Roland Perry roland@linx.net Subject: TELCO costs In article <003401bfa152$bf5e4600$3c3563c3@fortytwo>, Brian Gladman writes >Moreover, now that we have forced a minimum estimate of these costs into the >open, we can that we are going to pay between £1,000,000 and £100,000 per >key seized and we have yet to see any explanation of the sort of keys that >are worth such expenditure (I don't believe that there are any). What if some vital evidence that would crack the Jill Dando case (costs currently must be in the tens of millions) was on a password protected organiser, and you needed to get at it.
In this context, 'plain text' might be an unlocked organiser, but for some reason you can't or won't get the owner and his organiser in one place so he can type the password in under close supervision. You might say "don't be silly, those aren't the sorts of keys we are worried about". I think the bill might do well to try and distinguish a little between different kinds of 'key' (in addition to signature and non-signature ones) to clarify things. -- Roland Perry From brian.gladman@btinternet.com Sun, 9 Apr 2000 14:58:06 +0100 Date: Sun, 9 Apr 2000 14:58:06 +0100 From: Brian Gladman brian.gladman@btinternet.com Subject: TELCO costs >From: "Roland Perry" >To: >Sent: Sunday, April 09, 2000 10:15 AM >Subject: Re: TELCO costs > >In article <003401bfa152$bf5e4600$3c3563c3@fortytwo>, Brian Gladman > writes >>Moreover, now that we have forced a minimum estimate of these costs into the >>open, we can that we are going to pay between £1,000,000 and £100,000 per >>key seized and we have yet to see any explanation of the sort of keys that >>are worth such expenditure (I don't believe that there are any). > >What if some vital evidence that would crack the Jill Dando case (costs >currently must be in the tens of millions) was on a password protected >organiser, and you needed to get at it. In this context, 'plain text' >might be an unlocked organiser, but for some reason you can't or won't >get the owner and his organiser in one place so he can type the password >in under close supervision. I am very doubtful that cases of this kind, where decryption notices without GAK won't work, are sufficiently likely to be a cause for concern. It is not difficult to construct examples in support of GAK where the lack of access to keys would be truly catastrophic (far more so than the Dando case) but the fact we can do this does not make the case.
IMHO GAK legislation should only be contemplated if there is clear evidence to show that lack of access to keys is causing substantial problems for law enforcement. >You might say "don't be silly, those aren't the sorts of keys we are worried about". I would not say this but I do want evidence of actual law enforcement problems that would be solved by GAK. The downside of providing such capabilities is much too large to do this without very clear evidence of a real need. >I think the bill might do well to try and distinguish a little between >different kinds of 'key' (in addition to signature and non-signature >ones) to clarify things. Maybe, but I would first like to see the case for GAK - so far the Home Office has not answered any of the hard questions in respect of GAK justification. Mr Clarke has made a welcome concession to indicate that GAK will almost never be sought and this alone makes it necessary to ask whether these last few cases are truly so important that we have to carry all the risks that GAK will involve in order to deal with them. Brian From bradley@compsci.bristol.ac.uk Sun, 9 Apr 2000 17:53:28 +0100 (BST) Date: Sun, 9 Apr 2000 17:53:28 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Irish view and public/private keys > > The case where you cannot provide a session key, namely where you haven't > > got the ciphertext, is the awkward one. Where the authorities have the > > ciphertext they should be obliged to provide it to you so that you can > > comply by using or providing a session key. > > In practice I expect they won't provide the ciphertext as they won't > want you to know which of your correspondents is being watched. > > Logically Plod should be satisfied if he can send you a key packet > (the session key encrypted under your public key) and get back the > clear session key.
But this is almost as unsatisfactory for him: you > might have kept a list of one-way hashes of session keys, so you can > identify the messages of interest. It's much less satisfactory for you > too. If you don't have such a list then Plod can get you to decrypt > keys for all sorts of stuff he has no right to - such as emails from > your lawyer. If you do have such a list, there are other problems > (e.g. he demands it and then serves further notices). If you don't have a list of hashed-session keys used, but do have a record of all your previous received encrypted mail (for sent mail under asymmetric encrytpion Plod would be S.46-ing your correspondee)... ...then presumably you can run your session key over all the messages you've kept to see which one decrypts correctly, to determine whether Plod has a legal right to look at it... if you can be bothered of course - this may be only a few messages or a search space of many thousands. --Jeremy. From dave@xemu.demon.co.uk Sun, 9 Apr 2000 17:50:16 +0100 Date: Sun, 9 Apr 2000 17:50:16 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Some thoughts on Crypto and RIP. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A security system, one for keeping your stored or communications data secure, has layers which are algorithmic (how the ciphers and message digests operate), constructional (how they interconnect), and operational (how staff/participants use the program commands and other office procedures such as safes and backups). Normally it is made "as strong as is necessary or reasonably possible" in terms of the work needed to break in, so it is just not worthwhile proportionate to the value of securing/revealing the material concerned. One way which helps the equation balance is "not to put too many eggs in one basket" but to disperse target material between different locations, keys, procedures etc. 
If the algorithmic level is rubbish then it is very easy for the attacker to sit in his armchair and proceed with cracking; if not he will go down another track. Attacks may be at any level. Precautions against one level of attack may use a different level of response, e.g. the response to people writing down passwords (operational) may be to add a facility for split keys (constructional); see below.... PGP is very "strong", enough for present attacks, algorithmically. PGP works quite well in the degree of police state envisioned for, say, Serbia. Some third world people will be killed if their names get out. A bunch of thugs in police uniforms and interior ministry men in suits turn up and demand the passphrase on pain of death. The data holder doesn't give it. They break his arms and a couple of ribs then go away. But the security is kept. PGP works quite badly in the degree of police state envisioned for, Britain. Some third world people will be killed if their names get out, their UK contact his been careless and let his mate know names. A bunch of thugs in police uniforms and interior ministry men in suits turn up and demand the passphrase on pain of two years in jail for hiding it, ten years in jail for telling anyone he had been subject to this blackmail. He gives the names, and people are killed. Not good. The weakness is constructional. Rather than have to defy thugs and do jail time, people can should and will overcome the operational/constructional weakness by operational changes in how they use the program commands, plus a few allied programs. Even better they will make constructional changes using the commercial PGP library and a few allied libraries to automate these operations in simple clients. There will be a demand for these, and the supply will emerge to fill it. People can should and will make sure breaking this message gives no access to earlier or later ones, indeed once decrypted there is no repeat access. 
Any technical geek, pressure group, or organised criminal such as drug importer or money laundered will employ them. I won't even bother enumerating all of them but there can be multiple layers like.... Stego, data appears innocent but contains encrypted message. Noise, data appears encrypted but is random wipe with the methods and procedures of wiping carefully recorded. Innered, looks like simple PGP which is open to "simple" operational breaking by threat, but inside that is only a stronger construction with decode-once-only properties. What can happen, what must happen, is that people put in place constructions and procedures to make sure they CANNOT (or can plausibly deny they can) open the message when the threats appear. THEY MUST DO THIS TO ENSURE THEIR LEGITIMATE SECURITY. If there is a demand that owners of a business holding secure data commit a crime if they do not make it insecure, then there is only one thing they can do: trade from the Irish Republic. One must conclude that any assurance there will be no limit on the type of system allowed or compulsion to escrow. Either (a): then people will and must do everything to protect themselves and interception will very largely not work, or (b) the minister is lying through his teeth because there is intended to be such a thing or it exists right now in the attack on directors. Or I suppose there is a third alternative, the minister is totally incompetent and talking through his arse and has not even the sense to listen to any of his advisers who might know better. The one thing that WILL effectively happen is that British digital signatures cannot be relied upon. The guarantees in the bill are meaningless, signature keys WILL be compromised to convince the courts on decryption matters.... forward and backward integrity of both signing and content will be lost, doubly so because of a blackmail threat against EVER repairing security breaches by revealing them. 
Communications can be protected again, but not signature and not large amounts of official stored data. Trust in these from UK will go to zero. ~~~~~~~~~~~ Any responsible organisation in a decent country will demand a registration system for foreign customers and traders similar to the consumer credit act. To communicate commercially with people or businesses in this country to a value of over £1000 in any one year you must consider the following categories: Sending secure data on your own behalf up to a given max value, or sending secure data on behalf of others up to a given max value; Sending a signature which authorises matters of payment or liability up to a given max value, or such signatures which commit others; Storing secure data for others, up to a total max value of loss if all of it becomes unsecure. You are required to guarantee that: you have done everything technically possible to make decryption or forgery by other than the owner impossible, and to protect the compromising of one document or transaction from also compromising earlier or later (or other people's) documents or transactions; specifically that any compromise is reported immediately, or at least immediately the relevant trial has either been dropped or been successfully proceeded with; that to the extent you cannot guarantee proper security you have government underwriting, private insurance, or money in escrow in this juriosdiction where it can be reached. 
- -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOPC0yH8v/Y5zkfRPEQKwcACfR2XUYTDoYXqTAeBIQB2/Yk5+hgcAoLZx npjquzY5jHYZ1j5rXAsgKosx =1vWP -----END PGP SIGNATURE----- From Richard.Cox@mandarin.org Sun, 9 Apr 2000 18:13 +0100 (BST) Date: Sun, 9 Apr 2000 18:13 +0100 (BST) From: Richard D G Cox Richard.Cox@mandarin.org Subject: Target selection Dave Bird said: > But I tend to think the HO is malicious > (or, if you prefer, has other priorities with which I disagree). Some are born with priorities ... Some achieve their own priorities ... And others have priorities thrust upon them! (with apologies to himself of Stratford upon Avon) -- Richard D G Cox Mandarin Technology, Penarth - Phone (029) 2031 1131, Fax (029) 2031 1110 From bradley@compsci.bristol.ac.uk Sun, 9 Apr 2000 21:00:27 +0100 (BST) Date: Sun, 9 Apr 2000 21:00:27 +0100 (BST) From: J.T.Bradley bradley@compsci.bristol.ac.uk Subject: Anti-RIP protocol RFC: [Was: Re: Target selection] A possible protocol for avoiding an RIP security breach. Please comment, amend, rubbish - I hope this is feasible... it would be nice if we could get this working... On Wed, 5 Apr 2000, Ross Anderson wrote: > It won't work, of course, and an insight into why it won't work came > from a London manager of a US bank who manages security for all > Europe, including Switzerland. He's in an impossible position once the > bill is passed. If he fails to hand over a key, he commits a criminal > offence under UK law. If he does hand it over, he commits a criminal > offence under Swiss law. So the corporate key recovery function will > move to Zuerich, and the guys there will be forbidden to recover keys > at the request of London managers. This chap said his employer didn't > want any publicity but had made representations to the UK government. 
Based on this idea of using a non-UK organisation to avoid RIP procedure (Switzerland would seem ideal!). How about a protocol for session key-super-encryption with such an organisation to maintain security while still being able to comply fully with RIP should an S.46 be served:

++++++++++++++++
Protocol:

1. People and key definitions

Alice is an individual living in UK, who doesn't want to break the law but does want to maintain her company's security and reputation, etc...
[apre - alice's private encryption key, apbe - alice's public encryption key, aprs - alice's private sig key, apbs - alice's public sig key]

Bob is someone (maybe in the UK) who wants to communicate with Alice.

Plod is a policeman listening to communications channels.

Sam is a "superencrypting agency" which resides outside of the UK.
[spre(n) - sam's private enc key used for n, spbe(n) - sam's public enc key used for n, sprs - sam's private sig key, spbs - sam's public sig key]

2. Key distribution

Alice has: all her keys (apre, apbe, aprs, apbs) and Sam's public key created for her use, spbe(alice) as well as apbs

Bob has Alice's public key apbe and alice's superencryption public key (spbe(alice)).

Sam has a set of public/private key pairs created for each user, n (spre(n) and spbe(n)) as well as his own sig keys (sprs, spbs) and the public keys of each of the users in this case, Alice, (apbe, apbs)

It is critical that Alice never has to trust Sam.

3. Instance of protocol use

The object of the protocol is to protect Alice's session keys, even in the face of an S.46 where she has to release her own private key (apre).

[Note: (key){message} means "'message' encrypted with 'key'" - a session_key encrypts symmetrically, a public/private key encrypts asymmetrically]

a. A message arrives from Bob for Alice - Bob has used both Alice's public key and Sam's superencryption public key for Alice to encrypt the session key:

    (spbe(alice)){(apbe){session_key_1}},(session_key_1){message_from_bob}

...which Alice archives for future reference.

[...some time later...]

b. Alice wishes to read her archived message from Bob. She requires both apre (which she does have) and spre(alice) (which she does not have).

[Note: there are two choices for the protocol here - either Alice negotiates the encrypted delivery of spre(alice) so that she can fully decrypt the session key or she sends Sam the superencrypted session key so that Sam can perform _one_ of the asymmetric decryptions necessary to read the session key: I prefer the latter because at no stage are both private keys simultaneously in the UK.]

Sam-decrypts scenario:

Alice -> Sam: Alice not only does not want Sam to know (session_key_1) but also does not want him to know (apbe){session_key_1} - since if recorded this might be strong-armed out of Sam (it not being in itself a private key). For this purpose Alice creates a second public/private key pair which is transient and lasts only as long as the protocol interaction - a new pair will be generated for each interaction - we will call the pair (apre_tmp) and (apbe_tmp).

    {i_am_alice},(spbe(alice)) {
        {request_decrypt},
        {session_key_2},    /* for return communication */
        (apbe_tmp){(spbe(alice)){(apbe){session_key_1}}},
        (aprs){hash_of_message}    /* proof of id/message integrity */
    }

c. Sam applies (spre(alice)) to message to obtain decryption request - then applies (apbs) to signature to check validity of request. Sam now possesses (apbe_tmp)(spbe(alice)){(apbe){session_key_1}} which he knows to be from Alice. Sam applies (spre(alice)) to encrypted session key and sends result to Alice:

Sam -> Alice:

    {i_am_sam},(session_key_2) {
        {response_to_decryption_request},
        (apbe_tmp)(apbe){session_key_1},
        (sprs){hash_of_message}
    }

d. Alice applies (session_key_2), checks validity of signature with (spbs) - and now has (apbe_tmp)(apbe){session_key_1}. Alice applies (apre_tmp) and (apre) to get (session_key_1) and applies it in turn to obtain {message_from_bob} - taking care to dispose of (session_key_1), (session_key_2), (apbe_tmp), (apre_tmp), (apbe){session_key_1} and {message_from_bob} as soon as she is finished using them.

At any stage a Plod who listens to all the communications between Alice, Bob and Sam will only see:

    1. (spbe(alice)){(apbe){session_key_1}}
    2. (spbe(alice)){...(apbe_tmp){(spbe(alice)){(apbe){session_key_1}}}...}
    3. (session_key_2){...(apbe_tmp)(apbe){session_key_1}}...}

...versions of the {session_key_1}.

e. Plod approaches Alice with S.46

Alice can now comply with S.46 and surrender to Plod (apre) so that Plod can obtain:

    1. (spbe(alice)){session_key_1}
    2. (spbe(alice)){...(apbe_tmp){(spbe(alice)){session_key_1}}...}
    3. (session_key_2){...(apbe_tmp){session_key_1}...}

...although it's dubious whether 2 and 3 could actually be obtained given that they are wrapped up in their own superencryption.

If Plod through international cooperation manages to get Sam to give him all his end of the communication chain then he can obtain:

    (apbe_tmp)(apbe){session_key_1}

...if Sam was stupid enough to record this bit of the process. From this and his first S.46 he can get:

    (apbe_tmp){session_key_1}

A second S.46 for (apre_tmp) will fail because Alice can prove in "the balance of probabilities" that the software she uses only creates this key pair transiently and then securely removes all trace of the key pair.
A few assumptions about this protocol:

+ Sam is legally bound by his country's law to keep (spre(alice)) secret
+ Sam does not have to be trusted by Alice to do anything other than provide a service to Alice - whichever bits of the conversation are recorded at Sam's end - these are useless to Sam and to Plod
+ transient key information which is removed by Alice's agent software at time of transmission cannot be requested (successfully!) in an S.46.

Note: This is more complicated than I would like - especially the creation of the temporary key pair - this could be simplified to a symmetric session key if symmetric encryption and asymmetric encryption are commutative - but I don't think they are for general ciphers.

Comments very welcome - I'm sure it needs a lot of refinement. --Jeremy.

From Q.G.Campbell@newcastle.ac.uk Mon, 10 Apr 2000 09:18:35 +0100 (GMT) Date: Mon, 10 Apr 2000 09:18:35 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: TELCO costs On Sun, 9 Apr 2000, Brian Gladman wrote: [snip] > Mr Clarke has made a welcome concession to indicate that GAK will almost > never be sought and this alone makes it necessary to ask whether these last > few cases are truly so important that we have to carry all the risks that > GAK will involve in order to deal with them. It may be that the Banks' quiet diplomacy in its approach to the RIP Bill has had an effect here. In making this concession the government may be trying to appease City institutions and avert the same hostile opposition from the City and the Lords to the RIP Bill as it is facing against its proposed new Financial Services Act. The contrasts with the campaign against the RIP Bill are interesting. FSA Bill launched June 1999. Hostile opposition to it in both Houses. Already 1500 amendments tabled (Sunday Telegraph, 9/4/00) with another 200 expected.
Massive opposition to it by City institutions, one incentive being the costs to the City to operate Bill currently estimated at 200 million pounds a year. The opposition in the House of Lords is apparently led by a QC who specialises in this area of the law. In the case of the FSA Bill the Government cannot use scare tactics by invoking concerns that child molesters and drug pushers will get a free rein unless it is passed unamended. Nor can it try to dismiss those campaigning against the bill as being (as the Australian Press would describe us) libertarian pinkos. While the FSA Bill *is* about preventing certain types of illegal activity these crimes do not seem to connect with people's anxieties so strongly and thus do not lend themselves to being portrayed in lurid tabloid headlines. There are also human rights issues with the new FSA that suggest new potential challenges to sections of the RIP Bill. One of the concerns about the new FSA is that it could be challenged by invoking what is called the "Saunder's Gambit". Recall that Ernest Saunders won a case in the ECHR that revolved around a denial of his right to remain silent. A "reverse Saunder's Gambit" might apply in the case of the RIP Bill and the ECHR may hold that it is illegal and oppressive for the Government to require an innocent party to remain silent under the Section 50 "tipping-off" provisions. The disproportionate nature of the penalty for "tipping-off" may alternatively be open to challenge. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own."
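The layer algebra of the "Anti-RIP protocol RFC" message in this thread (steps a to e, and its closing note on commutativity), as an added example that is not part of any poster's message. It assumes a toy exponentiation cipher in place of the public-key layers, omits the transport envelopes and signatures, and the names `ExpLayer`, `AffineLayer`, `run_exchange` and `observer_recovers` are hypothetical.

```python
"""Toy model of the layered session-key exchange (added example, not the poster's code)."""
import secrets
from itertools import combinations
from math import gcd

P = 2**127 - 1  # Mersenne prime used as a toy modulus (constructed parameter)


class ExpLayer:
    """Commutative layer: wrap(m) = m^e mod P, unwrap(c) = c^d mod P.

    Assumption: this stands in for each key pair in the thread. It is a
    symmetric cipher, so the public/private split is NOT modelled; only
    the question of who can strip which layer is.
    """

    def __init__(self):
        while True:
            self.e = secrets.randbelow(P - 3) + 2
            if gcd(self.e, P - 1) == 1:
                break
        self.d = pow(self.e, -1, P - 1)

    def wrap(self, m):
        return pow(m, self.e, P)

    def unwrap(self, c):
        return pow(c, self.d, P)


class AffineLayer:
    """Stand-in for a cipher whose layers do not commute: wrap(m) = a*m + b mod P."""

    def __init__(self):
        self.a = secrets.randbelow(P - 2) + 2
        self.b = secrets.randbelow(P - 1) + 1

    def wrap(self, m):
        return (self.a * m + self.b) % P

    def unwrap(self, c):
        return ((c - self.b) * pow(self.a, -1, P)) % P


def run_exchange(layer_cls, sk1):
    """Steps a-d with envelopes and signatures left out."""
    alice, sam = layer_cls(), layer_cls()      # apre/apbe and spre(alice)/spbe(alice)
    archived = sam.wrap(alice.wrap(sk1))       # a: (spbe(alice)){(apbe){session_key_1}}
    tmp = layer_cls()                          # b: transient apre_tmp/apbe_tmp
    request = tmp.wrap(archived)               # b: blinded blob sent to Sam
    response = sam.unwrap(request)             # c: Sam strips his layer from underneath
    recovered = alice.unwrap(tmp.unwrap(response))  # d: Alice strips tmp, then her own
    del tmp                                    # d: the transient pair is discarded
    return {"alice": alice, "sam": sam, "archived": archived,
            "request": request, "response": response, "recovered": recovered}


def observer_recovers(sk1, blobs, disclosed):
    """True if some blob, unwrapped with some subset of disclosed layers, equals sk1."""
    for blob in blobs:
        for r in range(len(disclosed) + 1):
            for subset in combinations(disclosed, r):
                value = blob
                for layer in subset:
                    value = layer.unwrap(value)
                if value == sk1:
                    return True
    return False


def demo():
    sk1 = secrets.randbelow(P - 3) + 2         # constructed session key
    run = run_exchange(ExpLayer, sk1)
    seen = [run["archived"], run["request"], run["response"]]
    return {
        "alice_reads": run["recovered"] == sk1,
        "observer_wire_only": observer_recovers(sk1, seen, []),
        # step e: Alice's key disclosed, Sam's recorded response also obtained
        "observer_with_apre": observer_recovers(sk1, seen, [run["alice"]]),
        "observer_with_apre_and_spre": observer_recovers(
            sk1, seen, [run["alice"], run["sam"]]),
        # same message flow over layers that do not commute
        "noncommutative_reads": run_exchange(AffineLayer, sk1)["recovered"] == sk1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With commuting layers the holder of Alice's key alone never reaches the session key; with non-commuting layers step c returns a value Alice herself cannot unwrap, so the exchange depends on commutativity between the transient layer and Sam's layer, not only in the symmetric simplification the closing note mentions.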
From nbohm@ernest.net Mon, 10 Apr 2000 11:42:11 +0100 Date: Mon, 10 Apr 2000 11:42:11 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Non-repudiation I drew attention some while ago to the introduction by VAT rules of a presumption that the person identified by HM Customs & Excise as the sender of an electronic VAT return is presumed to be the true sender.
This approach has been followed by the Inland Revenue in the introduction of electronic tax return filing.

>>>>

The Income Tax (Electronic Communications) Regulations 2000 (Statutory Instrument 2000 No. 945)

Proof of identity of sender or recipient of information

6. If it is necessary to prove, for any purpose, the identity of -

(a) the sender of any information delivered by means of electronic communications to an official computer system, or

(b) the recipient of any information delivered by means of electronic communications from an official computer system,

the sender or recipient (as the case may be) shall be conclusively presumed to be the person recorded as such on an official computer system.

<<<<<<<<

Note that the presumption is "conclusive", so that even if it can be proved to be false, it still carries the day.

I put this to Terry Hawes of the Inland Revenue Electronic Business Unit at a conference, and I think it would not be unfair to summarise his answer as "Trust us - we're the Inland Revenue".

My own view is that nobody who uses an electronic signature in a computer with an insecure operating system connected to the Internet should accept the introduction of such a presumption. This is probably no great burden, since electronic tax and VAT returns are primarily valuable to the recipients, not the senders.

Regards,

Nicholas

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From Theodor.SCHLICKMANN@cec.eu.int Mon, 10 Apr 2000 13:47:05 +0200
Date: Mon, 10 Apr 2000 13:47:05 +0200
From: Theodor.SCHLICKMANN@cec.eu.int Theodor.SCHLICKMANN@cec.eu.int
Subject: Abhoeren macht taub

This explains why many arguments are ignored ...

--

London (dpa)

The eavesdroppers at the British government's listening centre are receiving compensation for hearing problems. The government has already paid more than 550,000 pounds in total to around 100 hearing-impaired employees at the Cheltenham listening centre, the newspaper "The Sunday Telegraph" reported. Until 1995, poor-quality headphones were used whose volume could not be adjusted correctly. Because the 4,000 eavesdroppers in total frequently listened to crackling and hissing telephone calls and radio messages, above all during the Cold War, some of them are now almost deaf. The government has accepted that it neglected its duty of care.

--

Theodor Schlickmann

From cacib@liberty.org.uk Mon, 10 Apr 2000 14:55:11 +0100
Date: Mon, 10 Apr 2000 14:55:11 +0100
From: Campaign Against Censorship of the Internet in Britain cacib@liberty.org.uk
Subject: Anti-Censorship Web Site Censored

Monday 10th April 2000 13:00

PRESS RELEASE

AUTHOR: Campaign Against Censorship of the Internet in Britain

For immediate release.

ANTI-CENSORSHIP WEB SITE CENSORED

Civil liberties web site the "Campaign Against Censorship of the Internet in Britain" (CACIB) was itself censored by its Internet Service Provider today. The site was deleted from the ISP's web servers in response to a complaint from Laurence Godfrey, serial litigant, about reporting of censorship in the UK.

Laurence Godfrey had settled an unrelated defamation action against Demon Internet last week. Commentators consider that law suit to have shown that ISPs are legally liable for their customers' actions.

"We greatly regret having to take this action but our solicitors advise that the costs of defending a potential libel action would be prohibitive, even though a defence is most likely to be successful in this case. We are only a small company and cannot afford the risk." said Lee Maguire, spokesman for the Internet Service Provider Instant Web Ltd.

The censored civil liberties campaign was outraged. "This shows that ISPs desperately need legal immunity from the actions of their customers. We stand behind our comments, but the ISP is naturally neither willing nor able to get involved. The result is that we are presumed guilty, and censored, because our ISP does not want to pay the legal fees to defend us. This shows that ISPs desperately need legal immunity from the actions of their customers." said Malcolm Hutty, director of CACIB. "We weren't even criticising Mr Godfrey personally: we were simply commenting on the adverse consequences of the outcome of Godfrey vs Demon Internet."

CACIB had run a story about yet another site that had been closed down, where the ISP had cited "the current legal environment" as a reason for not being able to resist the complaint. CACIB had described this outcome as being "Godfrey's first victim" - a reference to the outcome of the libel suit Godfrey launched against Demon Internet; Laurence Godfrey considers connecting the two cases to be defamatory.

Perhaps the biggest irony is that Mr Hutty, as well as being a director of CACIB, is also a founder and employee of Instant Web. "On a personal level it breaks my heart that the company I started is forced into censorship." he said. "I don't blame my colleagues, they're terrified. But I got into the Internet because I believed in the promise of freedom for all; I never imagined it would be the most easily censored medium there is."

The CACIB web site is now hosted in the USA.
-------------------ENDS----------------------------------------

Notes to Editors:

[1] For further information contact:
Campaign Against Censorship of the Internet in Britain: Malcolm Hutty 020 7225 5418 (work) 07970 736 976 (mobile)
Instant-Web: Silash Ruparell 0207 589 4500

[2] The CACIB web site is located at http://www.liberty.org.uk/cacib/ This is now based on computer servers physically located in the USA.

[3] Malcolm Hutty is a minority share-holder and director of Instant Web. The decision to delete the CACIB web site was taken by his co-director, with Mr Hutty excusing himself from participation on the grounds of conflict of interest.

[4] The legal advice referred to by Lee Maguire was given by Ince & Co, a major city law firm.

___
If you do not wish to be on this mailing list, please reply with the word "unsubscribe" in the subject. This email was sent to: ukcrypto@maillist.ox.ac.uk

From I.Brown@cs.ucl.ac.uk Mon, 10 Apr 2000 15:37:44 +0100
Date: Mon, 10 Apr 2000 15:37:44 +0100
From: Ian Brown I.Brown@cs.ucl.ac.uk
Subject: [Fwd: BSHM conference: 'History of Cryptography', Cambridge, U.K., 24 June 2000]

Final details, including booking form...

Date: Tue, 28 Mar 2000 14:39:19 +0100
To: jv.field@hist-art.bbk.ac.uk (J. V. Field)
From: jv.field@hist-art.bbk.ac.uk (J. V. Field)
Subject: BSHM conference: 'History of Cryptography', Cambridge, U.K., 24 June 2000

THE BRITISH SOCIETY FOR THE HISTORY OF MATHEMATICS
http://www.dcs.warwick.ac.uk/bshm/

CONFERENCE 'History of Cryptography'
Cambridge, Mill Lane lecture rooms
Saturday 24 June 2000

The meeting is a follow up to the very successful conference on this subject the BSHM held at Bletchley Park in June 1998. The organisers are Whitfield Diffie and J. V. Field.

PROGRAMME

0930  Registration and coffee/tea
1025  Dr Ross Anderson (University of Cambridge): Welcome
1030  Dr Karl de Leeuw (University of Utrecht): J. F. Euler (1741-1800) on cryptology and the anatomy of writing
1130  Dr Gabriel Landini (University of Birmingham): Secrets of mediaeval science?: The Voynich Manuscript
1230  LUNCH
1400  Stephen Budiansky (Leesburg, VA): Codebreaking with IBM machines in World War II
1500  Dr R. A. Ratcliff (Oakland, CA): How the Germans proved Enigma secure
1600  Tea/coffee
1645  Professor Donald Michie (University of Edinburgh): Colossus and the breaking of the wartime Fish codes
1745  End

The British Society for the History of Mathematics is grateful to the London Mathematical Society for its support of this conference

SPONSORED BY nCipher

The fee will be £16 for members of the BSHM, £27 for non-members, and £7 for students. This includes coffee and tea. Lunch will be available at £14.50.

FURTHER DETAILS on the BSHM web site and from J. V. Field, Department of History of Art, Birkbeck College, 43 Gordon Square, London WC1H 0PD; fax 0171.631.6107, fax and voice messages 0171.736.9198; email jv.field@hart.bbk.ac.uk.

N. B. From 22 April 2000 the telephone numbers will change, the prefixes 0171 being replaced by 0207

BOOKING FORM

Meeting alone (including tea and coffee)
  £16 for BSHM members
  £27 for non-members
  £7 for students
Buffet lunch (including a glass of wine, and coffee) £14.50

I shall attend 'History of Cryptography', and do/do not want lunch.
Please tick if you require a vegetarian meal

Name
Address (see note below if paying by credit card)
Telephone number
Email address

a) I enclose a cheque for £7/£21.50/£16/£30.50/£27/£41.50, payable to the BSHM
b) Please charge £7/£21.50/£16/£30.50/£27/£41.50 to my credit card

Type of card (Mastercard, Visa etc.)
Card number _ _ _ _-_ _ _ _-_ _ _ _-_ _ _ _ & expiry date: end _ _/_ _
Signature

N.B. Address given above must be the one to which card statements are sent.

The London Mathematical Society is monitoring the activities it supports, so we should be grateful if you would answer the following questions
Are you a woman? Yes/No
Are you a research student? Yes/No

Please return this form to Dr A. E. L. Davis, 10 Montpelier Mews, London SW7 1HB, UK

DEADLINE for lunch numbers is 17 June.

The British Society for the History of Mathematics is registered as a company limited by guarantee no. 3326816 and as a charity no. 1061229. Registered office: 20 Dunvegan Close, Exeter, Devon EX4 4AF.

From cb@fipr.org Mon, 10 Apr 2000 18:09:11 +0100
Date: Mon, 10 Apr 2000 18:09:11 +0100
From: Caspar Bowden cb@fipr.org
Subject: Silicon.com 10/4/2000: "'Snooping Bill' slammed by Silicon.com viewers"

http://www.silicon.com/bin/bladerunner?REQUNIQ=955382026&REQSESS=361943&3001 REQEVENT=&REQINT1=36839&REQSTR1=Text%20News&REQSTR2='Snooping%20Bill'%20slam med%20by%20Silicon.com%20viewers&REQAUTH=21046

'Snooping Bill' slammed by Silicon.com viewers

The Home Office's Regulation of Investigatory Powers (RIP) Bill has received a damning vote of no confidence from members of the UK IT and business community.

Silicon.com conducted a survey to gauge user opinion after the RIP Bill ran into controversy. Nearly three-quarters (73.6 per cent) of respondents said the Bill is not needed to protect individuals from criminal activity. Many added the Bill is fatally flawed and will allow law enforcers to abuse human rights.

The Bill is designed to regulate police monitoring activities and contains updated legislation to cover electronic communications. Civil rights lobbyists have been protesting since last year about what they describe as draconian measures involving the use of encryption keys. Specifically, individuals could be jailed if they cannot produce an encryption key for data sent over the Net.

The main sticking point for 96 per cent of respondents is that the "burden of proof" is reversed - meaning individuals must be able to prove why they haven't got an encryption key if they are unable to produce one.
One viewer said: "The onus is on the suspect to prove that he or she does not possess certain information. Ever tried to prove a negative? It is almost impossible. I regard the Bill as extremely dangerous and a blatant infringement of basic human rights."

Nearly one-quarter of respondents even said they would consider leaving the country if the law is passed.

Nick Rosen, director of research company Online Agency, said he was at a loss as to how such an unpopular Bill could be defeated and added its very existence was a result of political power struggles.

According to Rosen, the Bill's history lies between the Home Office and the Department of Trade and Industry (DTI). The Home Secretary has remained in power since Labour's rise to power in 1997 but the DTI chief has changed several times. As a result, Rosen claimed the Home Office has forced the DTI to produce a "spook's charter". He added that e-minister Patricia Hewitt has done nothing to prevent its inclusion.

The Home Office was unable to respond at the time of writing.

For related news, see:
'Government accused of 'hopelessly underestimating' RIP costs' (www.silicon.com/a36658)
'Silicon.com Survey: the RIP Bill and you' (www.silicon.com/a36635)

From pablos@shmoo.com Mon, 10 Apr 2000 10:36:32 -0700
Date: Mon, 10 Apr 2000 10:36:32 -0700
From: Paul Holman pablos@shmoo.com
Subject: Internet Number Station

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you're a shortwave radio junkie, you probably already know what the term "number station" means. If you're like me (an Internet geek who's never touched a shortwave radio) then you may not have any idea what a number station is, let alone why they're so cool. In short, the stations are either a complete hoax or the cheapest, best way to send encrypted messages to people all over the world. They've been around since the 40's, and still no one knows exactly what they mean.

In the spirit of crypto advocacy, TSG has set up it's own Internet Number Station at .
We've enciphered a message into numbers and are broadcasting it across the net. If you're the first to break the code, you'll win a free DVD. The first contest is easy, and they'll get harder as new ones start, so play early if you don't want to think too hard.

- --
Paul Holman
Special Agent
The Shmoo Group
pablos@shmoo.com
PGP fingerprint: CFBF CC8D 7BC8 FDE3 74BD 9DB0 88E6 B201 3F5A B569

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
Comment: The magic words are squeamish ossifrage.

iQA/AwUBOPIRNYjmsgE/WrVpEQLHmwCfXAbUgGH1Ihqqz47ovZ7+wRCx+ZgAnisp
ZPZ2GaLFVhOE5ITQLwu5P8vx
=q8+q
-----END PGP SIGNATURE-----

From axel.horns@fitug.de Mon, 10 Apr 2000 20:21:40 +0200
Date: Mon, 10 Apr 2000 20:21:40 +0200
From: Axel H Horns axel.horns@fitug.de
Subject: [FYI] Britain warns EU to drop spying debate states over Echelon

http://www.newsunlimited.co.uk/Distribution/Redirect_Artifact/0,4678,0 -157085,00.html

------------------------------ CUT ---------------------------------

Britain warns EU to drop spying debate states over Echelon

Ian Black in Brussels
Saturday April 8, 2000

Britain is trying to stifle a European Union debate about its involvement in a US-led economic espionage network by warning its partners that their own secrets could be exposed.

With Portugal planning to raise concerns about the controversial Echelon surveillance system - a network of satellites and listening posts - the government signalled yesterday that EU member states should think carefully before allowing any discussion.

[...]

------------------------------ CUT ---------------------------------

From invite@internetregistration.com Mon, 10 Apr 2000 17:41:20 -0700
Date: Mon, 10 Apr 2000 17:41:20 -0700
From: invite@internetregistration.com invite@internetregistration.com
Subject: ADV: Domain Names go to the Dogs!

Hello!

I found your e-mail address at http://www.google.com/search?q=gag&num=100&start=200, and I thought you might be able to take advantage of our affiliate program.
Domain names are now available for as low as $19.50 per year! ($17.55 per year after your affiliate commission)

There will be 140 million domain names registered in the next 3 years! (that's over $2.5 billion in business, and we expect to pay out over $25 million in commissions)

Take advantage of our site! Our affiliate program offers 10% commissions on all domain names sold through your site, and you earn 5% of the commissions earned by people you sign up as affiliates. It's easy, It's fast, It's free!

Not only will you and your clients enjoy one of the lowest prices on domain names, but managing them is a snap with our web-based interface! No more annoying e-mails to internic to make changes in your domain information.

Browse to http://www.InternetRegistration.com/e.php?e7 'The Spotcom people' and click on affiliates to learn more.

Thank you for your time.

Marlo Newman
Managing Director
InternetRegistration.com
E-mail: Marlo@InternetRegistration.com

You are not on a mailing list or stored in a database, but if you never want to receive mail from us again send a blank mail to mailto:neveragain@internetregistration.com

This mail is in accordance with the California Business & Professions Code section 17538.4 and 17538.45 which you can view at caselaw.findlaw.com/cgi-bin/getcode.pl?code=CA&law=bpc&art=17530-17539.6

From donald@ramsbottom.co.uk Tue, 11 Apr 2000 06:59:52 +0100
Date: Tue, 11 Apr 2000 06:59:52 +0100
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Times 110400

Today's Times: http://www.the-times.co.uk/onlinespecials/britain/privacy/

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From nbohm@ernest.net Tue, 11 Apr 2000 10:02:08 +0100
Date: Tue, 11 Apr 2000 10:02:08 +0100
From: Nicholas Bohm nbohm@ernest.net
Subject: Abhoeren macht taub

At 01:47 PM 4/10/2000 +0200, Theodor.SCHLICKMANN@cec.eu.int wrote:
>
>This explains why many arguments are ignored ...
>
>--
>
>London (dpa)
>
>The eavesdroppers at the British government's listening centre are
>receiving compensation for hearing problems. The government has already
>paid more than 550,000 pounds in total to around 100 hearing-impaired
>employees at the Cheltenham listening centre, the newspaper
>"The Sunday Telegraph" reported. Until 1995, poor-quality headphones
>were used whose volume could not be adjusted correctly. Because the
>4,000 eavesdroppers in total frequently listened to crackling and
>hissing telephone calls and radio messages, above all during the Cold
>War, some of them are now almost deaf. The government has accepted
>that it neglected its duty of care.
>
>--
>
>Theodor Schlickmann

According to babelfish:

The eavesdroppers in the hearing center of the British government get smart money because of hearing problems. The government transferred, reported already more than altogether 550,000 Pound of and approximately 100 hearing-impaired employees in the hearing center Cheltenham the newspaper " The Sunday telegraph ". Up to the year 1995 headphones of inferior quality were used, whose volume could not correct be adjusted. Since those belauschten altogether 4000 snoopers particularly during the cold war frequently knisternde and rushing telephone calls and radiograms, were now almost deaf some from them. The government accepted that it neglected its welfare service obligation.

Regards,

Nicholas Bohm

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From Pete.Chown@skygate.co.uk Tue, 11 Apr 2000 10:09:00 +0100
Date: Tue, 11 Apr 2000 10:09:00 +0100
From: Pete Chown Pete.Chown@skygate.co.uk
Subject: Abhoeren macht taub

Here is a rough translation of the previous message:

The eavesdroppers at GCHQ have been awarded compensation because of hearing problems.
The government has paid more than £550,000 to approximately 100 hearing impaired employees at GCHQ according to the Sunday Telegraph. Up to 1995 headphones of inferior quality were used, whose volume could not be adjusted properly. About 4000 snoopers, particularly during the cold war, were frequently rushing telephone calls and radio messages. Many of them are now almost deaf. The government accepted that it neglected its welfare obligations.

----------------------------------------------------------------------
phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post: Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ

From oml@eloka.demon.co.uk Tue, 11 Apr 2000 12:20:47 +0100
Date: Tue, 11 Apr 2000 12:20:47 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Abhoeren macht taub

----- Original Message -----
From: "Pete Chown"
To:
Sent: 11 April 2000 10:09
Subject: Re: Abhoeren macht taub

> Here is a rough translation of the previous message:

Speak up! I can hardly hear you.

Owen Lewis

From I.Brown@cs.ucl.ac.uk Tue, 11 Apr 2000 13:12:32 +0100
Date: Tue, 11 Apr 2000 13:12:32 +0100
From: Ian BROWN I.Brown@cs.ucl.ac.uk
Subject: Non-interactive forward secrecy (was Response from E-Envoy to RIP)

Just a small point about David's scheme:

>There is no lower limit on the length of a time period, so in practice
>keys only need to be retained for long enough to make sure that a key
>will not be deleted while messages that can be decrypted by it are still
>in transit.

One issue that Nicholas Bohm came up with while we were discussing non-interactive forward secrecy schemes is that you need to allow for people to be away from e-mail for n days. If you come back from a 3-week trip (like I just have) you don't want to find all your encrypted messages are unreadable and have to ask people to re-send them.

The way we got round this with the simpler short lifetime public keys system was to say that software should only wipe expired private keys AFTER their owner has had the chance to decrypt any traffic that may still be in transit, e.g. after their mail client has retrieved and decrypted all mail from their POP server.

Ian :)

From ijackson@chiark.greenend.org.uk Tue, 11 Apr 2000 18:36:34 +0100 (BST)
Date: Tue, 11 Apr 2000 18:36:34 +0100 (BST)
From: Ian Jackson ijackson@chiark.greenend.org.uk
Subject: Signature Keys Used for Confidentiality

Nicholas Bohm writes ("Re: Signature Keys Used for Confidentiality"):
> At 06:27 PM 4/5/2000 +0100, Liaquat Khan wrote:=20
>
> >>>>
>
> ArialInteresting...
>
> =20
>
> ArialOne would assume that the authorities may
... etc.

Was that really intentional ?

Ian.
(I would reply to poster, but the list managers have disabled that.)

From david@swarb.freeuk.com Tue, 11 Apr 2000 22:15:46 +0100
Date: Tue, 11 Apr 2000 22:15:46 +0100
From: David Swarbrick david@swarb.freeuk.com
Subject: Abhoeren macht taub

In message <3.0.5.32.20000411100208.009de4f0@mail.netkonect.co.uk>, Nicholas Bohm wrote:
>At 01:47 PM 4/10/2000 +0200, Theodor.SCHLICKMANN@cec.eu.int wrote:
>>
>>This explains why many arguments are ignored ...
>>
>>--
>>
>>Theodor Schlickmann
>
>According to babelfish:
>

... and why the Hitchhikers Galaxy was full of such exciting misunderstandings!

--
David Swarbrick, Solicitor 01484 722531 - david@swarb.freeuk.com
http://www.swarb.co.uk law-index of 10,800+ uk case summaries & uk.legalFQA
The Law Society regulates our investment business. IP/IT Law and Contracts.
From cb@fipr.org Wed, 12 Apr 2000 11:07:59 +0100
Date: Wed, 12 Apr 2000 11:07:59 +0100
From: Caspar Bowden cb@fipr.org
Subject: Telepolis 11/4/2000: "Echelon in Holland"

http://www.heise.de/tp/english/inhalt/co/6731/1.html

Echelon in Holland

Jelle van Buuren 11.04.2000

Dutch intelligence agency authorized to scan satellite communications

The Dutch Intelligence Agency BVD is getting new powers. Among other things, the powers to intercept communications will be extended. The agency is authorized, if the government gets its way, to intercept satellite communications at random and search the intercepted traffic by keywords. Also, the BVD gets a new intelligence task: the gathering of economical information. Holland goes Echelon, it seems.

The new 'Act on the intelligence and security agencies' (WIV), which is currently debated by Dutch parliament, gives the powers of the BVD a new legal basis. Actually, it means mainly the extension of investigative powers. In each amendment on the original proposal, new powers are given. For instance, in the first draft of the new Act, the BVD got the power to intercept, record and listen into telecommunications. In the latest amendment, from the beginning of this year, the power to 'receive' telecommunications was added. This means the BVD is authorized to directly pluck telecommunications, for instance GSM-traffic, out of the air. In this way, the BVD is no longer dependent on the willingness of telecom operators to intercept traffic, but can create for instance their own parallel network of receivers to intercept all GSM-traffic. Also, this prevents providers from 'leaking' about the fine work the BVD is doing in this area.

The biggest extension, however, is the newly added article 25a. In this article, the BVD is authorized to intercept at random all international telecommunication that is not cable bound and scan the intercepted communication on items of interest (persons, groups, keywords).

According to the explanatory note by the draft Act, this kind of random interception is needed to investigate if by any chance interesting messages are part of the international communication. The government says nonchalantly that it can't be prevented that in this manner the BVD gets acquainted with the content of the intercepted communications, although that isn't - still according to the Dutch government - the main purpose of the random interception. "The searching is primarily an instrument for the reconnaissance of the communication, to try to establish the nature of the communication and the identity of the person or organisation that is communicating. That in this way the agency gets acquainted with a part of the content of the communication is inevitable, in order to establish who is communicating and if it's a person or a group that has the interest of the agency. The searching however is not directed to get acquainted with the full content of the communication. In a certain way, this activity is comparable with the listening in on telephone conversations, to check if the connection is all right."

This seems like a very creative way of saying that interception isn't really interception, but a mere technical testing of connections. And for that, no legal or governmental warrant is needed...

Keywords

As important parts of the international telecommunications are transmitted by satellites and beam transmitters, it is clear this article 25a authorises the Dutch BVD to intercept all these communications. This means an uncontrolled authority to intercept and scan all communication that is not cable bound. This can have a great impact on the Internet traffic. As a message on the Internet chooses the least busy route, and the heart of the Internet lies in the United States, there is a big chance that email sent within the Netherlands chooses an international route by satellite. In future this can also be the case for telephone conversations. All these messages can be intercepted and randomly searched. Even now, the phone conversations between two big Dutch cities, Amsterdam and Rotterdam, are being transmitted by beam transmitters.

In the first draft of the WIV, the Home secretary had to give permission to the keywords the intelligence agency is using to scan the intercepted traffic. In the latest amendment, the Home secretary only gets once a year notification of the list of keywords, whereas the BVD is authorized to add new keywords to its own discretion.

Besides that, the BVD is authorized to store all intercepted communication. Where the first proposal of the Act stipulated that the BVD has to destroy immediately all intercepted communication that isn't of interest for them, the new amendment gives the BVD the right to store all intercepted communication for a year. In this way, the Dutch government is creating its own mini-Echelon.

The BVD uses for its interception tasks the facilities of the Technical information processing centre (TIVC) of the Navy intelligence. This centre, located at the Navy complex Kattenburg in Amsterdam, decodes satellite traffic that is being intercepted by different ground stations. The TIVC is working the same way as its big brother NSA, as shown by the publication of internal documents in the Dutch daily De Haagse Courant in 1985. Satellite conversations were intercepted, recorded and selected by keywords for further analysis. The intelligence the TIVC gathered was sent to the Foreign Intelligence Service (IDB), till this unit was closed down in 1994 after a series of scandals. Since then, all signal intelligence is in the hands of Navy intelligence. According to a study of two Dutch Intelligence experts (Bob de Graaff and Cees Wiebes, Villa Maarheeze, 1998), the TIVC is part of a broader international network and works closely with other Western agencies.
For instance in 1972, the TIVC reported to the Mossad that Egypt and Libya had developed a telephone- and telex-connection under sea. Israelian special forces destroyed this connection, so Egypt and Libya had to communicate again by satellites, which were an easy target for interception. According to the authors, the American CIA protested in 1992 firmly against the immanent dissolution of the IDB, because they were afraid Dutch signal intelligence capacity would diminish. Vital economic interests The new power to intercept satellite communications at random will undoubtfully be used for economic espionage. In the past, the signal intelligence capacity already served economic purposes. In the above mentioned study of the intelligence experts, examples of this are mentioned. The authors speak of an "incestious relation" between the intelligence services and Dutch industry. Leading persons of big dutch companies, with establishments abroad, worked for the IDB. In exchange, they got economic intelligence gathered by the TIVC. The Dutch multinational Philips has, according to the study, close relations with Dutch intelligence. The company installed interception devices in telephone centres it sold to foreign companies and governments, the report says. In the proposed new 'Act on the intelligence and security services', the BVD gets officially the task of economic intelligence gathering. The BVD has to "protect vital economic interests", which is seen as a part of the national security. "The Dutch economy is highly dependent of economic developments in the world; these developments are characterised by increasing internationalisation and globalisation. Decisions taken elsewhere, can have a sincere impact on the Dutch economy. It is possible to gather intelligence on these developments in different ways, for instance by cooperation with intelligence agencies of other countries. These agencies however, wil take in account their own interests. 
In order not to be dependent of information of third parties, the government thinks it is necessary to build up its own information position and enforce it." What excactly 'vital economic interests' are, is however wrapped in a cloud of mystery. "To end with, we remark that with the explicitation of 'vital economic interests of the Netherlands' in the terms of reference of the BVD, also the possibility is created - if it seems appropriate - to conduct investigations in this area, where national security as such isn't in danger or is difficult to argue for." Encryption The new powers of the BVD are also interesting because some articles are related to cryptography and information technology. The BVD is authorized to break into homes and offices to bug keyboards. Besides that, the BVD is authorized to break into computers and steal, alter or delete information that is stored in computers. In other words, the BVD is allowed to hack. In this way, the intelligence agency can steal data from computers, manipulate software, corrupt passwords or install a Trojan Horse, so access is secured and cryptography can be bypassed. Cryptography is a topic of special interest for the BVD. In the draft Act, the power to undo encryption is being extended. In the first proposal the BVD got the authority to decrypt encrypted communication and data "by technical means". In the latest amendment this is extended to decryption "by all possible means". According to the explanatory note, "practice has shown there are other ways than just technical means to decrypt encrypted communications." This cryptic description seems to be directed at infiltrators who diddle out passwords, or look over the shoulder when messages are encrypted, or intelligence teams breaking into homes and offices in search of the little piece of paper the password is written on. The articles on the interception of telecommunication also contain remarks on cryptography. 
Encrypted messages may be kept in storage as long as is necessary for the BVD to decrypt them. The explanatory note says: "Where telecommunication is concerned, of which the encryption is not undone, and where the mere fact that cryptography has been used makes this communication interesting for the agency, it is desirable to save this communication to the moment the capacity exists or is being developed to decrypt the communication." So the use of a perfectly normal technique to protect ones privacy, trade secrets or sensitive political information, is in the eyes of the Dutch government a highly suspected act. The draft Act also introduces the obligation for "every one" the authorities believes has acces to the keys, to cooperate with the intelligence agency in decrypting the encryption. Refusal is punishable with a sentence of two years. The Dutch parliament has asked the government if this means that suspects also are obliged to hand over the keys. The answer is not available yet. But if the governement confirms this obligation also applies to suspects, this will be a clear violation of the fundamental human rights, as stated for instance in the Treaty on the protection of the Human Rights and Fundamental Freedoms. It means an obligation to cooperate on your own condemniation and the reversal of the burden of proof. From 988005350@98.lincoln.ac.uk Wed, 12 Apr 2000 11:25:38 +0100 Date: Wed, 12 Apr 2000 11:25:38 +0100 From: F J BERNAL 988005350@98.lincoln.ac.uk Subject: More items on Echelon Flaw In Human Rights Uncovered Proposals for a new definition of human rights now before the European Parliament would ban ECHELON and update data protection rules to latest developments in telecommunications technology. Duncan Campbell International spying on communications should be identified as a breach of fundamental human rights, according to proposals now before the European Parliament. 
The new proposals suggest that treaties and rules on human rights drawn up 50 years ago or more failed to anticipate how, in the Internet age, threats to personal privacy can easily cross international boundaries. http://www.heise.de/tp/english/inhalt/co/6724/1.html Echelon in Holland Dutch intelligence agency authorized to scan satellite communications Jelle van Buuren The Dutch Intelligence Agency BVD is getting new powers. Among other things, the powers to intercept communications will be extended. The agency is authorized, if the government gets its way, to intercept satellite communications at random and search the intercepted traffic by keywords. Also, the BVD gets a new intelligence task: the gathering of economical information. Holland goes Echelon, it seems. http://www.heise.de/tp/english/inhalt/co/6731/1.html Digital Detectives in Holland Special powers to snoop on the Internet; the influence of ILETS; bugs in keyboards; an assault on anonymity on the Net Jelle van Buuren For some time now, the fight against cybercrime is a hot item on the political agenda all over the world. In the Netherlands, law enforcement agencies have also made the virtual world their hunting ground. New legislation gives the police the power to intercept the Internet and conduct investigations on the Internet. To avoid problems with encrypted communications, the police is allowed to placed bugs on the keybord of suspects. A report from the low lands. 
http://www.heise.de/tp/english/special/enfo/6727/1.html F J Bernal BA (Hons) Audiovisual Communications BA (Hons) European Media Production ------------- "All the lands, in their diversity, are one, and men are all neighbours and brothers" al-Zubaidi, tutor of the andalusi Caliph al-Hakam II From Q.G.Campbell@newcastle.ac.uk Wed, 12 Apr 2000 12:01:08 +0100 (GMT) Date: Wed, 12 Apr 2000 12:01:08 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Bugging and burglary That favoured method of Peter Wright, bugging and burglary, to obtain clear text and other intelligence information seems destined to make a comeback (if it hasn't already arrived?). What physical methods are readily available to prevent/detect tampering with a keyboard that is attached to your workstation? Will we all need security safes to lock computers away in each night, in much the same way as people who deal with classified material have to do each night with their papers and files? Perhaps new WAP devices that you always carry with you, rather like your wallet, will provide a greater measure of protection from bugging in the future. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From richard@stonix.demon.co.uk Wed, 12 Apr 2000 12:51:51 +0100 Date: Wed, 12 Apr 2000 12:51:51 +0100 From: Richard Lamont richard@stonix.demon.co.uk Subject: Letter to MP: reply from Jack Straw This morning I received a letter from my MP, Bill Cash, containing a reply to my letter to him about RIP. As one might expect, it seems to be a cut-and-paste job containing a mixture of familiar spin and some paragraphs which purport, rather feebly, to address the specific concerns I raised. 
There's an interesting non-denial of my suggestion that IoCA 1985 contains a loophole which enables HMG to get round the warrant system by arranging for a cooperative telco to 'monitor its own network' and pass the 'monitored' info to HMG: "This scenario has no application to the current provisions of the Bill." In case anyone's interested, I've stuck scans of Straw's reply, along with my original letter, at: http://www.stonix.demon.co.uk/misc/rip/ (This URL is just a directory listing of the various .gif images.) -- ** I've written to my MP about the RIP bill. ** Richard Lamont ** Have you written to yours? ** richard@stonix.demon.co.uk ** Please see: http://www.stand.org.uk/ ** http://www.stonix.demon.co.uk/ ** and: http://www.fipr.org/rip/ ** From oml@eloka.demon.co.uk Wed, 12 Apr 2000 13:56:28 +0100 Date: Wed, 12 Apr 2000 13:56:28 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Letter to MP: reply from Jack Straw ----- Original Message ----- From: "Richard Lamont" To: Sent: 12 April 2000 12:51 Subject: Letter to MP: reply from Jack Straw > > This morning I received a letter from my MP, Bill Cash, > containing a reply to my letter to him about RIP. > There's an interesting non-denial of my suggestion that IoCA > 1985 contains a loophole which enables HMG to get round the > warrant system by arranging for a cooperative telco to 'monitor > its own network' and pass the 'monitored' info to HMG: It is no 'loophole'. It is an explicit provision of the terms of grant of a PSTN provider's licence as set out in the Telecommunications Act 1984. >...."This > scenario has no application to the current provisions of the > Bill." True. TA 84 being the relevant statute. 
Owen Lewis From oml@eloka.demon.co.uk Wed, 12 Apr 2000 14:08:48 +0100 Date: Wed, 12 Apr 2000 14:08:48 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: More items on Echelon ----- Original Message ----- From: "F J BERNAL" <988005350@98.lincoln.ac.uk> To: Sent: 12 April 2000 11:25 Subject: More items on Echelon > International spying on communications should be identified as a breach of > fundamental human rights, according to proposals now before the European > Parliament. The new proposals suggest that treaties and rules on human > rights drawn up 50 years ago or more failed to anticipate how, in the > Internet age, threats to personal privacy can easily cross international > boundaries. With respect, 'the Internet Age' is just a buzz word. The essential principles of electronic surveillance (themselves only an adaptation of older principles) have not changed. They are simply modified to embrace the changes in communications technology. If Echelon exists, it surely is not an EU system. The EU has no such system (yet) but most if not all of its member states do. Do you seriously think that the ECHR is going to outlaw surveillance undertaken in the several interests of nations' security? Not before we derive a federated EU (which would then amalgamate the existing assets under its own direction). We still have a fair way to go even to reach a point where such might be discussed, I believe. Owen Lewis From davidh@spidacom.co.uk Wed, 12 Apr 2000 14:22:55 +0100 Date: Wed, 12 Apr 2000 14:22:55 +0100 From: David Hansen davidh@spidacom.co.uk Subject: Bugging and burglary On 12 Apr 00, at 12:01, Quentin Campbell wrote: > What physical methods are readily available to prevent/detect > tampering with a keyboard that is attached to your workstation? A stick of dynamite inside the case, set off if the correct password is not entered. The police (and other "agencies" that like to remain hidden) would be rather more circumspect after the first stick goes off. 
It would also be difficult to cover up the fact that an attempted penetration took place, thus bringing such activities into the light of day. Chinese proverb, "Kill one, frighten a thousand." David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From Q.G.Campbell@newcastle.ac.uk Wed, 12 Apr 2000 14:40:00 +0100 (GMT) Date: Wed, 12 Apr 2000 14:40:00 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Bugging and burglary On Wed, 12 Apr 2000, David Hansen wrote: > On 12 Apr 00, at 12:01, Quentin Campbell wrote: > > > What physical methods are readily available to prevent/detect > > tampering with a keyboard that is attached to your workstation? > > A stick of dynamite inside the case, set off if the correct password > is not entered. The police (and other "agencies" that like to remain > hidden) would be rather more circumspect after the first stick goes > off. It would also be difficult to cover up the fact that an attempted > penetration took place, thus bringing such activities into the light of > day. David At my forgetful age and with my dyslexic typing fingers I am just as likely to type in the wrong password as any spook. I suppose the merit of your solution is that I would certainly be taught a lesson and would be unlikely to make the mistake again. 8-) On the other hand, if we lived in America, such a booby trap would be perfectly lawful. It's a funny old world. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." 
From bdm@fenrir.demon.co.uk Wed, 12 Apr 2000 14:40:41 +0100 Date: Wed, 12 Apr 2000 14:40:41 +0100 From: Brian Morrison bdm@fenrir.demon.co.uk Subject: Bugging and burglary On Wed, 12 Apr 2000 14:22:55 +0100, David Hansen wrote: >On 12 Apr 00, at 12:01, Quentin Campbell wrote: > >> What physical methods are readily available to prevent/detect >> tampering with a keyboard that is attached to your workstation? > >A stick of dynamite inside the case, set off if the correct password >is not entered. The police (and other "agencies" that like to remain >hidden) would be rather more circumspect after the first stick goes >off. It would also be difficult to cover up the fact that an attempted >penetration took place, thus bringing such activities into the light of >day. I'm sure that this would fall in to the 'hidden trap' provisions of what one is allowed to do to protect one's property. A shame, but there it is. -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From C.R.Ritson@newcastle.ac.uk Wed, 12 Apr 2000 14:57:07 +0100 Date: Wed, 12 Apr 2000 14:57:07 +0100 From: Chris Ritson C.R.Ritson@newcastle.ac.uk Subject: Bugging and burglary >On Wed, 12 Apr 2000 14:22:55 +0100, David Hansen wrote: > >>On 12 Apr 00, at 12:01, Quentin Campbell wrote: >> >>> What physical methods are readily available to prevent/detect >>> tampering with a keyboard that is attached to your workstation? >> >>A stick of dynamite inside the case, set off if the correct password >>is not entered. > >I'm sure that this would fall in to the 'hidden trap' provisions of >what one is allowed to do to protect one's property. A shame, but there >it is. Don't some of the store merchandise tags have indelible dye in them to wreck the clothes if someone attempts to remove them other than at the cash desk with the correct equipment? 
Chris Ritson -- EMAIL: C.R.Ritson@newcastle.ac.uk POST: Chris Ritson, PHONE: +44 191 222 8175 Department of Computing Science, FAX : +44 191 222 8232 University of Newcastle upon Tyne, ROOM : 618 Claremont Bridge (the Mill) United Kingdom NE1 7RU. From Richard.Cox@mandarin.org Wed, 12 Apr 2000 15:11 +0100 (BST) Date: Wed, 12 Apr 2000 15:11 +0100 (BST) From: Richard D G Cox Richard.Cox@mandarin.org Subject: Letter to MP: reply from Jack Straw > "Owen Lewis" said: >> There's an interesting non-denial of my suggestion that IoCA 1985 >> contains a loophole which enables HMG to get round the warrant system >> by arranging for a cooperative telco to 'monitor its own network' and >> pass the 'monitored' info to HMG: > > It is no 'loophole'. It is an explicit provision of the terms of grant > of a PSTN provider's licence as set out in the Telecommunications Act > 1984. More likely, to let BT monitor it on their behalf. The relevant clause is S45 of the Telecomms Act 1984 ... /Intentional/ interception requires a warrant, but disclosure of anything intercepted - whether intentional or not - requires only that it be "in connection with the investigation of any criminal offence or for the purposes of any criminal proceedings" (S45(3). -- Richard D G Cox Mandarin Technology, Penarth - Phone (029) 2031 1131, Fax (029) 2031 1110 From Q.G.Campbell@newcastle.ac.uk Wed, 12 Apr 2000 15:19:06 +0100 (GMT) Date: Wed, 12 Apr 2000 15:19:06 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Letter to MP: reply from Jack Straw On Wed, 12 Apr 2000, Owen Lewis wrote in response to Richard Lamont: [snip from Richard] > > There's an interesting non-denial of my suggestion that IoCA > > 1985 contains a loophole which enables HMG to get round the > > warrant system by arranging for a cooperative telco to 'monitor > > its own network' and pass the 'monitored' info to HMG: > > It is no 'loophole'. 
It is an explicit provision of the terms of grant of a > PSTN provider's licence as set out in the Telecommunications Act 1984. > > >...."This > > scenario has no application to the current provisions of the > > Bill." > > True. TA 84 being the relevant statute. > > Owen Lewis Owen For the purposes of the RIP Bill clause 2(1), a University LAN/WAN appears to be a "private telecommunications system". IANAL and it is not clear to me now on re-reading clause 1(2) and 1(3) whether I would be committing the criminal offence and/or tort of "unlawful interception" (see "Explanatory Note" of RIP Bill and clause 1) if in the future I were to be instructed by the University's Registrar to intercept e-mail. I assume that he is the person who "is a person with a right to control the operation or use of the system" [clause 1(6)]. The difficult RIP situations seem to be: 1. The interception is done entirely for internal reasons. 2. The interception is being carried out for a person defined in clause 6(1) but without an interception warrant being issued. To what extent do I, as an employee, need to ensure that the interception activity I am being instructed to carry out is lawful? Donald Ramsbottom has answered a similar enquiry of mine in relation to the Computer Misuse Act. However the RIP Bill creates a number of new problems in this area and Richard Lamont's posting caused me to look again at the "Unlawful and authorised interception" provisions of the RIP Bill. Note that the situations I outline above are hypothetical. Quentin Campbell (postmaster) -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." 
From oml@eloka.demon.co.uk Wed, 12 Apr 2000 14:24:17 +0100 Date: Wed, 12 Apr 2000 14:24:17 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Bugging and burglary ----- Original Message ----- From: "Quentin Campbell" To: Sent: 12 April 2000 12:01 Subject: Bugging and burglary > That favoured method of Peter Wright, bugging and burglary, to obtain > clear text and other intelligence information seems destined to make a > comeback (if it hasn't already arrived?). Why do you think it ever went away :-) > Will we all need security safes to lock computers away in each night, in > much the same way as people who deal with classified material have to do > each night with their papers and files? One approach favoured by those who do care about PC security, is to use easily removable hard drives. These are removed at the end of each work session and are held in a safe when not in use. This simplistic approach effectively deals with many of the security weaknesses in a desktop or portable computer. > Perhaps new WAP devices that you always carry with you, rather like your > wallet, will provide a greater measure of protection from bugging in the > future. Protected from whom? If you mean protected from servants of the state, forget it. There is already common use of GSM and, more latterly, DECT technology for near-perfectly camouflaged bugging. Bluetooth and, most particularly, 3G will provide an even better bugger's amusement park. Neither is the exploitation of such systems to be confined to govt and police only. Most people's ideas of bugging are centred around James Bond type devices of c.1960's technology. The truth is that much of the future of bugging lies in a combination of hacking techniques and exploitation of very sophisticated forms of mass communication that are now made the basis of very effective and hard to detect bugging systems. 
Owen Lewis From bdm@fenrir.demon.co.uk Wed, 12 Apr 2000 15:28:11 +0100 Date: Wed, 12 Apr 2000 15:28:11 +0100 From: Brian Morrison bdm@fenrir.demon.co.uk Subject: Bugging and burglary On Wed, 12 Apr 2000 14:57:07 +0100, Chris Ritson wrote: >Don't some of the store merchandise tags have indelible dye in them to >wreck the clothes if someone attempts to remove them other than at the cash >desk with the correct equipment? That's non-lethal though. -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From Q.G.Campbell@newcastle.ac.uk Wed, 12 Apr 2000 16:17:44 +0100 (GMT) Date: Wed, 12 Apr 2000 16:17:44 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Bugging and burglary On Wed, 12 Apr 2000, Owen Lewis wrote: [snip] > Most people's ideas of bugging are centred around James Bond type devices of > c.1960's technology. The truth is that the much of the future of bugging > lies in a combinaton of hacking techniques and exploitation of very > sophisticated forms of mass communication that are now made the basis of > very effective and hard to detect bugging systems. That may be true to a certain extent but older techniques are still perfectly practical otherwise there would be no business for the suppliers of protective TEMPEST kit. Installing bugs in keyboards, telephone handsets, rooms, etc, must still be the cheapest way to get the clear text of any message/conversation before down-line encryption tries to disguise it. As a BTW, your reference to "James Bond" reminded me of the pleasant two weeks of reading, including many spy thrillers (but not 007!), that I did while on holidays in March. I mention this because two of the authors (Ted Allebury was one) were British and had worked in Military Intelligence during the War. Both had, it seems, maintained a connection with intelligence agencies subsequently. 
In the context of recent revelations about ECHELON it was interesting to see in one of their books, written in the 1980's, a description of a GCHQ-like organisation that used computers and "check words" (as the author called them) to monitor and select international telex and data traffic. This was relevant to the plot and the author went on to describe how this monitoring was done routinely to gather economic intelligence from friend and foe alike! I am sure such a facility was all a figment of his imagination, like the plot. 8-) Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From Rodney.Tillotson@ukerna.ac.uk Wed, 12 Apr 2000 16:42:41 +0100 Date: Wed, 12 Apr 2000 16:42:41 +0100 From: Rodney Tillotson Rodney.Tillotson@ukerna.ac.uk Subject: Bugging and burglary At 15:28 12/04/2000, Brian Morrison replied to Chris Ritson: > > Don't some of the store merchandise tags have indelible dye in > > them ... > That's non-lethal though. I see it all now. All over the UK there are safe houses discreetly guarded and serviced so that no-one can ever know there's someone in there who used to 'work in computers' for the Government and now has purple dye all over them. Swallowed by UFOs? Fell off the edge of the flat earth? No need for those exotic explanations any more ... Rodney. 
From oml@eloka.demon.co.uk Wed, 12 Apr 2000 15:54:07 +0100 Date: Wed, 12 Apr 2000 15:54:07 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Letter to MP: reply from Jack Straw ----- Original Message ----- From: "Richard D G Cox" To: Sent: 12 April 2000 15:11 Subject: Re: Letter to MP: reply from Jack Straw > > "Owen Lewis" said: > >> There's an interesting non-denial of my suggestion that IoCA 1985 > >> contains a loophole which enables HMG to get round the warrant system > >> by arranging for a cooperative telco to 'monitor its own network' and > >> pass the 'monitored' info to HMG: > > > > It is no 'loophole'. It is an explicit provision of the terms of grant > > of a PSTN provider's licence as set out in the Telecommunications Act > > 1984. > > More likely, to let BT monitor it on their behalf. Quite so. See S20 (2)(3) and (4) > > The relevant clause is S45..... of the Telecomms Act 1984 ... (3) That too. Owen Lewis From oml@eloka.demon.co.uk Wed, 12 Apr 2000 16:45:05 +0100 Date: Wed, 12 Apr 2000 16:45:05 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Letter to MP: reply from Jack Straw ----- Original Message ----- From: "Quentin Campbell" To: Sent: 12 April 2000 15:19 Subject: Re: Letter to MP: reply from Jack Straw > On Wed, 12 Apr 2000, Owen Lewis wrote in response to Richard Lamont: > > [snip from Richard] > > > There's an interesting non-denial of my suggestion that IoCA > > > 1985 contains a loophole which enables HMG to get round the > > > warrant system by arranging for a cooperative telco to 'monitor > > > its own network' and pass the 'monitored' info to HMG: > > > > It is no 'loophole'. It is an explicit provision of the terms of grant of a > > PSTN provider's licence as set out in the Telecommunications Act 1984. > > > > >...."This > > > scenario has no application to the current provisions of the > > > Bill." > > > > True. TA 84 being the relevant statute. 
> > For the purposes of the RIP Bill clause 2(1), a University LAN/WAN > appears to be a "private telecommunications system". > > IANAL M'aussi. and it is not clear to me now on re-reading clause 1(2) and 1(3) > whether I would be committing the criminal offence and/or tort of > "unlawful interception" (see "Explanatory Note" of RIP Bill and clause 1) > if in the future I were to be instructed by the University's Registrar to > intercept e-mail. > > I assume that he is the person who "is a person with a right to control > the operation or use of the system" [clause 1(6)]. Let's proceed on that assumption. > The difficult RIP situations seem to be: > > 1. The interception is done entirely for internal reasons. > > 2. The interception is being carried out for a person defined in > clause 6(1) but without an interception warrant being issued. > > To what extent do I, as an employee, need to ensure that the interception > activity I am being instructed to carry out is lawful? My understanding is that you have none at all since such monitoring is lawful (and widespread). At this time, you would be in breach of the law only if you effect such unwarranted monitoring on any part of the system which comprises a part of a PSTN. This AIUI includes leased lines and associated leased terminal equipment. This is the loophole in IoCA 85 through which all wishing to undertake electronic surveillance or similar can drive a dozen horse and carts in line abreast. There was, as you may know, an IoCA consultation paper published in June 1999 which stated that UKG intends to address specifically this issue in legislation that will revise or replace the 85 Act.Specifically, the paper stated in the preamble (page3 para3) that 'This legislation will provide a clear framework governing the interception of private networks..' We shall see. 
Owen Lewis From Q.G.Campbell@newcastle.ac.uk Wed, 12 Apr 2000 16:59:49 +0100 (GMT) Date: Wed, 12 Apr 2000 16:59:49 +0100 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Letter to MP: reply from Jack Straw On Wed, 12 Apr 2000, Owen Lewis wrote: [snip] > Let's proceed on that assumption. > > > The difficult RIP situations seem to be: > > > > 1. The interception is done entirely for internal reasons. > > > > 2. The interception is being carried out for a person defined in > > clause 6(1) but without an interception warrant being issued. > > > > To what extent do I, as an employee, need to ensure that the interception > > activity I am being instructed to carry out is lawful? > > My understanding is that you have none at all since such monitoring is > lawful (and widespread). At this time, you would be in breach of the law [snip] Owen Thanks for the reply. However there is supposed to be specific provision in the RIP Bill to deal with the ECHR finding in the Halford case. This is supposed to prevent employers monitoring their employees' communications in the way that Merseyside Police did. These provisions seem to be covered by clause 1(2), 1(3) and 1(6). However I cannot reconcile the meaning of 1(2) and 1(3). 1(2) seems to allow interception of a private telecommunications system and 1(3) to preclude it. I find the "...by, " in the first sentence of 1(3) confusing because it means the sentence can be read in two ways. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own."
From bdm@fenrir.demon.co.uk Wed, 12 Apr 2000 17:23:27 +0100 Date: Wed, 12 Apr 2000 17:23:27 +0100 From: Brian Morrison bdm@fenrir.demon.co.uk Subject: Bugging and burglary On Wed, 12 Apr 2000 16:42:41 +0100, Rodney Tillotson wrote: >I see it all now. All over the UK there are safe houses discreetly >guarded and serviced so that no-one can ever know there's someone in >there who used to 'work in computers' for the Government and now has >purple dye all over them. ROFLMAO -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From M.Wells@leeds.ac.uk Wed, 12 Apr 2000 17:52:02 +0100 Date: Wed, 12 Apr 2000 17:52:02 +0100 From: M.Wells@leeds.ac.uk M.Wells@leeds.ac.uk Subject: Letter to MP: reply from Jack Straw Richard Lamont wrote: > > This morning I received a letter from my MP, Bill Cash, > containing a reply to my letter to him about RIP. Well, you have done better than I did; I wrote to mine some weeks ago, so far with no response. > > As one might expect, it seems to be a cut-and-paste job > containing a mixture of familiar spin and some paragraphs which > purport, rather feebly, to address the specific concerns I > raised. It will be interesting to see whether the reply I get (assuming that I do) bears any resemblance to the one you get!! Mike Wells SNIP From oml@eloka.demon.co.uk Wed, 12 Apr 2000 17:15:14 +0100 Date: Wed, 12 Apr 2000 17:15:14 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Bugging and burglary ----- Original Message ----- From: "Quentin Campbell" To: Sent: 12 April 2000 16:17 Subject: Re: Bugging and burglary > On Wed, 12 Apr 2000, Owen Lewis wrote: > > [snip] > > Most people's ideas of bugging are centred around James Bond type devices of > > c.1960's technology. 
The truth is that much of the future of bugging > > lies in a combination of hacking techniques and exploitation of very > > sophisticated forms of mass communication that are now made the basis of > > very effective and hard to detect bugging systems. > > That may be true to a certain extent but older techniques are still > perfectly practical Of course. But they are relatively easily detected and/or countered. >....otherwise there would be no business for the suppliers > of protective TEMPEST kit. Collection of involuntary E-M radiation is an exception but is a complex and expensive form of attack. It is not suited to all circumstances or for short term objectives. > > Installing bugs in keyboards, telephone handsets, rooms, etc, must still > be the cheapest way to get the clear text of any message/conversation > before down-line encryption tries to disguise it. Yea, verily. But my point was that the narrow band VHF FM transmitter is likely to be replaced for serious use by: - Modified GSM, DECT or (soon) 3G portable units. How will you detect a GSM bug in premises stuffed with persons using simultaneously the same channels and transmission mode for legitimate purposes? - Modified WLAN equipment, facilitating store and forward of speech or data. > In the context of recent revelations about ECHELON it was interesting to > see in one of their books, written in the 1980's, a description of a > GCHQ-like organisation that used computers and "check words" (as the > author called them) to monitor and select international telex and data > traffic. This was relevant to the plot and the author went on to describe > how this monitoring was done routinely to gather economic intelligence > from friend and foe alike! > > I am sure such a facility was all a figment of his imagination, like the > plot.
8-) But of course :-) Owen From k.townsend@itsecurity.com Wed, 12 Apr 2000 19:09:05 +0100 Date: Wed, 12 Apr 2000 19:09:05 +0100 From: Kevin Townsend k.townsend@itsecurity.com Subject: Letter to MP: reply from Jack Straw At 03:19 PM 4/12/00 +0100, Quentin Campbell wrote: >...For the purposes of the RIP Bill clause 2(1), a University LAN/WAN >appears to be a "private telecommunications system"... If, in 18 months time, BT unbundles the local loop and I switch to ADSL (or some other 'always on' Internet connection), will that make me and my PC a private telecommunications system? Kev From cb@fipr.org Wed, 12 Apr 2000 19:31:00 +0100 Date: Wed, 12 Apr 2000 19:31:00 +0100 From: Caspar Bowden cb@fipr.org Subject: Express 5/4/2000: "INTERNET PROWLERS USING A SECRET CODE" THE EXPRESS: INTERNET PROWLERS USING A SECRET CODE 83% match; The Express ; 05-Apr-2000 12:00:00 am ; 458 words CUNNING child-sex perverts are using Internet technology to outwit the police and prey on new young victims. Evidence shows that because tens of thousands of children now tune in to the Net every day, paedophiles are using cyber space as a hunting ground. Police have previously been able to catch them by intercepting their e-mails and downloading information stored on