From owenfb@easynet.co.uk Sun, 1 Jul 2001 17:15:55 +0100
Date: Sun, 1 Jul 2001 17:15:55 +0100
From: Owen Blacker owenfb@easynet.co.uk
Subject: One in Ten Thousand!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Clayton quoth (2001-06-29 T 12:14):

> a large ISP such as FreeServe will need to be able to tap 200 people simultaneously... (and that's ten 2Mbit links to NTAC ... or twenty if FreeServe offer 128K links).

Our Freeserve ADSL connexion is 576k :o)

- -----
Owen Blacker
Senior Internet Software Developer / Information Security Consultant
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874
- -----
Opinions are mine. My employer and their clients can get their own!

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Due to RIP, check for revocation before use

iQA/AwUBOz9MnFVeQSYAA2h0EQJsgwCfe+WL4fXoo4/ig3inerBxnwg1pYwAoOHu
lcs80TNBBhyfnhrzdovR0spx
=XWNz
-----END PGP SIGNATURE-----

From cb@fipr.org Sun, 1 Jul 2001 18:27:32 +0100
Date: Sun, 1 Jul 2001 18:27:32 +0100
From: Caspar Bowden cb@fipr.org
Subject: Accused: UK behind push for new snooping rights

> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of
> Roland Perry
...
> Meanwhile, although the UK would like member states to have the option of Data Conservation or not, as a local decision (rather than a one-size-fits-all across the whole of Europe), they insist that they have no plans to make that decision in the member state called the UK.
>
> How very altruistic!

(Implied skepticism noted)

As Duke of Wellington said on being asked if he was a certain Mr.Smith "if you believe that you'll believe anything".

More here...

http://www.wired.com/news/privacy/0,1848,44890,00.html

EU Ratifies Long Data Retention
By Steve Kettmann
11:20 a.m.
June 28, 2001 PDT

BERLIN -- Privacy advocates are decrying a move this week by the Council of the European Union to give European police broader access to information about the e-mails and Internet-use patterns of the continent's citizens.

"It's one more direction toward a police state," said Ilka Schroeder, a Green Party member of the European Parliament who drafted an opinion for the Industry Committee opposing the expansion of surveillance.

"They restrict peoples' rights to demonstrate against fortress Europe, as we saw in Gotenborg when street police shot at people," she said. "Now they are also trying to limit any kind of e-protest. By this surveillance they also of course go against political opponents."

From jamesd@echeque.com Sun, 1 Jul 2001 11:38:47 -0700
Date: Sun, 1 Jul 2001 11:38:47 -0700
From: jamesd@echeque.com jamesd@echeque.com
Subject: Anonymity Snake Oil in JXTA

--
On 29 Jun 2001, at 10:44, Pete Chown wrote:

> Ben Laurie wrote:
>
> > JXTA (http://www.jxta.org/) claims to have a payment project which will "implement anonymous and secure financial transactions".
...
>
> I had an idea about micropayment protocols the other day. The usual "micropayments" business plan says that company X will establish itself as a bank and take money from everyone wanting to make payments. Then it will lock everyone into its payment protocol and so make lots of money.
>
> I was thinking about a different approach that is more decentralised. Suppose Alice, Bob and Charlie do business with each other. When it is time to settle up, it is found that Alice owes Bob and Charlie $1 each. Bob also owes Charlie $1.

Critical mass problem.

Such a system is only useful if a large proportion of transactions occur within the group of people using it.

So you need a nucleus group that is small enough that they can all agree to start using it, and large enough for it to be useful.

Perhaps people smurfing money in columbia might form such a group.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
CP8DcZkp2vq/PfN2KTeyB6YVnrqpjQjuekv1P18O
4Ofi45+rSWyrTERRCQQLQIk0w3pwcR8fS6moMFBLw

From davidh@spidacom.co.uk Mon, 2 Jul 2001 17:45:32 +0100
Date: Mon, 2 Jul 2001 17:45:32 +0100
From: davidh@spidacom.co.uk davidh@spidacom.co.uk
Subject: One in Ten Thousand!

On 29 Jun 01, at 12:14, Richard Clayton wrote:

> .... so why are they now planning for a tenfold increase in their capability ?

I see two possibilities only.

1) The sky is about to fall in and the brave people of the Home Office have put on their white hats and are riding into the sunset against the dangerous subversives in places like ukcrypto to get the necessary laws in place before the sky falls in.

2) Officials will always gather to themselves and their supposed masters as many powers as possible, you never know when they might be useful.

--
David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E
If I revoke this key, the only circumstance in which I will not be prepared to explain my reasons for doing so will be when UK government authorities have stipulated that providing such an explanation would be unlawful. See RIP Act 2000.

From mctylr@privacy.nb.ca Tue, 3 Jul 2001 20:18:08 +0100 (BST)
Date: Tue, 3 Jul 2001 20:18:08 +0100 (BST)
From: M Taylor mctylr@privacy.nb.ca
Subject: Proposed abolition of data protection controls on public sector data

On Tue, 19 Jun 2001, Ross Anderson wrote:

Whitehall plans new checks on citizens
By Rachel Sylvester:

> [...]
> The change could lead to a person's benefit application being cross-checked with his or her medical record, passport details being handed to the Inland Revenue, or driving licence details compared with information on the electoral roll - although the specific areas affected have not yet been agreed.
> [...]
> The Data Sharing and Privacy Bill will be introduced as early as possible.
> Ministers are aware of the importance of winning over public opinion. A government project in Canada, which involved compiling a database of information about individuals, was scrapped last year after a public backlash amid accusations that it had been undertaken without people's consent.

Canada simply rearranged the government's structure to suit their needs. Immigration and Customs is a division of Revenue Canada (taxation), which means RevCan can monitor all Canadians re-entering the country, looking for people claiming (un)employment benefits while travelling, and compare to their tax profile (i.e. a Canadian with no taxable income declared in the previous year might get extra questioning while re-entering the country) to their travel patterns/frequency.

Of course its mundane irony is that it takes me, a Canadian citizen, longer to enter my home country answering taxation related questions in disguise than it does to enter an EU country with a new visa, or travelling to any other Western country. Pretty much the opposite of the EU passport/identity card "express" lanes for EU citizens.

M Taylor

From jamesd@echeque.com Wed, 4 Jul 2001 13:48:01 -0700
Date: Wed, 4 Jul 2001 13:48:01 -0700
From: jamesd@echeque.com jamesd@echeque.com
Subject: Anonymity Snake Oil in JXTA

--
James A. Donald:
> > Perhaps people smurfing money in columbia might form such a group.

On 4 Jul 2001, at 21:30, Aalvarez@gmx.de wrote:
> Why columbia? why not alabama or florida?

That should of course have read "Colombia" not "Columbia"

According to http://www.apbnews.com/newscenter/breakingnews/1999/10/30/drugmoney1030_01.html

: : Colombian peso brokers, who act as middlemen in the scheme, give Colombian importers IOUs in exchange for pesos. The pesos are used to buy U.S. dollars from drug cartels, providing the cartels with clean, usable currency. Then, the brokers use the dollars to buy U.S.
: : goods and smuggle them into Colombia on behalf of the importers, who thereby avoid high government tariffs and taxes on foreign currency exchanges.

Any time people are shuffling lots of IOUs around, backed by lots of different people, it provides a good opportunity for computerization.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
QMwsTtJnXxZpW3tPV5Y4lMlNMbYuqePCHeTz85IU
4wlkhLXBeBbQ47R95bqu2s9AoDyHBjhi1HyKQxYOe

From Aalvarez@gmx.de Wed, 4 Jul 2001 21:30:27 +0200 (MEST)
Date: Wed, 4 Jul 2001 21:30:27 +0200 (MEST)
From: Aalvarez@gmx.de Aalvarez@gmx.de
Subject: Anonymity Snake Oil in JXTA

Why columbia? why not alabama or florida?

> Perhaps people smurfing money in columbia might form such a group.
> --digsig
> James A. Donald

From owen.blacker@wheel.co.uk Thu, 5 Jul 2001 10:16:56 +0100
Date: Thu, 5 Jul 2001 10:16:56 +0100
From: Owen Blacker owen.blacker@wheel.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.wired.com/news/politics/0,1283,44984,00.html

| Echelon Furor Ends in a Whimper
| By Steve Kettmann
| 3:00 p.m. July 3, 2001 PDT
|
| STRASBOURG, France -- In the end, a year of hard work boils down to this: Echelon exists and the Europeans don't like it, but there isn't much they can do except wring their hands in impotent fury as the Americans continue spying on whomever they please.
|
| The resolution approved Tuesday by a European Parliament committee set up to investigate the satellite-based surveillance system condemned Echelon's existence but, aside from agreeing to step up meaningful rhetorical pressure on the Americans, achieved very little.
|
| The committee officially wrapped up its inquiry late Tuesday by passing more than 60 of 160 amendments before approving the entire resolution, 27 to 5. There were two abstentions.
|
| Some of the amendments sought to add a harder edge to the language of committee head Gerhard Schmid of Germany, whose 113-page report was hailed for its balance and fairness, which is often politician-speak for blandness.
|
| Giuseppe di Lello Finuoli of Italy, one of three vice chairmen, protested that the committee's emphasis on legalisms would not prevent Europeans from having their e-mail, faxes and phone conversations monitored by nosy Americans, along with their English-speaking partners, England, Australia, New Zealand and Canada.
|
| Di Lello Finuoli believes the system widely known as Echelon -- which Schmid's report says may or may not be accurate -- will continue to operate with impunity.
|
| "That failure to protect European citizens will have been endorsed by the failure to take action," Di Lello Finuoli said through the official translator.
|
| "Everything will continue on as it has in the past. It is possible to conduct espionage from one country of the European Union on another without any consequences. This group has done some very good work, but I think the mountain has given birth to a mouse."
|
| That's how his remarks were translated, at any rate.
|
| Schmid defended his support of European investment in decryption, not just encryption, which some critics see as de facto acknowledgement that Europe has its own plans for an Echelon-type system. Then he hurried out of the meeting room, waving off questions and saying his comments would come at a press conference scheduled for Wednesday morning.
|
| Nevertheless, committee chairman Carlos Coelho pronounced the year long inquiry a success, saying that given the parliament's diverse constituency -- one with a legendary reputation for fractiousness and squabbling -- he was pleased by the level of consensus.
|
| "I don't think any of the amendments we approved was anything quite different," Coelho said. "But there are more references to the United States than what was in the draft."
|
| For example, Amendment No 105 "Calls on the Member States to negotiate with the USA a Code of Conduct similar to that of the EU."
|
| Not exactly the kind of tough talk expected to cow the Bush administration, but it may have some symbolic value if the full European Parliament approves the committee's resolution in September.
|
| Then there's Amendment No 94, stating that the committee "regards it as essential that an agreement should be ... signed between the European Union and the United States stipulating that each ... should observe ... the provisions governing the protection of the citizens and the confidentiality of business communications applicable to its own citizens and firms...."
|
| In other words, knock off the industrial espionage, Yank.
|
| That expands on previous language urging the UN secretary general to push for Article 17 of the International Covenant on Civil and Political Rights to be updated so that it "guarantees the protection of privacy, into line with technical innovations." Article 17 also calls upon the United States to sign this "Additional Protocol," so that individuals can submit complaints to the Human Rights Committee set up under the covenant.
|
| Language was also added referring to "authoritative sources" confirming a US congressional report which estimated that economic intelligence funneled from the government could give US companies up to $7 billion in added contracts.
|
| Damning stuff, at least compared with the cautious tone taken by Schmid in his report, or even in the amendments he offered Tuesday, all of which were passed.
|
| One of Schmid's seven amendments, for example, noted that "the US intelligence services do not merely investigate general economic facts but also intercept detailed communications between undertakings, particularly where contracts are being awarded, and they justify this on the grounds of combating attempted bribery.... (This) detailed interception poses the risk that information may be used for the purpose of competitive intelligence-gathering rather than combating corruption, even though the US and the United Kingdom state that they do not do so."
|
| This focus on industrial espionage reflects the general thinking of many in the European Parliament that the threat to commerce is as much a concern as potential violations of individual privacy rights. But it was criticized by some committee members, at times quite fiercely.
|
| "We are being completely hypocritical," said Alain M Krivine of France. "All countries are engaged in political and (industrial) espionage. It is just a question of power, and the United States has the most power. It is part and parcel of globalization. However, the United States are not the only ones who are promoting capitalism this way."
|
| Copyright © 1994-2001 Wired Digital Inc. All rights reserved.
|

- - --
Owen Blacker
Senior Software Developer / InfoSec Consultant
Wheel: Clerkenwell
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBO0Qv3lVeQSYAA2h0EQIzZgCcC4jbg1J46QuAjrTv2EQzY/TEzeQAoLWD
ZxX3AYUWT1aIAgTKYMjU7GHQ
=nhI/
-----END PGP SIGNATURE-----

From oml@eloka.demon.co.uk Thu, 5 Jul 2001 17:53:23 +0100
Date: Thu, 5 Jul 2001 17:53:23 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Owen Blacker
> Sent: 05 July 2001 10:17
> To: UK Crypto list (E-mail)
> Subject: Wired: Echelon Furor Ends in a Whimper
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://www.wired.com/news/politics/0,1283,44984,00.html
>
> | Echelon Furor Ends in a Whimper
> | By Steve Kettmann
> | 3:00 p.m. July 3, 2001 PDT
> |
> | STRASBOURG, France -- In the end, a year of hard work boils down to this: Echelon exists and the Europeans don't like it, but there isn't much they can do except wring their hands in impotent fury as the Americans continue spying on whomever they please.

True, O Wise One. But you might have added that so do the EU states carry on spying as they please (I make an honourable exception for Luxembourg from that generality).

> |
> | The resolution approved Tuesday by a European Parliament committee set up to investigate the satellite-based surveillance system condemned Echelon's existence but, aside from agreeing to step up meaningful rhetorical pressure on the Americans, achieved very little.

I spy an oxymoron. Is this the first to be spied this year?

> |
> | The committee officially wrapped up its inquiry late Tuesday by passing more than 60 of 160 amendments before approving the entire resolution, 27 to 5.
> | There were two abstentions.

It would be interesting to know who and of which nationalities the dissenting or abstaining members were. Let's guess that UKG is one and that Spain (now reported to be a recipient of ECHELON take in its struggle with ETA) is another. Interestingly, it is not similarly reported that France (also suffering from the Basque violent separatist threat) is to receive ECHELON take. Of course, this may be because the Franco-German co-operative effort along the same lines is already giving them all the feed they need.

> |
> | Some of the amendments sought to add a harder edge to the language of committee head Gerhard Schmid of Germany, whose 113-page report was hailed for its balance and fairness, which is often politician-speak for blandness.

'Bland' is too kind. The report as someone kindly reproduced here was unprofessional, wet behind the ears, poor politics and a disservice to European unity. It had all the authoritative ring of a politically correct diatribe from some loony left borough council.

> | Di Lello Finuoli believes the system widely known as Echelon -- which Schmid's report says may or may not be accurate -- will continue to operate with impunity.

Hands up those who are surprised. What, no one?

> | "Everything will continue on as it has in the past. It is possible to conduct espionage from one country of the European Union on another without any consequences. This group has done some very good work, but I think the mountain has given birth to a mouse."
> |
> | That's how his remarks were translated, at any rate.

Well, it's politer than the thunderstorm giving vent to a wet fart, which is how some others might have preferred to describe it.

> | Schmid defended his support of European investment in decryption, not just encryption, which some critics see as de facto acknowledgement that Europe has its own plans for an Echelon-type system.
> | Then he hurried out of the meeting room, waving off questions and saying his comments would come at a press conference scheduled for Wednesday morning.
> |

After national and bi-lateral consultations naturally.

> | Then there's Amendment No 94, stating that the committee "regards it as essential that an agreement should be ... signed between the European Union and the United States stipulating that each ... should observe ... the provisions governing the protection of the citizens and the confidentiality of business communications applicable to its own citizens and firms...."
> |
> | In other words, knock off the industrial espionage, Yank.

Oh, my sides hurt. It's in France, that cradle of republicanism, democracy and political terror, that the VIP suites in 5 star hotels are bugged (q.v. BAE/Aerospatiale negotiations 2000 et al).

Eavesdropping is an Italian national sport with some of the most innovative products coming from that fair land of olive oil, pasta, the Borgias, Guelphs and Ghibellines.

For the last 50 years, the Germans have been too busy spying on each other to worry much about the rest of us - but that may now change. Well past the height of the Cold War there were over 16,000 *known* Sov bloc agents (mainly STASI for obvious reasons) in the FRG. God knows the number that were not known. The known ones were mainly left alone to save the trouble and expense of having to identify their replacements - like a dog so fleabitten that it no longer sees the point in scratching. And how many BND agents were in the East??? Ah well, the East 'lost' and the West 'won' so we talk about the one and not the other, don't we?

> | Language was also added referring to "authoritative sources" confirming a US congressional report which estimated that economic intelligence funneled from the government could give US companies up to $7 billion in added contracts.

In the case of France, there is documentation going way back into the '80's, if not before, of their sterling efforts at industrial espionage against allies.

> | "We are being completely hypocritical," said Alain M Krivine of France. "All countries are engaged in political and (industrial) espionage.

I agree with these frank premises, if not entirely with the conclusion and its corollary.

> | It is just a question of power, and the United States has the most power. It is part and parcel of globalization. However, the United States are not the only ones who are promoting capitalism this way."
> |
> | Copyright 1994-2001 Wired Digital Inc. All rights reserved.
> |

Keywords for the week are:

Pot Kettle Black

Owen (2)

From jtjm@xenoclast.org Fri, 6 Jul 2001 10:21:52 +0100 (BST)
Date: Fri, 6 Jul 2001 10:21:52 +0100 (BST)
From: Julian T. J. Midgley jtjm@xenoclast.org
Subject: Wired: Echelon Furor Ends in a Whimper

On Thu, 5 Jul 2001, Owen Lewis wrote:

> > Keywords for the week are:
> >
> > Pot Kettle Black

Well, maybe, but can you name the listening station (equivalent in capability to Echelon) built on US soil by the Europeans for the sole purpose of giving us access to their communications traffic?

I think there's just a hint of lack of reciprocity here...

Julian

--
Julian T. J. Midgley http://www.xenoclast.org
Cambridge, England.
PGP Key ID: 0xBCC7863F

From oml@eloka.demon.co.uk Fri, 6 Jul 2001 11:43:20 +0100
Date: Fri, 6 Jul 2001 11:43:20 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T. J.
> Midgley
> Sent: 06 July 2001 10:22
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Wired: Echelon Furor Ends in a Whimper
>
> On Thu, 5 Jul 2001, Owen Lewis wrote:
>
> > > Keywords for the week are:
> > >
> > > Pot Kettle Black
>
> Well, maybe, but can you name the listening station (equivalent in capability to Echelon) built on US soil by the Europeans for the sole purpose of giving us access to their communications traffic?

Echelon is (supposedly) a system it is not a 'listening station' as such a purported system would use listening station but they do not of necessity have to be on anyone's 'soil' Listening stations may be (and very often are) space borne, airborne or sea borne - not to mention stuffing 40 ton trucks with men and electronics and then sending them on 3000 mile sniffing trips.

>
> I think there's just a hint of lack of reciprocity here...

Any seeming lack of reciprocity comes from a partial and partisan telling of what some consider is or might be.

Let me make myself clear. I have no particular love for Uncle Sam and I do believe that this little country of ours has allowed itself to sink too deep, too comfortably and for too long into Uncle Sam's pocket. Overcoming inertia, continuance of obligation and a great reluctance to accept just how small a player we are on the global stage; these face our politicians with some conundrums which, without some unaccustomed outburst of frankness must lead to some pretty interesting contortions in the next ten years.

It also needs saying from time to time that in the last half century and in terms of his relations with 'friendly' states, Uncle Sam has, beyond doubt (unless your name is Khomeini or Pinter) been more sinned against than sinning.

You note that your gauntlet still lies where you threw it. The challenge is meaningless. The U.S. is a federation of fifty states, just one of which has more economic clout than these fair isles of ours.
Now if you were to put in the balance a federation of (say) 50 European states you might offer a reasonable scale to accommodate. You could even try such a balance without federating the European States but simply aggregating their individual efforts (so often, because of central direction and coordination, repetitious or redundant efforts).

Owen

From brg@gladman.plus.com Fri, 6 Jul 2001 11:51:59 +0100
Date: Fri, 6 Jul 2001 11:51:59 +0100
From: Brian Gladman brg@gladman.plus.com
Subject: Wired: Echelon Furor Ends in a Whimper

From: "Julian T. J. Midgley"
To:
Sent: Friday, July 06, 2001 10:21 AM
Subject: RE: Wired: Echelon Furor Ends in a Whimper

> On Thu, 5 Jul 2001, Owen Lewis wrote:
>
> > > Keywords for the week are:
> > >
> > > Pot Kettle Black
>
> Well, maybe, but can you name the listening station (equivalent in capability to Echelon) built on US soil by the Europeans for the sole purpose of giving us access to their communications traffic?
>
> I think there's just a hint of lack of reciprocity here...

Correct. Pretty well all nations have capabilities of various kinds to spy on other nations but no other group of nations that I know of comes even close to matching the global electronic surveillance capabilities of the 'anglo-saxon alliance'.

And as a founder member of this club it is inevitable that the UK will always have the difficult task of trying to sustain its membership of this club and the 'european club' since there are inevitably some very serious conflicts of interest.

Duncan Campbell was kind enough to point me at the original source material for these press reports but I have not yet had time to go through it. But if press reports are to be believed one outcome of the European Parliament study is a conclusion that Echelon is a 'fact of life' and that there is little that the EU nations can do to counter it.

If this truly is a conclusion, the European Parliamentary group have been badly briefed since nothing could be further from the truth.

But whether it would be in their interests to undermine Echelon is a much more difficult issue since the main need for such assets is in areas where US and European interests largely coincide.

The failure of the US and Europe to seriously discuss these issues is dangerous since we need to remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas. And without dialogue I don't see this happening.

Brian Gladman

From jya@pipeline.com Fri, 06 Jul 2001 07:23:59 -0700
Date: Fri, 06 Jul 2001 07:23:59 -0700
From: John Young jya@pipeline.com
Subject: Wired: Echelon Furor Ends in a Whimper

Owen Lewis writes:

>It also needs saying from time to time that in the last half century and in terms of his relations with 'friendly' states, Uncle Sam has, beyond doubt (unless your name is Khomeini or Pinter) been more sinned against than sinning.

This astonishes. Only a biased understanding of US foreign policy, especially that exercised by way of US intelligence agencies, could produce such a patent falsehood. The small amount of information that come from secret archives and the greater amount that has come from targets of covert operations belies this claim of disproportionately sinned against. A prime argument the intelligence industry uses to resist full disclosure of sustained perfidy is that "means and methods" must be protected. It is these means and methods which are the shame of governments, and not only the US, but it is the US with help from its friends who are by far the investors, inventors, promulgators and users of the technologies of political control.

The Wassnaar Agreement and a host of other treaties describe in minute detail what vile means and methods have been wrought to sin against others while denying compensatory access to defenses against predation.

Further, it is spill over from these "national security" control technologies that is now flooding internal police organizations to treat citizens as though foreign threats, and while the US leads the way in this, UK and the Echelon puppies are happy to contribute.

It cannot be too strongly stated that the great number of former members of intelligence agencies and their supporters are working feverishly to build markets for their skills and tools for internal defense, thus the dramatic invocation of the threat of homeland terrorism pretty muchly aping that once invoked for foreign foes. And, as ever, pretending blamelessness.

The best and brightest are alive and well selling self-enriching shinola as if in the national interest.

The 1951 Longley-Cook report by the UK Director of Naval Intelligence warning of the threat of US preventive war is highly instructive on how intelligence is warped to fit black agendas. That Churchill saw Longley-Cook as someone to keep an eye on for telling the truth about US warmongering is further indicative of sucking up by ambitious national leaders and their pocket intelligence courtiers.

It can't come too soon to indict national leaders for war crimes and compel them to reveal what they were told by their spooks, and, better, vice versa.

To make myself clear, the United States over the past 50 years of intelligence guiding foreign and now domestic policy has become extremely dirty-handed and extremely adept at camouflaging underhandedness. Nothing has so corrupted US culture as has secret government and its spread to other nations under guise of open democracy.

Examples abound, just ask if you don't know them or believe them secret.

Echelon is a mild diversion, and the technology so far revealed of global surveillance and intelligence mongering for political control -- see Steven Wright's 1997 STOA report -- has been cloaked by Echelon hand-wringing.
When all the means and methods Wright describes gets the attention Echelon has gotten, a bit of progress will be made. Until then, as the EP report demonstrates, it's all blowing of smoke and, in Owen's case, of sunshine. These whitewashes of black deeds are the favorite means and methods to shape public opinion in the age of spook-led and -fed government/commerce.

From oml@eloka.demon.co.uk Fri, 6 Jul 2001 13:40:49 +0100
Date: Fri, 6 Jul 2001 13:40:49 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 06 July 2001 11:52
> To: UK Crypto Posting
> Subject: Re: Wired: Echelon Furor Ends in a Whimper
>
> if press reports are to be believed one outcome of the European Parliament study is a conclusion that Echelon is a 'fact of life' and that there is little that the EU nations can do to counter it.
>
> If this truly is a conclusion, the European Parliamentary group have been badly briefed since nothing could be further from the truth.
>
> But whether it would be in their interests to undermine Echelon is a much more difficult issue since the main need for such assets is in areas where US and European interests largely coincide.

Quite so, and not just European and US interests perhaps. That this important point you raise was, seemingly, entirely missed by the EPG - even to mention, let alone evaluate - is one indication of narrowness of vision and of purpose in their study and report.

>
> The failure of the US and Europe to seriously discuss these issues is dangerous since we need to remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas.

How would you propose that such a precise sorting of sheep from goats might be effected?
This seems to me to be a fundamental issue and very much at the heart of the crypto debate. Owen From oml@eloka.demon.co.uk Fri, 6 Jul 2001 13:40:50 +0100 Date: Fri, 6 Jul 2001 13:40:50 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of John Young > Sent: 06 July 2001 15:24 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > Owen Lewis writes: > > >It also needs saying from time to time that in the last half > century and in > >terms of his relations with 'friendly' states, Uncle Sam has, > beyond doubt > >(unless your name is Khomeini or Pinter) been more sinned against than > >sinning. > > This astonishes. Only a biased understanding of US foreign policy, > especially that exercised by way of US intelligence agencies, > could produce > such a patent falsehood. I did say that there are some who disagree. The small amount of information that come > from secret archives and the greater amount that has come from > targets of covert operations belies this claim of > disproportionately sinned > against. A prime argument the intelligence industry uses to resist > full disclosure of sustained perfidy is that "means and methods" > must be protected. It is these means and methods which are the > shame of governments, and not only the US, but it is the US with > help from its friends who are by far the investors, inventors, > promulgators and users of the technologies of political control. My dear John, if there is bias in an appreciation of this matter, pluck first the beam from thine own eye and resist the call to hyperbole. Whatever dear old Uncle Sam may or may not have got up to in this century, he has not, in the quest of 'political control': - Effectively eliminated one or more races from an entire continent. 
- Exterminated, by shooting, burning, starvation, disease and slave labour untold millions (20M+) of his own people. - Eliminated political dissent within his own borders or anyone else's. - Preached race or religious hatred as state policy at home and abroad. - Occupied the land of others at the point of a bayonet, claiming some ancient, God given right apparent to none but himself. One could go on but you get the point I think. Balance in all things, mon vieux. Uncle Sam surely is not perfect and - like the rest of us - he makes mistakes from time to time. However, he is not the vicious psychotic thug that some (stand up K & P) would like to depict him as. To begin the search for balance, one might begin with the following properly researched, painstakingly detailed and peer reviewed studies: 'A Study of Tyranny' 'The Gulag Archipelago' 'The Mitrokhin Archive' But you have studied these already, I'm sure. And that makes your view as given above all the more incomprehensible to me. > To make myself clear, the United States over the past 50 years > of intelligence guiding foreign and now domestic policy has > become extremely dirty-handed and extremely adept at > camouflaging underhandedness. Nothing has so corrupted > US culture as has secret government and its spread to > other nations under guise of open democracy. > > Examples abound, just ask if you don't know them or believe > them secret. > > Echelon is a mild diversion, and the technology so far revealed > of global surveillance and intelligence mongering for political > control -- see Steven Wright's 1997 STOA report -- has been > cloaked by Echelon hand-wringing. When all the means and > methods Wright describes gets the attention Echelon has > gotten, a bit of progress will be made. Until then, as the EP > report demonstrates, it's all blowing of smoke and, in > Owen's case, of sunshine. 
> > These whitewashes of black deeds are the favorite means > and methods to shape public opinion in the age of spook-led > and -fed government/commerce. Somehow I don't think we are going to agree. Some of the issues you raise (snipped here for brevity) may be real enough concerns. However, they are in no way related specifically to Uncle Sam. Rather, the concerns are global and have to do with a combination of technological advances and a growing consensus among people that they prefer to have others (govts in the main) manage their lives for them, relieve them of risk and responsibility and cross their ever-open and outstretched palms with silly sums of money whenever they should suffer harm. Owen From David_Biggins@usermgmt.com Fri, 6 Jul 2001 16:01:23 +0100 Date: Fri, 6 Jul 2001 16:01:23 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: Owen Lewis [mailto:oml@eloka.demon.co.uk] > Sent: Friday, July 06, 2001 01:41 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper Sorry, Owen, but I can't really agree. This is the wrong place for this discussion, and I don't want to upset the moderators, but: > ... Whatever > dear old Uncle Sam may or may not have got up to in this > century, he has not, in the quest of 'political control': > > - Effectively eliminated one or more races from > an entire continent. With a little stretch on the time span, I suspect that the Native Americans may disagree. > > - Exterminated, by shooting, burning, starvation, > disease and slave labour untold millions (20M+) of his own people. Again, the Native Americans may disagree... And within the last couple of hundred, its record on slavery is no better than anyone else's. > - Eliminated political dissent within his own > borders or anyone else's. You must be joking. 
US attempts to destabilise other (smaller) countries' communist governments (which surely counts as "political control") are a matter of record. US shoring up of capitalist dictators in other (smaller) countries is equally a matter of record. Both of these give clear cases of elimination of political dissent. > - Preached race or religious hatred as state > policy at home and abroad. Preached it, no. Practiced it, yes. Its attitude to the Muslim Arabs has NOT been entirely defensible. And its attitude to China is of increasing concern in this context. > - Occupied the land of others at the point of a > bayonet, claiming some > ancient, God given right apparent to none but himself. Again, not within your hundred years, but... > One could go on but you get the point I think. Balance in all > things, mon vieux. Uncle Sam surely is not perfect and - like > the rest of us - he makes mistakes from time to time. Indeed. > However, he is not the vicious > psychotic thug > that some (stand up K & P) would like to depict him as. No. But he has become un-selfconsciously domineering and arrogant - much as we were perhaps a century ago, and is ignoring many of the lessons of history. From k.brown@ccs.bbk.ac.uk Fri, 06 Jul 2001 16:33:08 +0100 Date: Fri, 06 Jul 2001 16:33:08 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Wired: Echelon Furor Ends in a Whimper Owen Lewis wrote: > Whatever > dear old Uncle Sam may or may not have got up to in this century, I assume you mean the previous century, they haven't had time in the 21st yet. > he has > not, in the quest of 'political control': > > - Effectively eliminated one or more races from an entire continent. That's because they had all but finished the job in the 19th century.
By the 1890s the starving remnants of the native Americans were reduced to a level where they could be kept going as a tourist attraction > - Exterminated, by shooting, burning, starvation, disease and slave labour > untold millions (20M+) of his own people. I'll give you that one. > - Eliminated political dissent within his own borders or anyone else's. I don't think anyone has ever *eliminated* political dissent anywhere. A number of people have tried, including the US establishment. > - Preached race or religious hatred as state policy at home and abroad. Government-sponsored race hatred and segregation was a feature of life over much of the USA as recently as the 1950s and 1960s as you know. Not on the level of South Africa or the Nazis, but it was there, and it was public policy. > - Occupied the land of others at the point of a bayonet, claiming some > ancient, God given right apparent to none but himself. Come off it! Yes they bloody well did and you know it. Nicaragua is the obvious case, but there are others. I'm not saying they were any worse than most other countries but to claim that they were better is egregious. > > One could go on but you get the point I think. Balance in all things, mon > vieux. Uncle Sam surely is not perfect and - like the rest of us - he makes > mistakes from time to time. However, he is not the vicious psychotic thug > that some (stand up K & P) would like to depict him as. K & P? The peanut brand????? Ken From donald@ramsbottom.co.uk Fri, 06 Jul 2001 16:51:56 +0100 Date: Fri, 06 Jul 2001 16:51:56 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Wired: Echelon Furor Ends in a Whimper I think I agree with Owen on this one. Sure the US is not as pure as driven snow, but neither is anyone else. Nicaragua has been quoted, but look what the Spaniards did and before that the Maya and Toltecs. The Native Americans have been quoted, but what was done was pretty much standard Imperial policy of all of Europe at the time. 
The Indians themselves were not above Genocide. Uncle Sam does what he needs to. We belly ache because we used to and can no longer. The Germans used to be able to, can no longer but want to be able to do the same as the US. And the French, the dear dear French, have always done exactly what they wanted to, when they wanted to. We should not get all huffy, all Nations do it to all other Nations, its just that Uncle Sam is the biggest boy on the block and the rest do not like it, or want to be in his Gang, it makes them feel more important (or more accurately their "Leaders"). So we all know Echelon exists, all "developed Countries" have their own version, and although we can take precautions to minimise its effect, most do not and we are not encouraged to as that would affect our own Gov's ability. So Owen, however un PC this is I stand with you to be shot at:) Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From oml@eloka.demon.co.uk Fri, 6 Jul 2001 17:29:09 +0100 Date: Fri, 6 Jul 2001 17:29:09 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ken Brown > Sent: 06 July 2001 16:33 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Owen Lewis wrote: > > > Whatever > > dear old Uncle Sam may or may not have got up to in this century, > > I assume you mean the previous century, they haven't had time in the > 21st yet. In this hundred years. 
> > he has > > not, in the quest of 'political control': > > > > - Effectively eliminated one or more races from > an entire continent. > > That's because they had all but finished the job in the 19th century. By > the 1890s the starving remnants of the native Americans were reduced to > a level where they could be kept going as a tourist attraction Were that true, there would not be so many to moan about it today. Besides mankind's views of such things have changed more in the last 100 years than in all previous history. Personally, and as an abo Brit, there's nothing I enjoy more of a Summer's evening than squatting outside the local pub with my hand out, complaining about how my forebears were killed, burned, raped and enslaved by the Romans/Angles/Jutes/Saxons/Danes/Vikings/Normans. Frankly, I think the rest of the EU ought to keep me and all my compatriots for the rest of our lives (stress counselling included) for the perfectly horrid things they did to my relations over some thousand years or more. > > > - Exterminated, by shooting, burning, starvation, > disease and slave labour > > untold millions (20M+) of his own people. > > I'll give you that one. > > > - Eliminated political dissent within his own > borders or anyone else's. > > I don't think anyone has ever *eliminated* political dissent anywhere. A > number of people have tried, including the US establishment. Cite? McCarthyism was a weak gesture in that direction, granted - but look at what happened to McCarthy. > > > - Preached race or religious hatred as state > policy at home and abroad. > > Government-sponsored race hatred and segregation was a feature of life > over much of the USA as recently as the 1950s and 1960s as you know. > Not on the level of South Africa or the Nazis, but it was there, and it > was public policy. Your argument is too sloppy to hold together. Race or religious hatred as state policy is quite specific.
Your response (excepting the Nazis) wobbles around the specific, avoiding it. Ruanda, Burundi, the Balkan states (some) and the Indian subcontinent provide much more exact and powerful examples. Cambodia too, if one includes class hatred which is equally illogical, unpleasant and potentially lethal. We are back to consideration of eyes, motes and beams once again. > > > - Occupied the land of others at the point of a > bayonet, claiming some > > ancient, God given right apparent to none but himself. > > Come off it! Yes they bloody well did and you know it. Nicaragua is the > obvious case, but there are others. In the 20th Cent? Really? Can you cite? Why they never even popped poor old Jacomo Arbenz's clogs in 1947 (though they may have acted in a consultancy capacity to those who did). > > I'm not saying they were any worse than most other countries but to > claim that they were better is egregious. And I, very carefully, never argued that they were any better. What is true is that Uncle Sam is not the 'Great Satan' of this modern world. I don't find it necessary to admire everything he has done or now does - or even like him over much - to hold to that. The greatest horrors of the modern world have all come from others. > > > > > One could go on but you get the point I think. Balance in all > things, mon > > vieux. Uncle Sam surely is not perfect and - like the rest of > us - he makes > > mistakes from time to time. However, he is not the vicious > psychotic thug > > that some (stand up K & P) would like to depict him as. > > K & P? The peanut brand????? Nah.
Khomeini and Pinter (snipped away) Owen From oml@eloka.demon.co.uk Fri, 6 Jul 2001 17:47:10 +0100 Date: Fri, 6 Jul 2001 17:47:10 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Donald > ramsbottom > Sent: 06 July 2001 16:52 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Sure the US is not as pure as driven snow, but neither is anyone else. > > Nicaragua has been quoted, but look what the Spaniards did and before that > the Maya and Toltecs. > > The Native Americans have been quoted, but what was done was pretty much > standard Imperial policy of all of Europe at the time. The Indians > themselves were not above Genocide. > > Uncle Sam does what he needs to. We belly ache because we used to and can > no longer. The Germans used to be able to, can no longer but want to be > able to do the same as the US. And the French, the dear dear French, have > always done exactly what they wanted to, when they wanted to. > > We should not get all huffy, all Nations do it to all other Nations, its > just that Uncle Sam is the biggest boy on the block and the rest do not > like it, or want to be in his Gang, it makes them feel more important (or > more accurately their "Leaders"). > > So we all know Echelon exists, all "developed Countries" have their own > version, and although we can take precautions to minimise its effect, most > do not and we are not encouraged to as that would affect our own Gov's > ability. Amen, amen and amen > So Owen, however un PC this is I stand with you to be shot at:) Thank you. Truth is as one finds it. It should not be malleable according to fashion, whim or to gain some advantage. Of course, a good lawyer understands that perfectly :) Sadly, this is a far from perfect world- but it has some smashing things in it. 
Owen From phantomink@powersurfr.com Fri, 6 Jul 2001 11:05:54 -0700 Date: Fri, 6 Jul 2001 11:05:54 -0700 From: Phantom Ink phantomink@powersurfr.com Subject: Wired: Echelon Furor Ends in a Whimper Greg wrote: All History is tragedy illegitimate dynasties, treachery. What we do to others is perhaps part of the demiurge of the original matter from the bacteria of the stars, alien creations, with a penchant for hypocrisy. Another mandate is abroad the world making it more like the stars and the burnt out cinder suns of chaos. Think of us as Religious Bacteria. And religion, even religion of the machine is elitism. States are the servants of the Gods. Don't get too concerned with yerself or ethics. It all comes out as lies, defending our little world from economic disaster, repatriating history with explanations to each other or ourselves. We cannot stop ourselves from bending to this force. We are driven by each other to be cold indifferent, hostile, grasping. Just like the bacteria we came from. Gods alright now, he just can't remember which one of us he is. Nenius said that the three stages of language shall be classical, romanic, and finally demotic. We are here in the third circle. Double speak, state lies, men will never know the truth, we will never understand it. So sublime is this absolute. Hegel tells us not to bother looking for it, because we can never know it. 'Course revisionism is very popular right now. Everything is up for grabs when rational thought is threatened, especially history. We are at the end of history if it ever existed, phenomenologically speaking, a new broadsheet is being made, and your name isn't on it. It's called the Techno Dark Ages. Where men shall be murdered without any ill in the police we build in our silence I call it all Virtual Pancakeville. 
Good hunting GB ----- Original Message ----- From: "Donald ramsbottom" To: Sent: Friday, July 06, 2001 8:51 AM Subject: Re: Wired: Echelon Furor Ends in a Whimper > I think I agree with Owen on this one. > > Sure the US is not as pure as driven snow, but neither is anyone else. > > Nicaragua has been quoted, but look what the Spaniards did and before that > the Maya and Toltecs. > > The Native Americans have been quoted, but what was done was pretty much > standard Imperial policy of all of Europe at the time. The Indians > themselves were not above Genocide. > > Uncle Sam does what he needs to. We belly ache because we used to and can > no longer. The Germans used to be able to, can no longer but want to be > able to do the same as the US. And the French, the dear dear French, have > always done exactly what they wanted to, when they wanted to. > > We should not get all huffy, all Nations do it to all other Nations, its > just that Uncle Sam is the biggest boy on the block and the rest do not > like it, or want to be in his Gang, it makes them feel more important (or > more accurately their "Leaders"). > > So we all know Echelon exists, all "developed Countries" have their own > version, and although we can take precautions to minimise its effect, most > do not and we are not encouraged to as that would affect our own Gov's > ability. 
> > So Owen, however un PC this is I stand with you to be shot at:) > > > > > Donald Ramsbottom BA LLb (Hons) PGdip > Ramsbottom & Co Solicitors > Internet and Global Encryption Law Specialists & General UK Law Matters > 5 Seagrove Avenue Hayling Island Hampshire UK > Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 > Regulated by the Law Society in the conduct of Investment business > Service by Fax or Email NOT accepted > > > From cb@fipr.org Fri, 6 Jul 2001 23:29:30 +0100 Date: Fri, 6 Jul 2001 23:29:30 +0100 From: Caspar Bowden cb@fipr.org Subject: Fwd: Release from Marco Cappato MEP on European Parliament view on general surveillance of electronic communications This is a Press Release on a European Parliament amendment condemning moves towards general surveillance of electronic communications. Forwarding to the RIPlist and ukcrypto for its obvious relevance to recent Council of Ministers pressure on Commission to abolish current prohibition on indiscriminate long-term retention of traffic data. 
The excerpt is noteworthy : "the interception and storage of data concerning traffic and location in electronic communications are entirely exceptional measures which must be based on a specific law which is comprehensible to the general public, be authorised by the judicial or competent authorities, be of limited duration, and be proportionate and necessary within a democratic society; points out that, under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited". The URL given doesn't work, but this does http://www.europarl.eu.int/meetdocs/committees/libe/20010710/439506en.pdf -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media >-----Original Message----- >From: Marco Cappato [mailto:mcappato@europarl.eu.int] >Sent: 06 July 2001 17:20 >To: Marco Cappato >Subject: press release/communiqué de presse > > >Press release by Marco Cappato (MEP and EP draftsman on privacy in >electronic communications) on the efforts by EU Member States to get >wider powers in intruding in private life of citizens PRIVACY/EP: EUROPEAN PARLIAMENT POSITION AGAINST GENERAL SURVEILLANCE IS A GOOD NEWS IN THE VIEW OF THE VOTE ON THE PRIVACY DIRECTIVE THAT WILL TAKE PLACE NEXT WEDNESDAY IN BRUSSELS (Cappato report) Brussels, 6 July 2001 Declaration by Marco Cappato, Radical MEP of the Bonino List, EP draftsman on the draft directive on privacy in electronic communications: "The adoption of a radical amendment that I had tabled on behalf of the Radicals/ Lista Bonino MEPs on the report on Human Rights in the European Union, the EP has assumed yesterday a clear political position on the issue of intrusions by States' repressive authorities in citizens' private life: "the interception and storage of data concerning traffic and location in electronic 
communications are entirely exceptional measures which must be based on a specific law which is comprehensible to the general public, be authorised by the judicial or competent authorities, be of limited duration, and be proportionate and necessary within a democratic society; points out that, under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited". The political orientation of the EP is extremely important in the view of the legislative decisions that are to be taken on the revision of the directive on privacy in electronic communications, that opposes the European Commission to the Council of Ministers. As draftsman of the EP on this directive, I express the hope that the EP will support my report when it will be voted in the committee for citizens' freedoms and rights next Wednesday in Brussels: The EP has to oppose to any effort by EU Member States to get wider powers in intruding in private life of citizens, derogating to minimal human rights and fundamental freedoms that are at the base of democracy and Rule of Law". 
For further information: Marco Cappato's office: EP-Brussels, Tel 0032 2 2847496; Email: mcappato@europarl.eu.int Cappato draft report: http://www.europarl.ep.ec/meetdocs/committees/libe/20010710/439506en.pdf ------------------------------------------------------------------------ --------------------------------------------------- From cb@fipr.org Sat, 7 Jul 2001 11:00:37 +0100 Date: Sat, 7 Jul 2001 11:00:37 +0100 From: Caspar Bowden cb@fipr.org Subject: Australian government says CoE Cybercrime Convention DOES confer GAK powers On 14th November 2000, Peter Csonka of the Council of Europe was reported as denying that the Cybercrime convention conferred powers for government access to encryption keys ("That was never our intention" http://www.zdnet.co.uk/news/2000/45/ns-19057.html) However on the Second Reading of the Australian Cybercrime Bill on 27th June 2001, Attorney General Daryl Williams said "Such a power is contained in the draft Council of Europe Convention on Cybercrime and will assist officers in gaining access to encrypted information." 
http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=0&from=browse&path=Legislation/Current+Bills+by+Title/Cybercrime+Bill+2001/Second+reading+speeches&items=1&altbrowse=yes The text of the Australian Cybercrime Bill 2001 is at http://search.aph.gov.au/search/ParlInfo.asp?WCI=Hyperlink&CLASS=BILL&XRefID=R1360&Short=Cybercrime+Bill+2001 -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media -----Original Message----- To: 'FIPR News Archive' Subject: Computerworld Australia 4/7/2001: "Cybercrime bill 'draconian and dangerous'" http://www.computerworld.com.au/idg.nsf/All/D115FFE5F1AF211DCA256A7F0001FACE!OpenDocument&NavArea=Home&SelectedCategoryName=News Cybercrime bill 'draconian and dangerous' By Sandra Van Dijk 4 July, 2001 10:07 Australia The IT security industry has been scathing in its attacks this week on the Cybercrime Bill 2001, labelling it "draconian and dangerous". Under the bill, which proposes seven new computer offences carrying jail terms of up to 10 years, it is illegal to possess hacker toolkits, scanners and virus code. These are 'tools of the trade' for security vendors to test systems placing a burden on lawyers drafting ethical hacking agreements with corporations. Bernard Hill, barrister and corporate services manager of Canberra-based security consultancy 90East, said the act complicates the necessary testing undertaken by the company which manages a number of Commonwealth agencies. "It's a burden for lawyers drafting agreements with companies and will prove very tricky legally to test denial-of-service attacks," Hill said. Amendments to the bill will be debated when parliament sits again in August and Hill said 90East is preparing a submission identifying these loopholes. He agreed such tools and information are also required by systems administrators to secure electronic infrastructure. 
The proposed bill does allow the Defence Signals Directorate (DSD) and Australian Security Intelligence Organisation (ASIS) to hack legally. It also forces companies by law to reveal passwords, keys, codes, cryptographic and steganographic methods used to protect information. Hill said companies may be concerned about intellectual property being compromised, but protecting the national information infrastructure is critical. "There have been allegations made about the Government's use of surveillance networks, such as Echelon, and there being no checks and balances in place when agencies are given such broad ranging powers. It is a vexed issue, but the cyberterrorist threat at this time is too great to ignore," he said. Describing the bill as "draconian", Unisys e-security architecture director Ajoy Ghosh said the new laws need to be enforceable. The bill will not change the current situation where Australia's enforcement agencies have scant resources to tackle investigations seriously, he added. He said the solution is to empower the private sector, allowing it access to information necessary to detect, identify and prosecute. Many private security consultancies already investigate cybercrime but Ghosh said they are hampered by current laws. "For example, the inability to get access to ISP billing records; the private sector could focus on opportunistic crimes while the public sector concentrates on crimes of mass victimisation or those that threaten our economic infrastructure," he said. Internet Industry Association executive director Peter Coroneos supports the proposed bill in principle but said it needs to find a balance between privacy concerns and the need to prosecute illegal hacking activities. 
A spokesperson for the Minister for Justice and Customers Senator Chris Ellison was unavailable for comment but said in a statement: "The large amount of data that can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators. The legislation will enable police powers to copy computer data and examine computer equipment and disks off-site and enable them to obtain assistance from computer owners." From cb@fipr.org Sat, 7 Jul 2001 14:14:41 +0100 Date: Sat, 7 Jul 2001 14:14:41 +0100 From: Caspar Bowden cb@fipr.org Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof There is a reference to RIP reverse-burden-of-proof in Lord Hope's opinion (para.93) in the following House of Lords appeal (5th July 2001). It appears to be a major rehearsal of arguments about the presumption of innocence in HRA. A little disconcertingly, Lord Hope refers to the "offence of possession" in RIP 53(2), as if possession of a key was the inherent offence (like a controlled drug), rather than the issue of possession arising from non-compliance with a s.49 order. Although the opinions are interesting, they don't seem to clarify much what will suffice to "raise the issue" of no-PANTS (Possession after Notice Time of Serving) in 53(2). Asserting an unusually bad memory ? Through statements or testimony from the witness box ? Asserting a normal memory, but forgetfulness in this instance ? The essential point seems to me that it is not arguable that use of encryption in itself is comparable to possession of drugs, so arguments about "balancing the interests of the individual in achieving justice against the needs of society to protect against abuse of drugs", will be a non-starter in a RIP case. 
The construction of RIP doesn't allow any consideration of a presumed "underlying" substantive offence in any case, and if there *was* sufficient evidence of a substantive offence then a person should be tried and convicted on that charge. It's totally irrelevant to the issue of PANTS. -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media Regina v. Lambert (On Appeal From The Court of Appeal (Criminal Division)) http://www.parliament.the-stationery-office.co.uk/pa/ld200102/ldjudgmt/jd010705/regina-4.htm "93. Section 53(3) of the Regulation of Investigatory Powers Act 2000 is to the same effect. It provides a defence to the offence of possession described in section 53(2). It places the onus of proving the contrary beyond a reasonable doubt on the prosecutor if sufficient evidence of that fact is adduced to raise an issue with respect to it. It is not unreasonable to think that, if Parliament were now to have an opportunity of reconsidering the words used in section 28(2) and (3) of the 1971 Act, it would be content to qualify them in precisely the same way" From oml@eloka.demon.co.uk Sat, 7 Jul 2001 19:22:11 +0100 Date: Sat, 7 Jul 2001 19:22:11 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Caspar Bowden > Sent: 07 July 2001 14:15 > To: 'Ukcrypto'; FIPR-AC > Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof > > > There is a reference to RIP reverse-burden-of-proof in Lord Hope's > opinion (para.93) in the following House of Lords appeal (5th July > 2001). It appears to be a major rehearsal of arguments about the > presumption of innocence in HRA. 
>
> A little disconcertingly, Lord Hope refers to the "offence of possession" in RIP 53(2), as if possession of a key was the inherent offence (like a controlled drug), rather than the issue of possession arising from non-compliance with a s.49 order.
>
> Although the opinions are interesting, they don't seem to clarify much what will suffice to "raise the issue" of no-PANTS (Possession after Notice Time of Serving) in 53(2). Asserting an unusually bad memory ? Through statements or testimony from the witness box ? Asserting a normal memory, but forgetfulness in this instance ?

I think we return to the point that cryptography is neither 'good' nor 'bad'; it is (in modern form) a useful bit of technology that takes upon itself the ethical or legal colour of the purpose for which it is used. Where it is used to conceal evidence of crime or criminal purpose, it is not safe to argue that the concealment it provides should not be forced open under due legal process.

We need also to return to the basic matter of whether it is right that a search of a person's belongings may be made lawfully. This is never a pleasant thing but I believe the substantial majority view is that from time to time such a procedure is better to be effected than not.

So, premises are entered and there is information in store on two computers. On one the store is encrypted and on the other it is not. The warrant authorising the search permits the seizure and examination of all this information. Can it be right, that the order of the court is thwarted simply because one container is 'locked' and the other container is 'open'?

It is also clear that if the enciphered container held incriminating material, it would be much in the interest of its owner to withhold the key, claiming it to be lost or some such.
I can see no way to prevent such a course being taken except to ensure that it is likely to lead the owner into a great deal of trouble - albeit perhaps less trouble than he would be in if the contents could be read.

It is essential with PKC that secret keys be kept securely. It is much in the interest of the owner that they are never lost or compromised, with the single exception that a 'loss' can thwart a search. It is reasonable therefore to presume that key holders secure their secret keys with care.

Nevertheless, keys are lost from time to time; many of us will have lost a key at some time or other. Therefore it seems right that a court listen to a reasoned explanation as to why a key demanded has not been handed over and exercise judgement as to whether the explanation is reasonable in the circumstances. But the purpose of the law will be thwarted if the owner of a key is not required to prove that the loss has occurred and in some way that can be shown to have no connection to a demand for its surrender.

So what should be the real effect of this on key owners? Surely, it reinforces their natural inclination to assure that their keys are well secured at all times. There is some minuscule part of the population who may be placed unfairly at risk because of such law. It seems to me that their satisfactory protection should come not from removal of the new offence of not surrendering a key but from ensuring that there is a strong prima facie case to be made against either the key holder or against some person from whom it can be shown he has been in receipt of enciphered information.

In sum, the reasons for requiring a search must be of the strongest. If they are, then it is not tolerable that a mechanism be allowed by default whereby any and all such searches can be thwarted at will and without fear or consequence. Therefore, I think that attempts to have such a mechanism allowed as a 'human right' are doomed to failure; the courts are not entirely naive.
A tactic that, through test cases or other means, leads to the requirement for a radical strengthening of the grounds for demanding searches (and therefore the surrender of keys) is much more likely to succeed, I think.

Owen

From gbayley@ausmac.net Sun, 8 Jul 2001 15:06:20 +1000 (EST)
Date: Sun, 8 Jul 2001 15:06:20 +1000 (EST)
From: Grant Bayley gbayley@ausmac.net
Subject: Australian government says CoE Cybercrime Convention DOES confer GAK powers

On Sat, 7 Jul 2001, Caspar Bowden wrote:

> On 14th November 2000, Peter Csonka of the Council of Europe was reported as denying that the Cybercrime convention conferred powers for government access to encryption keys ("That was never our intention" http://www.zdnet.co.uk/news/2000/45/ns-19057.html)
>
> However on the Second Reading of the Australian Cybercrime Bill on 27th June 2001, Attorney General Daryl Williams said "Such a power is contained in the draft Council of Europe Convention on Cybercrime and will assist officers in gaining access to encrypted information."
> http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=0&from=browse&path=Legislation/Current+Bills+by+Title/Cybercrime+Bill+2001/Second+reading+speeches&items=1&altbrowse=yes
>
> The text of the Australian Cybercrime Bill 2001 is at
> http://search.aph.gov.au/search/ParlInfo.asp?WCI=Hyperlink&CLASS=BILL&XRefID=R1360&Short=Cybercrime+Bill+2001

Just a followup about this proposed legislation, the following mailing list has been set up to discuss it, the GAK issues raised above, as well as to discuss submissions to the Senate Legal and Constitutional Committee inquiry.

To join, send an empty email to: 2600-law-subscribe@wiretapped.net

(There's also a digest version (2600-law-digest-subscribe@wiretapped.net) but the traffic is only fairly light at present.
(maybe not for much longer))

Information about the Senate Legal and Constitutional Committee inquiry is located at:
http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm

Written submissions must be made by 20th July, 2001, and public hearings are being held in Sydney on 19th July and in Canberra on 9th August.

2600 Australia has prepared an initial response to the second reading speech at the following URL, and will be making an official submission in due course:
http://www.2600.org.au/cybercrime-bill-response.txt

Hope this is of interest,

Grant

-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------

From jtjm@xenoclast.org Sun, 8 Jul 2001 11:42:42 +0100 (BST)
Date: Sun, 8 Jul 2001 11:42:42 +0100 (BST)
From: Julian T. J. Midgley jtjm@xenoclast.org
Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof

On Sat, 7 Jul 2001, Owen Lewis wrote:

> It is also clear that if the enciphered container held incriminating material, it would be much in the interest of its owner to withhold the key, claiming it to be lost or some such. I can see no way to prevent such a course being taken except to ensure that it is likely to lead the owner into a great deal of trouble - albeit perhaps less trouble than he would be in if the contents could be read.
>
> It is essential with PKC that secret keys be kept securely. It is much in the interest of the owner that they are never lost or compromised, with the single exception that a 'loss' can thwart a search. It is reasonable therefore to presume that key holders secure their secret keys with care.

No it isn't.
The fact of its being sensible (or even necessary, for any genuine security) to keep one's keys secure, does not by any stretch of anyone's imagination imply that all those who have created secret keys for whatever purpose will a) have kept them secure, b) still remember where they are, or what the passphrases are.

It is sensible not to drive when drunk or extremely tired; it is absolutely not reasonable to presume that every driver one meets on the roads is therefore neither drunk nor extremely tired.

A better example (since there's no implied breaking of the law involved): In the interests of ensuring that leather shoes wear well, it is essential that they be polished regularly with a good polish. It is nonsense to suggest that this implies that all those who wear leather shoes polish them regularly.

> Nevertheless, keys are lost from time to time; many of us will have lost a key at some time or other. Therefore it seems right that a court listen to a reasoned explanation as to why a key demanded has not been handed over and exercise judgement as to whether the explanation is reasonable in the circumstances.

What does that mean? "Reasonable in the circumstances?" -

'I typed rm -fr * in the wrong directory by accident, and didn't have any backups. Unfortunately I couldn't recover the data from the disk, because by the time I noticed what I'd done, I'd already copied the Netscape source on to the machine, unpacked it, and started compiling it'

Sounds reasonable to me (it's not an offence not to have backups). But it could just as easily be a convenient excuse behind which a criminal was hiding. How about trying to prove it? Well, the presence of the Netscape source on the machine corroborates the latter half of the story, but says nothing about whether the keys were actually ever on that box. Impossible to prove either way (though fans of STM disk analysis might disagree).

What if the reason given was "the dog ate the floppy"?
Would that not be reasonable because it sounds too much like a conventional schoolboy excuse? But dogs can and do chew up floppy disks (I've lost at least one that way myself).

I fail to see how anyone can be expected to exercise judgment as to whether the excuse proffered is reasonable or not (or, more usefully, I believe that anyone (with a modicum of intelligence) can concoct an explanation that must be accepted as reasonable since it could quite reasonably have occurred).

Therefore, I believe that it is nonsensical to suggest that we gain anything by allowing a court to decide whether or not an explanation is "reasonable in the circumstances". Either the court tends towards genuine "reasonableness", in which case the criminals win, or it tends towards requiring "proof", in which case the innocents lose. There is no happy middle ground.

Even if there is a significant amount of prima facie evidence that the accused is engaged in some criminal activity, it is wrong for the court to assume that if he claims he no longer has the keys then he is lying. It is quite possible that his dog did eat the floppy that very morning, and he should not be convicted of anything because of that misfortune.

> But the purpose of the law will be thwarted if the owner of a key is not required to prove that the loss has occurred and in some way that can be shown to have no connection to a demand for its surrender.

There is one significant flaw in this argument. How does one prove that one does not have something (or does not remember something)?

The simplest case occurs when the secret key itself was on the same machine as the data (and so is now in the hands of the police). In order to make use of this key, they require the passphrase. They ask you for it. You say, "I'm sorry, but I've forgotten it". They respond, "prove it". And you do what, exactly?
Surely at the very least the prosecution will need to start by proving that at some point you possessed the key, before you can be asked to prove that you don't any longer. Even then, your failure to be able to prove that you no longer have it should not be deemed incriminating. ("I lost the floppy in a house move." - might be true, might not be, can hardly be proven.)

> So what should be the real effect of this on key owners? Surely, it reinforces their natural inclination to assure that their keys are well secured at all times. There is some minuscule part of the population who may be placed unfairly at risk because of such law. It seems to me that their satisfactory protection should come not from removal of the new offence of not surrendering a key but from ensuring that there is a strong prima facie case to be made against either the key holder or against some person from whom it can be shown he has been in receipt of enciphered information.

Careful. It would appear from your above that if I am a known criminal, and am aware that I am being monitored, I can get my own back on someone who has crossed me by sending him some enciphered material (having created a key in his name which I later discard). He then has the devil of a time proving that he didn't have the key.

And I don't believe that the possession of a strong prima facie case against an individual should have any bearing whatsoever on whether he is guilty of failing to turn over the keys. After all, if we have convincing evidence that someone robbed a pharmacy, and a policeman is discovered dead in the alley next to the pharmacy half an hour after it was robbed, we don't convict the robber of the policeman's murder without requiring evidence for that particular crime.
To be honest the only reasonable way that I can think of that will allow the guilty to be convicted without also convicting the innocent is for the police, instead of waltzing in and seizing equipment, to install monitoring software on the suspect's machine (something to capture keystrokes etc), and wait for him to use his key. Not significantly different in nature from a phone tap.

Julian

--
Julian T. J. Midgley http://www.xenoclast.org
Cambridge, England. PGP Key ID: 0xBCC7863F

From oml@eloka.demon.co.uk Sun, 8 Jul 2001 14:56:07 +0100
Date: Sun, 8 Jul 2001 14:56:07 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T. J. Midgley
> Sent: 08 July 2001 11:43
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: R v.Lambert House of Lords and RIP reverse-burden-of-proof
>
> On Sat, 7 Jul 2001, Owen Lewis wrote:
>
> > It is also clear that if the enciphered container held incriminating material, it would be much in the interest of its owner to withhold the key, claiming it to be lost or some such. I can see no way to prevent such a course being taken except to ensure that it is likely to lead the owner into a great deal of trouble - albeit perhaps less trouble than he would be in if the contents could be read.
> >
> > It is essential with PKC that secret keys be kept securely. It is much in the interest of the owner that they are never lost or compromised, with the single exception that a 'loss' can thwart a search. It is reasonable therefore to presume that key holders secure their secret keys with care.
>
> No it isn't.
> The fact of its being sensible (or even necessary, for any genuine security) to keep one's keys secure, does not by any stretch of anyone's imagination imply that all those who have created secret keys for whatever purpose will a) have kept them secure, b) still remember where they are, or what the passphrases are.

It's not a case of any key one ever may have created but of keys which either secure information you continue to store or continue to receive communications requiring that key to read them. Moreover, for the law to take effect, there should be good reason (e.g. evidence of criminality) for the law to be brought into play. The fact remains that it is essential to secure a secret key that is the only means of reading a continuing correspondence or opening a secured store of information.

Actually, the analogy is with the complete opposite, i.e. it is to be presumed that most drivers do neither at any moment and that they will be committing an offence if they do. You take my point?

> > Nevertheless, keys are lost from time to time; many of us will have lost a key at some time or other. Therefore it seems right that a court listen to a reasoned explanation as to why a key demanded has not been handed over and exercise judgement as to whether the explanation is reasonable in the circumstances.
>
> What does that mean? "Reasonable in the circumstances?" -

Just what it says. Each case must turn on its merits. Start at the beginning. For the law to come into play there must be fair suspicion of one of three things, being:

1. The subject of an order has engaged in serious criminal activity.
2. He associates with and shares information in common with someone so suspected.
3. Someone so suspected communicates with him in cipher, using a key which causes only him to be able to read the information received.

The subject of an order claims to have 'lost' the secret key and cannot comply.
A judge must determine whether he cannot or whether he will not comply.

> 'I typed rm -fr * in the wrong directory by accident, and didn't have any backups. Unfortunately I couldn't recover the data from the disk, because by the time I noticed what I'd done, I'd already copied the Netscape source on to the machine, unpacked it, and started compiling it'
>
> Sounds reasonable to me (it's not an offence not to have backups). But it could just as easily be a convenient excuse behind which a criminal was hiding. How about trying to prove it? Well, the presence of the Netscape source on the machine corroborates the latter half of the story, but says nothing about whether the keys were actually ever on that box. Impossible to prove either way (though fans of STM disk analysis might disagree).

This, I think, is why the law is framed to require the subject of an order to prove that he could not comply and that the circumstances in which the key was lost were entirely unrelated to any investigation or service of an order. Without belabouring the point, there are many circumstances where that could be shown on a straight balance of probability, let alone reasonable doubt. However, criminal behaviour being what it is, there will also be many such claims in response to the serving of an order which are specious. Consider; if the information you hold is revealed, you will, in all probability be sentenced to 30 years. Will you hesitate even for a moment to lose the key?

> I fail to see how anyone can be expected to exercise judgment as to whether the excuse proffered is reasonable or not (or, more usefully, I believe that anyone (with a modicum of intelligence) can concoct an explanation that must be accepted as reasonable since it could quite reasonably have occurred).

You may indeed so fail. But the fact is that judges exercise continually such a discriminatory power as an essential part of their duties.
> Therefore, I believe that it is nonsensical to suggest that we gain anything by allowing a court to decide whether or not an explanation is "reasonable in the circumstances". Either the court tends towards genuine "reasonableness", in which case the criminals win, or it tends towards requiring "proof", in which case the innocents lose. There is no happy middle ground.

If you truly believe that, then the remedy lies entirely in your own hands. Should you choose to use PKC, you must simply ensure that at least one, preferably two copies of your pass phrase are maintained in non-electro-magnetic form and where they will be safe. These are additional to the third you keep in your own (fallible) memory.

It being my turn for an analogy, I claim that not to take some such precaution is as irresponsible as handling a firearm or a car in an unsafe manner.

> Even if there is a significant amount of prima facie evidence that the accused is engaged in some criminal activity, it is wrong for the court to assume that if he claims he no longer has the keys then he is lying. It is quite possible that his dog did eat the floppy that very morning, and he should not be convicted of anything because of that misfortune.

The law may say - has said - he can and leaves all ample opportunity to ensure that they can never have misfortune mistaken for defiance. Absolute protective arrangements can be made. Those who choose not to do so expose themselves to a risk of some considerable unpleasantness - and not just at the hands of a court.

> Surely at the very least the prosecution will need to start by proving that at some point you possessed the key, before you can be asked to prove that you don't any longer. Even then, your failure to be able to prove that you no longer have it should not be deemed incriminating. ("I lost the floppy in a house move." - might be true, might not be, can hardly be proven.)
You would only be able to claim one position and never both. You are in possession (or not) of encrypted data. If you are, where's the key?

> > So what should be the real effect of this on key owners? Surely, it reinforces their natural inclination to assure that their keys are well secured at all times. There is some minuscule part of the population who may be placed unfairly at risk because of such law. It seems to me that their satisfactory protection should come not from removal of the new offence of not surrendering a key but from ensuring that there is a strong prima facie case to be made against either the key holder or against some person from whom it can be shown he has been in receipt of enciphered information.
>
> Careful. It would appear from your above that if I am a known criminal, and am aware that I am being monitored, I can get my own back on someone who has crossed me by sending him some enciphered material (having created a key in his name which I later discard).

This is one reason why PGP as 'strong cryptography for the masses' is a flawed system. You would not be able to do this to me or to many others, only to those who lay themselves open to this form of abuse.
Owen

From brg@gladman.plus.com Mon, 9 Jul 2001 09:19:50 +0100
Date: Mon, 9 Jul 2001 09:19:50 +0100
From: Brian Gladman brg@gladman.plus.com
Subject: Wired: Echelon Furor Ends in a Whimper

From: "Owen Lewis"
To:
Sent: Friday, July 06, 2001 1:40 PM
Subject: RE: Wired: Echelon Furor Ends in a Whimper

> > -----Original Message-----
> > From: ukcrypto-admin@chiark.greenend.org.uk
> > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> > Sent: 06 July 2001 11:52
> > To: UK Crypto Posting
> > Subject: Re: Wired: Echelon Furor Ends in a Whimper
> >
> > > if press reports are to be believed one outcome of the European Parliament study is a conclusion that Echelon is a 'fact of life' and that there is little that the EU nations can do to counter it.
> >
> > If this truly is a conclusion, the European Parliamentary group have been badly briefed since nothing could be further from the truth.
> >
> > But whether it would be in their interests to undermine Echelon is a much more difficult issue since the main need for such assets is in areas where US and European interests largely coincide.
>
> Quite so, and not just European and US interests perhaps. That this important point you raise was, seemingly, entirely missed by the EPG - even to mention, let alone evaluate - is one indication of narrowness of vision and of purpose in their study and report.
>
> > The failure of the US and Europe to seriously discuss these issues is dangerous since we need to remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas.
>
> How would you propose that such a precise sorting of sheep from goats might be effected? This seems to me to be a fundamental issue and very much at the heart of the crypto debate.
The concerns that have arisen in Europe over Echelon relate largely to whether the US can be trusted to use the information it gains via Echelon only in the way that it says it does. Many in Europe clearly do not trust the US in this respect.

And being an issue of trust, it is most unlikely that it can ever be resolved if the parties involved are not prepared to sit down and discuss the concerns and what might be done to remove them. And here the apparent willingness of the US to meet with a European Parliament delegation, followed by a complete refusal to meet with them once they arrived in Washington, is hardly an effective way of building trust. I don't blame the US entirely for this but I do consider that they carry the greater part of the blame.

However, to answer your question more directly, the critical factor in building trust is the sharing of the raw intelligence data. One way of removing the lack of trust is hence to make all EU nations fully paid up members of Echelon in this respect. Of course it is not going to happen because the objectives are only partially overlapping, which, of course, is why we have the problem in the first place.

But rather than trying to change the behaviour of the US, the EU can easily remove the threat of Echelon if it wishes to do so. All it has to do is to promote the rapid and ***universal*** deployment of end-to-end cryptographic information protection (voice and data). It does not matter that much of this protection will be weak since it is the universal use of end-to-end encryption, not its strength, that will completely devastate Echelon.

In my view a determined EU plan to do just this would have created a situation in which the US would have talked to the European Parliament delegation!
Brian Gladman

From oml@eloka.demon.co.uk Mon, 9 Jul 2001 10:29:51 +0100
Date: Mon, 9 Jul 2001 10:29:51 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 09 July 2001 09:20
> To: UK Crypto Posting
> Subject: Re: Wired: Echelon Furor Ends in a Whimper
>
> From: "Owen Lewis"
> To:
> Sent: Friday, July 06, 2001 1:40 PM
> Subject: RE: Wired: Echelon Furor Ends in a Whimper
>
> > > -----Original Message-----
> > > From: ukcrypto-admin@chiark.greenend.org.uk
> > > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> > > Sent: 06 July 2001 11:52
> > > To: UK Crypto Posting
> > > Subject: Re: Wired: Echelon Furor Ends in a Whimper
> > >
> > > .....since we need to remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas.
> >
> > How would you propose that such a precise sorting of sheep from goats might be effected? This seems to me to be a fundamental issue and very much at the heart of the crypto debate.

I hadn't intended to get into an open ended discussion on the merits/demerits of an open exchange of raw intelligence data between the US and the EU states. Therefore, suffice it to say that your views as to the keeping and sharing of ECHELON, here snipped away, rest on an assumption that such a collection system can discriminate between a mass of 'white hats' and a small minority of 'black hats' - or sheep and goats to use the archaic metaphor.

It seems to me and many others that this is an intractable issue and I was interested as to whether you had a proposal for a general method by which such discriminatory targeting could be effected. What you wrote above seemed to indicate that you might.
> But rather than trying to change the behaviour of the US, the EU can easily remove the threat of Echelon if it wishes to do so. All it has to do is to promote the rapid and ***universal*** deployment of end-to-end cryptographic information protection (voice and data). It does not matter that much of this protection will be weak since it is the universal use of end-to-end encryption, not its strength, that will completely devastate Echelon.
>
> In my view a determined EU plan to do just this would have created a situation in which the US would have talked to the European Parliament delegation!

I do not understand. If one supposes that *all* electronic communication is end-to-end enciphered, how can this help 'remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas'? Surely all it would do is to reduce - undermine - if you prefer - its value in all its supposed functions?

The thing collects and analyses; that is all. It forms no conclusions and makes no judgements legal, moral, social or political. People apply those values to the product of the system. Now, if all the take is in cipher, a result of this will be markedly to reduce the amount of analysis that can be carried out and therefore seriously to reduce the value of the system as a whole.

From what you said, it seemed that this was not your goal and that neither did you believe that such a result would be inevitable. If I am right in this belief, I would like to understand how such a thing can be achieved. But perhaps I simply mistook your meaning?
Owen

From oml@eloka.demon.co.uk Mon, 9 Jul 2001 10:42:48 +0100
Date: Mon, 9 Jul 2001 10:42:48 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: Wired: Echelon Furor Ends in a Whimper

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 09 July 2001 09:20
> To: UK Crypto Posting
> Subject: Re: Wired: Echelon Furor Ends in a Whimper
>
> But rather than trying to change the behaviour of the US, the EU can easily remove the threat of Echelon if it wishes to do so. All it has to do is to promote the rapid and ***universal*** deployment of end-to-end cryptographic information protection (voice and data). It does not matter that much of this protection will be weak since it is the universal use of end-to-end encryption, not its strength, that will completely devastate Echelon.
>
> In my view a determined EU plan to do just this would have created a situation in which the US would have talked to the European Parliament delegation!

Alright, I can't resist :-)

There will *never* be such a determined plan because few if any at all of the member states would see it as in their interest to bring about such a situation. I think we may agree on this and that therefore also agree that any such wish can never become reality.

Individuals are, of course, free to make their own arrangements as they may require. Perhaps that is how it should be.

Owen

From brg@gladman.plus.com Mon, 9 Jul 2001 16:54:41 +0100
Date: Mon, 9 Jul 2001 16:54:41 +0100
From: Brian Gladman brg@gladman.plus.com
Subject: Wired: Echelon Furor Ends in a Whimper

From: "Owen Lewis"
To:
Sent: Monday, July 09, 2001 10:42 AM
Subject: RE: Wired: Echelon Furor Ends in a Whimper

> > In my view a determined EU plan to do just this would have created a situation in which the US would have talked to the European Parliament delegation!
>
> There will *never* be such a determined plan because few if any at all of the member states would see it as in their interest to bring about such a situation. I think we may agree on this and that therefore also agree that any such wish can never become reality.

I agree - it has always been clear that encryption use outside of government will come about in spite of rather than because of the wishes of most governments. I see this as inevitable because governments generally place even less trust in the people they are supposed to serve than people do in the governments that are supposed to serve them.

Brian

From brg@gladman.plus.com Mon, 9 Jul 2001 16:45:32 +0100
Date: Mon, 9 Jul 2001 16:45:32 +0100
From: Brian Gladman brg@gladman.plus.com
Subject: Wired: Echelon Furor Ends in a Whimper

From: "Owen Lewis"
To:
Sent: Monday, July 09, 2001 10:29 AM
Subject: RE: Wired: Echelon Furor Ends in a Whimper

[snip]

In order to avoid a long debate about this I should make it clear that I am in favour of the universal use of cryptography for end-to-end information protection.

I just happen to believe that the case for this is more likely to be undermined rather than strengthened by activities that are too limited in their coverage of the issues involved.
Brian From oml@eloka.demon.co.uk Mon, 9 Jul 2001 21:49:18 +0100 Date: Mon, 9 Jul 2001 21:49:18 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 09 July 2001 16:46 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > From: "Owen Lewis" > To: > Sent: Monday, July 09, 2001 10:29 AM > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > [snip] > In order to avoid a long debate about this I should make it clear > that I am > in favour of the universal use of cryptography for end-to-end information > protection. No long debate over that. I quite understand that to be your position. What I do not understand is one is to reconcile that with ".....remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas". If you have the answer to that, then you have a very powerful idea indeed. > > I just happen to believe that the case for this is more likely to be > undermined rather than strengthened by activities that are too limited in > their coverage of the issues involved. Sounds as though you might have a book in the making :-) However, whilst I can see a book being required properly to cover the ethics of governance and an analysis of realpolitik and social pathology in the 21st century, the crux, the philosopher's stone if there be one, would seem perforce to be a relatively straightforward technical issue. But then, as I was oft reminded in my younger years, 'all things are simple to the simple minded'. I can still struggle with that a bit. 
Owen From duncan@gn.apc.org Mon, 09 Jul 2001 19:12:02 +0100 Date: Mon, 09 Jul 2001 19:12:02 +0100 From: Duncan Campbell duncan@gn.apc.org Subject: Trading COMSAT Sigint in Europe (Echelon developments) 10 July 2001 Brian Gladman noted his views of the significance of intelligence exchanges and developments within Europe in a recent series of comments. Although the debate is being presented as between the raised voices of Americans who want to believe that nothing like Echelon exists or could possibly be used for economic related purposes, and Europeans who want to believe that it exists only for such purposes, some rather deeper and serious things are happening. A longer version of the account of this I wrote for the Guardian, already posted to cryptome, appears below. The original was truncated because of news developments. Duncan Campbell http://cryptome.org/eu-intel-fight.htm 4 July 2001. Thanks to Duncan Campbell. See related European Parliament Motion of Resolution on Echelon, dated July 4, 2001: http://cryptome.org/echelon-epmr.htm This report by Duncan Campbell about unusual developments in Europe related to Echelon appeared in the British Guardian on Tuesday 3 July, but was unfortunately published only in abbreviated form owing to late-breaking news of a verdict in a case of murder of famous British TV celebrity. The published version is at: http://www.guardian.co.uk/comment/story/0,3604,515928,00.htm Fight over Euro-intelligence plans The sudden closure of one of the world's largest spy stations is a potential harbinger of confrontation between the U.S. and Germany Duncan Campbell Today in Brussels, members of the European Parliament will vote to finalise a report that condemns the use of the British and American run "Echelon" international communications surveillance system as a breach of privacy, sovereignty and human rights.
The special report, which is expected to be adopted overwhelmingly by the full European Parliament at the start of September, calls for the European Convention on Human Rights to be amended to enforce the privacy of international communications to the same standard as applies to national communications. And it demands that the British and German government enforce their legal and treaty obligations to ensure proper supervision and accountability for secret US surveillance operations conducted from their territory. "The American authorities have repeatedly tried to justify the interception of telecommunications by accusing the European authorities of corruption and taking bribes", the report claims. But "the USA must leave the task of law enforcement to the host countries". To do otherwise is "a violation of human rights". Both Britain and Germany host giant satellite based listening stations which form the major part of the US international surveillance network. Bad Aibling Station, in a spa town south of Munich, was the world's first satellite spy base, and started operating in 1968. Menwith Hill Station, near Harrogate, is the largest electronic listening station in the world, and will play a major role in President Bush's controversial missile defence plans. The world's largest electronic spying system, of which Echelon is a part, is run by the UKUSA alliance of Australia, Britain, Canada, New Zealand and the US. It is founded on a still-secret 1948 agreement. The five nations share the take from their global network of surveillance stations. The only other worldwide systems are run by Russia, and by France, which has listening stations in South America and the South Pacific. A new European intelligence agency, in which Germany and France would take leading roles, would be a major challenge to the UKUSA group.
The developing spy base controversy has been foreseen as placing Britain under pressure to choose between its historic intelligence links with the US and the new European defence and intelligence initiatives spearheaded by the German government. These already include the construction of a joint European satellite receiving station at Torrejon, Spain. But a series of recent events points to a deeper and different schism being constructed in Europe, in which Washington appears to have moved pre-emptively to prevent British isolation and to undermine a German-led Europe rising over time to become a rival intelligence power. It is a battle that only Bonn seems so far to have anticipated and joined. In a little-reported development two days after the European Parliament report was published, irate US diplomats wrote to the German government to announce that, after lengthy negotiation with the central government and the state of Bavaria, the Bad Aibling base would peremptorily be closed. "We have decided to alter our course and will pursue a total closure .... The US will remove ...all operational equipment under its control, including antennas and computer processing equipment", the German foreign ministry was told. This decision was, according to the US military attache, "driven by the United States' government's desire to maintain good relations with your government, and also with the government of Bavaria". Only last year, the supreme US military commander in Europe testified to the US Senate about his plans to urgently expand Bad Aibling as a regional intelligence co-ordination centre. Then, the US had no intention of leaving. Now, hundreds of tons of top secret equipment will be pulled out by September 2002. The Bad Aibling row is the latest in a series of decisions from Bonn directly challenging the United States on intelligence policy issues. 
In 1999, Germany was the first major country to break ranks and denounce the US intelligence-inspired attempts to control private and commercial cryptography to levels they could easily break. France and most of the rest of Europe followed suit. By December, the United States government had been forced to abandon its until then successful decade old control policy on commercial and political grounds. Four months ago, an edict from Bonn reported in Der Spiegel specified that German military or foreign service computer systems would be prohibited from using the Microsoft Windows system, on grounds that the program code was not open and could not be checked for security or "back door" flaws. American designed computer operating systems would not be permitted for use on "sensitive" German government systems. The American riposte on Echelon came in early June, after President Bush visited Madrid. After the visit, Spanish and US officials openly spoke of new arrangements between the US and Spain to supply communications intelligence from the Echelon network to help fight ETA, the separatist Basque terrorist organisation. Spanish foreign minister Josep Pique confirmed that the US would be providing Spain with secret intelligence on ETA. "A lot can be done from the point of view of technology, information and detecting communications", he said. Government spokesmen confirmed that "new forms of cooperation with US intelligence services were still being worked on it opens a very promising field of action". Since most ETA terrorists operate from south-western France, the Spanish-American deal effectively endorsed and authorised US intelligence's activities in intercepting telephone calls and other communications systems operating in France. The Spanish prime minister, Jose-Maria Aznar, has also - alone in Europe - endorsed Bush's plans for new missile defence systems. But the ETA-tracking deal is actually the first visible sign of longer term U.S.
plans to set up new bilateral intelligence arrangements with selected European nations. The US has recently developed and extended intelligence links with Norway, Denmark, and Switzerland, and has offered anti-terrorist intelligence sharing to the Italian and Greek government, as well as the Spanish. At the remote village of Skibsbylejren near Hjorring in northern Denmark, and at Heimenschwand and Leuk in central Switzerland, contractors are now putting the finishing touches to a new network of satellite communications interception centres. The data they collect will be routed to processing centres at Zimmerwald and near Copenhagen, and then exchanged with other intelligence agencies. By the time they are complete in 2002, the new stations will be capable of simultaneously intercepting messages from about 25 satellites. This will provide the US with more capacity than is provided by the three smaller members of the current US alliance- Canada, Australia and New Zealand put together. Neither Denmark nor Switzerland has claimed that the new spy bases are being provided for national requirements. According to General Peter Regli, head of the Swiss Untergruppe Nachrichtendienst der Armee (UNA) military intelligence unit, the purpose of the Swiss system called SATOS-3 is to trade information with partner spy agencies. Most significantly, the policy of sharing anti-Echelon intelligence with Spain announced by President Bush is not new. The agreements were put in place under the previous Clinton administration. They were then put into operation on 15 September 2000, when a joint French-Spanish police operation netted 20 high-flying ETA figures, including Ignacio Gracia Arregui, believed to have been ETA's most senior military commander at the time. Back in Washington, administration officials gloated and said that when the right moment came, they would make use of these results and "let the damn Europeans stick this up their Echelon". 
This and other developments suggest that the U.S. intelligence agencies have long been planning how to overcome the new European intelligence and privacy concerns. Their goal appears to go further than merely protecting existing surveillance operations against privacy campaigners or restrictions proposed by the European Parliament. The greater target appears to be to head off, or at least subvert and minimise the impact of an independent European intelligence capability. Now, in Bavaria and the Basque country, these battle lines have been joined. ENDS From brg@gladman.plus.com Tue, 10 Jul 2001 09:25:04 +0100 Date: Tue, 10 Jul 2001 09:25:04 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "Owen Lewis" To: Sent: Monday, July 09, 2001 9:49 PM Subject: RE: Wired: Echelon Furor Ends in a Whimper [snip] > > -----Original Message----- > > From: ukcrypto-admin@chiark.greenend.org.uk > > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > > Sent: 09 July 2001 16:46 > > To: UK Crypto Posting > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > From: "Owen Lewis" > > To: > > Sent: Monday, July 09, 2001 10:29 AM > > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > > [snip] > > In order to avoid a long debate about this I should make it clear > > that I am > > in favour of the universal use of cryptography for end-to-end information > > protection. > > No long debate over that. I quite understand that to be your position. What > I do not understand is one is to reconcile that with ".....remove the > privacy and industrial/commercial espionage concerns raised by Echelon > without undermining its > value in other areas". If you have the answer to that, then you have a very > powerful idea indeed. 
I really want to avoid a long debate about this but my comment has to be considered in the context in which it was made, namely that of proposals that an EU Parliamentary group could make to protect commercial/industrial information assets in Europe. My suggestion (a) does this, and (b) does not impact significantly on the value of Echelon unless the content and domain so protected provides a substantial part of the value of Echelon. And in my view it doesn't. My comment about whether it would be sensible for Europe to do this was based on the possible 'domino effect' that such a move might trigger on a wider scale. However, for reasons I am not going to expand on, I don't think this is a significant concern. Brian From lawya@lucs-01.novell.leeds.ac.uk Tue, 10 Jul 2001 11:53:52 +0000 Date: Tue, 10 Jul 2001 11:53:52 +0000 From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk Subject: RIPA 2000 updates http://www.homeoffice.gov.uk/ripa/ripact.htm Consultation on section 12 will end on 24 August, 2001 http://www.homeoffice.gov.uk/ripa/section12.htm The Home Office website also states the following, absolutely brilliant: [I have received a few concerned messages from as far as Australia related to this hoax] --- We are aware that an email message is in circulation purporting to notify recipients that they have committed a spurious offence of "Internet Perversion" in apparent contravention of the Regulation of Investigatory Powers Act, referring recipients to a non-existent website for further details. This is a hoax and has no connection whatsoever to the Regulation of Investigatory Powers Act or any other piece of legislation. Anyone receiving this spammed message can safely delete and ignore it.
From oml@eloka.demon.co.uk Tue, 10 Jul 2001 20:33:01 +0100 Date: Tue, 10 Jul 2001 20:33:01 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 10 July 2001 09:25 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > From: "Owen Lewis" > To: > Sent: Monday, July 09, 2001 9:49 PM > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > [snip] > > > In order to avoid a long debate about this I should make it clear > > > that I am > > > in favour of the universal use of cryptography for end-to-end > information > > > protection. > > > > No long debate over that. I quite understand that to be your position. > What > > I do not understand is one is to reconcile that with ".....remove the > > privacy and industrial/commercial espionage concerns raised by Echelon > > without undermining its > > value in other areas". If you have the answer to that, then you have a > very > > powerful idea indeed. > > I really want to avoid a long debate about this but my comment has to be > considered in the context in which it was made, namely that of proposals > that an EU Parliamentary group could make to protect > commercial/industrial > information assets in Europe. > > My suggestion (a) does this, and (b) does not impact significantly on the > value of Echelon unless the content and domain so protected provides a > substantial part of the value of Echelon. > > And in my view it doesn't. I can't follow your train of thought in this matter - which may be a greater sadness to me than it is to you :) You also said: > But rather than trying to change the behaviour of the US, the EU > can easily remove the threat of Echelon if it wishes to do so.
All it > has to do is to > promote the rapid and ***universal*** deployment of end-to-end > cryptographic > information protection (voice and data). It does not matter that much of > this protection will be weak since it is the universal use of end-to-end > encryption, not its strength, that will completely devastate Echelon. To me, your different thoughts will not cohere. Either one might seek to "devastate" Echelon or one seeks to assure the major category of traffic passes unread/unanalysed whilst still facilitating the reading/analysis of selected traffic. 'Universal' end to end encryption might secure the first objective but one cannot see how it will assist the latter (other than by backdoors in all ciphers only operable selectively by user and only by court order etc etc) and I'm sure that would not be what you were driving at. Selective hoovering? I think not. Collection systems behave more like a dredge than a drift net with a specified minimum size of mesh. If your two expressions of thought are to interlock, we need to fit a missing piece. You are reluctant to provide that piece and that is that. No one is under any obligation - even of noblesse - to say more than he wishes. In any event, it is clear to both of us that the former objective is unobtainable for practical reasons. An idea for the latter thought would have been interesting though. ATB, Owen From jya@pipeline.com Tue, 10 Jul 2001 16:20:14 -0700 Date: Tue, 10 Jul 2001 16:20:14 -0700 From: John Young jya@pipeline.com Subject: Wired: Echelon Furor Ends in a Whimper A singular type of communication that the NSA is permitted by law to collect and retain indefinitely, no matter the source, even if the sources are otherwise proscribed communications of US persons, is cryptographic data. So the use of encryption in any form increases the odds that it will be collected and studied and/or indefinitely stored for future use. And if NSA does this surely do other nations' spooks.
Should end-to-end encryption become universal as Brian suggests, the question arises of what would be singular data for the NSA and like-snoops to collect and retain? Will it be all communication, along with burgeoning storage and sorting inventions such as NSA brags it is feverishly developing (Bamford reports), or will other characteristics be used to single out special data (and now used to sort through increasing encrypted data)? There are hints in the regulations governing NSA interception that there are other means to identify special data other than its cryptographic attributes. But only generic terms such as "technical" are used for those hints -- that is, when the terms are not censored altogether as cryptographic and TEMPEST terms once were. These musings come from a 1993 edition of NSA's USSID 18: http://cryptome.org/nsa-ussid18.htm Presumably end-points of end-to-end encryption will be easily identified for black bag jobs of the CIA/NSA's SIS teams and other nations' thieves -- or is it other nations' master bandits targets the US be breaking into just behind. From brg@gladman.plus.com Tue, 10 Jul 2001 23:16:45 +0100 Date: Tue, 10 Jul 2001 23:16:45 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "Owen Lewis" To: Sent: Tuesday, July 10, 2001 8:33 PM Subject: RE: Wired: Echelon Furor Ends in a Whimper > You also said: > > > But rather than trying to change the behaviour of the US, the EU > > can easily remove the threat of Echelon if it wishes to do so. All it > > has to do is to > > promote the rapid and ***universal*** deployment of end-to-end > > cryptographic > > information protection (voice and data). It does not matter that much of > > this protection will be weak since it is the universal use of end-to-end > > encryption, not its strength, that will completely devastate Echelon. > > To me, the your different thoughts will not cohere. 
I made a proposal for what the Euroepan Parliament could do to protect european information assets. I did not think that I needed to spell out that protecting european information assets in this way would not impact in a direct way on the capabilities of Echelon in respect of non-european information assets. Brian From brg@gladman.plus.com Wed, 11 Jul 2001 09:35:51 +0100 Date: Wed, 11 Jul 2001 09:35:51 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "John Young" To: Sent: Wednesday, July 11, 2001 12:20 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper [snip] > Should end-to-end encryption become universal as Brian suggests, > the question arises of what would be singular data for the NSA > and like-snoops to collect and retain? Will it be all communication, > along with burgeoning storage and sorting inventions such as NSA > brags it is feverishly developing (Bamford reports), or will other > characteristics be used to single out special data (and now used > to sort through increasing encrypted data)? End-to-end encryption, as such, does not hide traffic flow information so I suspect that collection and storage of encrypted traffic will be increasingly selective on the basis of 'who is talking to who' and other more subtle distinguishers. > There are hints in the regulations governing NSA interception that > there are other means to identify special data other than its > cryptographic attributes. But only generic terms such as "technical" > are used for those hints -- that is, when the terms are not censored > altogether as cryptographic and TEMPEST terms once were. When searching for 'needles in haystacks' it pays to use all the help you can get. Paradoxically, as we progressively deploy end-to-end crypto, we force information pirates to apply more energy to illicit data acces in end systems. 
And since data held in the latter is infinitely less protected than it is when cryptographically protected in transit, we may not see the improvements in information security that we expect from such a deployment. But, perhaps worse than this, system penetration is an active form of attack that poses some really serious safety concerns. If we find that systems penetration is increasingly used, it will not always be obvious before the event whether or not 'interfering' with a target system will pose serious safety risks. It is fairly obvious that enemy penetration of defence systems could be disastrous but increasingly the same is true of many civil systems. It is hence hardly a surprise that governments are now increasingly concerned about civil infrastructure protection but they face a legacy of 50+ years of government investment in insecurity. The consequences of the continuing inbalance of UK government investment in information expolitation and information protection was the primary cause of major disagreements between GCHQ and myself in the late 1980s and early 1990s. Brian From Nic.Alderson@yeg.co.uk Wed, 11 Jul 2001 10:09:33 +0100 Date: Wed, 11 Jul 2001 10:09:33 +0100 From: Nic.Alderson@yeg.co.uk Nic.Alderson@yeg.co.uk Subject: Are basic principles flawed? Consider the following: 1) I am intent on hiding my organisation's activity - for nefarious reasons. 2) I design an encryption tool to encrypt the meaning (not the content) of a document delivering an output in plain text as a readable document. In simplest form this could be no more than word substitution - but this should be vastly more sophisticated. 3) I encrypt this output using a second tool to scramble the content (or maybe I don't bother). 4) I publish the output of 3 in the public domain to Echelon or any other legal/illegal snooping technique. 
5) I become the target of intensive surveillance and I am obliged to deliver the key for action 3 and/or the authorities break the encryption unbeknown to me. The purpose of step 3 is obfuscation only. Three things are achieved:- a) I can argue that the output from 2 is the genuine article and has not been encrypted when interrogated under RIPA. b) Echelon (or any like snooper) will be mislead. c) Attempts to decrypt the meaning should sufficiently ambiguous to be meaningless. (i.e. many forms of arguably valid (readable) output could be achieved). This does not help the bona fide user and only works for text - but it is the principle I am after. =20 It undermines the basic tenet of these approaches to snooping and RIPA Nic From oml@eloka.demon.co.uk Wed, 11 Jul 2001 11:36:50 +0100 Date: Wed, 11 Jul 2001 11:36:50 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 11 July 2001 09:36 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > It is hence hardly a surprise that governments are now increasingly > concerned about civil infrastructure protection but they face a legacy of > 50+ years of government investment in insecurity. The consequences of the > continuing inbalance of UK government investment in information > expolitation > and information protection was the primary cause of major disagreements > between GCHQ and myself in the late 1980s and early 1990s. It is an interesting conundrum, isn't it? Moreover it's to be found in all countries and all walks of life. People and organisations will pay more and, in particular, will pay more readily to gain an advantageous position, compared to that which they (with reluctance) will pay to secure properly what they already have. 
Whereas govts do not think in terms of profit, I'm pretty sure that the universal motivation to the attitudes described is sub-consciously 'profit' driven. Profit is the reward for risk. Where risk is eliminated, profit flies out of the window. Security can never be a profit generator. At best, security diminishes risk. It is a key decision for senior management as to how far risk should be diminished. Those who are technically expert but are not in an organisation's senior management can and should advise on options and possible outcomes. They rarely if ever see sufficient of the whole game plan to evaluate properly their advice against the requirements of the whole game. Then too there is the sheer bumbling inefficiency that many large organisations can demonstrate from time to time. And we should not forget to mention personalities and personal interests interest. It can be hurtful when expert advice is neglected or even ignored. Those of us who peddle advice need thick hides and cups of cocoa at bedtime. Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 11:36:49 +0100 Date: Wed, 11 Jul 2001 11:36:49 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 10 July 2001 23:17 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > From: "Owen Lewis" > To: > Sent: Tuesday, July 10, 2001 8:33 PM > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > > You also said: > > > > > But rather than trying to change the behaviour of the US, the EU > > > can easily remove the threat of Echelon if it wishes to do so. All it > > > has to do is to > > > promote the rapid and ***universal*** deployment of end-to-end > > > cryptographic > > > information protection (voice and data). 
It does not matter that much > of > > > this protection will be weak since it is the universal use of > end-to-end > > > encryption, not its strength, that will completely devastate Echelon. > > > > To me, the your different thoughts will not cohere. > > I made a proposal for what the Euroepan Parliament could do to protect > european information assets. I did not think that I needed to spell out > that protecting european information assets in this way would not > impact in > a direct way on the capabilities of Echelon in respect of non-european > information assets. Then I apologise for my over-literality in failing to equate ***universal*** with 'all European'. However, given the multi-national' nature of most big business, a purely 'all-European' approach to 100% encryption must fail on practical grounds, rather on the 'governance' grounds we had previously discussed? Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 11:36:50 +0100 Date: Wed, 11 Jul 2001 11:36:50 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Are basic principles flawed? > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of > Nic.Alderson@yeg.co.uk > Sent: 11 July 2001 10:10 > To: ukcrypto@chiark.greenend.org.uk > Subject: Are basic principles flawed? > > > Consider the following: > > 1) I am intent on hiding my organisation's activity - for nefarious > reasons. > 2) I design an encryption tool to encrypt the meaning (not the content) > of a document delivering an output in plain text as a readable document. > In simplest form this could be no more than word substitution - but this > should be vastly more sophisticated. This is commonly referred to as 'veiled speech' and is very widely used. > 3) I encrypt this output using a second tool to scramble the content (or > maybe I don't bother). > 4) I publish the output of 3 in the public domain to Echelon or any > other legal/illegal snooping technique. 
> 5) I become the target of intensive surveillance and I am obliged to > deliver the key for action 3 and/or the authorities break the encryption > unbeknown to me. > > The purpose of step 3 is obfuscation only. > > Three things are achieved:- > a) I can argue that the output from 2 is the genuine article and has not > been encrypted when interrogated under RIPA. > b) Echelon (or any like snooper) will be mislead. > c) Attempts to decrypt the meaning should sufficiently ambiguous to be > meaningless. (i.e. many forms of arguably valid (readable) output could > be achieved). If I understand you correctly, what you are doing at 2 is not encryption but very simple coding, i.e. the substitution of a word or words for another or others for the purpose of concealing meaning. > > > This does not help the bona fide user and only works for text - but it > is the principle I am after. > It undermines the basic tenet of these approaches to snooping and RIPA I do not see that it does. Word substitution codes are enormously easier to break than are good ciphers, resembling a good crossword puzzle rather more than anything else. A suitable computer analysis will rip through most like a knife through butter. However, it is possible to design one that operates much more akin to a manual one time pad system. Such could raise the level of difficulty in decoding to level close to that of a very good cipher, however, in doing this the content will become entirely scrambles and it can no longer present as normal content. Such a system would be extremely laborious and error-prone. A third approach would be to conceal information in a graphics file in a manner where, the graphic can be viewed and the presence the information is undetectable unless one has the original graphics file to compare against. But this is a cipher system that uses a key. I can't see that any of this affects the current situation re. 'snooping' or the application of RIPA. 
The relevant provisions of RIPA are aimed at subverting any sense of inviolability in the use of PKC. Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 11:36:48 +0100 Date: Wed, 11 Jul 2001 11:36:48 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of John Young > Sent: 11 July 2001 00:20 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > A singular type of communication that the NSA is permitted by > law to collect and retain indefinitely, no matter the source, even > if the sources are otherwise proscribed communications of US > persons, is cryptographic data. So the use of encryption in > any form increases the odds that it will be collected and studied > and/or indefinitely stored for future use. Quite so. > Should end-to-end encryption become universal as Brian suggests, > the question arises of what would be singular data for the NSA > and like-snoops to collect and retain? Will it be all communication, > along with burgeoning storage and sorting inventions such as NSA > brags it is feverishly developing (Bamford reports), or will other > characteristics be used to single out special data (and now used > to sort through increasing encrypted data)? The real problem with "universal end to end encryption" is that its universality must depend on: a. Universal adoption of a single PKC. b. Large public key holding sites where all the public keys for known 'universe' are held and can be freely accessed. Should such a condition ever come about it would represent a most important target, not just to snoop agencies but quite possibly also to a major and sophisticated criminal interest. A part of the collective strength that encryption technology affords comes through the fielding of many diverse systems.
By definition this prevents a universality of enciphered communication. This in turn adds further operational security. > > There are hints in the regulations governing NSA interception that > there are other means to identify special data other than its > cryptographic attributes. But only generic terms such as "technical" > are used for those hints -- that is, when the terms are not censored > altogether as cryptographic and TEMPEST terms once were. As and when you get to take a look at Silent Runner, you might catch a glimpse or two of what some of these innovations may be. Owen > From brg@gladman.plus.com Wed, 11 Jul 2001 14:37:11 +0100 Date: Wed, 11 Jul 2001 14:37:11 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "Owen Lewis" To: Sent: Wednesday, July 11, 2001 11:36 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper > > -----Original Message----- > > From: ukcrypto-admin@chiark.greenend.org.uk > > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > > Sent: 10 July 2001 23:17 > > To: UK Crypto Posting > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > From: "Owen Lewis" > > To: > > Sent: Tuesday, July 10, 2001 8:33 PM > > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > > > You also said: > > > > > > > But rather than trying to change the behaviour of the US, the EU > > > > can easily remove the threat of Echelon if it wishes to do so. All it > > > > has to do is to > > > > promote the rapid and ***universal*** deployment of end-to-end > > > > cryptographic > > > > information protection (voice and data). It does not matter that much > > of > > > > this protection will be weak since it is the universal use of > > end-to-end > > > > encryption, not its strength, that will completely devastate Echelon. > > > > > > To me, your different thoughts will not cohere.
> > > > I made a proposal for what the European Parliament could do to protect > > european information assets. I did not think that I needed to spell out > > that protecting european information assets in this way would not > > impact in > > a direct way on the capabilities of Echelon in respect of non-european > > information assets. > > Then I apologise for my over-literality in failing to equate ***universal*** > with 'all European'. However, given the 'multi-national' nature of most big > business, a purely 'all-European' approach to 100% encryption must fail on > practical grounds, rather than on the 'governance' grounds we had previously > discussed? Interestingly, however, while I intended universal to mean universal within Europe, I don't think the global deployment of crypto would have as much impact on Echelon as many people think. But I thought you were right in the first place - that is, the idea fails the politics test, not the practicality test. Brian From matthew.pemble@btinternet.com Wed, 11 Jul 2001 10:29:12 +0100 Date: Wed, 11 Jul 2001 10:29:12 +0100 From: Matthew Pemble matthew.pemble@btinternet.com Subject: Are basic principles flawed? Nic.Alderson@yeg.co.uk wrote: > > Consider the following: > > 1) I am intent on hiding my organisation's activity - for nefarious > reasons. > 2) I design an encryption tool to encrypt the meaning (not the content) > of a document delivering an output in plain text as a readable document. > In simplest form this could be no more than word substitution - but this > should be vastly more sophisticated. This is encoding as opposed to encipherment. Codes are difficult to break for very low numbers of short messages, but as the data volume becomes higher, patterns emerge. > 3) I encrypt this output using a second tool to scramble the content (or > maybe I don't bother).
> It undermines the basic tenet of these approaches to snooping and RIPA Codes are difficult to generate and use effectively, which is why so much effort is put into ciphers. You are correct that "Send 2 and sixpence, we are going to a dance," is meaningless to automated systems, but if correlated with a move of reserve troops and an attack, the next time a similar message is sent and intercepted, assumptions will be made and automated filters updated. Matthew Pemble Eur Ing CEng MIEE MBCS AIMgt Technical Director Idrach Ltd Tel: + 44 (0) 7050 128620 Fax: + 44 (0) 1324 610367 Email: matthew@idrach.com Web: www.idrach.com From Ross.Anderson@cl.cam.ac.uk Wed, 11 Jul 2001 14:58:39 +0100 Date: Wed, 11 Jul 2001 14:58:39 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Wired: Echelon Furor Ends in a Whimper Owen: > It is an interesting conundrum, isn't it? Moreover it's to be found in all > countries and all walks of life. People and organisations will pay more and, > in particular, will pay more readily to gain an advantageous position, > compared to that which they (with reluctance) will pay to secure properly > what they already have. It's not a conundrum at all, but simple applied economics. Suppose that you head up a U.S. agency with economic intelligence among its objectives, and one of your scientists has just discovered a beautiful new exploit on Windows 2000. If you tell Bill, you might protect 250 million Americans; if you keep quiet, you will be able to conduct operations against 400 million Europeans and 100 million Japanese. What's more, you will get credit for operations you conduct successfully against foreigners, while any operations that they conduct successfully against U.S. targets will probably remain unknown to your superiors. This further emphasizes the motive for attack rather than defense. 
Finally -- and this appears to be less widely realized -- the balance in favour of attack rather than defense is still more pronounced in smaller countries such as Britain. We have fewer citizens to defend, and more foreigners to attack. For more, see my book, or the paper on economics and information security on my web page. Many of the things that appear to be perpetually frustrating, or just simply perverse, about infosec (and IT policy in general) have straightforward explanations - once you look at them using concepts from applied microeconomics, rather than moralising and handwaving. Ross From pleyland@microsoft.com Wed, 11 Jul 2001 08:36:02 -0700 Date: Wed, 11 Jul 2001 08:36:02 -0700 From: Paul Leyland pleyland@microsoft.com Subject: Are basic principles flawed? > From: Matthew Pemble [mailto:matthew.pemble@btinternet.com] > Codes are difficult to generate and use effectively, which is why so > much effort is put into ciphers. You are correct that "Send 2 and > sixpence, we are going to a dance," is meaningless to > automated systems, but if correlated with a move of reserve troops > and an attack, the next time a similar message is sent and > intercepted, assumptions will be made and automated filters updated. Ah, an example of cost-efficiency in the modern army. It was 3s 4d when I were a lad. Paul From jya@pipeline.com Wed, 11 Jul 2001 12:00:25 -0700 Date: Wed, 11 Jul 2001 12:00:25 -0700 From: John Young jya@pipeline.com Subject: Wired: Echelon Furor Ends in a Whimper Brian Gladman wrote: >Interestingly, however, while I intended universal to mean universal within >Europe, I don't think the global deployment of crypto would have as much >impact on Echelon as many people think. Echelon is one of an unknown number of global surveillance programs, as the earliest reports on Echelon observed. The undue exaggeration of Echelon has obscured attention to the other programs, again as knowledgeable reporters have repeatedly stated.
I understand that attempts to get the EuroParl Echelon committee to investigate the full range of surveillance programs, and not limit its inquiry to Echelon, was stymied by a willful determination not to look at the comprehensive apparatus, to restrict the investigation to what was publicly known already. The report released in May manages to continue diverting attention from the other programs while accurately and redundantly portraying Echelon as less than its exaggeration. To be sure, these other programs are classified and are not likely to be exposed by any party which is officially informed about them and thereby sworn to secrecy, as no doubt was some or all of the EP committee. It is probable that some classified briefings were given to the committee members who came to the US and then claimed they were rebuffed. Duncan Campbell and Nicky Hager, among others, have described the fuller range of programs and in some cases provided codenames and technical features. The Echelon word has served quite well to dazzle, perhaps blind to closer investigation and public revelation. And there is now a willful attempt to emphasize -- as with the title of this thread -- to proclaim the investigation to end with a whimper when what has occurred is a successful disinformation and defusing campaign. I spoke to the Wired reporter who wrote the story which started this thread and had to fight off his aggressive charge that Echelon had turned out to be less than expected and didn't I agree that was the case. No, I said, I do not agree. He repeated his demand that I agree the program had been exaggerated. I said I agreed that there had been exaggeration but not by knowledgeable reporters, but only by those who failed to do original investigation into global surveillance and merely recycled lurid tidbits of speculation.
I complimented the EP committee for making a helpful contribution to broadening public understanding of unrestrained global surveillance, but that it was irresponsible to look only at Echelon and not the gamut of programs operated by a slew of international spooks -- government, business and individuals -- well beyond what is commonly reported. I suggested the committee probably had learned enough, or already knew enough, about the other government programs to affirm the policy of keeping secrets out of public sight. No, repeat, no, public committee will ever report fully on governmental global surveillance. At best, reports will affirm what has been reported by journalists and "disgruntled" former spooks -- and the counter campaigns to disinform and defuse by the gov-biz-personal spook industry. The crypto angle of this is that one might rightfully suspect that benefits and dangers of encryption have been as exaggerated as Echelon for similar purposes -- to divert attention from far greater threats. Presumably Silent Runner is a tip of those, but it is known by name if not capability. And one characteristic of effective disinformation is to tease, taunt and disparage any accurate finding. From akm@92tr.freeserve.co.uk Wed, 11 Jul 2001 17:21:26 +0100 Date: Wed, 11 Jul 2001 17:21:26 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof From: Owen Lewis >> sending him some enciphered material (having created >> a key in his name which I later discard). > >This is one reason why PGP as 'strong cryptography for the masses' is a >flawed system. You would not be able to do this to me or to many others, >only to those who lay themselves open to this form of abuse. > >Owen That appears to be trivially easy to do, to me. What am I missing?
From akm@92tr.freeserve.co.uk Wed, 11 Jul 2001 17:25:11 +0100 Date: Wed, 11 Jul 2001 17:25:11 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia -----BEGIN PGP MESSAGE----- Version: PGPfreeware 6.5.8 for non-commercial use -----END PGP MESSAGE----- From matthew@idrach.com Wed, 11 Jul 2001 17:36:37 +0100 Date: Wed, 11 Jul 2001 17:36:37 +0100 From: Matthew Pemble matthew@idrach.com Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof Adrian Midgley wrote: > > From: Owen Lewis > > >> sending him some enciphered material (having created > >> a key in his name which I later discard). > > > >This is one reason why PGP as 'strong cryptography for the masses' is > a > >flawed system. You would not be able to do this to me or to many > others, > >only to those who lay themselves open to this form of abuse. > > > >Owen > > That appears to be trivially easy to do, to me. What am I missing? Nothing. It is trivial. Unlike a competent CA (or any other mythological creature) PGP does not (and cannot) check that you own the email address you are generating the key for.
-- Matthew Pemble Eur Ing CEng MIEE MBCS AIMgt Technical Director Idrach Ltd Tel: + 44 (0) 7050 128620 Fax: + 44 (0) 1324 610367 Email: matthew@idrach.com Web: www.idrach.com From akm@92tr.freeserve.co.uk Wed, 11 Jul 2001 17:39:58 +0100 Date: Wed, 11 Jul 2001 17:39:58 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia From: Matthew Pemble >Is there a magic community key for this? Why should there be? To whom is it encrypted and addressed? Ask them for the key. From David_Biggins@usermgmt.com Wed, 11 Jul 2001 17:58:15 +0100 Date: Wed, 11 Jul 2001 17:58:15 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: Ross Anderson [mailto:Ross.Anderson@cl.cam.ac.uk] > Sent: Wednesday, July 11, 2001 14:59 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper ... ... > Finally -- and this appears to be less widely realized -- the balance > in favour of attack rather than defense is still more pronounced in > smaller countries such as Britain. We have fewer citizens to defend, > and more foreigners to attack. And far less native software industry to offend, or to draw attention to the omissions... ## dave ## From lists@benzo8.org Wed, 11 Jul 2001 17:52:54 +0100 Date: Wed, 11 Jul 2001 17:52:54 +0100 From: John Sullivan lists@benzo8.org Subject: trivia At 05:39 PM 11/07/2001, you wrote: >Why should there be? >To whom is it encrypted and addressed? >Ask them for the key. Why cc it to a public list then? Or was it a mistake about which you're being brashly unapologetic? Me... -- www.sporadica.co.uk - "...a willful squandering of 'Net resources..." - Newsweak From akm@92tr.freeserve.co.uk Wed, 11 Jul 2001 18:08:03 +0100 Date: Wed, 11 Jul 2001 18:08:03 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia From: John Sullivan >Why cc it to a public list then? 
Or was it a mistake about which you're >being brashly unapologetic? It was deliberate[1]. It follows the thread "Re: R v.Lambert House of Lords and RIP reverse-burden-of-proof" I didn't think it was that opaque. [1] But it would be hard to prove that, of course. From DHowe@Hawkswing.demon.co.uk Wed, 11 Jul 2001 18:18:45 +0100 Date: Wed, 11 Jul 2001 18:18:45 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: trivia > It was deliberate[1]. > It follows the thread > "Re: R v.Lambert House of Lords and RIP reverse-burden-of-proof" > I didn't think it was that opaque. > [1] But it would be hard to prove that, of course. In that case, shouldn't you have uploaded the key to the keyservers so we could see who it was aimed at? (JackBootStraw@uk.gov would be a good choice :) From akm@92tr.freeserve.co.uk Wed, 11 Jul 2001 19:21:16 +0100 Date: Wed, 11 Jul 2001 19:21:16 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia From: David Howe >In that case, shouldn't you have uploaded the key to the keyservers so we >could see who it was aimed at ? I think that would be going a bit too far for the experiment, but assuming I had, the key would be identified as that of the addressee. I'd send it to you except it is deleted. Apropos of which, if you send an encrypted message to a public list, does RIPA suggest that all members of that list are assumed to have the ability to decrypt the message, unless they can prove that they have never had such ability? How many people would one have to send the chaff to in order to render it embarrassing for an LEA to demand that all of them prove they were not the assumed single real destination of the message? From oml@eloka.demon.co.uk Wed, 11 Jul 2001 19:59:42 +0100 Date: Wed, 11 Jul 2001 19:59:42 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Are basic principles flawed?
> -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Paul Leyland > Sent: 11 July 2001 16:36 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Are basic principles flawed? > > > > > From: Matthew Pemble [mailto:matthew.pemble@btinternet.com] > > > Codes are difficult to generate and use effectively, which is why so > > much effort is put into ciphers. You are correct that "Send 2 and > > sixpence, we are going to a dance," is meaningless to > > automated systems, but if correlated with a move of reserve troops > > and an attack, the next time a similar message is sent and > > intercepted, assumptions will be made and automated filters updated. > > Ah, an example of cost-efficiency in the modern army. > > It was 3s 4d when I were a lad. Nah. It's an example of the Chinese Whisper code. Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 19:59:41 +0100 Date: Wed, 11 Jul 2001 19:59:41 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ross Anderson > Sent: 11 July 2001 14:59 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Owen: > > > It is an interesting conundrum, isn't it? Moreover it's to be > found in all > > countries and all walks of life. People and organisations will > pay more and, > > in particular, will pay more readily to gain an advantageous position, > > compared to that which they (with reluctance) will pay to > secure properly > > what they already have. > > It's not a conundrum at all, but simple applied economics. > > Suppose that you head up a U.S. agency with economic intelligence > among its objectives, and one of your scientists has just discovered a > beautiful new exploit on Windows 2000. 
If you tell Bill, you might > protect 250 million Americans; if you keep quiet, you will be able to > conduct operations against 400 million Europeans and 100 million > Japanese. > > What's more, you will get credit for operations you conduct > successfully against foreigners, while any operations that they > conduct successfully against U.S. targets will probably remain unknown > to your superiors. This further emphasizes the motive for attack > rather than defense. If 250 million Americans have a generation to a generation and a half lead in the key technologies of the present and future world, will you choose to protect that or maintain your capability to hack the other 6 billion people on this planet, a fair number of whom are not yet far removed from the stone age? To follow your argument, one must. No, it's simpler than you seem to allow. Security never turns a profit. Taking a risk usually does. The trick lies in the gauging of risk and the reward. Security is simply the also-ran that should prevent unforeseen risk becoming catastrophic. It would be interesting to document some case studies along these lines. It's a common experience that when catastrophe has struck, there was no single, glaring omission in the security procedures but rather a general laxness that has allowed several minor and seemingly unrelated lapses to occur. One day, by no more than ill luck, these lapses align into a formation that enables a massive, overwhelming and entirely unforeseen disaster to occur. I think that good security management may be about maintaining a level of efficiency that prevents such situations rather than in constructing some mega-dollar fortress that consumes profit (proponents of SDI please note). Also, there's the useful maxim that, whatever your endeavour, you should get 80% of the possible benefit for only 20% of the possible spend.
Those who seek something substantially better than 80% will see their costs start to rise so that very small increments in gain cost the earth. > Finally -- and this appears to be less widely realized -- the balance > in favour of attack rather than defense is still more pronounced in > smaller countries such as Britain. We have fewer citizens to defend, > and more foreigners to attack. Again, it does not follow. If it did, by the time you scale down to the likes of thee and me, we should be putting all that we have, every day, into the most rabid attacks, ripping off all and sundry. But we do not. In the main, we behave as rational and perhaps even likeable persons. Now, that thought you *can* scale back upwards, if you like. The real point is actually a different one, I believe. If one bothered to do the homework, I think one might find that there is a common ratio in the balance of commitment of resources to offence and defence. The military have thought so for a long time and indeed the ratio commonly applied has not changed for hundreds of years. That ratio is three to one. As a rule of thumb this means that one could pare down the defensive 'budget' to a third of an offensive budget without running any undue risks. Yet a gifted strategist may be continually triumphant in the face of a ratio of eight or even nine to one of a defence over his offensive. Genghis Khan, Napoleon, Von Manstein, MacArthur q.v. So perhaps the best trick is to establish correctly whether you are taking on the Great Khan or Gen Westmoreland. In business (some of) the cries are different but the realities of such matters can be remarkably similar.
Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 19:59:42 +0100 Date: Wed, 11 Jul 2001 19:59:42 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian > Midgley > Sent: 11 July 2001 17:21 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: R v.Lambert House of Lords and RIP reverse-burden-of-proof > > > From: Owen Lewis > > >> sending him some enciphered material (having created > >> a key in his name which I later discard). > > > >This is one reason why PGP as 'strong cryptography for the masses' is > a > >flawed system. You would not be able to do this to me or to many > others, > >only to those who lay themselves open to this form of abuse. > > > >Owen > > That appears to be trivially easy to do, to me. What am I missing? I get unsolicited enciphered mail I return it to sender. I get a second I return it with a cease and desist message. A third and mail delivery to me will be blocked. There also requires to be a criminal conspiracy sufficiently convincing to get a notice served on me. Don't think so somehow but feel free to put it to the test, if you'd really want to risk the prison sentence that may lie at the end of such a ploy. Owen From oml@eloka.demon.co.uk Wed, 11 Jul 2001 20:33:08 +0100 Date: Wed, 11 Jul 2001 20:33:08 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: trivia > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian > Midgley > Sent: 11 July 2001 19:21 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: trivia > > > From: David Howe > > >In that case, shouldn't you have uploaded the key to the keyservers > so we > >could see who it was aimed at ?
> > I think that would be going a bit too far for the experiment, but > assuming I had, the key would be identified as that of the addressee. > I'd send it to you except it is deleted. Really? You might be surprised at what still lurks in the depths of the PC on which you created it? Now, on your honour, did you do it on your own PC or did you, in dark glasses and a bandanna, tab down to a cyber cafe in the next county (on public transport) to create it. Marks to you if you did the latter but the former seems more likely. Tell? Cross your heart and hope to die? Besides, you now need to conspire to pervert the course of justice if you are going to get a notice served on the recipient. If it were me, I'd fold now rather than up the ante but advising people how they should act is usually a sterile activity. We wait with bated breath. Or should that be with baited breath? Owen From steve@greenend.org.uk Wed, 11 Jul 2001 21:03:35 +0100 Date: Wed, 11 Jul 2001 21:03:35 +0100 From: Stephen Early steve@greenend.org.uk Subject: trivia (fwd) You may be amused by this bounce which was received at the ukcrypto-admin address... So, Adrian can't get the relevant subscriber into trouble?
Stephen Early UKcrypto mailing list administrator From: MailScan.Reports@yeg.co.uk To: ukcrypto-admin@chiark.greenend.org.uk Subject: RE:trivia Date: Wed, 11 Jul 2001 18:49:38 +0100 (BST) Your message contains encrypted data and it has been blocked. Either you or the recipient does not have permission to send\receive encrypted mail. Please contact your system administrator for help.
From brg@gladman.plus.com Wed, 11 Jul 2001 21:41:36 +0100 Date: Wed, 11 Jul 2001 21:41:36 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "Owen Lewis" To: Sent: Wednesday, July 11, 2001 11:36 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper [snip] > > Should end-to-end encryption become universal as Brian suggests, > > the question arises of what would be singular data for the NSA > > and like-snoops to collect and retain? Will it be all communication, > > along with burgeoning storage and sorting inventions such as NSA > > brags it is feverishly developing (Bamford reports), or will other > > characteristics be used to single out special data (and now used > > to sort through increasing encrypted data)? > > The real problem with "universal end to end encryption" is that its > universality must depend on: > > a. Universal adoption of a single PKC. > b. Large public key holding sites where all the public keys for known > 'universe' are held and can be freely accessed. It was, I hope, clear from what I said that I was suggesting that all information exchanges within a particular domain should be encrypted on an end-to-end basis (I intended the domain to be Europe but some took the domain to be global). But at no time did I suggest that everyone in the domain in question should be able to exchange encrypted information with everyone else in the domain. This is an equally valid but different (and stronger) use of the term 'universal' than the one I employed. And for my use of the term neither (a) nor (b) above is necessary (I don't consider these as necessary for the stronger use of the term either but that's another story). Brian From georgefoot@oxted.demon.co.uk Wed, 11 Jul 2001 22:06:11 +0100 Date: Wed, 11 Jul 2001 22:06:11 +0100 From: George Foot georgefoot@oxted.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper July 11th.
2001 Some further thoughts: Facilities to intercept messages of every kind are important weapons of war for which governments will always make provision and continue to develop further at large expense to try to secure superiority one over another. A form of military alliance is created if such interception facilities are facilitated by sharing them between a few governments and this co-operation may be concealed as long as possible. Various groups of countries may have different arrangements of this kind but assuredly each will also have secrets which they are not prepared to disclose one to the other. It would be unwise to place any credence on statements made by governments concerning arrangements of this stealthy character and in particular any information on overlaps between national and commercial interests can never be fathomed to the full. Any release by a government of a cryptosystem intended and sanctioned for commercial use is suspect inasmuch as suspicions inevitably arise that the government concerned can break it without too much trouble. Thus it may serve its purpose for everyday commercial use but give rise to endless recriminations (some true, some false) if there is a leak or appears to be a leak of confidential commercial information on a particular occasion of importance. The most comfortable situation for a commercial enterprise would be to make use of a cryptosystem devised by itself and revealed to no other organization. This independence would be resisted by governments who would have an exaggerated and paranoiac concern to prevent such liberties of choice. Nevertheless freedom to select and use one's own cryptosystem may come about in practice because of the immense difficulties in government regulation of encryption which have been revealed in strenuous discussions on this subject in recent time.
Would it assist, I ask myself, to use a form of escrow which set out full details and passwords of a private cryptosystem in a tamper-evident package which was lodged with a neutral agency and which was only opened in exceptional circumstances on command of the judiciary itself when need arose during judicial proceedings. I suggest that it might be a condition of the issue of a government licence for the use of a private cryptosystem that such a tamper-evident package first be lodged with the neutral agency -- which agency itself would have no authority to open the package but which would have the duty to produce the package at any time to show that it had not been opened. Of course this procedure would be much less restrictive of the use of cryptography than governments would like to impose or by nature have the temperament to permit. But in these days it is as necessary for two business men to discuss commercial matters privately when they are apart as for two diplomats in different countries to conduct government business in private. Apologies if the idea outlined above has been discussed previously. George In message <006f01c109e4$88d4de90$72289fd4@fortytwo>, Brian Gladman writes >End-to-end encryption, as such, does not hide traffic flow information so I >suspect that collection and storage of encrypted traffic will be >increasingly selective on the basis of 'who is talking to who' and other >more subtle distinguishers. > >> There are hints in the regulations governing NSA interception that >> there are other means to identify special data other than its >> cryptographic attributes. But only generic terms such as "technical" >> are used for those hints -- that is, when the terms are not censored >> altogether as cryptographic and TEMPEST terms once were. > >When searching for 'needles in haystacks' it pays to use all the help you >can get.
> >Paradoxically, as we progressively deploy end-to-end crypto, we force >information pirates to apply more energy to illicit data access in end >systems. And since data held in the latter is infinitely less protected >than it is when cryptographically protected in transit, we may not see the >improvements in information security that we expect from such a deployment. > >But, perhaps worse than this, system penetration is an active form of attack >that poses some really serious safety concerns. If we find that systems >penetration is increasingly used, it will not always be obvious before the >event whether or not 'interfering' with a target system will pose serious >safety risks. It is fairly obvious that enemy penetration of defence >systems could be disastrous but increasingly the same is true of many civil >systems. > >It is hence hardly a surprise that governments are now increasingly >concerned about civil infrastructure protection but they face a legacy of >50+ years of government investment in insecurity. The consequences of the >continuing imbalance of UK government investment in information exploitation >and information protection was the primary cause of major disagreements >between GCHQ and myself in the late 1980s and early 1990s. > > Brian > > > > -- George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk/ http://www.oxted.demon.co.uk/index.html From richard@highwayman.com Wed, 11 Jul 2001 23:24:59 +0100 Date: Wed, 11 Jul 2001 23:24:59 +0100 From: Richard Clayton richard@highwayman.com Subject: trivia -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <156101c10a36$472ce1c0$d400000a@jupiter.92tr.freeserve.co.uk> , Adrian Midgley writes >Apropos of which, if you send an encrypted message to a public list, >does RIPA suggest that all members of that list are assumed to have >the ability to decrypt the message, unless they can prove that they >have never had such ability?
RIP S49(2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds- (a) that a key to the protected information is in the possession of any person, (b) that the imposition of a disclosure requirement in respect of the protected information is- (i) necessary on grounds falling within subsection (3), or (ii) necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty, (c) that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and (d) that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section, the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information. so, the S49 notice server would have to reasonably believe that someone on the list had the key... however, having served one notice I don't think they could continue serving notices on anyone else until the first notice had timed out and had failed to provide the information [since the test in (d) wouldn't be met on the second and subsequent notices until the first one had failed]. >How many people would one have to send the chaff to in order to render >it embarrassing for an LEA to demand that all for them prove they were >not the assumed single real destination of the message? I don't think an LEA that had reasonable grounds would ever be embarrassed; and one that did not have reasonable grounds would be acting unlawfully... so I doubt that the count would be relevant - -- richard richard.clayton @ h i g h w a y m a n . 
com "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO0zSOxfnRQV/feRLEQIg8gCgvtoBSmqyBd6DR+OpJZE6HXcoj4wAniod FR7l6CvD4Xj9drEtt+utgnob =6u5m -----END PGP SIGNATURE-----
From k.brown@ccs.bbk.ac.uk Thu, 12 Jul 2001 09:41:01 +0100 Date: Thu, 12 Jul 2001 09:41:01 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Wired: Echelon Furor Ends in a Whimper > If 250 million Americans have a generation to a generation and a half lead > in the key technologies of the present and future world, 30-50 years? Rubbish. For software anyway (which is more or less what we're talking about) we all use the same stuff now. The technological lead of the rich countries is a wealth lead, not a knowledge one. If Pakistan or Iran had the money and the infrastructure they could build the same stuff the Americans can, more or less. Science is international. Software more or less is. > will you choose to > protect that or maintain your capability to hack the other 6 billion people > on this planet, a fair number of whom are not yet far removed from the stone > age? Bollocks. What utter crap. I assume you are exaggerating for effect, and not, as your language seems to indicate, a wizened old racist git who wishes all the darkies would go home. From oml@eloka.demon.co.uk Thu, 12 Jul 2001 10:07:39 +0100 Date: Thu, 12 Jul 2001 10:07:39 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ken Brown > Sent: 12 July 2001 09:41 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Bollocks. What utter crap. I assume you are exaggerating for effect, > and not, as your language seems to indicate, a wizened old racist git > who wishes all the darkies would go home. You are right only insofar as I was not exaggerating for any wizened old racist git who wishes all the darkies would go home.
So you can safely put your pyjamas back on and stop gibbering and waving things around. If we cannot keep contributions strictly on topic, do let's try to contain personal insult within collegial forms. Or better yet, forgo them entirely? Owen From peter.fairbrother@ntlworld.com Thu, 12 Jul 2001 11:32:36 +0100 Date: Thu, 12 Jul 2001 11:32:36 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Wired: Echelon Furor Ends in a Whimper > John Young at jya@pipeline.com wrote: > A singular type of communication that the NSA is permitted by > law Is a USSID law? If not, what law are you referring to? > to collect and retain indefinitely, no matter the source, even > if the sources are otherwise proscribed communications of US > persons, is cryptographic data. What is cryptographic data? Do you mean encrypted data? [snip] > These musings come from a 1993 edition of NSA's USSID 18: > > http://cryptome.org/nsa-ussid18.htm > > Presumably end-points of end-to-end encryption will be easily > identified for black bag jobs of the CIA/NSA's SIS teams and > other nations' thieves -- or is it other nations' master bandits > targets the US be breaking into just behind. ??? -- Peter From k.brown@ccs.bbk.ac.uk Thu, 12 Jul 2001 11:43:13 +0100 Date: Thu, 12 Jul 2001 11:43:13 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Wired: Echelon Furor Ends in a Whimper Owen Lewis wrote: > If we cannot keep contributions strictly on topic, do let's try to contain > personal insult within collegial forms. Or better yet, forgo them entirely? It was you who introduced offensive language, I just escalated it. I really do have "zero tolerance" for the implied nationalism and racism of the language you used, so I replied in anger, and do not regret it. There is a long-lasting line of argument from the establishment which creates demons to scare the rest of us into doing what we are told.
The "hardly out of the stone age" nonsense just fits right in with the demonisation of foreigners, the idea that there are hordes of uncivilised savages just over the water, slavering to come in and rape our poor little country, and we had jolly well better stick together and keep the bastards out. It is an older lie than the one about the War on Drugs, or the one about paedophiles, or the one about asylum seekers, or the one about Jews, but it fits into the same pattern. Get people afraid so they obey orders. If you did not realise that you were talking that kind of language, if you thought that the things you were saying were acceptable, then it is time for you to wake up and pay attention. And don't wibble on about "political correctness" or say I am trying to exercise censorship. I think you have every right to say unacceptable things, just as I have every right not to accept them. Ken Brown From oml@eloka.demon.co.uk Thu, 12 Jul 2001 12:50:30 +0100 Date: Thu, 12 Jul 2001 12:50:30 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ken Brown > Sent: 12 July 2001 11:43 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > I really do have "zero tolerance" for the implied nationalism and racism > of the language you used, so I replied in anger, and do not regret it. Taken off list. Owen From jim_bond2000@yahoo.co.uk Thu, 12 Jul 2001 13:41:44 +0100 (BST) Date: Thu, 12 Jul 2001 13:41:44 +0100 (BST) From: =?iso-8859-1?q?Jim=20Bond?= jim_bond2000@yahoo.co.uk Subject: Taken Off List On 12 July 2001 11:43 Owen Lewis wrote: > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > I really do have "zero tolerance" for the implied nationalism and racism > of the language you used, so I replied in anger, and do not regret it. Taken off list.
Owen If this means Mr Brown has been taken off of the list then I am appalled. I would be interested to hear your justification (presumably other than "use of bad language"). You have failed to reproduce important aspects of Mr Brown's response particularly: " ..... or say I am trying to exercise censorship. I think you have every right to say unacceptable things, just as I have every right not to accept them." Mr Brown's response (containing the snippet above) was argumentative and had some merit - albeit obviously unacceptable to Owen. The apparent removal of Mr Brown seems to smack of censorship and non acceptance of other people's rights to express an opinion. If the reason is that the response was off topic then perhaps a review of the archive is justified - unfortunately I think that you will find that most contributors will have been guilty on numerous occasions and that equality of treatment requires their removal from the list! The later parts of the debate about echelon, together with numerous puerile postulations, would seem to justify removal from the list under this criteria! It certainly falls within the category of unconstructive waffle! best regards to all - let's return to constructive and rational debate please! Jim - an avid listener but 1st time contributor. ===== Resurgum From steve@greenend.org.uk Thu, 12 Jul 2001 14:58:39 +0100 Date: Thu, 12 Jul 2001 14:58:39 +0100 From: Stephen Early steve@greenend.org.uk Subject: Taken Off List On Thursday, 12 Jul 2001, Jim Bond wrote: > On 12 July 2001 11:43 > Owen Lewis wrote: > > > Taken off list. > > If this means Mr Brown has been taken off of the list > then I am appalled. I would be interested to hear your > justification (presumably other than "use of bad > language"). No, it doesn't mean that.
It means that Owen Lewis has decided to carry on his conversation with Ken Brown by private email rather than in public on the mailing list. His comment to the list indicates that he does not consider the matter closed. I am the only person who can remove subscribers from the list, and I have never done so[1]. (Obviously subscribers can remove themselves.) Stephen Early UKcrypto mailing list administrator [1] Except in the usual course of managing the list: when it becomes obvious from the number and type of bounces received that an address has 'gone away' permanently or is suffering a long-term technical problem, that address will be removed. This happens about three or four times per week. From jon+ukcrypto@unequivocal.co.uk Thu, 12 Jul 2001 15:02:43 +0100 Date: Thu, 12 Jul 2001 15:02:43 +0100 From: Jon Ribbens jon+ukcrypto@unequivocal.co.uk Subject: Taken Off List Jim Bond wrote: > Taken off list. > > If this means Mr Brown has been taken off of the list > then I am appalled. I would be interested to hear your > justification (presumably other than "use of bad > language"). No, it means that the *discussion* has been voluntarily taken to private email ;-) From akm@92tr.freeserve.co.uk Thu, 12 Jul 2001 15:15:39 +0100 Date: Thu, 12 Jul 2001 15:15:39 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia From: Owen Lewis >Really? You might be surprised at what still lurks in the depths of the PC >on which you created it? I might be, however I downloaded and compiled Apache shortly after deleting it, and routinely defragmenting the drive. So SQUIDs apart, I think it is unlikely to be hanging around by accident.
Rather more to the point though, it is well known that PGP can encrypt messages to the recipient only, and although we are saying in public that you have never had the key which was labelled with your identity, and that if it could be found on one of the machines on one of my networks this is not because you sent it to me by an unapparent channel... I don't have to prove that, and under RIPA by the meaning I believe is generally agreed on this list _you_ might have to try. >Besides, you now need to conspire to pervert the course of justice if you >are going to get a notice served on the recipient. How so? Seems to me that it would only be necessary for me to commit a crime for you to appear in the list of people with whom I have corresponded, encryptedly, and that is not normally described as perverting the course of justice. Alternatively, if somebody else perverts or otherwise influences justice, they might trigger that notice. Irritated anyone recently? A local doctor was recently arrested in relation to material in storage on his computer, now I know of no reason why anyone should connect me to him, since we have few interests in common, however if they did for reasons only known to themselves, they might then choose to follow that trail onward, might they not. And not from my intention. >If it were me, I'd fold now rather than up the ante but advising people how >they should act is usually a sterile activity. Oh indeed so, but it pays fairly well. >We wait with bated breath. Or should that be with baited breath? I don't advise you to hold your breath.
From oml@eloka.demon.co.uk Thu, 12 Jul 2001 15:33:40 +0100 Date: Thu, 12 Jul 2001 15:33:40 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Taken Off List > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Jim Bond > Sent: 12 July 2001 13:42 > To: ukcrypto@chiark.greenend.org.uk > Subject: Taken Off List > > > On 12 July 2001 11:43 > Owen Lewis wrote: > > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > I really do have "zero tolerance" for the implied > nationalism and racism > > of the language you used, so I replied in anger, and > do not regret it. > > Taken off list. > > Owen > > If this means Mr Brown has been taken off of the list > then I am appalled. I would be interested to hear your > justification (presumably other than "use of bad > language"). KB may be off his trolley and my response to him may have been off-list as none of this twaddle belongs here. However, as you will know if you read your list subscription bits and pieces, this list is managed by Stephen Early and hosted by greenend.org. If it helps your cornflakes settle better, do be advised that the pettiness of complaining over a rude, crass, misinformed, irrational and irrelevant outburst would never have occurred to me til prompted by your good self. Life is much too short and, doubtless, none of us is perfect and most of us have off days (or should that be off-days?). > best regards to all - lets return to constructive and > rational debate please! That is the general aim. If you feel another such interjection coming on, it might be best first to ascertain the facts and then, if you must, take up the matter off-list; it contributes nothing here. > > Jim - an avid listener but 1st time contributor. Crypto & relevant law, methinks, though many of us can't seem to resist the odd bit of gossip about general spookery and the wickedness there is in this world. 
Owen From lists@benzo8.org Thu, 12 Jul 2001 14:56:13 +0100 Date: Thu, 12 Jul 2001 14:56:13 +0100 From: John Sullivan lists@benzo8.org Subject: Taken Off List At 01:41 PM 12/07/2001, Jim Bond wrote: > > Taken off list. > >If this means Mr Brown has been taken off of the list >then I am appalled. I would be interested to hear your >justification (presumably other than "use of bad >language"). It means that Owen has taken the conversation off the list and is continuing it with Ken in private email, which was exactly the right thing to do. Anyhow, welcome yourself (as a first timer), and if that is the coherence of message you produce when you're not sure of your facts, I for one am looking forward to your contributions when you're on home-turf, knowledge-speaking! Me... -- www.sporadica.co.uk - "...a willful squandering of 'Net resources..." - Newsweak From oml@eloka.demon.co.uk Thu, 12 Jul 2001 16:44:43 +0100 Date: Thu, 12 Jul 2001 16:44:43 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: trivia > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian > Midgley > Sent: 12 July 2001 15:16 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: trivia > > > From: Owen Lewis > > >Really? You might be surprised at what still lurks in the depths of > the PC > >on which you created it? > > I might be, however I downloaded and compiled Apache shortly after > deleting it, and routinely defragmenting the drive. So SQUIDs apart, > I think it is unlikely to be hanging around by accident. > Rather more to the point though, it is well known that PGP can encrypt > messages to the recipient only, and although we are saying in public > that you have never had the key which was labelled with your identity, > and that if it could be found on one of the machines on one of my > networks this is not because you sent it to me by an unapparent > channel... Why *on earth* should I send you my secret key?
The fact that there is a *public* key sculling about with my name on it proves nothing whatsoever and their masters, if not junior plods and plodesses, understand that. Or did you destroy the public key as well? I have had for years a public key that claims its association with Bill Clinton. Do you suppose that Bill Clinton knows any thing about it? Do you suppose that a judge is going to take my possession of it as evidence that I am in secret correspondence with Bill Clinton? > I don't have to prove that, and under RIPA by the meaning I believe is > generally agreed on this list _you_ might have to try. > > >Besides, you now need to conspire to pervert the course of justice if > you > >are going to get a notice served on the recipient. > > How so? Seems to me that it would only be necessary for me to commit > a crime for you to appear in the list of people with whom I have > corresponded, encryptedly, and that is not normally described as > perverting the course of justice. Alternatively, if somebody else > perverts or otherwise influences justice, they might trigger that > notice. Irritated anyone recently? Not infrequently and some of them are genuinely to be supped with using a spoon tied to the end of a long bargepole. However I remain unimpressed by the threat you hypothecate. > A local doctor was recently arrested in relation to material in > storage on his computer, now I know of no reason why anyone should > connect me to him, since we have few interests in common, however if > they did for reasons only known to themselves, they might then choose > to follow that trail onward, might they not. > And not from my intention. I think your fears are unnecessary. As I understand it, there must be good reason to demand a key and no balance of probability that such a demand is being unreasonably defied. How is A to put B into such a position inadvertently?
I think that if A is suspected of a serious crime and has been in enciphered correspondence with B, then B might be asked to deliver up correspondence or key. Fair enough. There *has* been correspondence and there *is* (or has been) a secret key that was once in my possession. Were I 'B', I'd have the key and would deliver as demanded (albeit without the best of grace). But you suggest something else. That A will create a secret key and destroy it, using its public twin to send a string of unsolicited correspondence to B with the intention of having him suffer falsely at the hands of the law. Whether A is ever able to do this will depend much on the actions of B. Should you propose that such consequences for B might be brought about by a single mail (rendering quite limited any reaction by B), I suggest that A (mens rea already existing from the creation of the false key pair?) before this point is reached A must elaborate a conspiracy to bring the matter to the attention of the authorities and have them act upon it. Wow! A must want B's scalp badly enough to risk a couple of years in jail for the satisfaction of making waves (for B that still are unlikely to pass close scrutiny). Or else A's as thick as two short planks and doesn't bother to consider the chances that his conspiracy will fail. Since A is clearly of a criminal bent, he should find it direct, certain and with less possibility of comeback to have B found, intoxicated and in bed with his strangled wife. If B were a GP, the whole world knows about doctors and drug abuse and therefore a rich palette of intoxicants makes itself available and the events all the more credible? Yes, people will commit crime. Yes some of those who do get away with it but I think your proposition is definitely high risk. If you think otherwise, let us depersonalise it, lay out a plot and dissect it here. Start with the creation of a key pair with the intent to pervert the course of justice. 
Next the delivery of an unsolicited mail in furtherance of the conspiracy (containing does it matter what?). What does A do next to develop his plan? Say too A has destroyed one or both parts of the key pair created. Was the public key signed, by whom and do they know A? Is it necessary to buy their perjured evidence in due course? For the moment, the one point that comes across out of your proposition is that it gives yet another reason for why one should ever facilitate enciphered traffic from strangers. Of course B might find that A was his partner and that would be rather more tricky to manage. However, there are enough ideas here for the time being, should you wish to take a scenario further. Owen From jya@pipeline.com Thu, 12 Jul 2001 08:11:33 -0700 Date: Thu, 12 Jul 2001 08:11:33 -0700 From: John Young jya@pipeline.com Subject: Wired: Echelon Furor Ends in a Whimper Peter Fairbrother asks several questions: USSID's are regulations and procedures developed on the basis of law governing NSA. A principal law is the Foreign Intelligence Surveillance Act. Presidential executive orders also undergird the regulations. USSID 18 cites these. I understand "cryptographic data" to mean any interceptions involving cryptology. This too is taken from USSID 18. Previous public releases of USSID 18 censored cryptographic terms. And one version released at about the same time (2000) still censored those terms and other references to retention of such data. The CIA/NSA operates Special Collection Service (SCS, not SIS as I stated), a program to burglarize facilities to obtain information that is otherwise protected against interception. If NSA cannot intercept or gain access to communications it notifies the CIA burglary team which surreptitiously gains physical access. 
http://www.fas.org/irp/facility/scs_cp.htm http://cryptome.org/cia-nsa-scs.htm The jape was about whether SCS is forever running behind more experienced professional burglars, such as those of the Old World and Really Old World who allegedly sometime taunt the New Worlders with spoof spook-thief devices which hide the good stuff. One such being cryptology material and equipment. Learning from the ancient burglars to hide tracks, loading global communications with spoof cryptographic data, huge bandwidths of it, is underway, so birdie tweets. From DHowe@Hawkswing.demon.co.uk Thu, 12 Jul 2001 17:32:16 +0100 Date: Thu, 12 Jul 2001 17:32:16 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: trivia "Owen Lewis" wrote: > Not infrequently and some of them are genuinely to be supped with using a > spoon tied to the end of a long bargepole. However I remain unimpressed by > the threat you hypothecate. There is always the "degrees of separation" thing. assume you have a provably innocent correspondent. now assume one of THEIR correspondents is now a convicted criminal. if they are investigated, then you will be a known correspondent of a suspect..... > How is A to put B into such a position inadvertently? I think that if A is > suspected of a serious crime and has been in enciphered correspondence with > B, then B might be asked to deliver up correspondence or key. Fair enough. > There *has* been correspondence and there *is* (or has been) a secret key > that was once in my possession. Were I 'B', I'd have the key and would > deliver as demanded (albeit without the best of grace). ok, imagine the following. A and B want to have an encrypted conversation, and have secure (ssh tunnelled) mail. A generates a key he does not upload, in your name; his correspondent does similarly. both change their keys to their own name, and send a copy in that form.
mail is saved off WITHOUT headers in a subdirectory, which is simple enough to do, and both correspondents are careful never to use each other's name. now, one gets arrested; the other immediately uploads the public key (in your name) he holds for HIS private key, and the public key (in the others name) to the keyservers, then secure-wipes his private key for that exchange. what is more likely? that they will pursue all the possible correspondents for the suspect, or that they will take the name on the key at face value and come looking for you? From k.brown@ccs.bbk.ac.uk Thu, 12 Jul 2001 18:44:57 +0100 Date: Thu, 12 Jul 2001 18:44:57 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Taken Off List Jim Bond wrote: > > On 12 July 2001 11:43 > Owen Lewis wrote: > > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > I really do have "zero tolerance" for the implied > nationalism and racism > > of the language you used, so I replied in anger, and > do not regret it. > > Taken off list. > > Owen > > If this means Mr Brown has been taken off of the list > then I am appalled. I would be interested to hear your > justification (presumably other than "use of bad > language"). No, no, it is just a jargon way of saying that he replied to me "off list", i.e. by email direct to my address! Ken Brown From ravi.singh@tinyworld.co.uk Thu, 12 Jul 2001 21:31:22 +0100 Date: Thu, 12 Jul 2001 21:31:22 +0100 From: ravi.singh ravi.singh@tinyworld.co.uk Subject: Taken Off List could you please unsubscribe me from your list. thanks ----- Original Message ----- From: "Ken Brown" To: Sent: Thursday, July 12, 2001 6:44 PM Subject: Re: Taken Off List > Jim Bond wrote: > > > > On 12 July 2001 11:43 > > Owen Lewis wrote: > > > > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > > > > I really do have "zero tolerance" for the implied > > nationalism and racism > > > of the language you used, so I replied in anger, and > > do not regret it. > > > > Taken off list. 
> > > > Owen > > > > If this means Mr Brown has been taken off of the list > > then I am appalled. I would be interested to hear your > > justification (presumably other than "use of bad > > language"). > > No, no, it is just a jargon way of saying that he replied to me "off > list", i.e. by email direct to my address! > > Ken Brown > > From ravi.singh@tinyworld.co.uk Thu, 12 Jul 2001 21:32:33 +0100 Date: Thu, 12 Jul 2001 21:32:33 +0100 From: ravi.singh ravi.singh@tinyworld.co.uk Subject: Taken Off List could you please unsubscribe me from the forum. ----- Original Message ----- From: "Stephen Early" To: Sent: Thursday, July 12, 2001 2:58 PM Subject: Re: Taken Off List > On Thursday, 12 Jul 2001, Jim Bond wrote: > > > On 12 July 2001 11:43 > > Owen Lewis wrote: > > > > > Taken off list. > > > > If this means Mr Brown has been taken off of the list > > then I am appalled. I would be interested to hear your > > justification (presumably other than "use of bad > > language"). > > No, it doesn't mean that. It means that Owen Lewis has decided to > carry on his conversation with Ken Brown by private email rather than > in public on the mailing list. His comment to the list indicates that > he does not consider the matter closed. > > I am the only person who can remove subscribers from the list, and I > have never done so[1]. (Obviously subscribers can remove themselves.) > > Stephen Early > UKcrypto mailing list administrator > > [1] Except in the usual course of managing the list: when it becomes > obvious from the number and type of bounces received that an address > has 'gone away' permanently or is suffering a long-term technical > problem, that address will be removed. This happens about three or > four times per week. 
> > From steve@greenend.org.uk Thu, 12 Jul 2001 23:27:56 +0100 Date: Thu, 12 Jul 2001 23:27:56 +0100 From: Stephen Early steve@greenend.org.uk Subject: Administrative request etiquette (was Re: Taken Off List) On Thursday, 12 Jul 2001, ravi.singh wrote: > could you please unsubscribe me from the forum. I'd like to take this opportunity to remind everyone who is subscribed to this mailing list that administrative requests should not be sent to the list submission address. Mailing lists almost always provide a different address for administrative requests, usually the list submission address with -admin or -request appended to the local part. When you subscribe to a mailing list you're usually sent a message with general information about the list, including how to manage your subscription. You should save this message, and refer to it when you want to leave the list. (Additionally, some mailing lists [including this one] send you monthly messages as a reminder that you're subscribed, which include details of how to unsubscribe.) I know this is second nature to most people subscribed to UKcrypto, however the message I'm responding to shows it's worth repeating. [The software used to run UKcrypto tries to spot administrative requests sent to list submission addresses, and usually succeeds. Unfortunately this one managed to slip through.] 
Stephen Early UKcrypto mailing list administrator From donald@ramsbottom.co.uk Fri, 13 Jul 2001 06:52:02 +0100 Date: Fri, 13 Jul 2001 06:52:02 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Inside Windows Product Activation Via Cryptome see: http://www.licenturion.com/xp/ Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From oml@eloka.demon.co.uk Fri, 13 Jul 2001 10:42:01 +0100 Date: Fri, 13 Jul 2001 10:42:01 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: trivia > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of David Howe > Sent: 12 July 2001 17:32 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: trivia > There is always the "degrees of separation" thing. assume you have a > provably innocent correspondent. now assume one of THEIR correspondents is > now a convicted criminal. if they are investigated, then you will > be a known > correspondent of a suspect..... The man who danced with a girl who danced with the Prince of Darkness? > > How is A to put B into such a position inadvertently? I think > > that if A is suspected of a serious crime and has been in > > enciphered correspondence > > with B, then B might be asked to deliver up correspondence or key. > > Fair enough. > > There *has* been correspondence and there *is* (or has been) a > > secret key > > that was once in my possession. Were I 'B', I'd have the key and would > > deliver as demanded (albeit without the best of grace). > ok, imagine the following. > A and B want to have a encrypted conversation, and have secure (ssh > tunnelled) mail. 
> A generates a key he does not upload, in your name; his correspondent does > similarly. both change their keys to their own name, and send a > copy in that > form. mail is saved off WITHOUT headers in a subdirectory, which is simple > enough to do, and both correspondents are careful never to use > each other's > name. > now, one gets arrested; the other immediately uploads the public key (in > your name) he holds for HIS private key, and the public key (in the others > name) to the keyservers, then secure-wipes his private key for that > exchange. what is more likely? that they will pursue all the possible > correspondents for the suspect, or that they will take the name on the key > at face value and come looking for you? Return to the origins of the thread. I've not claimed that using PKC cannot make trouble for one but only that I would try and act in a way that minimise that risk. In short, I would not act as you describe. We are all different and act according to our different needs, education and experience. In toto, we may know as much and be as experienced as each other but the vector from the sum of our personal knowledge and experience is likely to be different. Much of my education and experience has taught me to be cautious of the motives of others and, as a result, I would never use a cipher system I controlled to communicate with persons other than a selected few. With those selected few, I will conduct my secure communications in a careful and relatively straightforward way. Should there be a case that one of them has been conspiring to blow up Parliament, then as an intimate of his I can fairly expect some questioning and, with the law as it now is, to have my correspondence from him examined. However I still believe that it is by no means certain that it would be. Were it to be so, as I have said I would have the key and would, under order, provide the plaintexts required of me. 
For the few with whom I communicate in cipher, there is a unique key for every correspondent. Thus, if correspondence with one is compromised it has no effect on the remainder. It suits me well to conduct my business this way. There is no reason why others should find such a way best suited to their needs. That matters not. It suits mine and those of my correspondents. It seems to me that the main risk that requires some thought to damage limitation stems from one's selection of intimates. But this has been well thrashed out here - albeit inconclusively - in the past. Owen Owen From DHowe@Hawkswing.demon.co.uk Fri, 13 Jul 2001 11:22:59 +0100 Date: Fri, 13 Jul 2001 11:22:59 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: trivia "Owen Lewis" wrote: > The man who danced with a girl who danced with the Prince of Darkness? close enough - the point here is that you can be 100% in corresponding only with the innocent - and still end up with a RIPA order on your doorstep. > Return to the origins of the thread. I've not claimed that using PKC cannot > make trouble for one but only that I would try and act in a way that > minimise that risk. In short, I would not act as you describe. Hmm. I may not have explained myself well enough there. A and B are two other individuals - who have picked a email address from an online archive (and yes, this happens; I got spammed by that Lockdown2000 fool who *admitted* he had harvested my email from the UKcrypto archives) for use as an emergency cover. You are unlucky enough to be the cover, and the plod have just found a big stack of correspondence, apparently from and to you, half of which (the from bit) they can read.... > For the few with whom I communicate in cipher, there is a unique key for > every correspondent. Thus, if correspondence with one is compromised it has > no effect on the remainder. It suits me well to conduct my business this > way. 
There is no reason why others should find such a way best suited to > their needs. That matters not. It suits mine and those of my correspondents. That actually makes things worse - you can't point and say "look officer, this is MY key and everyone knows it" if you have a policy of a separate key per correspondent. even less chance of a "balance of probabilities" defence From akm@92tr.freeserve.co.uk Fri, 13 Jul 2001 00:33:38 +0100 Date: Fri, 13 Jul 2001 00:33:38 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia Owen feels safer than I would in theory. Fortunately, the risk is in any case small in practice unless the provisions of RIPA might apply to the effects on the State of a large departure of GPs from NHS contracts; and discussions, partly encrypted, were going on between significant numbers of GPs; of which I were one. or some other condition which was outwith your control applied; I think the question of mens rea etc is not helpful, not least since IANAL. The original remark was that it was _not possible_ to be put at risk by other peoples antics with PGP. An experiment at demonstrating, or exploring this does not have the appearance of an attempt to pervert anything, from here, but any encrypted traffic might be taken elsewhere as evidence of a link -until proved not to be, by the recipient. -----Original Message----- From: Owen Lewis To: ukcrypto@chiark.greenend.org.uk Date: 12 July 2001 19:54 Subject: RE: trivia > > >> -----Original Message----- >> From: ukcrypto-admin@chiark.greenend.org.uk >> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian >> Midgley >> Sent: 12 July 2001 15:16 >> To: ukcrypto@chiark.greenend.org.uk >> Subject: Re: trivia >> >> >> From: Owen Lewis >> >> >Really? You might be surprised ar what still lurks in the depths of >> the PC >> >on which you created it? >> >> I might be, however I downloaded and compiled Apache shortly after >> deleting it, and routinely defragmenting the drive. 
So SQUIDs apart, >> I think it is unlikely to be hanging around by accident. >> Rather more to the point though, it is well known that PGP can encrypt >> messages to the recipient only, and although we are saying in public >> that you have never had the key which was labelled with your identiy, >> and that if it could be found on one of the machines on one of my >> networks this is not because you sent it to me by an unapparent >> channel... > >Why *on earth* should I send you my secret key? The fact that there is a >*public* key sculling about with my name on it proves nothing whatsoever and >their masters, if not junior plods and plodesses, understand that. Of did >you destroy the public key as well? > >I have had for years a public key that claims its association with Bill >Clinton. Do you suppose that Bill Clinton knows any thing about it? Do you >suppose that a judge is going to take my possession of it as evidence that I >an in secret correspondence with Bill Clinton? > >> I don't have to prove that, and under RIPA by the meaning I believe is >> generally agreed on this list _you_ might have to try. >> >> >Besides, you now need to conspire to pervert the course of justice if >> you >> >are going to get a notice served on the recipient. >> >> How so? Seems to me that it would only be necessary for me to commit >> a crime for you to appear in the list of people with whom I have >> corresponded, encryptedly, and that is not normally described as >> perverting the course of justice. Alternatively, if somebody else >> perverts or otherwise influences justice, they might trigger that >> notice. Irritated anyone recently? > >Not infrequently and some of them are genuinely to be supped with using a >spoon tied to the end of a long bargepole. However I remain unimpressed by >the threat you hypothecate. 
> >> A local doctor was recently arrested in relation to material in >> storage on his computer, now I know of no reason why anyone should >> connect me to him, since we have few interests in common, however if >> they did for reasons only known to themselves, they might then choose >> to follow that trail onward, might they not. >> And not from my intention. > >I think your fears as unnecessary. As I understand it, there must be good >reason to demand a key and no balance of probability that such a demand is >being unreasonably defied. > >How is A to put B into such a position inadvertently? I think that if A is >suspected of a serious crime and has been in enciphered correspondence with >B, then B might be asked to deliver up correspondence or key. Fair enough. >There *has* been correspondence and there *is* (or has been) a secret key >that was once in my possession. Were I 'B', I'd have the key and would >deliver as demanded (albeit without the best of grace). > >But you suggest something else. That A will create a secret key and destroy >it, using its public twin to send a string of unsolicited correspondence to >B with the intention of having him suffer falsely at the hands of the law. >Whether A is ever able to do this will depend much on the actions of B. > >Should you propose that such consequences for B might be brought about by a >single mail (rendering quite limited any reaction by B), I suggest that A >(mens rea already existing from the creation of the false key pair?) before >this point is reached A must elaborate a conspiracy to bring the matter to >the attention of the authorities and have them act upon it. > >Wow! A must want B's scalp badly enough to risk a couple of years in jail >for the satisfaction of making waves (for B that still are unlikely to pass >close scrutiny). Or else A's as thick as two short planks and doesn't bother >to consider the chances that his conspiracy will fail. 
>
>Since A is clearly of a criminal bent, he should find it direct, certain and
>with less possibility of comeback to have B found, intoxicated and in bed
>with his strangled wife. If B were a GP, the whole world knows about doctors
>and drug abuse and therefore a rich palette of intoxicants makes itself
>available and the events all the more credible?
>
>Yes, people will commit crime. Yes some of those who do get away with it but
>I think your proposition is definitely high risk. If you think otherwise,
>let us depersonalise it, lay out a plot and dissect it here. Start with the
>creation of a key pair with the intent to pervert the course of justice.
>Next the delivery of an unsolicited mail in furtherance of the conspiracy
>(containing does it matter what?). What does A do next to develop his plan?
>Say too A has destroyed one or both parts of the key pair created. Was the
>public key signed, by whom and do they know A? Is it necessary to buy their
>perjured evidence in due course?
>
>For the moment, the one point that comes across out of your proposition is
>that it gives yet another reason for why one should ever facilitate
>enciphered traffic from strangers. Of course B might find that A was his
>partner and that would be rather more tricky to manage. However, there are
>enough ideas here for the time being, should you wish to take a scenario
>further.
>
>Owen

From Q.G.Campbell@newcastle.ac.uk Fri, 13 Jul 2001 13:17:01 +0100
Date: Fri, 13 Jul 2001 13:17:01 +0100
From: Q G Campbell Q.G.Campbell@newcastle.ac.uk
Subject: trivia

> -----Original Message-----
> From: Adrian Midgley [mailto:akm@92tr.freeserve.co.uk]
> Sent: 13 July 2001 00:34
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: trivia
>
>
> Owen feels safer than I would in theory.
> Fortunately, the risk is in any case small in practice
> unless the provisions of RIPA might apply to the effects on
> the State of a large departure of GPs from NHS contracts; and
> discussions, partly encrypted, were going on between
> significant numbers of GPs; of which I were one.

Forget RIPA. If I were one of the GPs involved, I would be more concerned about being pursued under the Terrorism Act, particularly if our actions were likely to bring down the Government and force an election (cf. Ted Heath in 1972).

Your actions seem to meet the interpretation of "Terrorism" given in S1(2). You would appear to be acting on ideological/political grounds and pursuing a course of action which might not be violent in itself but "which can, in a modern society, have a devastating impact". Such activity as you describe could, on the face of it, be held to put life, health or safety at risk.

It seems to me that a confrontation between a majority of GPs and the Government is a more threatening situation than the one postulated by Ross Anderson in an earlier posting (on possible applications of the Terrorism Act in medical contexts).

Quentin
--
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."

From Ross.Anderson@cl.cam.ac.uk Fri, 13 Jul 2001 13:32:36 +0100
Date: Fri, 13 Jul 2001 13:32:36 +0100
From: Ross Anderson Ross.Anderson@cl.cam.ac.uk
Subject: trivia

Quentin:

> It seems to me that a confrontation between a majority of GPs and the
> Government is a more threatening situation than the one postulated by
> Ross Anderson in an earlier posting (on possible applications of the
> Terrorism Act in medical contexts).
To the UK government, sure; but to the Government of Iceland, the IMA boycott (in which I was involved as a technical adviser) was more serious than GP shroud-waving in the UK would be. There was an election coming along; there were allegations floating around of improper financial deals between the database company and the Prime Minister's family; most doctors disapproved of the scheme, as did most scientific researchers; 11% of the population had opted out; the company's stock price bubble had significant effects on the Icelandic economy; and so on. It was a much bigger deal than anything the BMA is likely to get up to.

Part of my point was that by helping the IMA hold the flames to the feet of the Prime Minister of Iceland, by supporting their action at a conference in Phoenix where my speech was absolutely protected by the US constitution, I was committing a serious criminal offence in the UK.

BTW I recycled this example on Tuesday when we had a debate in the University's Regent House about email. A new and clueless personnel chap had sent round a circular saying that if we sent email that contained anything criminal, or that could get the University sued, or even annoy anyone, then this could be interpreted as gross misconduct and we could be sacked. Apparently it was a warmed-over version of a standard letter used at his previous employer, a local council. I pointed out that this would stop me exchanging email about Iceland - and much else besides.
In fact, given that science is about falsification and the humanities about critique, it's probably fair to say that an academic who has never annoyed anyone should never have been hired in the first place :-)

Ross

From oml@eloka.demon.co.uk Fri, 13 Jul 2001 14:04:23 +0100
Date: Fri, 13 Jul 2001 14:04:23 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: trivia

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of David Howe
> Sent: 13 July 2001 11:23
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: trivia
>
>
> "Owen Lewis" wrote:
> > The man who danced with a girl who danced with the Prince of Darkness?
> close enough - the point here is that you can be 100% in corresponding only
> with the innocent - and still end up with a RIPA order on your doorstep.

True. But as suggested in an earlier post, you can also be innocent and neatly framed for murder. Life is not an entirely safe business and none of us should expect any guarantee that it be made so. A reminder also that such 'framing' is a serious criminal act and a perp found guilty will be looking at a jail sentence - and quite right too. For a complex of reasons, the chances of such a thing ever happening are quite remote and one can reduce those chances much further by exercising some caution in what one does and how one does it.

>
> > Return to the origins of the thread. I've not claimed that using PKC cannot
> > make trouble for one but only that I would try and act in a way that
> > minimise that risk. In short, I would not act as you describe.
> Hmm. I may not have explained myself well enough there.
> A and B are two other individuals - who have picked a email address from an
> online archive (and yes, this happens; I got spammed by that Lockdown2000
> fool who *admitted* he had harvested my email from the UKcrypto archives)
> for use as an emergency cover.
> You are unlucky enough to be the cover, and
> the plod have just found a big stack of correspondence, apparently from and
> to you, half of which (the from bit) they can read....

I'm sorry to hear that. It adds rather to my conviction that one should never enable a personally controlled cipher to be used at the decision of others. E.g. no key servers.

> > For the few with whom I communicate in cipher, there is a unique key for
> > every correspondent. Thus, if correspondence with one is compromised it has
> > no effect on the remainder. It suits me well to conduct my business this
> > way. There is no reason why others should find such a way best suited to
> > their needs. That matters not. It suits mine and those of my
> > correspondents.
> That actually makes things worse - you can't point and say "look officer,
> this is MY key and everyone knows it" if you have a policy of a
> separate key per correspondent. even less chance of a "balance of
> probabilities" defence

Perhaps I should have added that I choose not to use a PKC. My needs are small and I manage well using several implementations of XTEA, mainly for transmitting/receiving data dumps or documents. There are both fully automated and manual modes of transmission, depending on the requirement. Works well for a business where a limited number of outstations need to communicate with a hub but have no requirement to correspond directly between themselves. In such a situation PKC has probably more disadvantages than benefits over such a 'wheel-spoke' crypto solution. Keys are ephemeral and, after an initial seeding of the system, are unknown to the operators. This allows for fully automated and enciphered communications. The usual caveats apply to terminal security but that is no more or less a worry than any other aspect of business security.
Encryption is used as a means of assuring the integrity of very large quantities of data being communicated regularly and to provide a reasonable assurance that neither will it be intercepted or read at the terminal by unauthorised persons. If security at one of the outstations fails, only its own security is compromised. If security at the hub fails there are measures in place to prevent the effect being catastrophic. Spoof messages should be impossible. In the extraordinarily unlikely event that an outstation should communicate something outside of the normal run of our business, administrative action would follow immediately.

No, it's not perfect. Nothing in life ever is. What it does is to diminish risks to which I and others believe that our communications may be exposed from time to time and it provided a reasonable assurance of confidentiality. Moreover, it does not create any specific vulnerabilities, such as those we are discussing in this thread.

Horses for courses. I see PKC as being a very useful tool, particularly in e-commerce. I believe that one grand, overarching, PK system would bring with it more headaches than it cures. There is room for many different cryptosystems and I would encourage all to flourish.

For myself, I do not wish, nor need ever, to facilitate unsolicited enciphered and personal communication from strangers. Whichever party initiates an exchange, I would never wish to say or hear from a complete stranger what could not be as well said in a room full of people. If a development from earlier exchanges indicates that enciphered communication has become desirable, of course I will use it but it will be at my decision and not allowed by default.
Owen

From Q.G.Campbell@newcastle.ac.uk Fri, 13 Jul 2001 15:04:08 +0100
Date: Fri, 13 Jul 2001 15:04:08 +0100
From: Q G Campbell Q.G.Campbell@newcastle.ac.uk
Subject: trivia

> -----Original Message-----
> From: Ross Anderson [mailto:Ross.Anderson@cl.cam.ac.uk]
> Sent: 13 July 2001 13:33
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: trivia

In response to a posting from Quentin Campbell who said:
>
> > It seems to me that a confrontation between a majority of GPs and the
> > Government is a more threatening situation than the one postulated by
> > Ross Anderson in an earlier posting (on possible applications of the
> > Terrorism Act in medical contexts).
>
> To the UK government, sure; but to the Government of Iceland,
> the IMA boycott (in which I was involved as a technical
> adviser) was more serious than GP shroud-waving in the UK
> would be. There was an election coming
> along; there were allegations floating around of improper
> financial deals between the database company and the Prime
> Minister's family; most
> doctors disapproved of the scheme, as did most scientific
> researchers; 11% of the population had opted out; the
> company's stock price bubble had significant effects on the
> Icelandic economy; and so on. It was a much bigger deal than
> anything the BMA is likely to get up to.
>
> Part of my point was that by helping the IMA hold the flames
> to the feet of the Prime Minister of Iceland, by supporting
> their action at a
> conference in Phoenix where my speech was absolutely
> protected by the US constitution, I was committing a serious
> criminal offence in the UK.

Ross

I suspect that the Terrorism Act will be used as cynically by Governments as the OSA has been.
As your activity (in this regard at least :-)) hardly seems to threaten the UK national interest, it is unlikely to bring a charge under the Terrorism Act.

I doubt that the UK Government cares a fig about whether the Prime Minister of Iceland gets his feet burnt. Do we have a multi-billion pounds arm deal at risk, or concerns about Islamic extremism, coming from Iceland? I suspect not. Now if your campaign was directed at, say, the activities of the ruling family in Saudi Arabia then things might be different.

Seen in this context, what poses the bigger threat to the UK national interest (ie. The Government's interest): "GP shroud-waving" or the embarrassment of the Icelandic Government and PM by a respected UK academic?

Quentin

From oml@eloka.demon.co.uk Fri, 13 Jul 2001 15:38:19 +0100
Date: Fri, 13 Jul 2001 15:38:19 +0100
From: Owen Lewis oml@eloka.demon.co.uk
Subject: trivia

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian
> Midgley
> Sent: 13 July 2001 00:34
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: trivia
>
>
> The original remark was that it was _not possible_ to be put at risk
> by other peoples antics with PGP.

Then, in a nutshell, I would agree that it is possible to cause another some embarrassment or irritation - the more particularly if they are known to be a PGP user. However, if one conducts oneself reasonably, I believe that the risk of actually suffering harm is well below the risk of harm in other matters that we run every day without giving it a thought. This is not least because to cause such harm maliciously is in itself a serious criminal offence.

> An experiment at demonstrating, or exploring this does not have the
> appearance of an attempt to pervert anything, from here, but any
> encrypted traffic might be taken elsewhere as evidence of a
> link -until proved not to be, by the recipient.

For the first part, I agree.
There can be no harm and some amusement in our little play. The harm starts and the fun stops at the point where, to close the trap, the attention of the authorities needs to be drawn to the victim in connection with both the concocted key and some criminal activity.

The comment re. mens rea was an aside coming from the thought that it might be argued that guilty intent (to pervert etc) would be present from the point of forging a link of the victim's identity with a key pair first created and then destroyed beyond recall by someone other than the victim. Now, many of us have forged keys at some time or other but with care to cause no harm but as part of a learning process. The wickedness really starts with what must follow on from there if a malicious plan to cause harm is to succeed. Hypothecation of criminal activity is of course harmless as well as sometimes informative.

ISTR that as long ago as 1991 the State of Georgia (no less) made it a criminal offence to be in possession of a password or crypto key without either due authority or being the owner. Max sentence was 14 years, I recall. I don't recall whether key forging was included; probably not back then but it seems to me sensible that it should be unlawful to forge a ID to a key. Thoughts?

Owen

Owen

From ghira@mistral.co.uk 13 Jul 2001 20:8:49 +0100
Date: 13 Jul 2001 20:8:49 +0100
From: Adam Atkinson ghira@mistral.co.uk
Subject: trivia

On 13-Jul-01 13:32:36, Ross Anderson said:

>BTW I recycled this example on Tuesday when we had a debate in the
>University's Regent House about email. A new and clueless personnel chap
>had sent round a circular saying that if we sent email that contained
>anything criminal, or that could get the University sued, or even annoy
>anyone, then this could be interpreted as gross misconduct and we could
>be sacked.

Surely academics with tenure can't be sacked? I hope Regent House told this person to get lost, anyway.
I still think forbidding the receipt of untrue statements via email/web/phone/fax is the most startling one I've seen. -- Adam Atkinson (ghira@mistral.co.uk) Verbing weirds language. (Calvin) From Richard.Cox@mandarin.org Fri, 13 Jul 2001 22:57 +0100 (BST) Date: Fri, 13 Jul 2001 22:57 +0100 (BST) From: Richard D G Cox Richard.Cox@mandarin.org Subject: trivia Adam Atkinson said: > I still think forbidding the receipt of untrue statements > via email/web/phone/fax is the most startling one I've seen. There can hardly be illegality in receiving them: as far as sending them is concerned, S.43b of the Telecommunications Act 84 would seem to apply! Richard From akm@92tr.freeserve.co.uk Sat, 14 Jul 2001 13:26:48 +0100 Date: Sat, 14 Jul 2001 13:26:48 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: trivia From: Q G Campbell > a large departure of GPs from NHS contracts; and >Your actions seem to meet the interpretation of "Terrorism" given in >S1(2). You would appear to be acting on ideological/political grounds Good grief no. While most of us think the citizens should get a better deal from a better funded health service with competent management in a structure in which they are actually able to do sensible things...what we actually want is either much more money to stick around in the current mess, some to keep and some to employ others to do the bits that don't need doctors to do them, and other better working conditions (including such things as rapid secure communications for medical purposes). >and pursuing a course of action which might not be violent in itself but >"which can, in a modern society, have a devastating impact". Such >activity as you describe could, on the face of it, be held to put life, >health or safety at risk. Sounds to me as though you have made a case that Alan Milburn like the last three health secretaries before him is a terrorist. I shall make no such suggestion myself. 
>It seems to me that a confrontation between a majority of GPs and the Government is a more threatening situation Going off topic a little here, but we are not confronting. We are exactly saying that we are going to cease our existing contracts if things do not improve. IE running away rather than confronting. The day after the NHS collapses, I shall be in my surgery which I own, with my staff who I employ, and _at least_ as able to diagnose and advise as I ever have been. You as citizens might have to make different arrangements for the fulfillment of such advice and prescriptions than are currently in place, but I am sure you'll think of something. Oh, if the NHS wouldn't be meeting your medical bills then you might want to think about that as well, in advance...maybe you would like it to continue to do so, in which case I suggest you take an interest in those arrangements about now. From akm@92tr.freeserve.co.uk Sat, 14 Jul 2001 15:08:39 +0100 Date: Sat, 14 Jul 2001 15:08:39 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof From: Owen Lewis >> >flawed system. You would not be able to do this to me or to many >> others, >> >only to those who lay themselves open to this form of abuse. >I get unsolicited enciphered mail I return it to sender. I get a second I >return it with a cease and desist message. A third and mail delivery to me >will be blocked. But being a clever conspirator, surely you would in any case return the mail which you had separately decrypted and read, so as to back up your statement here and later that you had been unable to read it since you did not have the key {Plod: prove it} and had never had the key {Plod: just to assist us with the enquiries we are making into the apparent sender of that message, sir, I'm sure you won't mind proving you didn't have it.} Cease and desist, yes of course. 
At least it demonstrates to your putative co-conspirator that you received the message... And blocked. It is technically possible to block email on the ISP mailserver without reading the body, using IMAP or no doubt in other ways, but can you {Plod asks} prove that you used that way, or are you in fact downloading the mail to where your mail client can delete it, leaving only the log files to contain the texts where they could be decrypted. It is the demand in RIPA that all these things be proved, that seems the problem, bearing in mind that in some jurisdictions, not this one of course, the LEA might be more interested in causing trouble than protecting you. Enough of this experiment I think, I've found out two things about PGP that I didn't fully appreciate before, and had the question of how useful the proposed whole NHS and contacts PKI setup is going to be raised. It seems to me that firstly the purpose of the NHS PKI requires that it is actually at least a national PKI, to include gov and patients, and that in fact the number of organisations or even patients I correspond with is quite manageable by the sort of bipolar crypto streams you use. In Exeter for instance there are 21 Practices, plus a few bits and pieces, who deal with about 4 distinct laboratories all of which are physically and logically within the perimeter of the Acute Trust. For this end of Devon it is 75 practices, and no more than 4 hospitals. I suspect the national arrangements of being a delaying tactic rather than a clever plan, if there is any distinction between the two in the NHS administrata, and personally I'd be quite happy with an ssh session to the lab computer. 
-- Midgley From jya@pipeline.com Sat, 14 Jul 2001 19:54:17 -0700 Date: Sat, 14 Jul 2001 19:54:17 -0700 From: John Young jya@pipeline.com Subject: Ciphers of Elizabeth I The Public Records Office search engine has one listing for "ciphers:" http://www.pro.gov.uk/leaflets/ri2056.htm The citation lists "Ciphers, Elizabeth I to George III (SP 106)." From Columbia University Library, which led us to the PRO, a catalog entry refers to "Cryptography, Great Britain, History, Elizabeth, 1558-1603, Sources," which points to a reprint of one of the documents listed under "ciphers" at the PRO: Calendar of State Papers Foreign, Elizabeth, 1558-1589, ed. J Stevenson, A J Crosby, A J Butler, S C Lomas, A B Hinds, R B Wernham, 23 volumes (London, 1863-1950). I shall be looking at the Columbia University reprint of the "Calendar of State Papers," and will be curious about what is in "Ciphers, Elizabeth I to George III (SP 106)." My question is whether these documents have been examined by persons here and/or whether the Elizabethan era ciphers described in them have been written about in contemporary works. From peter.fairbrother@ntlworld.com Sun, 15 Jul 2001 05:30:16 +0100 Date: Sun, 15 Jul 2001 05:30:16 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Ciphers of Elizabeth I IIRC there's a description of the Mary, Queen of Scots cypher in Simon Singh's book. I have read about other Elizabethan cyphers, and the work of the Government cryptanalyst who broke the M,QoS cypher, so recent-ish discussion does in general exist, but I'm sorry I can't remember where (or his name) :( -- Peter > John Young at jya@pipeline.com wrote: > The Public Records Office search engine has one listing for "ciphers:" > > http://www.pro.gov.uk/leaflets/ri2056.htm > > The citation lists "Ciphers, Elizabeth I to George III (SP 106)." 
> > From Columbia University Library, which led us to the PRO, a > catalog entry refers to "Cryptography, Great Britain, History, > Elizabeth, 1558-1603, Sources," which points to a reprint of > one of the documents listed under "ciphers" at the PRO: > > Calendar of State Papers Foreign, Elizabeth, 1558-1589, ed. > J Stevenson, A J Crosby, A J Butler, S C Lomas, A B Hinds, > R B Wernham, 23 volumes (London, 1863-1950). > > I shall be looking at the Columbia University reprint of the > "Calendar of State Papers," and will be curious about what > is in "Ciphers, Elizabeth I to George III (SP 106)." > > My question is whether these documents have been examined > by persons here and/or whether the Elizabethan era ciphers > described in them have been written about in contemporary > works. From ben@algroup.co.uk Sun, 15 Jul 2001 11:07:15 +0100 Date: Sun, 15 Jul 2001 11:07:15 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Ciphers of Elizabeth I John Young wrote: > My question is whether these documents have been examined > by persons here and/or whether the Elizabethan era ciphers > described in them have been written about in contemporary > works. My son (aged 11) had Elizabeth's cipher for homework (I believe there was only one). It was pretty simple minded - a symbolic substitution cipher. It was cracked while she was using it, and used to incriminate her. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From pleyland@microsoft.com Sun, 15 Jul 2001 03:16:08 -0700 Date: Sun, 15 Jul 2001 03:16:08 -0700 From: Paul Leyland pleyland@microsoft.com Subject: Ciphers of Elizabeth I A one-word answer: Kahn. 
Paul > -----Original Message----- > From: John Young [mailto:jya@pipeline.com] > Sent: 15 July 2001 03:54 > To: ukcrypto@chiark.greenend.org.uk > Subject: Ciphers of Elizabeth I > > The Public Records Office search engine has one listing for "ciphers:" > > http://www.pro.gov.uk/leaflets/ri2056.htm > > The citation lists "Ciphers, Elizabeth I to George III (SP 106)." > > From Columbia University Library, which led us to the PRO, a > catalog entry refers to "Cryptography, Great Britain, History, > Elizabeth, 1558-1603, Sources," which points to a reprint of > one of the documents listed under "ciphers" at the PRO: > > Calendar of State Papers Foreign, Elizabeth, 1558-1589, ed. > J Stevenson, A J Crosby, A J Butler, S C Lomas, A B Hinds, > R B Wernham, 23 volumes (London, 1863-1950). > > I shall be looking at the Columbia University reprint of the > "Calendar of State Papers," and will be curious about what > is in "Ciphers, Elizabeth I to George III (SP 106)." > > My question is whether these documents have been examined > by persons here and/or whether the Elizabethan era ciphers > described in them have been written about in contemporary > works. From Ross.Anderson@cl.cam.ac.uk Sun, 15 Jul 2001 13:22:47 +0100 Date: Sun, 15 Jul 2001 13:22:47 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof Adrian: > it seems to me that firstly the purpose of the NHS PKI requires that > it is actually at least a national PKI, to include gov and patients, > and that in fact the number of organisations or even patients I > correspond with is quite manageable by the sort of bipolar crypto > streams you use. This is yet another case where the issues seem at first sight to be technical security matters, but on a deeper examination come down to economics. At the technical level, bipolar crypto will do for the declared purpose - communicating with path labs. 
So would plaintext email: the main threat to patient confidentiality is not that Milburn will tap the NHS network (which would be expensive) or tap email at your ISP (see discussions passim on Carnivore) but that he will just compel bulk disclosure from the lab. So a better way of protecting patients would be to use the practice number rather than putting the patient's plaintext name and date of birth on the sample. If the path lab system complains, it's not beyond the wit of people on this list to develop a program that encrypts names and dates of birth into ciphertexts that also look like names and dates of birth. Speaking as a patient, however, I think it's at least as important for you to persuade more GPs to do as you do - have a web site, hosted on a private ISP rather than NHSnet, and a facility to send email to the practice. I note that you use plaintext email. I am fairly relaxed about that; I am more irritated by the fact that most practices with web sites use them for one-way communication only. If I were a GP, I'd go even further down your road. I'd provide web-based forms for ordering repeat prescriptions, making appointments, getting test results, and even supporting interactive care - e.g., where heart patients do INR tests at home weekly and report results. I'd try to build interactive systems for patients on weight reduction and exercise programmes to check in body mass, weekly exercise attainments, resting ventricular rate, and so on - and provide them with suitable encouragement or chastisement. In short, I'd run it like a practice in California. I'd try to get real improvements in outcomes through more efficient health promotion, and I'd certainly save the time of front desk staff - and avoid some unnecessary appointments. I'd engineer all sorts of other hacks; for example, if I ran a surgery from 6-8 once a week for commuters, that would be web bookable only (to encourage the unwaged to use the daytime sessions). 
I would also hope for marketing gains; with a more modern image I'd have a hope of getting more patients on my NHS list, and more private work. If all else failed, by getting a more techno-savvy patient base I'd have proportionately more young healthy people on my list and so more income for the same amount of effort. Why don't most British GPs do this? Why is innovation so moribund? Is it a side-effect of the generally low morale? Every other business in Britain, above the level of a corner shop, now communicates electronically with its customers. All too many GPs use the `need for encryption' as one of a number of excuses not to. Having been the person who alerted the medical profession to IT security issues, I feel somewhat frustrated at seeing the issues turned into yet another mechanism for demand suppression and patient avoidance. The problem is that British GPs seem to want it both ways. You want systems provided for free by Milburn, but when you (inevitably) get a network with (at least the potential for) central surveillance and (at best) escrowed encryption, you don't want that either. But the man with the chequebook gets his way in the end. The lesson of GP computing, over the six or seven years I've observed it, is that systems paid for by doctors work, while those paid for by civil servants don't. Thus the civil servants subvert your systems - and where you go wrong is in allowing the promise of relatively small NHS subsidies for computer systems and network capacity to capture your requirements process. The solution is for you to buy the systems _you_ need, using money that comes out of _your_ bank accounts, and instruct your negotiators that under no circumstances will you tolerate any more subsidies. Accept pay rises _only_ if they are added directly to your capitation fees in the main GP contract. Otherwise, as you hint, it's time to start a grown-up debate about how we should organise healthcare in Britain after the collapse of the NHS. 
Ross From ben@algroup.co.uk Sun, 15 Jul 2001 14:04:20 +0100 Date: Sun, 15 Jul 2001 14:04:20 +0100 From: Ben Laurie ben@algroup.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof Ross Anderson wrote: > If the path lab system > complains, it's not beyond the wit of people on this list to develop a > program that encrypts names and dates of birth into ciphertexts that > also look like names and dates of birth. Should anybody fancy pursuing this, I have a very large (currently 13,000,000) database of real names (transcribed birth, marriage and death records) which I'd be happy to give access to. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From akm@92tr.freeserve.co.uk Sun, 15 Jul 2001 18:00:12 +0100 Date: Sun, 15 Jul 2001 18:00:12 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof From: Ross Anderson Mostly right, agreed. One bugger factor is that for all the talk of paying for quality, there is no way within NHS general practice for us to generate more income by spending money on eg decent technology. Indeed, since staff time is reimbursed at about 70% (being nibbled away at) and computers at 50% of a small ceiling, using people to do stupid repetitive stuff and working inefficiently is cheaper for us. Plus as Ross says, the grip on design of systems from government, and I would add the grip of owners of proprietary and non-verifiable systems that cannot be relied upon to stay available (I call it Ars Longa, IT Brevis) really screws it all up. Basically I see no advances worth noting since 1994, coincidentally the time when the NHS had a conversion to the idea we should all head for Windows-based systems and that this was progress. 
(EXCEPT the provision of a phone line and router to connect us free to the 'Net, whcih is an advance and arrived about a year after I built the same thing without reference to the NHS.) >... a better way of protecting patients >would be to use the practice number rather than putting the patient's >plaintext name and date of birth on the sample. Age is relevant and lab docs do give advice rather than just numbers, and samples do get mixed up so some redundancy adds safety, but on the whole I agree. I do send an occasional sample with a serial number and name filled out as A. Pseudonym just to keep in practice on it. >Speaking as a patient, however, I think it's at least as important for >you to persuade more GPs to do as you do - have a web site, hosted on >a private ISP rather than NHSnet, and a facility to send email to the >practice. I note that you use plaintext email. I am fairly relaxed >about that; Agreed, it seems to go down well with people who actually use email for work - they know they are sending postcards, and they find it better than not being able to send messages. >If I were a GP, I'd go even further down your road. I'd provide >web-based forms for ordering repeat prescriptions, making >appointments, www.homefieldsurgery.nhs.uk It isn't hosted on an NHS machine, Simon Child, a GP up North set it up using Linux Apache MySQL PHP3 The setup for appointments is a bit cumbersome, but actually the Practice doesn't do appts for doctors, in general, although they do have some attractions. >getting test results, and even supporting interactive >care - e.g., where heart patients do INR tests at home weekly and >report results. I'd try to build interactive systems for patients on >weight reduction and exercise programmes to check in body mass, weekly >exercise attainments, resting ventricular rate, and so on - and >provide them with suitable encouragement or chastisement. 
Ahmad Risk and Trefor Roscoe and I and others have looked at ways of doing that sort of thing. I think it is a good idea. I have some early extraction stuff that I run in the Practice, and it is heading toward some interactive web-ability, but it is hard to do on your own. And worse if you let other people run it. >In short, I'd run it like a practice in California. Alas, my HMO won't play But yes. My friend in LA pays more for a month of contraception than the NHS pays for a year of contraceptive services, dispensing and supplies in the UK. I would much rather work to that standard of comfort. On the subject of GPs in California, I went over there in Feb this year to Fresno 3 which was a meeting on open source. One system that is running near there is Alex Caldwell's tkFP which seems quite usable albeit it grew in his practice and therefore is not productionised - it would take quite an effort to bring it into mine, but I've got a couple of copies to play with. My view was that the UK could offer improved security, audit trailing etc, whereas the US contingent were in a phase of actually making things that made the work go easier and better. We have passed beyond that phase to one of a scramble for ceommercial advantage, political power, and regulation by regulators who know little of what actually helps. >if I ran a surgery from 6-8 once a week for commuters, that >would be web bookable only (to encourage the unwaged to use the >daytime sessions). I like that. I have been thinking about explicit sessions or slots for people with jobs, but we cannot even accept payment for a premium service, and in the usual British way such are likely to stir up resentment. >Why don't most British GPs do this? Why is innovation is so moribund? >Is it a side-effect of the generally low morale? I am constantly impressed with the effort many of my colleagues will put into preserving their ignorance and by the amount of assistance they get in avoiding working IT from NHS IT droids. 
>The lesson of GP computing, over the six or seven years I've observed >it, is that systems paid for by doctors work, while those paid for by >civil servants don't. Absolutely. and on funding >Otherwise, >as you hint, it's time to start a grown-up debate about how we should >organise healthcare in Britain after the collapse of the NHS. Yep. Going with the flow and being brought into PMS projects and salaried work will continue to lose the advantage that general practice obtained in the introduction of IT - to quote a consultant colleague: "It took me 3 years to get a computer on my desk, it still doesn't link to the PAS (results etc). B&Q has a more advanced system for tracking pots of paint than this hospital has for keeping track of paitnets." I'd suggested that putting advice notes on a website might be helpful. From Pete.Chown@skygate.co.uk Sun, 15 Jul 2001 19:29:00 +0100 Date: Sun, 15 Jul 2001 19:29:00 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof Adrian, Have you thought of submitting an article to, say, Computer Weekly? I think you would stand a good chance of getting it published. NHS IT from a doctor's point of view would be a pretty interesting story I think. You might even change something... -- Pete From peter.fairbrother@ntlworld.com Sun, 15 Jul 2001 20:49:40 +0100 Date: Sun, 15 Jul 2001 20:49:40 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Ciphers of Elizabeth I > Ben Laurie at ben@algroup.co.uk wrote: > John Young wrote: >> My question is whether these documents have been examined >> by persons here and/or whether the Elizabethan era ciphers >> described in them have been written about in contemporary >> works. > > My son (aged 11) had Elizabeth's cipher for homework (I believe there > was only one). It was pretty simple minded - a symbolic substitution > cipher. > > It was cracked while she was using it, and used to incriminate her. 
The Mary Queen of Scots cypher was cracked and used to incriminate Mary, not Elizabeth. Mary got her head chopped off because of it. It's a simple symbolic susbtitution cypher with a few tweaks (symbols to double a letter, ignore-this symbols, ignore-last-letter symbols). Elizabeth (in reality Walsingham's codemasters) used and broke many different cyphers. There was a flourishing of crypto and double-dealing in those days. IIRC only a few of hers were broken (by the French), generally to little consequence. Known broken cyphers were used for disinformation. Forged letters were given credibility by being "broken" by the forgers. This accusation was made about the Mary Queen of Scots letter, probably falsely in this case. The broken Mary Queen of Scots cypher was also used to entrap. Mesages were altered by knowing the code. The conspirators were lulled into trusting the broken code. Etc, etc, vanity, vanity, nothin' new, -- Peter From oml@eloka.demon.co.uk Sun, 15 Jul 2001 21:14:28 +0100 Date: Sun, 15 Jul 2001 21:14:28 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adrian > Midgley > Sent: 14 July 2001 15:09 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: R v.Lambert House of Lords and RIP reverse-burden-of-proof > > > From: Owen Lewis > > >> >flawed system. You would not be able to do this to me or to many > >> others, > >> >only to those who lay themselves open to this form of abuse. > > >I get unsolicited enciphered mail I return it to sender. I get a > second I > >return it with a cease and desist message. A third and mail delivery > to me > >will be blocked. 
> > But being a clever conspirator, surely you would in any case return > the mail which you had separately decrypted and read, so as to back up > your statement here and later that you had been unable to read it > since you did not have the key {Plod: prove it} and had never had the > key {Plod: just to assist us with the enquiries we are making into the > apparent sender of that message, sir, I'm sure you won't mind proving > you didn't have it.} Sigh.... I'm not a conspirator and I can't possibly decrypt and read it. I have no key with which to do so. Bigger sigh... Plod is not going to knock on my door and serve a notice without prima facie evidence of criminal activity. The sender has to supply that evidence, real or fake. If real it won't involve me beyond the fact that someone I don't know once sent me a cipher text which I bounced. > > Cease and desist, yes of course. At least it demonstrates to your > putative co-conspirator that you received the message... Plod Major is knows well how to sniff out a conspiracy and has some smashing tools for doing so. No, to stir the sh*t for me with one unsolicited mail, the sender is going to have to fake evidence of criminal activity involving me. We have already covered this ground. > > Enough of this experiment I think, I've found out two things about PGP > that I didn't fully appreciate before, and had the question of how > useful the proposed whole NHS and contacts PKI setup is going to be > raised. > > it seems to me that firstly the purpose of the NHS PKI requires that > it is actually at least a national PKI, to include gov and patients, As already intimated, I would walk smartly away from a national PKI and would recommend other to do likewise. If such comes into being, it will rapidly become much broader in use than simply for the NHS. 
If such a system comes into being, I will either refuse to use it or, depending on the form it takes, use it only as an outer wrapper for such a cryptosystem as I choose to use fo my security needs. > and that in fact the number of organisations or even patients I > correspond with is quite manageable by the sort of bipolar crypto > streams you use. Yes, it would be. But there are no free lunches. Each practice would have to set up its own 'wheel' with itself at the managing hub - another administrative task. Moreover, a major hospital could find that it was an 'outstation' on hundreds of GPs wheels and at the same time having to manage at least one and possibly three or more much larger wheels of its own. No, I think for the NHS, PKI should be a more manageable solution but it probably requires also centralised key management (for which read escrowed keys). Now if it were for the benefit of the medical service and its patients only, I wouldn't mind too much. As far as I'm concerned, any doctor may read my note if he find that useful to him. I also want any clinician to be able to access anything about me in the records and without requiring my express permission (which I may be in no condition to give). But we know that it is not intended to restrict content - and therefore access to keys - to the NHS and patients. There lies the rub. > Owen From jya@pipeline.com Sun, 15 Jul 2001 17:52:48 -0700 Date: Sun, 15 Jul 2001 17:52:48 -0700 From: John Young jya@pipeline.com Subject: Ciphers of Elizabeth I Well, yes, Kahn's account and the cinema's. Is that all there is in the PRO? Seems a bit pat, if not hoarily pre-fabricated. To be sure, little about cryptology is worth believing if your life depends on it. That story is as old as secret writing, not to say non-secret encryption. Where does one get an unadulterated assessment of cryptology when all accounts are purposefully corrupt? 
Is open source crypto truly any safer than the hidden kind, or that a modern Elizabethan trick? Cryptologists are a dirty treacherous lot the haute French claim, as with spies, hardly worth serious consideration when grave problems of state are to be addressed -- the guttersnipes are too obsessed with tradecraft and absolutely paranoid about their mirror-image peers. (That's not my view, some of both appear personally hygienic.) From pwt@iosis.co.uk Sun, 15 Jul 2001 23:15:56 +0100 Date: Sun, 15 Jul 2001 23:15:56 +0100 From: Peter Tomlinson pwt@iosis.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof On 15 July 2001 Owen Lewis wrote: > > As already intimated, I would walk smartly away from a national PKI and > would recommend other to do likewise. If such comes into being, it will > rapidly become much broader in use than simply for the NHS. If such a system > comes into being, I will either refuse to use it or, depending on the form > it takes, use it only as an outer wrapper for such a cryptosystem as I > choose to use fo my security needs. > At a recent Eddie Bleasdale Netproject seminar, one speaker showed a diagram of the proposed central govt PKI, with a captive (private) CA providing certificates for about half a million govt users. How far into, for example, the NHS, is that likely to stretch? The CITU 'Framework for Information Age Government: Smart Cards' is mandatory guidance for central govt depts, and states that the Digital certificate 'should be in accordance with X.509 Version 3' and 'will be issued, and digitally signed by, the issuing party or a trusted third party'. The private key is to be held in a smart card, and that card itself must do the signing. This all permits a set of trusted third parties to be involved in a national PKI scheme - and tScheme has been set up to give credence to the CAs. Note that this document is due for revision very soon. 
Peter From ben@algroup.co.uk Mon, 16 Jul 2001 18:53:54 +0100 Date: Mon, 16 Jul 2001 18:53:54 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Ciphers of Elizabeth I Peter Fairbrother wrote: > > > Ben Laurie at ben@algroup.co.uk wrote: > > > John Young wrote: > >> My question is whether these documents have been examined > >> by persons here and/or whether the Elizabethan era ciphers > >> described in them have been written about in contemporary > >> works. > > > > My son (aged 11) had Elizabeth's cipher for homework (I believe there > > was only one). It was pretty simple minded - a symbolic substitution > > cipher. > > > > It was cracked while she was using it, and used to incriminate her. > > The Mary Queen of Scots cypher was cracked and used to incriminate Mary, not > Elizabeth. Mary got her head chopped off because of it. It's a simple > symbolic susbtitution cypher with a few tweaks (symbols to double a letter, > ignore-this symbols, ignore-last-letter symbols). > > Elizabeth (in reality Walsingham's codemasters) used and broke many > different cyphers. There was a flourishing of crypto and double-dealing in > those days. IIRC only a few of hers were broken (by the French), generally > to little consequence. You are right, I was confused. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From akm@92tr.freeserve.co.uk Tue, 17 Jul 2001 00:33:43 +0100 Date: Tue, 17 Jul 2001 00:33:43 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof From: Pete Chown >Have you thought of submitting an article to, say, Computer Weekly? They have on occasion published stuff from their own writers which seems to have had the benefit of good briefing. >NHS IT >from a doctor's point of view would be a pretty interesting story I >think. You might even change something... 
I did have a quote in Private Eye, on NHS Net at the time, and the NHS telecommunications branch seems to have gone away recently. (They liked X.400 and all sorts of strange stories circulated about how systems that use other stacks lose mail. The strangest story was that X.400 was working reliably somewhere in the NHS) -- AKM From akm@92tr.freeserve.co.uk Tue, 17 Jul 2001 00:30:41 +0100 Date: Tue, 17 Jul 2001 00:30:41 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof From: Peter Tomlinson >certificates for about half a million govt users. How far into, for example, >the NHS, is that likely to stretch? NHS claims 1 000 000 employees. It may be a little confused there in that GPs are not employees, mostly, this year, and neither are their staff, but I suspect are rolled in. Never mind. There are 30 000-40 000 GPs, in 10 000 Practices, plus a load of individuals who are locums. Each GP has about 2 whole time equivalent staff, most of whom are say half time. OTOH, maybe one has a key for the practice, and one for the hospital, and one for the HA etc. Entrust and various companies are interested, Baltimore seemed flavour of the month a while back, but their stock has fallen for reasons I don't understand in detail. Too much to hope it was because of the reception their report on NHS crypto got from the BMA; GPs and others here. From jtjm@xenoclast.org Tue, 17 Jul 2001 11:18:08 +0100 (BST) Date: Tue, 17 Jul 2001 11:18:08 +0100 (BST) From: Julian T. J. Midgley jtjm@xenoclast.org Subject: trivia On Fri, 13 Jul 2001, Richard D G Cox wrote: > Adam Atkinson said: > > I still think forbidding the receipt of untrue statements > > via email/web/phone/fax is the most startling one I've seen. > > There can hardly be illegality in receiving them: as far as sending them > is concerned, S.43b of the Telecommunications Act 84 would seem to apply! Would it indeed? Doubtless you will also be heartened to hear that S.
12(a)i.2 of the Just Invented Act of 2001 applies in full force, and that the case of DeMarco v. Kopka has an interesting bearing on the matter. Furthermore, I had a very interesting conversation on this subject last night with a friend, which conversation I shall hereinafter refer to as Conv.160701.2136-58, and about which I refuse to tell you any more than that. Perhaps I am merely supremely ignorant, and everyone else on this list knows precisely what is contained in Section 43b of the Telecommunications Act 1984; I think this unlikely, however. In the interests of clear communication, please don't quote references without at least a cursory explanation of the contents of the reference. Oh, and having just looked it up, I assume you actually meant S. 43(1)(b). There is no 43(b). For those who are interested, Section 43(1)(b) of the Telecommunications Act 1984 reads as follows: A person who-- (b) sends by those means, for the purpose of causing annoyance, inconvenience or needless anxiety to another, a message that he knows to be false or persistently makes use for that purpose of a public telecommunication system, shall be guilty of an offence and liable on summary conviction to a fine not exceeding level 3 on the standard scale. Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From owen.blacker@wheel.co.uk Tue, 17 Jul 2001 14:41:42 +0100 Date: Tue, 17 Jul 2001 14:41:42 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: US Location Privacy Bill Introduced -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > allNetDevices: - Location Privacy Bill Introduced > allNetDevices > 07/13/2001 > > This article can be found online at the following location: > www.allnetdevices.com/wireless/news/2001/07/13/location_privacy.html > > > A bill was introduced in the U.S. Senate this week that aims > to protect the privacy of users of Net-ready wireless devices > that pinpoint their location. 
> > The Location Privacy Protection Act was introduced by Senator > John Edwards, a North Carolina Democrat. The bill requires > companies that provide wireless location-based services to > notify users when they collect information about their > location. The bill also prohibits the use or sale of the > information without permission of the user. > > "If you have a cell phone in your pocket or Onstar in your > car, somebody knows where you are at all times," Edwards > said. "This bill is designed to make sure that no one misuses > your personal information. We need to get ahead of the curve > on what will soon be a real problem." > > Location-based services are considered by many to be a major > potential revenue generator for wireless operators and > service providers. Under the provisions of the bill, > consumers must be told what information was collected. They > also must be provided with a way to correct errors. > > Edwards said the bill would not hamper collection of location > information for public safety. Wireless operators and handset > manufacturers are being required by the U.S. Federal > Communications Commission (FCC) to include so-called E-911 > emergency service location capabilities by this October. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > For information on reprinting or linking to internet.com content: > http://www.internet.com/corporate/permissions.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Copyright (c) 2001 internet.com Corporation > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! 
iQA/AwUBO1Q/3FVeQSYAA2h0EQLl0gCg2mqVmtHyjE7Z9Sqo3GhmL/C78IwAoItv TEgOOVVz5mbBKNA0/XWYh9E1 =GBWJ -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Tue, 17 Jul 2001 16:18:35 +0100 Date: Tue, 17 Jul 2001 16:18:35 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: The Register: WinXP product activation cracked: totally, horribly, fatally -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.theregister.co.uk/content/4/20433.html | WinXP product activation cracked: totally, horribly, fatally | | By John Lettice | Posted: 17/07/2001 at 12:35 GMT | | Since Microsoft introduced Windows Product Activation (WPA) the crackers | have gone through a series of WinXP beta builds, finding new ways to at | least circumvent the protection system. But now, taking an entirely | different approach, Germany's Tecchannel has demonstrated that WPA as | shipped in RC1 is full of gaping holes, and can be fooled almost | completely. | | Tecchannel's report available in English | , or in German | ) demonstrates | that WPA can be compromised via numerous hardware-related routes; it all | centres on the file wpa.dbl, which WinXP keeps in the system32 directory. | | This file stores information on the nature of the hardware at the time of | activation, and when Windows XP notices more than three items of hardware | have changed, it deletes it. Then you need to activate again. You'll | also, Tecchannel notes, need to activate ~immediately~ if you installed | more than 30 days (or 14 with RC1) ago, as that's when the clock starts | ticking. This, incidentally, is also the case if you do a 'repair' to fix | a bust system -- not exactly friendly.
| | So first of all Tecchannel saved the file then started changing hardware. | Two items OK, but replacing a third -- the CPU -- triggered the deletion. | Although you'd think the CPU is only one component, it's actually tallied | up as two. Switching off the CPU serial number in the bios and therefore | knocking it down to one doesn't get the earlier wpa.dbl back -- this has | been restored in a non-activated state. | | Copy the saved version back? That surely shouldn't work -- but it does. | Next, Tecchannel tried a completely new installation using the same | product key. This produces a new product ID, but nevertheless copying the | wpa.dbl file back again works. | | They also use this file on another computer, altering the computer's | volume ID first, which is easily enough done. They can also use forged | network cards MAC addresses, so now they've taken two parts of the | hardware ID out of the picture. Next, use the hardware profile to tell | the computer it's a notebook with a docking station. This works, and | tells WPA to stop counting the IDE/SCSI controller and the graphics card. | | That gets the differences counted down to three, hard disk, CPU and CDROM | ID, which is within the limit, so WPA is effectively toast. | | What does this mean? Tecchannel's investigation shows that, at the very | least, you can use the same wpa.dbl file to activate as many computers as | you like, provided the RAM size is the same. A 'universal' file that | didn't even require the same RAM might be a possibility, but it's more | likely that people will simply swap files to get one appropriate for | their hardware. If Microsoft doesn't change WPA before WinXP ships, then | it's pointless. But changing it when RC2 is looming, and when the holes | are so obviously huge, would be difficult. | | So farewell then, Windows Product Activation -- for the moment?
® - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBO1RWkFVeQSYAA2h0EQINpACdGkSkOwI865YLmyz5EJIAUvcO9rcAoNYf xy6YlIrvwY6AF/ula59TXG/G =aZLs -----END PGP SIGNATURE----- From chl@clw.cs.man.ac.uk Tue, 17 Jul 2001 19:14:22 +0100 (BST) Date: Tue, 17 Jul 2001 19:14:22 +0100 (BST) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: trivia On Tue, 17 Jul 2001 11:18:08 +0100 (BST) "Julian T. J. Midgley" said... > For those who are interested, Section 43(1)(b) of the Telecommunications > Act 1984 reads as follows: > > A person who-- > > (b) sends by those means, for the purpose of causing annoyance, > inconvenience or needless anxiety to another, a message that he knows to > be false or persistently makes use for that purpose of a public > telecommunication system, shall be guilty of an offence and liable on > summary conviction to a fine not exceeding level 3 on the standard scale. > Hey! Could that be used against trolls such as Caruthers Carstairs McKraken? It sure looks easier to invoke than that toothless Computer Misuse Act. Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From ghira@mistral.co.uk 17 Jul 2001 19:58:31 +0100 Date: 17 Jul 2001 19:58:31 +0100 From: Adam Atkinson ghira@mistral.co.uk Subject: trivia On 13-Jul-01 22:57:00, Richard D G Cox said: >> I still think forbidding the receipt of untrue statements >> via email/web/phone/fax is the most startling one I've seen. >There can hardly be illegality in receiving them: as far as sending them >is concerned, S.43b of the Telecommunications Act 84 would seem to apply! I'm not suggesting it's illegal. I'm suggesting it's worrying for an AUP to forbid such things. Violation of an AUP could be grounds for dismissal. -- Adam Atkinson (ghira@mistral.co.uk) "That's the biggest shark I've ever seen" he said, superficially. From mk270@cam.ac.uk Wed, 18 Jul 2001 14:37:09 +0100 (BST) Date: Wed, 18 Jul 2001 14:37:09 +0100 (BST) From: Martin Keegan mk270@cam.ac.uk Subject: trivia On Tue, 17 Jul 2001, Charles Lindsey wrote: > > (b) sends by those means, for the purpose of causing annoyance, > > inconvenience or needless anxiety to another, a message that he knows to > > be false or persistently makes use for that purpose of a public > > telecommunication system, shall be guilty of an offence and liable on > > summary conviction to a fine not exceeding level 3 on the standard scale. Does the Internet count as a public telecommunication system for the purposes of that section of the Act? > Hey! Could that be used against trolls such as Caruthers Carstairs > McKraken? It sure looks easier to invoke than that toothless Computer > Misuse Act. The CMA is far from toothless. According to my reading of CMA1990, if I have a computer and a VCR, and I authorise you to use neither, you commit a criminal offence by using the computer, but not the VCR. I'd much prefer it if only the legislature could determine what amounted to criminal behaviour, and didn't delegate that to my local sysadmin. 
Mk From oml@eloka.demon.co.uk Wed, 18 Jul 2001 16:16:52 +0100 Date: Wed, 18 Jul 2001 16:16:52 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: trivia > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Martin Keegan > Sent: 18 July 2001 14:37 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: trivia > > > The CMA is far from toothless. According to my reading of CMA1990, if I > have a computer and a VCR, and I authorise you to use neither, you commit > a criminal offence by using the computer, but not the VCR. I'd much prefer > it if only the legislature could determine what amounted to criminal > behaviour, and didn't delegate that to my local sysadmin. And I would sooner that the legislature (for which read the sheep herded by an Executive-of-the-Day) did not try to tinker constantly with the application of justice through continual (and usually unhelpful) attempts at micro management of our law. Owen From kbarry@snaz.com Thu, 19 Jul 2001 11:57:33 +0100 Date: Thu, 19 Jul 2001 11:57:33 +0100 From: Kieran Barry kbarry@snaz.com Subject: UKcrypto Glossary Hi, I have encountered a problem from time to time due to intermittent reading of the list. What has happened is that I've found myself wondering "What the hell is ( PANTS | RIPA | GAK | Acronym or phrase du jour)?" Because I'm sure that I'm not the only person yet to get an acronym babbelfish, I was wondering if we should introduce a UKcrypto glossary posted at regular intervals. (I say glossary rather than an FAQ, since any really interesting answers would have to deal with charges of bias.) Has this question been brought up before? If not, to start the ball rolling, here are some which spring to mind. (Please, no flames for my fearful ignorance....) A5 Encryption algorithm for GSM phones AES Encryption algorithm standard adopted last year by the US to replace DES. Actual algorithm is called Rijndael. 
DES Data Encryption Standard. Encryption algorithm designed in the 70s by IBM. Short key length means that it is now easily broken by exhaustive search. FIPR Foundation for Information Policy Research. British net policy think tank headed by Caspar Bowden GAK Government Access to Keys. Frontline issue between Law enforcement and civil liberties lobby GCHQ Britain's Government Communications HeadQuarters. GSM Global System for Mobiles. To a first approximation, the European phone standard. LEA Law enforcement authority PANTS Possession At Notice Time of Service. The condition needed before it is an offence not to comply with a RIP order to disclose information (key or plaintext). Possession refers to possession of a relevant decryption key. (This could probably be reworded...) PKI Public key infrastructure. RIP Regulation of Investigatory Powers. UK law dealing with government interception rights. RIPA Regulation of Investigatory Powers Act. See above. (Act is UK legalese for a law that has been passed by parliament and signed by the Queen.) TEMPEST US government codeword for technology to control the radio emissions of electronic machinery. Wassenaar International treaty under which the signatories were required to control traffic in weapons. It was used to limit the export of cryptographic software. Wassenaar may not be relevant, and there are definitely other crypto FAQs out there. And until a decision is made over whether there is a role for such a glossary, I'm not going to devote too much time to this. Is there a role? Anyway, thoughts? Kieran From daw@mozart.cs.berkeley.edu 22 Jul 2001 00:35:25 GMT Date: 22 Jul 2001 00:35:25 GMT From: David Wagner daw@mozart.cs.berkeley.edu Subject: Wired: Echelon Furor Ends in a Whimper Owen Lewis wrote: >The real problem with "universal end to end encryption" is that its >universality must depend on: > a. Universal adoption of a single PKC. I think it might not be so hard as you imagine, in some contexts.
Consider what it would take to institute universal end-to-end encryption for cellphones to protect against passive eavesdropping. The technological infrastructure is well within our reach, and it doesn't require a global PKI where every cellphone user must have a certified public key. From peter.fairbrother@ntlworld.com Sun, 22 Jul 2001 09:17:33 +0100 Date: Sun, 22 Jul 2001 09:17:33 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Wired: Echelon Furor Ends in a Whimper > David Wagner at daw@mozart.cs.berkeley.edu wrote: > Owen Lewis wrote: >> The real problem with "universal end to end encryption" is that its >> universality must depend on: >> a. Universal adoption of a single PKC. > > I think it might not be so hard as you imagine, in some contexts. > Consider what it would take to institute universal end-to-end > encryption for cellphones to protect against passive eavesdropping. > The technological infrastructure is well within our reach, and it doesn't > require a global PKI where every cellphone user must have a certified > public key. Implementing protections against passive-only interception is a bit like installing a reinforced, fortified door and leaving the windows unlocked. It might deter the casual passerby from theft but it's not going to seriously inconvenience determined thieves. Without meaning to give offence, I generally regard honest advocates of such systems as either babes in the woods or ********* ******. Universal end-to-end encryption for cellphones can be implemented protecting against both active and passive eavesdropping by a second negotiation based on the shared DH secret. This can prevent MITM completely, without a global PKI. PK's may be needed so people can use a 'phone directory with confidence, or to defeat spoofing or meaconing, but they aren't needed to extend anti-eavesdropping measures from passive to active. 
-- Peter From roland@linx.net Sun, 22 Jul 2001 09:42:45 +0100 Date: Sun, 22 Jul 2001 09:42:45 +0100 From: Roland Perry roland@linx.net Subject: trivia In message , Martin Keegan writes >> > (b) sends by those means, for the purpose of causing annoyance, >> > inconvenience or needless anxiety to another, a message that he knows to >> > be false or persistently makes use for that purpose of a public >> > telecommunication system, shall be guilty of an offence and liable on >> > summary conviction to a fine not exceeding level 3 on the standard scale. > >Does the Internet count as a public telecommunication system for the >purposes of that section of the Act? It most certainly will, after these provisions of the old Act are absorbed into the much awaited Communications Bill. IANAL, but at the moment they probably only apply to the ISP networks run by licenced PTOs. But as that includes BT, NTL, Energis, Worldcom, Thus, C&W, Tiscali and several other networks, it's actually a very high proportion already. Whether you could find anyone to start an investigation under these powers for anything other than voice or SMS is another matter entirely. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From brg@gladman.plus.com Sun, 22 Jul 2001 10:18:03 +0100 Date: Sun, 22 Jul 2001 10:18:03 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper From: "Peter Fairbrother" To: Sent: Sunday, July 22, 2001 9:17 AM Subject: Re: Wired: Echelon Furor Ends in a Whimper > > David Wagner at daw@mozart.cs.berkeley.edu wrote: > > > Owen Lewis wrote: > >> The real problem with "universal end to end encryption" is that its > >> universality must depend on: > >> a. Universal adoption of a single PKC. > > > > I think it might not be so hard as you imagine, in some contexts. 
> > Consider what it would take to institute universal end-to-end > > encryption for cellphones to protect against passive eavesdropping. > > The technological infrastructure is well within our reach, and it doesn't > > require a global PKI where every cellphone user must have a certified > > public key. > > > Implementing protections against passive-only interception is a bit like > installing a reinforced, fortified door and leaving the windows unlocked. It > might deter the casual passerby from theft but it's not going to seriously > inconvenience determined thieves. Without meaning to give offence, I > generally regard honest advocates of such systems as either babes in the > woods or ********* ******. Well, I guess that makes me a ********* ****** since I doubt that I am a 'babe in the woods' and I am certainly an advocate of such systems as one component within our overall security approach. Of course I agree that other weaknesses can be more important in many threat scenarios. Brian Gladman From oml@eloka.demon.co.uk Sun, 22 Jul 2001 22:21:53 +0100 Date: Sun, 22 Jul 2001 22:21:53 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of David Wagner > Sent: 22 July 2001 01:35 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Owen Lewis wrote: > >The real problem with "universal end to end encryption" is that its > >universality must depend on: > > a. Universal adoption of a single PKC. > > I think it might not be so hard as you imagine, in some contexts. > Consider what it would take to institute universal end-to-end > encryption for cellphones to protect against passive eavesdropping. 
> The technological infrastructure is well within our reach, and it doesn't > require a global PKI where every cellphone user must have a certified > public key. You are thinking of using Diffie-Hellman for the session key exchange? OK, but how on a *universal* scale does one make the system proof against spoofing? Voice authentication? I don't think so. As I see it, a single all-purpose (+universal) PKI with certified keys could provide what is necessary. Owen From elva.perkins@talk21.com Mon, 23 Jul 2001 09:28:13 BST Date: Mon, 23 Jul 2001 09:28:13 BST From: elva.perkins@talk21.com elva.perkins@talk21.com Subject: Confused - Elva-Louise Perkins What is this? Best, Elva > Send ukcrypto mailing list submissions to > ukcrypto@chiark.greenend.org.uk > >To subscribe or unsubscribe via the web, visit > http://www.chiark.greenend.org.uk/mailman/listinfo/ukcrypto >or, via email, send a message with subject or body 'help' to > ukcrypto-request@chiark.greenend.org.uk >You can reach the person managing the list at > ukcrypto-admin@chiark.greenend.org.uk > >When replying, please edit your Subject line so it is more specific than "Re: Contents of ukcrypto digest..."
Please copy any reply to elvalouise.perkins@uk.royalsun.com and elva.perkins@talk21.com. Thanks. Elva-Louise Perkins Legal Department Royal SunAlliance T/F 0208 409 8103 M 07796 833876 This email is privileged and is confidential. If you receive it in error, please reply to inform me, and delete it and your reply. Many thanks. -------------------- talk21 your FREE portable and private address on the net at http://www.talk21.com From nexus@patrol.i-way.co.uk Mon, 23 Jul 2001 20:04:43 +0100 Date: Mon, 23 Jul 2001 20:04:43 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Adobe fallout ? Hi folks, Though not pertaining to UK law per se, perhaps a somewhat dangerous precedent being set for non US citizens visiting their country ? Or kneejerk reaction ? http://www.theregister.co.uk/content/55/20575.html Andrew Orlowski andrew.orlowski@theregister.co.uk Angry users were getting ready to lay siege to Adobe's San Jose HQ this morning, one of several rallies around the United States in protest at the arrest of Russian cryptographer Dmitry Skylarov. Skylarov demonstrated the feeble 'security' in Adobe's eBook file format at DefCon in Las Vegas last week, and found himself arrested under the US DMCA (Digital Millenium Copyright Act).
Skylarov's employer develops a version that circumvents the encryption on Adobe eBooks for the benefit of partially sighted computers, but only works on paid-for eBooks. So it's difficult to see what Adobe is losing here, except for its ability to rob the blind. Literally. Linux kernel developer Alan Cox resigned his Usenix post at the weekend, urging non-US companies to boycott events in the land of the free until the draconian DMCA is repealed. [snip] From daw@mozart.cs.berkeley.edu 23 Jul 2001 21:09:18 GMT Date: 23 Jul 2001 21:09:18 GMT From: David Wagner daw@mozart.cs.berkeley.edu Subject: Wired: Echelon Furor Ends in a Whimper Peter Fairbrother wrote: >Implementing protections against passive-only interception is a bit like >installing a reinforced, fortified door and leaving the windows unlocked. If your goal is to protect European communications from being intercepted by Echelon-like systems (and that was the context of this thread, after all), it might be plenty good enough. I failed to grok the rest of your note. You cannot deter active MITM attacks without some authenticated, shared information (whether shared key material, or authenticated public keys for the participants). From owen.blacker@wheel.co.uk Tue, 24 Jul 2001 11:27:46 +0100 Date: Tue, 24 Jul 2001 11:27:46 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Adobe fallout ? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The latest edition of EFFector (v14.15) has a lot about this too. To quote from the email: | Back issues are available at: | http://www.eff.org/effector | | To get the latest issue, send any message to | effector-reflector@eff.org (or er@eff.org), and it will be mailed to | you automagically. You can also get, via the Web: | http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html I can forward it, if anyone has pticlr problems getting it. 
It seems that Adobe's lawyers are being a little over-eager in using the DMCA *shocker* :o( O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - -- Opinions are mine. My employer and their clients can get their own! > -----Original Message----- > From: Nexus [mailto:nexus@patrol.i-way.co.uk] > Sent: Monday, July 23, 2001 8:05 PM > To: UK Crypto list > Subject: Adobe fallout ? > > > Hi folks, > Though not pertaining to UK law per se, perhaps a somewhat dangerous > precedent being set for non US citizens visiting their country ? Or > kneejerk reaction ? > > http://www.theregister.co.uk/content/55/20575.html > Andrew Orlowski andrew.orlowski@theregister.co.uk > > Angry users were getting ready to lay siege to Adobe's San Jose HQ this > morning, one of several rallies around the United States in protest at > the arrest of Russian cryptographer Dmitry Skylarov. > > Skylarov demonstrated the feeble 'security' in Adobe's eBook file format > at DefCon in Las Vegas last week, and found himself arrested under the US > DMCA (Digital Millenium Copyright Act). Skylarov's employer develops a > version that circumvents the encryption on Adobe eBooks for the benefit > of partially sighted computers, but only works on paid-for eBooks. So > it's difficult to see what Adobe is losing here, except for its ability > to rob the blind. > Literally. > > Linux kernel developer Alan Cox resigned his Usenix post at the weekend, > urging non-US companies to boycott events in the land of the free until > the draconian DMCA is repealed. > > [snip] -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! 
iQA/AwUBO11M5lVeQSYAA2h0EQKB1wCfUGMRh+v0vJHGaWjNGtPym0l9ax4AoN32 c4EBnjBHKkrr1lZktNxUOquK =wHWh -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From Q.G.Campbell@newcastle.ac.uk Tue, 24 Jul 2001 12:03:36 +0100 Date: Tue, 24 Jul 2001 12:03:36 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Adobe fallout ? > -----Original Message----- > From: Owen Blacker [mailto:owen.blacker@wheel.co.uk] > Sent: 24 July 2001 11:28 > To: 'ukcrypto@chiark.greenend.org.uk' > Subject: RE: Adobe fallout ? > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The latest edition of EFFector (v14.15) has a lot about this > too. To quote from the email: > > | Back issues are available at: > | http://www.eff.org/effector > | > | To get the latest issue, send any message to > | effector-reflector@eff.org (or er@eff.org), and it will be > mailed to > | you automagically. You can also get, via the Web: > | http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html In the latter URL, the EFF's attorney says "The U.S. government for the first time is prosecuting a programmer for building a tool that may be used for many purposes, including those that legitimate purchasers need in order to exercise their fair use rights." Surely this must be good news because in the name of consistency and fairness one can expect the FBI to start arresting all the gun manufacturers and suppliers in the States? 
Quentin From adam@cypherspace.org Sat, 21 Jul 2001 21:18:04 -0400 Date: Sat, 21 Jul 2001 21:18:04 -0400 From: Adam Back adam@cypherspace.org Subject: end-to-end crypto for mobile voice (Re: Wired: Echelon Furor Ends in a Whimper) I always thought cell phones with Infra Red transceivers such as Nokia 6110 series would be an interesting and very practical way to build a WoT. You would build up WoT binding phone numbers and names to keys by key signing done in person phone to phone via the IR link. You can already beam and SMS (I think) phone book entries, which would then have the additional property of acting as a signed introducer. The real problem is political I suspect. The wireless industry is probably politically unwilling to provide end-to-end crypto due to closed door secret service lobbying. I figure the first moderately wide spread end-to-end crypto for mobile voice will be when there is enough computing power, bandwidth available and sufficiently open development platform for such devices as we move towards the merge of PDAs, laptops and cell-phones. If someone got lucky perhaps an exploit in remote update security on such devices could even be used as a grass-roots deployment vector to upgrade the crypto, and fix the exploit (to prevent subsequent crypto downgrade). Adam On Sun, Jul 22, 2001 at 12:35:25AM +0000, David Wagner wrote: > I think it might not be so hard as you imagine, in some contexts. Consider > what it would take to institute universal end-to-end encryption for > cellphones to protect against passive eavesdropping. The technological > infrastructure is well within our reach, and it doesn't require a global > PKI where every cellphone user must have a certified public key. From David_Biggins@usermgmt.com Tue, 24 Jul 2001 12:54:13 +0100 Date: Tue, 24 Jul 2001 12:54:13 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Adobe fallout ? Nah. 
The only consistency we can expect is consistent support of whoever has the biggest bank account. ## dave ## > -----Original Message----- > From: Q G Campbell [mailto:Q.G.Campbell@newcastle.ac.uk] > Sent: Tuesday, July 24, 2001 12:04 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Adobe fallout ? > > > > -----Original Message----- > > From: Owen Blacker [mailto:owen.blacker@wheel.co.uk] > > Sent: 24 July 2001 11:28 > > To: 'ukcrypto@chiark.greenend.org.uk' > > Subject: RE: Adobe fallout ? > > > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > The latest edition of EFFector (v14.15) has a lot about this > > too. To quote from the email: > > > > | Back issues are available at: > > | http://www.eff.org/effector > > | > > | To get the latest issue, send any message to > > | effector-reflector@eff.org (or er@eff.org), and it will be > > mailed to > > | you automagically. You can also get, via the Web: > > | http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html > > In the latter URL, the EFF's attorney says "The U.S. > government for the > first time is prosecuting a programmer for building a tool that may be > used for many purposes, including those that legitimate > purchasers need > in order to exercise their fair use rights." > > Surely this must be good news because in the name of consistency and > fairness one can expect the FBI to start arresting all the gun > manufacturers and suppliers in the States? 
> > Quentin > > From oml@eloka.demon.co.uk Wed, 25 Jul 2001 12:31:40 +0100 Date: Wed, 25 Jul 2001 12:31:40 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: end-to-end crypto for mobile voice (Re: Wired: Echelon Furor Ends in a Whimper) > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Adam Back > Sent: 22 July 2001 02:18 > To: ukcrypto@chiark.greenend.org.uk > Subject: end-to-end crypto for mobile voice (Re: Wired: Echelon Furor > Ends in a Whimper) > > > I always thought cell phones with Infra Red transceivers such as > Nokia 6110 > series would be an interesting and very practical way to build a WoT. You > would build up WoT binding phone numbers and names to keys by key signing > done in person phone to phone via the IR link. You can already > beam and SMS > (I think) phone book entries, which would then have the > additional property > of acting as a signed introducer. Won't help you talk securely to that human rights activist in Papua New Guinea though, will it? > I figure the first moderately wide spread end-to-end crypto for > mobile voice > will be when there is enough computing power, bandwidth available and > sufficiently open development platform for such devices as we move towards > the merge of PDAs, laptops and cell-phones. I have little doubt that such thoughts were part of the process leading to a requirement to surrender keys built into RIPA. My guess is that other countries will be watching closely the effectiveness (or otherwise) of that type of legislation and may well decide to copy it. Its essential intent is to make secrecy in communication strictly conditional according to the laws of one or more countries. > > Adam > > On Sun, Jul 22, 2001 at 12:35:25AM +0000, David Wagner wrote: > > I think it might not be so hard as you imagine, in some > contexts. 
Consider > > what it would take to institute universal end-to-end encryption for > > cellphones to protect against passive eavesdropping. The technological > > infrastructure is well within our reach, and it doesn't require a global > > PKI where every cellphone user must have a certified public key. No, it doesn't *require* a global PKI. Nevertheless, it is my guess that it is in that way that things will develop, given time. I do not advocate reliance on any such system; quite the reverse in fact. However, I do believe that risks to confidentiality and, particularly, of the misuse of personally identifiable secure communications to effect a scam would be no worse than with WoT. Owen From oml@eloka.demon.co.uk Thu, 26 Jul 2001 12:36:08 +0100 Date: Thu, 26 Jul 2001 12:36:08 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Trading COMSAT Sigint in Europe (Echelon developments) I finally got around to reading this and it seemed to me that one or two of its underlying premises are worth discussion. > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Duncan > Campbell > Sent: 09 July 2001 19:12 > To: ukcrypto@chiark.greenend.org.uk > Subject: Trading COMSAT Sigint in Europe (Echelon developments) > > > 10 July 2001 > > Fight over Euro-intelligence plans > > The sudden closure of one of the worlds largest spy stations is a > potential > harbinger of confrontation between the U.S. and Germany. Why so? Since 1945 Germany has been required to host hundreds of thousands of foreign troops armed to the gills and having with them the full supporting paraphernalia that operational military forces require. This presence, first established by force majeure and maintained since 1956 by agreement and a commonality of interests, always had a finite life; its life being more or less defined by continuance of a Russian domination of Eastern and Central Europe. 
With the collapse of that domination - and the consequent re-unification of Germany - the commonality of interest which in recent years has alone underpinned the presence on German soil of large forces of foreign troops. For the last ten years, the removal of all forces of Germany's NATO allies from German soil has proceeded apace. The last of them are now preparing to go home at last. With the purpose for which they were built ended, the continued basis operation of any infrastructure facilities of foreign forces on German soil would rely on some new agreement wherein Germany found it sufficiently in her national interest to promote such a continuance. There may have been a period of bargaining but if so then we know that: - The US no longer regarded any extension of the life of the Bad Aibling facility as essential at any price. - That the price for its extension that was set by the German authorities was well beyond the worth of its continuance to the US. > Today in Brussels, members of the European Parliament will vote > to finalise > a report that condemns the use of the British and American run "Echelon" > international communications surveillance system as a breach of privacy, > sovereignty and human rights. It would be a more interesting and worthwhile document if it included in its balance the chain of SIGINT stations maintained on German soil by the German government and which focus on Germany's neighbours, especially France and into Eastern Europe. No mention either of Spanish, Italian, French, Czech, Norwegian etc. etc facilities of a similar type. The report, as reported here, is fatally blinkered, biased and risibly anti-American in tone. It can serve little of interest other than its sponsors egos. However, it may do some harm by appearing to have a solid imprimatur and serving as a source of public disinformation. > The worlds largest electronic spying system, of which Echelon is > a part, is > run by the UKUSA alliance..... 
The only > other worldwide systems are run by Russia, and by France, which has > listening stations in South America and the South Pacific. This misses a crucial fact. Many countries operate regional rather than global listening stations. Where lies the complaint of the privacy fanaticists? Is it in the essential nature of the activity or merely in the scale of its reach? The blinkered approach adopted simply uses the latter as a smoke screen for the underlying anti-Americanism whilst actually bleating noisily and with bias about the former. Tsk, tsk. It also entirely ignores the level of electronic eavesdropping of their own people, even in their own homes, carried out by the authorities in many states in this world, albeit not so much in Europe or North America. In some electronic eavesdropping is as near total as the state can devise. Not a cheep from the privacy fanatics about this either. One does need to ask why and not to accept silence in lieu of an answer. Their priorities are ill-chosen and require full explanation and justification. > ....A new European > intelligence agency, in which Germany and France would take leading roles, > would be a major challenge to the UKUSA group. This is the merest wishful thinking. Intelligence services are policy servants, to be given clear direction and to be delegated their authority directly from a state's chief executive. He alone carries the responsibility for what he chooses - for better or ill - to authorise. It is likely to be at least another ten years - perhaps much more before the European Union has either developed its political controls and Federal policies to the point where it can sensibly employ and direct its own intelligence services. 
Until that time and as particularly European intelligence requirements may arise, the mature member states who already have and control such agencies will decide what, when and within what limits intelligence support will be given to European goals and in response to well formulated EU requests. This is precisely as it should be and no one should wish for anything else. The creation of EU intelligence agencies before there is a federated political structure and clear federal economic, foreign and defence policy goals is childish talk, albeit dangerous and perhaps mischievous also. Fortunately, all the Western European states are politically mature and well understand both the need and the means for the control of intelligence services. The Euro MP's may bray and gesticulate as they will; none of these states is about to give them the toy box to play with until they have well and truly demonstrated that they can play nicely, constructively and responsibly. We are some way away from that point yet as this present display of irrational emotion serves to make clear. > > But the ETA-tracking deal is actually the first visible sign of > longer term > U.S. plans to set up new bilateral intelligence arrangements with selected > European nations. The US has recently developed and extended intelligence > links with Norway, Denmark, and Switzerland, and has offered > anti-terrorist > intelligence sharing to the Italian and Greek government, as well as the > Spanish. > > At the remote village of Skibsbylejren near Hjorring in northern Denmark, > and at Heimenschwand and Leuk in central Switzerland, contractors are now > putting the finishing touches to a new network of satellite communications > interception centres. The data they collect will be routed to processing > centres at Zimmerwald and near Copenhagen, and then exchanged with other > intelligence agencies. 
> > By the time they are complete in 2002, the new stations will be capable of > simultaneously intercepting messages from about 25 satellites. This will > provide the US with more capacity than is provided by the three smaller > members of the current US alliance- Canada, Australia and New Zealand put > together. Mmmmm... capacity for what? A bit meaningless as given here. > Neither Denmark nor Switzerland has claimed that the new spy bases are > being provided for national requirements. According to General > Peter Regli, > head of the Swiss Untergruppe Nachrichtendienst der Armee (UNA) military > intelligence unit, the purpose of the Swiss system called SATOS-3 is to > trade information with partner spy agencies. And that is a simple sophistry. Whether or not what is written is true, the reason such stations are built is to serve a national interest. Or is it some vast, subversive US plan to buy intelligence facilities for greasy dollars? I rather think not. > This and other developments suggest that the U.S. intelligence agencies > have long been planning how to overcome the new European intelligence and > privacy concerns. Their goal appears to go further than merely protecting > existing surveillance operations against privacy campaigners or > restrictions proposed by the European Parliament. The greater target > appears to be to head off, or at least subvert and minimise the impact of > an independent European intelligence capability. Not so. To anyone who understands the control of the arms of state, it must be a nonsense for reasons outlined. The most if not all of the present EU states will assure that no such capability is brought into being before there are Federal structures and policy goals for its proper employment. Were US interests to be pointedly anti-European federation, they would give every encouragement to such dangerous (to EU interests) and foolish nonsense. > Now, in Bavaria and the > Basque country, these battle lines have been joined. 
A mountain has been made out of a molehill, methinks. In Bavaria, the US has sensibly decided that it is cheaper to take its toys elsewhere and the only losers are, economically, the Bavarian govt and in terms of what it might have got had it asked for less, The German federal government. In Spain, as the article itself eventually points out- the anti-ETA cooperation is much older than the current little EUP spat about Echelon. Really, it's a windmill, Don Quixote. Owen From owen.blacker@wheel.co.uk Fri, 27 Jul 2001 15:00:56 +0100 Date: Fri, 27 Jul 2001 15:00:56 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: FW: Sircam infects the Feds -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry, ordinarily I wouldn't forward stuff like this, but it made me smile, and it's possibly of interest, if a little off-topic :o) > -----Original Message----- > From: Java_Security@itw.itworld.com > Sent: Friday, July 27, 2001 12:22 PM > > > JAVA SECURITY --- July 27, 2001 > Published by ITworld.com -- changing the way you view IT > http://www.itworld.com/newsletters > ______________________________________________________________ > > [deletia] > > Sircam Hits FBI Cybersecurity Group > By Sam Costello > > The Sircam virus has struck what may seem like one of the most unlikely > places: The National Infrastructure Protection Center, the cybersecurity > organization created by the U.S. Federal Bureau of Investigation, > according to a report by the Wall Street Journal Online. > > The worm infected the PC of a researcher at the NIPC, and though it did > not spread throughout the NIPC, Sircam did send eight internal documents > marked "official use only" to outsiders, the Journal reported. The > Journal also reported that no classified or sensitive information was > released, according to FBI spokeswoman Debbie Weierman. Weierman did not > return repeated calls for comment from the IDG News Service Wednesday > morning. 
> > Sircam is an e-mail worm that has been spreading at speedy clip over the > past week. The worm arrives as an e-mail in either English or Spanish > bearing the message "Hi! How are you? I send you this file in order to > have your advice. See you later. Thanks." > > Sircam will either grab a document off the hard drive of the infected > system and resend it when the worm spreads, thus potentially spreading > sensitive or confidential files, or, in some cases, delete all files on > the system's hard drive. When the attachment sent with an infected e-mail > is double-clicked, the worm searches the PC's Windows Address Book for > e-mail addresses and sends itself to all addresses listed there. > > [deletia] > > Copyright 2001 ITworld.com, Inc., All Rights Reserved. > http://www.itworld.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBO2FzUVVeQSYAA2h0EQIKGACg7Ak+I2x03drS7xvKaSMy1bUxEQ4AniWw Zr+3I44gdf52S5nn0mKcnVfX =FhhW -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From martinh@solid-state-logic.com Fri, 27 Jul 2001 16:46:00 +0100 Date: Fri, 27 Jul 2001 16:46:00 +0100 From: Martin hepworth martinh@solid-state-logic.com Subject: FW: Sircam infects the Feds well like all things you take a risk when using it. Admittedly the risk from stuff like this happening with M$ products is higher and you need quite a bit of technology and mechanisms to protect yourself but its still risk based. I note that Sophos put out an alert and update 18th July. The whole thing went crazy 25th. So everyone had 6 days to update their AV technology to catch this before it hit bad. Shame on the feds for not doing basic stuff. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 Owen Blacker wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sorry, ordinarily I wouldn't forward stuff like this, but it made me smile, > and it's possibly of interest, if a little off-topic :o) > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From octobersdad@reporters.net Fri, 27 Jul 2001 23:14:16 +0100 Date: Fri, 27 Jul 2001 23:14:16 +0100 From: T Bruce Tober octobersdad@reporters.net Subject: FW: Sircam infects the Feds -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <3B618CB8.5513890C@solid-state-logic.com>, Martin hepworth writes >I note that Sophos put out an alert and update 18th July. The whole >thing went crazy 25th. So everyone had 6 days to update their AV >technology to catch this before it hit bad. Shame on the feds for not >doing basic stuff. OTOH, AV software isn't perfect: Symantec fails to stop SirCam By John Leyden Posted: 27/07/2001 at 12:30 GMT http://www.theregister.co.uk/content/56/20696.html The SirCam worm has revealed weaknesses in anti-virus protection relied on by many firms as a first line of defence against viral infection. It's been discovered that both Baltimore Technologies MIMEsweeper content filtering software and Symantec's perimeter protection product, Norton Antivirus for Gateways v2.x, fail to block the prolific virus. 
Norton Antivirus for Gateways fails to see email with attachments contaminated by the virus, even if the correct settings have been applied and the latest versions of virus-identfying signature files have been downloaded. - -- | Bruce Tober, , | *.* *.* *.* *.* | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2HnuElMGg3Z3q20EQL29QCg7MQY3DrsVe5quPdkXTsW9kqc27kAmwQV 5Z+0huytbXgDjlz4lJLOw5S1 =G36I -----END PGP SIGNATURE----- From nexus@patrol.i-way.co.uk Sat, 28 Jul 2001 02:07:12 +0100 Date: Sat, 28 Jul 2001 02:07:12 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: FW: Sircam infects the Feds Personally, I think that both issues are as a result of the human factor - the first for being the twit that ran an attachment without checking it first and the second for the AV developers making the false assumption that worms containing their own SMTP client would obey RFC and construct correct MIME headers - like duuuuhhhhhhhhh..... OK Fred ! Email gateways using AV software should have the ethos of "if in doubt, quarantine the little bleeder" - hence the other current fave of sending that little 42.zip file that kills certain AV/content filtering email gateways ;-) (42.zip is a specially constructed zip file that is 42K in size, but when fully expanded end up at about 4Gb) Since I'm rapidly drifting off of the list mandate, I'll stop there.. 
Cheers, JJ ----- Original Message ----- From: "T Bruce Tober" To: Sent: Friday, July 27, 2001 11:14 PM Subject: Re: FW: Sircam infects the Feds [snip] > OTOH, AV software isn't perfect: [snip] From richard@highwayman.com Sat, 28 Jul 2001 14:49:04 +0100 Date: Sat, 28 Jul 2001 14:49:04 +0100 From: Richard Clayton richard@highwayman.com Subject: FW: Sircam infects the Feds -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <00f701c11701$a239aee0$1e01320a@Drizzt>, Nexus writes >hence the other current fave of sending that little 42.zip file >that kills certain AV/content filtering email gateways ;-) >(42.zip is a specially constructed zip file that is 42K in size, but when >fully expanded end up at about 4Gb) nothing new under the sun :-( this attack was used against the MIT anon remailer prior to 1998 ftp://cag.lcs.mit.edu/pub/dm/papers/mazieres:pnym.pdf >Since I'm rapidly drifting off of the list mandate, I'll stop there.. "The only thing we learn from history is that we learn nothing from history." Hegel ... though I see that a fair number of web sites ascribe it to Cicero ! - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2LC0BfnRQV/feRLEQKDYgCfWQDLWT42wpNGRcRvCmABy9u6yWgAoMlo PHn/XJQnp5ogm/o0aiLJin4o =bVmW -----END PGP SIGNATURE----- From ben@algroup.co.uk Sat, 28 Jul 2001 16:52:59 +0100 Date: Sat, 28 Jul 2001 16:52:59 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Confused - Elva-Louise Perkins elva.perkins@talk21.com wrote: > This email is privileged and is confidential. If you receive it in error, please reply to inform me, and delete it and your reply. Many thanks. Hehe. New heights of stupidity! Delete my reply? Sez who? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." 
- Robert Woodruff From tbt@star-dot-star.co.uk Sat, 28 Jul 2001 18:03:09 +0100 Date: Sat, 28 Jul 2001 18:03:09 +0100 From: Bruce Tober tbt@star-dot-star.co.uk Subject: FW: Sircam infects the Feds -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <3B618CB8.5513890C@solid-state-logic.com>, Martin hepworth writes >I note that Sophos put out an alert and update 18th July. The whole >thing went crazy 25th. So everyone had 6 days to update their AV >technology to catch this before it hit bad. Shame on the feds for not >doing basic stuff. OTOH, AV software isn't perfect: Symantec fails to stop SirCam By John Leyden Posted: 27/07/2001 at 12:30 GMT http://www.theregister.co.uk/content/56/20696.html The SirCam worm has revealed weaknesses in anti-virus protection relied on by many firms as a first line of defence against viral infection. It's been discovered that both Baltimore Technologies MIMEsweeper content filtering software and Symantec's perimeter protection product, Norton Antivirus for Gateways v2.x, fail to block the prolific virus. Norton Antivirus for Gateways fails to see email with attachments contaminated by the virus, even if the correct settings have been applied and the latest versions of virus-identfying signature files have been downloaded. - -- | Bruce Tober, , Freelance Journalist, | | My Website | | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2LwTccIpTh0zLu1EQJevQCgq9Jd3QX0G5z3jcKGRpu/NbvxHKAAnjYC FpWG+TJ4kzf4HmbLamH1jK4E =NVnE -----END PGP SIGNATURE----- From nexus@patrol.i-way.co.uk Sat, 28 Jul 2001 21:08:52 +0100 Date: Sat, 28 Jul 2001 21:08:52 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: FW: Sircam infects the Feds Here we go again.... If you feel the need to have a go at me, at least have the bottle, backbone, balls and common fucking courtesy to tell me directly, not the list - guess not. 
Then neither will I as I can be just as childish if forced. ----- Original Message ----- From: "Richard Clayton" To: Sent: Saturday, July 28, 2001 2:49 PM Subject: Re: FW: Sircam infects the Feds [snip] > nothing new under the sun :-( [snip] Being a total and complete moron, may I please request that you point this total fuckwit at the section of the email that this total fuckwit wrote, typed, said, implied, or even inferred that this was new ? I only wrote it, so buggered if I know at which point I stated that this was a new thing - Mea Culpa. Your point is ? Please speak slowly as I'm a bear of very little brain and long words puzzle me. [snip] >this attack was used against the MIT anon remailer prior to 1998 > ftp://cag.lcs.mit.edu/pub/dm/papers/mazieres:pnym.pdf [snip] And similar has been done since Morris - nothing new under the sun. Bugger, some God already said that, pathetic little worm that I am. [snip] > >Since I'm rapidly drifting off of the list mandate, I'll stop there.. > > "The only thing we learn from history is that we learn nothing from > history." > Hegel ... though I see that a fair number > of web sites ascribe it to Cicero ! [snip] "There are eyes that see nothing at all, there are ears that hear but they don't recall" The Hunt, New Model Army, from the Album "Ghost of Cain" [snip] > - -- > richard @ highwayman . com "Nothing seems the same > Still you never see the change from day to day > And no-one notices the customs slip away" [snip] Tip for the day, lose the blinkers and arrogance and try and deal with your fellow man as you would have them deal with you. 
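The "if in doubt, quarantine" stance for mail gateways and the 42.zip expansion problem discussed in the messages above, as an added example that is not code from the list or from any product named in the thread: a Python pre-scan check that bounds how far a ZIP attachment may expand before a scanner unpacks it. The `Policy` limits, function names and sample archives are assumptions constructed for illustration, and the shared budget across nested archives is a generalisation beyond the single case the thread describes.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # All limits are assumed values for illustration; tune them per gateway.
    max_total_bytes: int = 64 * 1024 * 1024  # expansion budget for one attachment
    max_ratio: int = 200                     # declared uncompressed:compressed ratio
    ratio_floor: int = 1024 * 1024           # skip the ratio test below this size
    max_members: int = 2000
    max_depth: int = 2                       # archive-inside-archive levels allowed


class Quarantine(Exception):
    """The attachment could not be shown to be safe to unpack."""


def _scan(data, depth, remaining, policy):
    """Walk one archive level; return the expansion budget still unspent."""
    if depth > policy.max_depth:
        raise Quarantine("archive nesting exceeds %d levels" % policy.max_depth)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > policy.max_members:
                raise Quarantine("too many members")
            for info in infos:
                if info.flag_bits & 0x1:
                    raise Quarantine("encrypted member cannot be inspected")
                # Cheap pre-checks on the sizes the archive declares.
                if info.file_size > remaining:
                    raise Quarantine("declared size exceeds expansion budget")
                if (info.file_size >= policy.ratio_floor and
                        info.file_size > policy.max_ratio * max(info.compress_size, 1)):
                    raise Quarantine("compression ratio above %d:1" % policy.max_ratio)
                # Backstop: count the bytes actually produced, chunk by chunk,
                # so memory use can never exceed the budget.
                body = bytearray()
                with zf.open(info) as member:
                    while True:
                        chunk = member.read(64 * 1024)
                        if not chunk:
                            break
                        remaining -= len(chunk)
                        if remaining < 0:
                            raise Quarantine("expansion budget exhausted")
                        body += chunk
                # Nested archives draw on the same budget, one level deeper.
                if zipfile.is_zipfile(io.BytesIO(body)):
                    remaining = _scan(bytes(body), depth + 1, remaining, policy)
    except (zipfile.BadZipFile, zlib.error, NotImplementedError, EOFError) as exc:
        raise Quarantine("unreadable archive: %s" % exc) from exc
    return remaining


def inspect_attachment(data, policy=Policy()):
    """Return 'deliver' or 'quarantine: <reason>' for a ZIP-typed attachment."""
    try:
        _scan(data, 0, policy.max_total_bytes, policy)
    except Quarantine as why:
        return "quarantine: %s" % why
    return "deliver"


def make_zip(members):
    """Build a small constructed sample archive in memory (name -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an ordinary note, and 2 MiB of zero bytes.
    print(inspect_attachment(make_zip({"note.txt": b"hello list"})))
    print(inspect_attachment(make_zip({"zeros.bin": bytes(2 * 1024 * 1024)})))
```

Anything the check cannot read or parse is held rather than passed, which is the failure mode the thread attributes to gateways that assumed well-formed input.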
From pwt@iosis.co.uk Sat, 28 Jul 2001 21:33:28 +0100 Date: Sat, 28 Jul 2001 21:33:28 +0100 From: Peter Tomlinson pwt@iosis.co.uk Subject: FW: Sircam infects the Feds Well, having deleted the incoming hostilities on this thread, I warn anyone using Norton AV on a single system that the update that I downloaded only 3 days ago does not catch Sircam - one just got through to me without Norton catching it. Peter T Bristol UK From richard@highwayman.com Sun, 29 Jul 2001 11:33:10 +0100 Date: Sun, 29 Jul 2001 11:33:10 +0100 From: Richard Clayton richard@highwayman.com Subject: ASSISTANCE FOR MUTUAL BENEFITS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <20010729053206.PGEB18323.mta09.onebox.com@onebox.com>, junior kabila writes >JUNIOR KABILA >29 FERRET AVENUE >SANTON >JOHANNESBURG >SOUTH Africa. [419 scam snipped] the best place for reporting this I am aware of is: http://www.africaservice.com/fraud/reporting.html though US subscribers can report it to USSS at: http://www.state.gov/www/regions/africa/naffpub.pdf Perhaps our readers from the Home Office could comment on who in the UK accepts reports of these scams ... I got the impression from the NHTCU that it might not be their patch! - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2PmZhfnRQV/feRLEQL+3gCgxN0Ua82GILVWVmigFA92NJdu22IAnjHh 9oOuP90WFGWjIbGGWEjOh2tJ =QY8T -----END PGP SIGNATURE----- From nexus@patrol.i-way.co.uk Sun, 29 Jul 2001 15:16:03 +0100 Date: Sun, 29 Jul 2001 15:16:03 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: FW: Sircam infects the Feds - Apologies Let's try that one again folks. I would like to apologise to Richard and the list members for my outburst, that was both unnecessary and uncalled for and I am seriously annoyed with myself. 
I'm not going into the details as to why, suffice to say that I'm not really myself atm due to other ummm... things. That will probably explain the very out-of-character comments I made, for which I again apologise. I'm not making excuses nor intimating for mitigating circumstances, just trying to explain myself as best I can as to why it occurred. Regards, JJ From dave@xemu.demon.co.uk Sat, 28 Jul 2001 17:58:07 +0100 Date: Sat, 28 Jul 2001 17:58:07 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Peter Fairbrother writes >> I think it might not be so hard as you imagine, in some contexts. >> Consider what it would take to institute universal end-to-end >> encryption for cellphones to protect against passive eavesdropping. >> The technological infrastructure is well within our reach, and it doesn't >> require a global PKI where every cellphone user must have a certified >> public key. > > >Implementing protections against passive-only interception is a bit like >installing a reinforced, fortified door and leaving the windows unlocked. It >might deter the casual passerby from theft but it's not going to seriously >inconvenience determined thieves. Without meaning to give offence, I >generally regard honest advocates of such systems as either babes in the >woods or ********* ******. No, it is simply a matter of shifting the balance of power. I have to depend on phone and other switches operated by large businesses who can be corrupted without my having any say: end to end crypto resolves this problem. It means eavesdropping must be done by targeting the end nodes, homes or offices, of particular participants. This is more labour intensive at the moment so must be done more selectively. It is also seen as more offensive by innocent targets and their contacts.... 
people are less happy at the idea of being bugged in their own houses and may get rather unhappy with police who do it. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2LvH38v/Y5zkfRPEQLabwCdEdsagNZFr9/5Z4DOiFC2b38/D4AAn2eb lEz6kbcqdHixD5T0vCXJ9xcL =nQmg -----END PGP SIGNATURE----- From richard@highwayman.com Sun, 29 Jul 2001 20:58:53 +0100 Date: Sun, 29 Jul 2001 20:58:53 +0100 From: Richard Clayton richard@highwayman.com Subject: FW: Sircam infects the Feds - Apologies -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <001101c11839$1f491410$1e01320a@Drizzt>, Nexus writes >I would like to apologise to Richard and the list members for my outburst, no problem... I probably made my point rather crassly I was trying to add yet another illustration to a general theme that because the computer industry changes so fast and because the developers tend to be so young, there is a feeling that there is no point learning anything about the past because it was far too different then --- whereas many things recur. Those who remember the furore about BBS's in the 80's might recognise common themes in the current interest in chat rooms... Those who remember tape protection schemes (and how they fared in the marketplace) may recognise common themes in what the record industry is doing.... Those who remember US encryption policies from a few years ago may recognise what our government is doing now... plus ca change, plus la meme chose - -- richard @ highwayman . 
com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2Rq/RfnRQV/feRLEQK2iQCgzGW2e55LqK9Kws9trOdFYAFYa/QAoKot bTy2777J4ps0v5Rik39kezGY =HtA/ -----END PGP SIGNATURE----- From oml@eloka.demon.co.uk Sun, 29 Jul 2001 21:18:13 +0100 Date: Sun, 29 Jul 2001 21:18:13 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Richard > Clayton > Sent: 29 July 2001 11:33 > To: UKcrypto@chiark.greenend.org.uk > Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In article <20010729053206.PGEB18323.mta09.onebox.com@onebox.com>, > junior kabila writes > > >JUNIOR KABILA > >29 FERRET AVENUE > >SANTON > >JOHANNESBURG > >SOUTH Africa. > > [419 scam snipped] > > the best place for reporting this I am aware of is: > > http://www.africaservice.com/fraud/reporting.html > > though US subscribers can report it to USSS at: > > http://www.state.gov/www/regions/africa/naffpub.pdf > > > Perhaps our readers from the Home Office could comment on who in the UK > accepts reports of these scams ... I got the impression from the NHTCU > that it might not be their patch! I just forwarded one of my two copies to a chum in RSA who is placed to bring down the Curse of Gnome on Junior if he is so minded. N.B. Junior can't spell Sandton (quite possibly because his temporary financial embarrassment prevents him from affording the bus fare to visit it). 
Wouldn't expect to find a Ferret Avenue there either :-) Owen From oml@eloka.demon.co.uk Sun, 29 Jul 2001 21:18:14 +0100 Date: Sun, 29 Jul 2001 21:18:14 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Dave Bird > Sent: 28 July 2001 17:58 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > ..... I have to > depend on phone and other switches operated by large businesses who can > be corrupted without my having any say: end to end crypto resolves > this problem. It means eavesdropping must be done by targeting the > end nodes, homes or offices, of particular participants. This is more > labour intensive at the moment so must be done more selectively. It is > also seen as more offensive by innocent targets and their contacts.... > people are less happy at the idea of being bugged in their own houses > and may get rather unhappy with police who do it. Which is, I have little doubt, what many of those who advocate such a course would like to bring about. However, it is also the prime reason why such an entire shift in the methodology will never come about. 
Owen From oml@eloka.demon.co.uk Sun, 29 Jul 2001 21:27:05 +0100 Date: Sun, 29 Jul 2001 21:27:05 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: FW: Sircam infects the Feds - Apologies > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Richard > Clayton > Sent: 29 July 2001 20:59 > To: UKcrypto@chiark.greenend.org.uk > Subject: Re: FW: Sircam infects the Feds - Apologies > > I was trying to add yet another illustration to a general theme that > because the computer industry changes so fast and because the developers > tend to be so young, there is a feeling that there is no point learning > anything about the past because it was far too different then --- > whereas many things recur. > > Those who remember the furore about BBS's in the 80's might recognise > common themes in the current interest in chat rooms... > > Those who remember tape protection schemes (and how they fared in the > marketplace) may recognise common themes in what the record industry is > doing.... > > Those who remember US encryption policies from a few years ago may > recognise what our government is doing now... > > plus ca change, plus la meme chose Toujours, mon vieux :-) And, every now and again, those of us who are old enough to know how to wright a wheel, make some money when it is time for it (yet again) to be re-invented. The world was ever thus; the comfort of it is one of the few pleasures of advancing years, once one is past the magic number 30, when any self respecting person has either had the sense to die or be shut up, out of sight and out of mind, in 'sheltered accommodation'. 
Owen From brg@gladman.plus.com Sun, 29 Jul 2001 23:20:01 +0100 Date: Sun, 29 Jul 2001 23:20:01 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: Echelon Furor Ends in a Whimper ----- Original Message ----- From: "Dave Bird" To: Sent: Saturday, July 28, 2001 5:58 PM Subject: Re: Wired: Echelon Furor Ends in a Whimper > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In article , Peter > Fairbrother writes > >> I think it might not be so hard as you imagine, in some contexts. > >> Consider what it would take to institute universal end-to-end > >> encryption for cellphones to protect against passive eavesdropping. > >> The technological infrastructure is well within our reach, and it doesn't > >> require a global PKI where every cellphone user must have a certified > >> public key. > > > > > >Implementing protections against passive-only interception is a bit like > >installing a reinforced, fortified door and leaving the windows unlocked. It > >might deter the casual passerby from theft but it's not going to seriously > >inconvenience determined thieves. Without meaning to give offence, I > >generally regard honest advocates of such systems as either babes in the > >woods or ********* ******. > > No, it is simply a matter of shifting the balance of power. I agree entirely - the most significant point about end-to-end encryption is that it puts real power in the hands of end users. Which is, of course, precisely why past governments have fought so hard to prevent its spread. 
Brian From dave@xemu.demon.co.uk Sun, 29 Jul 2001 21:37:52 +0100 Date: Sun, 29 Jul 2001 21:37:52 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: Wired: Echelon Furor Ends in a Whimper -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Owen Lewis writes >> -----Original Message----- >> From: ukcrypto-admin@chiark.greenend.org.uk >> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Dave Bird >> Sent: 28 July 2001 17:58 >> To: ukcrypto@chiark.greenend.org.uk >> Subject: Re: Wired: Echelon Furor Ends in a Whimper >> >> >> ..... I have to >> depend on phone and other switches operated by large businesses who can >> be corrupted without my having any say: end to end crypto resolves >> this problem. It means eavesdropping must be done by targeting the >> end nodes, homes or offices, of particular participants. This is more >> labour intensive at the moment so must be done more selectively. It is >> also seen as more offensive by innocent targets and their contacts.... >> people are less happy at the idea of being bugged in their own houses >> and may get rather unhappy with police who do it. > >Which is, I have little doubt, what many of those who advocate such a course >would like to bring about. However, it is also the prime reason why such an >entire shift in the methodology will never come about. But of course it is open to individual users to choose such end-to-end systems as are directly available from them, and they should do so. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses happy as a clam at high tide -. <_" .-._.-. -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2R0IH8v/Y5zkfRPEQJ6rwCfTmeM9xh5QmXdK5hQboCK+p/XRv8AoO23 0cMAplXkVcj6rp5h/eYfMJGw =owZv -----END PGP SIGNATURE----- From Simon.Watkin@homeoffice.gsi.gov.uk Mon, 30 Jul 2001 09:10:03 +0100 Date: Mon, 30 Jul 2001 09:10:03 +0100 From: Watkin Simon Simon.Watkin@homeoffice.gsi.gov.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS Q. 
Who in the UK can you report 419 letters or e-mails to? A. Forward them to the National Criminal Intelligence Service, PO Box 8000, London SE11 5EN or mailto:419@spring39.demon.co.uk For more go to: http://www.ncis.co.uk/press/24_01.html Simon Watkin Hi-Tech Crime Team Policing Organised Crime Unit Home Office LONDON mailto:simon.watkin@homeoffice.gsi.gov.uk -----Original Message----- From: Richard Clayton [mailto:richard@highwayman.com] Sent: 29 July 2001 11:33 To: UKcrypto@chiark.greenend.org.uk Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS Perhaps our readers from the Home Office could comment on who in the UK accepts reports of these scams ... I got the impression from the NHTCU that it might not be their patch! - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" ********************************************************************** This email and any files transmitted with it are private and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please return it to the address it came from telling them it is not for you and then delete it from your system. This email message has been swept for computer viruses. ********************************************************************** From Q.G.Campbell@newcastle.ac.uk Mon, 30 Jul 2001 11:09:18 +0100 Date: Mon, 30 Jul 2001 11:09:18 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: FW: U.K. anti-terrorism law imperils hackers, privacy,property An interesting U.S. commentary on aspects of the UK Terrorism Act 2000. Appears to be wrong in attributing the Act to the current "uneasy situation" in Northern Ireland. As the Explanatory Notes of the Act show, its history and antecedents are rather older. Supports suggestion that Terrorism Act may be used to tackle computer hacking and related crimes that should be dealt with by the CMU Act 1990. 
To be classed as a "terrorist" rather than a petty criminal under the CMU gives rise to questions about proportionality? Cites comments by Ross Anderson (on this list?), among other sources, and raises issues about reverse burden of proof in certain situations. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinions expressed above are mine. The University can get its own." > -----Original Message----- >Delivered-To: ip-sub-1-outgoing@admin.listbox.com >Delivered-To: ip-sub-1@majordomo.pobox.com >X-Sender: farber@linc.cis.upenn.edu >Date: Sun, 29 Jul 2001 09:06:29 -0400 >To: ip-sub-1@majordomo.pobox.com >From: David Farber >Subject: IP: U.K. anti-terrorism law imperils hackers, privacy, >property >Sender: owner-ip-sub-1@admin.listbox.com >Reply-To: farber@cis.upenn.edu >X-Filter-Version: 2.3 (cheviot2.ncl.ac.uk) > > >>Date: Sat, 28 Jul 2001 20:51:49 -0400 >>From: Declan McCullagh >> >> >>http://www.cluebot.com/article.pl?sid=01/07/28/2336239&mode=nested >> >> U.K. Anti-Terrorism Law Imperils Hackers, Privacy >> posted by cicero on Saturday July 28, @06:34PM >> from the how-nice-that-hackers-are-covered-too dept. >> >> >> A U.K. law that took effect this year gives police >> far-ranging powers >> to make warrantless arrests, enter buildings without >> court orders, and >> punish people for having information that could be useful to >> terrorists. >> >> The measure, called the Terrorism Act of 2000, received >> royal assent >> in July 2000. It became law in February 2001. >> >> Parliament, after lengthy debate, defined "terrorism" >> as any threat to >> influence any government (U.K. or other) or group "for >> the purpose of >> advancing a political, religious or ideological cause." 
>> Actions that >> are punishable include those that threaten or carry out "serious >> damage to property," endanger public safety, or are >> "designed >> seriously to interfere with or seriously to disrupt an >> electronic >> system." >> >> If you think that covers hackers, well, you're right. >> And it's no >> accident. >> >> A ZDNET article reports that: "Computer hackers could >> be classed as >> terrorists under a U.K. law." So does this Register writeup. >> >> An IDG article in February confirmed that the Home >> Office plans to >> prosecute hackers under the Terrorism Act. >> >> Unfortunately, the reporter never mentioned some of the more >> disturbing aspects of the law. >> >> It allows police to randomly stop people on streets, >> who are then >> required to give their names (so much for anonymity) or >> go to prison. >> Cops can seize any cash that they believe "is intended >> to be used for >> the purposes of terrorism," with no court authorization >> required. Gone >> is the traditional burden of proof: Judges are required >> to assume that >> contraband in the same building as the accused is owned >> by the accused >> "unless he proves that he did not know of its presence >> on the premises >> or that he had no control over it." >> >> Perhaps the most fascinating section restricts even >> owning information >> that could be useful to "a person committing or >> preparing an act of >> terrorism." If hackers are terrorists, better delete >> your copy of Back >> Orifice and bugtraq archives now. >> >> This Draconian law can be explained by the uneasy situation in >> Northern Ireland, which has been marked by recent car bombs and >> grenade attacks reportedly performed by IRA factions. >> (The law is, >> according to the Home Office, designed to be one >> uniform measure "to >> replace the existing, separate pieces of temporary >> legislation for >> Northern Ireland and Great Britain.") >> >> Americans, be warned. 
Congress is spending more and >> more time talking >> about bio-chem, Internet, and nuclear attacks. Soon you could be >> facing the same invasions of privacy and property. >> >> At least the spirit of John Locke isn't completely dead >> in his native >> land. >> >> "The legislation which gives the authorities extra >> powers should have >> to be renewed by parliament regularly rather than being >> permanent >> legislation. The definition of terrorism is also far >> too wide, in >> spite of significant efforts by Liberal Democrats and others in >> parliament to improve it," Simon Hughes, Liberal >> Democrat Shadow Home >> Secretary, said in a statement. The Liberal Democrats >> are the third >> largest political party. >> >> In a discussion on a U.K. mailing list, Ross Anderson >> of Cambridge >> University said that the law was written so broadly >> that it could >> imperil his computer security work. Predicted Anderson: >> "So now we >> know. We are all terrorists now!" >> >> Another list member chimed in: "So interfering with an >> electronic >> system in order to advance a political cause seems to me to be >> covered, or at least it could be argued that it was covered. Is >> defacing a website 'terrorism?' Or distributing a >> stupid word macro by >> email? It looks as if, had the 'love bug' mail message contain a >> political or religious slogan it could be defined as >> terrorism by this >> standard. >> >> Below are some excerpts from the law. You can find the >> complete text >> at www.legislation.hmso.gov.uk/acts/acts2000/20000011.htm, and a >> protest site at >> http://www.blagged.freeserve.co.uk/ta2000/index.htm. >> >> >> _________________________________________________________________ >> >> >>EXCERPTS FROM TERRORISM ACT: > >> > >> > >>Arrest of suspected terrorists power of entry. 81. 
A constable may > >>enter and search any premises if he reasonably suspects that a > >>terrorist, within the meaning of section 40(1)(b), is to be found > >>there. > >> > >> > >>Terrorist information. 103. - (1) A person commits an > offence if- (a) > >>he collects, makes a record of, publishes, communicates or > attempts to > >>elicit information about a person to whom this section > applies which > >>is of a kind likely to be useful to a person committing or > preparing > >>an act of terrorism, or (b) he possesses a document or record > >>containing information of that kind. > >> > >> > >>Arrest without warrant. 41. - (1) A constable may arrest without a > >>warrant a person whom he reasonably suspects to be a > terrorist. (2) > >>Where a person is arrested under this section the provisions of > >>Schedule 8 (detention treatment, review and extension) shall apply. > >> > >> > >>Search of persons. 43. - (1) A constable may stop and search a > >>person whom he reasonably suspects to be a terrorist to discover > >>whether he has in his possession anything which may constitute > >>evidence that he is a terrorist. > >> > >> > >>Power to stop and search > >>Authorisations. 44. - (1) An authorisation under this subsection > >>authorises any constable in uniform to stop a vehicle in an > area or at > >>a place specified in the authorisation and to search > [vehicle, driver, > >>passenger, etc.] > >> > >> > >>Possession onus of proof. 77. - (1) This section applies > to a trial > >>on indictment for a scheduled offence where the accused is charged > >>with possessing an article in such circumstances as to > constitute an > >>offence under any of the enactments listed in subsection (3). 
> >> (2) If it is proved that the article- > >> (a) was on any premises at the same time as the accused, or > >> (b) was on premises of which the accused was the > occupier or which > >>he habitually used otherwise than as a member of the > public, the court > >>may assume that the accused possessed (and, if relevant, knowingly > >>possessed) the article, unless he proves that he did not > know of its > >>presence on the premises or that he had no control over it. > >> > >> > >>Explosives inspectors. 85. - (1) An explosives inspector may enter > >>and search any premises for the purpose of ascertaining whether any > >>explosive is unlawfully there. (2) The power under > subsection (1) may > >>not be exercised in relation to a dwelling. > >> > >> > >>Power of entry. 90. - (1) An officer may enter any premises if he > >>considers it necessary in the course of operations for the > >>preservation of the peace or the maintenance of order. > >> > >> > >>Penalties. 22. A person guilty of an offence under any of > sections 15 > >>to 18 shall be liable- (a) on conviction on indictment, to > >>imprisonment for a term not exceeding 14 years, to a fine > or to both, > >>or (b) on summary conviction, to imprisonment for a term > not exceeding > >>six months, to a fine not exceeding the statutory maximum > or to both. > >> > >> > >>Seizure and detention. 25. - (1) An authorised officer may > seize and > >>detain any cash to which this section applies if he has reasonable > >>grounds for suspecting that- (a) it is intended to be used for the > >>purposes of terrorism, > >> > >> > >>Weapons training. 54. - (1) A person commits an offence if he > >>provides instruction or training in the making or use of- > >> (a) firearms, > >> (b) explosives, or > >> (c) chemical, biological or nuclear weapons. 
> >>It is a defence for a person charged with an offence under this > >>section in relation to instruction or training to prove that his > >>action or involvement was wholly for a purpose other than > assisting, > >>preparing for or participating in terrorism. > >> > >> > >>Collection of information. 58. - (1) A person commits > an offence if- > >> (a) he collects or makes a record of information of a > kind likely > >>to be useful to a person committing or preparing an act of > terrorism, or > >> (b) he possesses a document or record containing information of > >>that kind. > >> (2) In this section "record" includes a photographic or > >>electronic record. > >> (3) It is a defence for a person charged with an offence under > >>this section to prove that he had a reasonable excuse for his action > >>or possession. > >> > >> > >>Power to stop and question. 89. - (1) An officer may stop a > person for > >>so long as is necessary to question him to ascertain- > >>(a) his identity and movements; > >>(b) what he knows about a recent explosion or another > recent incident > >>endangering life; > >>(c) what he knows about a person killed or injured in a recent > >>explosion or incident. > >>(2) A person commits an offence if he- > >>(a) fails to stop when required to do so under this section, > >>(b) refuses to answer a question addressed to him under > this section, > >>or > >>(c) fails to answer to the best of his knowledge and ability a > >>question addressed to him under this section. > >>(3) A person guilty of an offence under this section shall be liable > >>on summary conviction to a fine not exceeding level 5 on > the standard > >>scale. > >>(4) In this section "officer" means- > >>(a) a member of Her Majesty's forces on duty, or > >>(b) a constable. 
> >> > >>### > > > > > > > >For archives see: http://www.interesting-people.org/ > From ben@algroup.co.uk Mon, 30 Jul 2001 13:13:02 +0100 Date: Mon, 30 Jul 2001 13:13:02 +0100 From: Ben Laurie ben@algroup.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS Watkin Simon wrote: > > Q. Who in the UK can you report 419 letters or e-mails to? > > A. Forward them to the National Criminal Intelligence Service, PO Box 8000, > London SE11 5EN or mailto:419@spring39.demon.co.uk The NCIS has a Demon mailbox??? > For more go to: http://www.ncis.co.uk/press/24_01.html > > Simon Watkin > Hi-Tech Crime Team > Policing Organised Crime Unit > Home Office > LONDON > mailto:simon.watkin@homeoffice.gsi.gov.uk > > -----Original Message----- > From: Richard Clayton [mailto:richard@highwayman.com] > Sent: 29 July 2001 11:33 > To: UKcrypto@chiark.greenend.org.uk > Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS > > Perhaps our readers from the Home Office could comment on who in the UK > accepts reports of these scams ... I got the impression from the NHTCU > that it might not be their patch! BTW, I've been trying to figure out how these scams actually work - my assumption is that if you are stupid enough to bite, they will then hit you for some money required to process paperwork or some such - but is there anything more cunning going on? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From nexus@patrol.i-way.co.uk Mon, 30 Jul 2001 13:30:53 +0100 Date: Mon, 30 Jul 2001 13:30:53 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS It would seem so... and a static dialup user account as well... 
Name: spring39.demon.co.uk Address: 193.237.36.193 inetnum: 193.237.0.0 - 193.237.255.255 netname: UK-DEMON-970724 descr: DEMON INTERNET descr: Provider Local Registry descr: allocation for very small assignments descr: for static dial-up descr: contact info refers to ISP descr: DEMON country: GB Please send your details to this 3rd party ISP ;-) Still, at least the NCIS website is on another provider, as is homeoffice.gsi.gov.uk Cheers. ----- Original Message ----- From: "Ben Laurie" To: Sent: Monday, July 30, 2001 1:13 PM Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS [snip] > > A. Forward them to the National Criminal Intelligence Service, PO Box 8000, > > London SE11 5EN or mailto:419@spring39.demon.co.uk > > The NCIS has a Demon mailbox??? > From Q.G.Campbell@newcastle.ac.uk Mon, 30 Jul 2001 15:45:18 +0100 Date: Mon, 30 Jul 2001 15:45:18 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS [snip] > BTW, I've been trying to figure out how these scams actually > work - my assumption is that if you are stupid enough to > bite, they will then hit you for some money required to > process paperwork or some such - but is there anything more > cunning going on? Ben You are correct. There is nothing more cunning involved than exploiting simple greed and gullibility and knowing how to play people along. Once people are hooked there may also be a measure of threat involved as well. It was the BBC (I think) who did a documentary on this scam. It focused particularly on a UK couple who ran their own business and who had paid out something like £30,000 ISR for "processing paperwork" and other costs. They still believed that it would all come good in the end. The documentary team also spoke to Customs and Excise who showed bags full of mail from Nigeria that they routinely open and examine looking for letters operating the scam. 
I am more used to seeing the e-mail version of these letters through the copies forwarded to me by worried recipients at this site. The NCIS contact address could be useful in future. Quentin Campbell (Postmaster) -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinions expressed above are mine. The University can get its own." From ben@algroup.co.uk Mon, 30 Jul 2001 17:16:22 +0100 Date: Mon, 30 Jul 2001 17:16:22 +0100 From: Ben Laurie ben@algroup.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS Q G Campbell wrote: > > [snip] > > BTW, I've been trying to figure out how these scams actually > > work - my assumption is that if you are stupid enough to > > bite, they will then hit you for some money required to > > process paperwork or some such - but is there anything more > > cunning going on? > > Ben > > You are correct. There is nothing more cunning involved than exploiting > simple greed and gullibility and knowing how to play people along. Once > people are hooked there may also be a measure of threat involved as > well. > > It was the BBC (I think) who did a documentary on this scam. It focused > particularly on a UK couple who ran their own business and who had paid > out something like £30,000 ISR for "processing paperwork" and other > costs. They still believed that it would all come good in the end. > > The documentary team also spoke to Customs and Excise who showed bags > full of mail from Nigeria that they routinely open and examine looking > for letters operating the scam. Glad we've got that one cleared up - so my other question has always been: why Nigeria? The vast majority of them seem to come from there - what's so special about it? > I am more used to seeing the e-mail version of these letters through the > copies forwarded to me by worried recipients at this site. 
The NCIS > contact address could be useful in future. I get a vast number of these (several a day some days) - do the NCIS actually want them? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From owen.blacker@wheel.co.uk Mon, 30 Jul 2001 17:26:52 +0100 Date: Mon, 30 Jul 2001 17:26:52 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > I am more used to seeing the e-mail version of these letters through > > the copies forwarded to me by worried recipients at this site. The NCIS > > contact address could be useful in future. > > I get a vast number of these (several a day some days) - do the NCIS > actually want them? Equally, mine get filtered straight into Outlook's Deleted Items folder or my trash folder in Pine. O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBO2WKClVeQSYAA2h0EQIdkACg7JyxsOkUK2Dt+lvnPG2IZqAi/aQAnjJ+ 4Hl78SY1x2t0s6llSqSFPCDB =ULQC -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. 
For further information visit http://www.uk.uu.net/products/security/virus/ From cryptlist@ubik.demon.co.uk Mon, 30 Jul 2001 15:06:30 +0100 Date: Mon, 30 Jul 2001 15:06:30 +0100 From: Anthony Naggs cryptlist@ubik.demon.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS In message <3B654F4E.A8B3B626@algroup.co.uk>, Ben Laurie wrote > >BTW, I've been trying to figure out how these scams actually work - my I've been getting quite a lot by email in the last month or so, particularly via some email lists, which I just bin. I've also, a long time ago, seen the telexed and faxed ones. >assumption is that if you are stupid enough to bite, they will then hit >you for some money required to process paperwork or some such - but is >there anything more cunning going on? The proposal as far as I remember is that you should pay some amount (a few thousand pounds) into a foreign bank account. This will then be used to facilitate (fees/bribes) the transfer of a large amount of money out of, most often, Nigeria, and you will get a big slice of this (e.g. ten times as much as you originally paid). The message also asks for details of your bank account, (to transfer the money into, of course), and a copy of your company letter paper. If you transfer the money requested you will certainly not see it again. If you give out your company's bank details with all the signatures and letter paper that's usually enough for your bank to take their instructions. There was a dozy old chap from Norwich (I think) a couple of weeks ago, who obviously thought at the time he was being clever in going out to South Africa to meet someone who had sent such an email. He was kidnapped, held for ransom for several days and rescued by the SA Police's Flying Squad. 
Not an experience I would wish on anyone, but it is hard to believe that a former business owner and town mayor could be so credulous that a complete stranger in a foreign country could really offer 100 or 1000 times return on 5000 pounds in a few days. 
ttfn, Tony From tbt@star-dot-star.co.uk Mon, 30 Jul 2001 18:42:32 +0100 Date: Mon, 30 Jul 2001 18:42:32 +0100 From: Bruce Tober tbt@star-dot-star.co.uk Subject: FYI: Red Code -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Contacts: Tinabeth Burton, 703-284-5305, tburton@itaa.org - PCIS & ITAA Keith Nahigian, 703-622-4494, keithnahigian@yahoo.com - CIAO Deborah Weierman, 202-324-8055, dweierman@fbi.gov - NIPC Code Red Worm: Frequently Asked Questions: Question: Why is this important today? Answer: Only through quick response to notify the public can risks to the Internet be minimised. The government and the private sector are here today to provide this warning. This is similar to when people are warned about travel abroad and threatening weather conditions. This is not the last of these threats and the partners assembled here today would like the public to be aware of the possibilities and precaution options available, and take whatever steps they deem necessary. Question: When did it start and when did it become a concern? Answer: This worm appeared two weeks ago and many steps have been taken to try to stop it. Unfortunately, the infestation continues, mutations of the worm have already begun to appear, and the worm is timed to begin hyper-growth late on July 31. The initial worm had a seven-day incubation period; the new version may incubate in an even shorter period. This malicious code, a clear and present threat, needs to be stopped before it does real harm to electronic commerce and other uses of the Internet. Question: How does this affect business and government? Answer: It floods the Internet with probes looking for additional machines to infect. The flooding slows the Internet down. As it slows, transactions that depend on timeliness begin to fail. People take longer to get results, and more importantly, some sites just disappear from the Internet as the worm's probes overwhelm networks or damage routers or both. 
Consumers will see the Internet slow down or they may lose connectivity if their ISP is overwhelmed with probes. From a technical perspective, it doesn't matter who the target of the attack is. The real power of the worm is the amount of bandwidth generated by all the systems attacking at once. The attack is really against the Internet infrastructure, regardless of the actual targeted site. Question: What types of machines are affected? Answer: Machines running Windows 2000 or Windows NT 4.0 and the IIS web server software. IIS is not installed by default (or automatically) on Windows NT 4.0 (you have to install it from the option pack) nor on Windows 2000 Professional (the workstation). It is installed by default on Windows 2000 server packages. Question: Can "Code Red" be turned off? Answer: Yes, but it will require the concerted action of everyone who operates a Microsoft IIS Web server to follow the procedures we have outlined and to do it expeditiously. There is no MASTER SWITCH to turn off the Code Red worm. History shows that such exploits are not single events but harbingers of trends. The only real solution is for users to fix the vulnerability. Question: Why doesn't industry do something about it? Answer: Industry is doing a great deal, starting with Microsoft. The company identified the vulnerability, published an effective remedy, and worked closely with its partners in the public and private sector to spread the word. The industry representation on the stage today is testament to the high level of industry commitment to solving this problem. Question: How quickly will Internet performance degrade? Answer: Between July 12 and July 19, the Code Red worm infected more than 350,000 systems and, on the 19th, slowed Internet performance by 40%. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT, and it has mutated. 
The newest version could scan and infect all vulnerable systems on the Internet even more quickly than the original, possibly in as little as two or three days. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Question: Does this attack steal information or documents? Answer: The known version of the "Code Red" worm does not "steal" information or documents from a system. It is possible that a variant of this worm could steal, modify or delete documents and information. - -- | Bruce Tober, , Freelance Journalist, | | My Website | | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2WciMcIpTh0zLu1EQKJqACgjDjpZVX2/dMmGBQ5TIaBnf47vZ4AoI59 HKtJdhOAt6g0PtC9Md/Or0k5 =JsU+ -----END PGP SIGNATURE----- From ben@algroup.co.uk Mon, 30 Jul 2001 18:48:15 +0100 Date: Mon, 30 Jul 2001 18:48:15 +0100 From: Ben Laurie ben@algroup.co.uk Subject: FYI: Red Code I presume this was sent in error, and was actually meant for ukostriches? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From tbt@star-dot-star.co.uk Mon, 30 Jul 2001 19:02:50 +0100 Date: Mon, 30 Jul 2001 19:02:50 +0100 From: Bruce Tober tbt@star-dot-star.co.uk Subject: FYI: Red Code -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <3B659DDF.5F0A9774@algroup.co.uk>, Ben Laurie writes >I presume this was sent in error, and was actually meant for >ukostriches? "-} Actually I meant to add a note saying that it had been sent to me by a pr guy from ISS Reading and soliciting comments. 
You've just provided one of the types I expected. I take it you've seen silicon.com's coverage and its leader. If not, you should: Enjoy > >Cheers, > >Ben. > >-- >http://www.apache-ssl.org/ben.html > >"There is no limit to what a man can do or how far he can go if he >doesn't mind who gets the credit." - Robert Woodruff > > - -- | Bruce Tober, , Freelance Journalist, | | My Website | | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2WhSscIpTh0zLu1EQIHNgCeIgW8XO/6q/Cw066/SVg8Xr1hHGQAnin+ Eb3TFoL5o27nfRBMo+i3Dwfb =u/ez -----END PGP SIGNATURE----- From oml@eloka.demon.co.uk Mon, 30 Jul 2001 20:09:48 +0100 Date: Mon, 30 Jul 2001 20:09:48 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ben Laurie > Sent: 30 July 2001 17:16 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS > > > Q G Campbell wrote: > > > > [snip] > Glad we've got that one cleared up - so my other question has always > been: why Nigeria? The vast majority of them seem to come from there - > what's so special about it? Because so many emanate from there that it is known as the Nigerian Scam. Why Nigeria? Possibly because of its popular international reputation for 'different' business ethics. > > I get a vast number of these (several a day some days) - do the NCIS > actually want them? Probably not - though they should be polite enough about it. Firstly they're a national squad. Secondly, a customer of mine who was being hit in a telephone scam for > 250K per year were advised by the Met to employ a private consultant. They would not wish to be involved in any matter where the loss was less than £1M. ISTR that the FBI has some similar rule. Thirdly, what would you have them do?
Send an Armed Response Team with a spare chair leg or two just in case Junior should be found empty handed? Owen From nexus@patrol.i-way.co.uk Mon, 30 Jul 2001 20:31:28 +0100 Date: Mon, 30 Jul 2001 20:31:28 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: FYI: Red Code I'd file it under UKFUD, just before "Ragnarok - what it means for your business" and after "What do I do when the sky falls down ?" Surprised they didn't quote Steve Gibson. Me ? I'm in the sandpit humming "99 Red Worms go by"... Cheers, JJ ----- Original Message ----- From: "Ben Laurie" To: Sent: Monday, July 30, 2001 6:48 PM Subject: Re: FYI: Red Code > I presume this was sent in error, and was actually meant for > ukostriches? > > Cheers, > > Ben. > > -- > http://www.apache-ssl.org/ben.html > > "There is no limit to what a man can do or how far he can go if he > doesn't mind who gets the credit." - Robert Woodruff > > From pwt@iosis.co.uk Mon, 30 Jul 2001 22:18:07 +0100 Date: Mon, 30 Jul 2001 22:18:07 +0100 From: Peter Tomlinson pwt@iosis.co.uk Subject: FW: Sircam infects the Feds Symantec (Norton) have just replied to my query with the news that they cannot yet detect the SirCam virus in a MIME encoded file - but they promise that they will catch it if I try to move or copy or open the attached file. But a file with a double extension (.doc.pif in my case) is fairly easy to spot. Peter T Bristol UK ----- Original Message ----- From: "T Bruce Tober" To: Sent: Friday, July 27, 2001 11:14 PM Subject: Re: FW: Sircam infects the Feds > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In message <3B618CB8.5513890C@solid-state-logic.com>, Martin hepworth > writes > >I note that Sophos put out an alert and update 18th July. The whole > >thing went crazy 25th. So everyone had 6 days to update their AV > >technology to catch this before it hit bad. Shame on the feds for not > >doing basic stuff. 
> > > OTOH, AV software isn't perfect: > > Symantec fails to stop SirCam > By John Leyden > Posted: 27/07/2001 at 12:30 GMT > > http://www.theregister.co.uk/content/56/20696.html > > The SirCam worm has revealed weaknesses in anti-virus protection relied > on by many firms as a first line of defence against viral infection. > It's been discovered that both Baltimore Technologies MIMEsweeper > content filtering software and Symantec's perimeter protection product, > Norton Antivirus for Gateways v2.x, fail to block the prolific virus. > Norton Antivirus for Gateways fails to see email with attachments > contaminated by the virus, even if the correct settings have been > applied and the latest versions of virus-identifying signature files have > been downloaded. > - -- > > | Bruce Tober, , | > *.* *.* *.* *.* > > | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | > > > -----BEGIN PGP SIGNATURE----- > Version: PGPsdk version 1.7.1 > > iQA/AwUBO2HnuElMGg3Z3q20EQL29QCg7MQY3DrsVe5quPdkXTsW9kqc27kAmwQV > 5Z+0huytbXgDjlz4lJLOw5S1 > =G36I > -----END PGP SIGNATURE----- > > > From richard@highwayman.com Tue, 31 Jul 2001 00:11:30 +0100 Date: Tue, 31 Jul 2001 00:11:30 +0100 From: Richard Clayton richard@highwayman.com Subject: ASSISTANCE FOR MUTUAL BENEFITS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Owen Lewis writes >> Q G Campbell wrote: >> I get a vast number of these (several a day some days) - do the NCIS >> actually want them? > >Probably not - though they should be polite enough about it. I received a similar but different 419 letter today (to an ancient email address - so a coincidence). So I sent it off to the NCIS address Simon recommended. They send back an acknowledgement email containing a Word document -- which doesn't inspire much confidence :( [perhaps they feel that seeing their logo in colour and being able to see a pretty layout will matter!]
The document explains that it's really just a stats gathering exercise - though there is a phone number to call if you've been dim enough to lose money (or have had an extended correspondence with the bad guys). - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2XpohfnRQV/feRLEQJiJwCbBVCO8GXjWJJH3O+HkxE7mI0VtJ4AoKZ1 qbH45tU2OFl/FHDTipwdGyyW =zAuW -----END PGP SIGNATURE----- From roland@linx.net Tue, 31 Jul 2001 09:55:10 +0100 Date: Tue, 31 Jul 2001 09:55:10 +0100 From: Roland Perry roland@linx.net Subject: ASSISTANCE FOR MUTUAL BENEFITS In message , Owen Lewis writes >>do the NCIS >> actually want them? > >Probably not - though they should be polite enough about it. http://www.ncis.co.uk/press/24_01.html 10/7/01 The National Criminal Intelligence Service (NCIS) today warned British businesses and individuals to be on their guard against a surge in fraudulent letters and emails promising large cash payouts in exchange for a small upfront investment, commonly known as '419' Advanced Fee fraud. Churches and charities have also been targeted. Recent successes in combating the fraud have forced a change of tactics by the organised criminals behind it, mostly operating from West Africa and NCIS is today seeking the public's help in fighting one of the most profitable areas of organised crime. >Firstly they're a national squad. They are also the agency which handles co-ordination with overseas police forces. http://www.ncis.co.uk/international.html -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From jtjm@xenoclast.org Tue, 31 Jul 2001 12:06:30 +0100 (BST) Date: Tue, 31 Jul 2001 12:06:30 +0100 (BST) From: Julian T. J. 
Midgley jtjm@xenoclast.org Subject: Press Release: UK Free Dmitry Sklyarov Protest (fwd) Not strictly on topic, but possibly of interest to several here. For Immediate Release: There will be a protest held outside the US Embassy in London, on Friday 3 August, calling for the immediate release of Dmitry Sklyarov, a Russian programmer who was arrested by the FBI for creating software which circumvented the copyright protection mechanism in Adobe's eBook Reader. Adobe has since issued a joint statement with the Electronic Frontier Foundation calling for Mr Sklyarov's release, but the US Department of Justice still has Mr Sklyarov in custody, and appears to intend to proceed with the trial. The UK protestors strongly believe that Mr Sklyarov's arrest was unlawful and unnecessary. He is charged with trafficking in a copyright circumvention mechanism, despite the fact that the software he wrote was sold by the company he worked for (through a US reseller) and not by him himself. Furthermore, the law he is alleged to have broken, the DMCA (Digital Millennium Copyright Act) makes illegal in the US activities considered entirely lawful in most other nations, including Britain and Mr Sklyarov's native Russia. The DMCA destroys the right to fair use, and makes those who point out flaws in the security algorithms and protocols of other companies liable to prosecution. It is clear that the DMCA needs revision (in a separate case, a Professor Felten is suing to have parts of it declared unconstitutional), and it is quite unreasonable to leave Dmitry Sklyarov languishing in a US prison whilst the Americans resolve the problems with this ill-thought law. Dmitry Sklyarov should not be a test case, he should be a free man! Those interested in joining the protest on Friday will find more details on the web at: http://uk.freesklyarov.org/ and are encouraged to join the UK Free Sklyarov mailing list at: http://mailman.xenoclast.org/cgi-bin/mailman/listinfo/free-sklyarov-uk -- Julian T.
J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From richard@highwayman.com Tue, 31 Jul 2001 12:16:53 +0100 Date: Tue, 31 Jul 2001 12:16:53 +0100 From: Richard Clayton richard@highwayman.com Subject: FYI: Red Code -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Bruce Tober writes >Code Red Worm: Frequently Asked Questions: [assorted bits of FUD] > Unfortunately, the infestation continues, mutations of >the >worm have already begun to appear, and the worm is timed to begin >hyper-growth late on July 31. The initial worm had a seven-day >incubation >period; the new version may incubate in an even shorter period. This >malicious code, a clear and present threat, needs to be stopped before >it >does real harm to electronic commerce and other uses of the Internet. For some rather more factually based information (the worms in machines that were infected in July are now in a permanent sleep mode; it was probably variants that caused the major growth on the 19th; and the worm doesn't have an incubation period as such) see: http://xforce.iss.net/alerts/advise89.php >Question: Can "Code Red" be turned off? >Answer: Yes, but it will require the concerted action of everyone who >operates a Microsoft IIS Web server to follow the procedures we have >outlined and to do it expeditiously. some other products are affected as well, it's not just IIS per se: http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml >There is no MASTER SWITCH to turn >off >the Code Red worm. History shows that such exploits are not single >events >but harbingers of trends. The only real solution is for users to fix the >vulnerability. I think these last two sentences are the only useful contribution of this particular FAQ... 
I am also of the opinion that we're going to see many more such worms (and this is far from being the first anyway); and we're going to get far more interested in scalable ways of safely distributing security patches to the masses. ObUKCrypto: Rather perversely, I hope that there is some real damage done in the next few days. There's been so much hype on this topic (making it onto the main news bulletins) that if very little actually happens then it will be much harder to convince the journalists to run Internet stories in the future.... After all, the time to get people excited wasn't today but all last week when patching the systems could be properly scheduled and not done in a panic! but of course it wasn't a story last week if people took action to stop the "disaster" happening. - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBO2aTpRfnRQV/feRLEQL2PQCfdNvUZMdv1wByJIYA6Ty+Gj1FNWIAnRiF Maxabr1aqZwOmwsS1jCH0Cb4 =5Sgy -----END PGP SIGNATURE----- From oml@eloka.demon.co.uk Tue, 31 Jul 2001 13:15:24 +0100 Date: Tue, 31 Jul 2001 13:15:24 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Roland Perry > Sent: 31 July 2001 09:55 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS > > > In message , Owen > Lewis writes > >>do the NCIS > >> actually want them? > > > > >Probably not - though they should be polite enough about it. > > >Firstly they're a national squad. > > They are also the agency which handles co-ordination with overseas > police forces. You mean that they are the national interface for the exchange of criminal intelligence? AIR Interpol is the coordinating body. 
I think Richard's post sums up the position perfectly. ....'I received a similar but different 419 letter today (to an ancient email address - so a coincidence). So I sent it off to the NCIS address Simon recommended. They send back an acknowledgement email containing a Word document -- which doesn't inspire much confidence :( [perhaps they feel that seeing their logo in colour and being able to see a pretty layout will matter!] The document explains that it's really just a stats gathering exercise - though there is a phone number to call if you've been dim enough to lose money (or have had an extended correspondence with the bad guys). - -- richard @ highwayman . com ' It is interesting though that NCIS has put out a press release claiming that 'it has warned British businesses and individuals'. I received no warning nor did my company; nor it would seem did Richard or his company; nor perhaps did you and yours? Still a press release always looks good. The truth is that those caught in these scams are foolish and greedy to the point where: - They are prepared to subordinate commonsense to their greed (most hunter's prey is caught by one variety or another of this age old and non-species specific mechanism). - They are prepared to perform or conspire to perform one or more unlawful acts to service their greed. If not clear from the outset (as with Junior's letter?) it must become clear before any money is parted with (as a 'gesture of good faith', 'facilitating fund' etc.) that criminal acts are involved. The element of criminal involvement is by no means coincidental. It is a considerable incentive for the target not to make a complaint about his loss but to sneak away quietly. It's true that those foolish, greedy and willing to enter a criminal conspiracy are not deprived of protection of law as such protection may apply. However, one can see why no one busts a gut to bring their fraudulent 'co-conspirators' to justice. 
Tracing down some of those operating such scams really should not be too hard and one would imagine that with or even without international cooperation, several concurrent 'sting' operations would have a high probability of a successful outcome and do much (repeated as necessary) to discourage further activity of this sort. The fact that the press release mumbles about 'warnings' rather than blazoning the successful arrest and prosecution of a slack handful of the current operators speaks volumes, I think. What will NCIS be 'warning' about next? That promiscuous sex may lead to venereal disease? Or that giving your money every week to the National Lottery makes a few other people very rich? Owen From roland@linx.net Tue, 31 Jul 2001 14:55:55 +0100 Date: Tue, 31 Jul 2001 14:55:55 +0100 From: Roland Perry roland@linx.net Subject: ASSISTANCE FOR MUTUAL BENEFITS In message , Owen Lewis writes >You mean that they are the national interface for the exchange of criminal >intelligence? AIR Interpol is the coordinating body. Interpol is not a one-stop-shop. There's also Europol and plenty of direct links between national police forces. "The International Division incorporates the UK National Central Bureau of Interpol, the UK Europol National Unit, the UK European Drug Liaison Officer network and plays host to foreign liaison officers." -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From oml@eloka.demon.co.uk Tue, 31 Jul 2001 15:46:20 +0100 Date: Tue, 31 Jul 2001 15:46:20 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS We are agreed then that NCIS incorporates the UK national interface with Interpol. 
We may also agree that, in the case of Nigerian Scams which are truly international in their scope, Interpol might be the appropriate coordinating body for countermeasure operations, rather than any other coordinating group of limited regional or single-issue scope. The only one of these where I ever got into any of the detail involved five countries: two West African, two European and the RSA. The operation was seemingly run out of Africa, the target was in the UK and Belgium (Antwerp, AIR) was designated as the place where the deal was to be done and (doubtless) money should have changed hands. The target on that occasion was a UK company which was to make its services available in what was ostensibly a large money laundering exercise, with the target's 'cut' being taken by way of 'payment for services rendered' payable 100% up front on a sizeable 10 year contract which no one would ever check to see was fulfilled. However, I think the point is that NCIS may 'play host' to whosoever it likes but there is no evidence that it (or anyone else) is spending the required effort to close these scams down. ObCrypto: After the fashion of all the best MPs, I should now declare a personal interest. In 1992, after writing a series of articles on crypto and its then current and future application outside of govt control, I was invited to Spring Gardens for a 'little chat'. But I left the premises uncorrupted; even then a cup of cold coffee didn't buy too much :-) Owen > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Roland Perry > Sent: 31 July 2001 14:56 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: ASSISTANCE FOR MUTUAL BENEFITS > > > In message , Owen > Lewis writes > >You mean that they are the national interface for the exchange > of criminal > >intelligence? AIR Interpol is the coordinating body. > > Interpol is not a one-stop-shop. 
There's also Europol and plenty of > direct links between national police forces. > > "The International Division incorporates the UK National Central Bureau > of Interpol, the UK Europol National Unit, the UK European Drug Liaison > Officer network and plays host to foreign liaison officers." > -- > Roland Perry | tel: +44 1733 207705 | roland@linx.org > Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net > London Internet Exchange | mbl: +44 7050 604080 | /contact/roland > > From Rodney.Tillotson@ukerna.ac.uk Tue, 31 Jul 2001 12:32:44 +0100 Date: Tue, 31 Jul 2001 12:32:44 +0100 From: Rodney Tillotson Rodney.Tillotson@ukerna.ac.uk Subject: ASSISTANCE FOR MUTUAL BENEFITS At 00:11 31/07/2001, Richard Clayton wrote: > [The reply document from NCIS] explains that it's really just a > stats gathering exercise - though there is a phone number to call > if you've been dim enough to lose money (or have had an extended > correspondence with the bad guys). I send my reports to a nice man in the CCU. He doesn't even claim they will count them ... I understand that the anti-spam approach to 419 scams has some effect. Apparently West African ISPs (notably GS Telecom) have ways of tracing originators, sometimes even from cybercafes which is where they often start. What money then changes hands and whether the outcome delays or lessens the next attempt, I do not know. The scam must work or it wouldn't survive in the wild. Rodney Tillotson, JANET-CERT 01235 822 255. From nbohm@ernest.net Tue, 31 Jul 2001 15:43:00 +0100 Date: Tue, 31 Jul 2001 15:43:00 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: ASSISTANCE FOR MUTUAL BENEFITS At 15:06 30/07/2001 +0100, Anthony Naggs wrote: >In message <3B654F4E.A8B3B626@algroup.co.uk>, Ben Laurie > wrote >> >>BTW, I've been trying to figure out how these scams actually work - my > >I've been getting quite a lot by email in the last month or so, >particularly via some email lists, which I just bin. 
I've also, a long >time ago, seen the telexed and faxed ones. > >>assumption is that if you are stupid enough to bite, they will then hit >>you for some money required to process paperwork or some such - but is >>there anything more cunning going on? > >The proposal as far as I remember is that you should pay some amount (a >few thousand pounds) into a foreign bank account. This will then be >used to facilitate (fees/bribes) the transfer of a large amount of money >out of, most often, Nigeria, and you will get a big slice of this (e.g. >ten times as much as you originally paid). > >The message also asks for details of your bank account, (to transfer the >money into, of course), and a copy of your company letter paper. > >If you transfer the money requested you will certainly not see it again. >If you give out your company's bank details with all the signatures and >letter paper that is usually enough for your bank to take their >instructions. But the bank carries the risk of forgery, so has to reverse the debit when challenged. I suspect that the banks' exposure is one of the reasons these scams get a fair amount of publicity from time to time. >There was a dozy old chap from Norwich (I think) a couple of weeks ago, >who obviously thought at the time he was being clever in going out to >South Africa to meet someone who had sent such an email. He was >kidnapped, held for ransom for several days and rescued by the SA >Police's Flying Squad. Not an experience I would wish on anyone, but it >is hard to believe that a former business owner and town mayor could be >so credulous that a complete stranger in a foreign country could really >offer 100 or 1000 times return on 5000 pounds in a few days. Many would say this is par for the course in East Anglia.
Regards Nicholas Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From davidh at spidacom.co.uk Mon Jul 2 17:45:32 2001 From: davidh at spidacom.co.uk (davidh@spidacom.co.uk) Date: Mon, 2 Jul 2001 17:45:32 +0100 Subject: One in Ten Thousand! In-Reply-To: Message-ID: <20010702165014.581A7178@liszt-02.ednet.co.uk> On 29 Jun 01, at 12:14, Richard Clayton wrote: > .... so why are they now planning for a tenfold increase in their > capability ? I see two possibilities only. 1) The sky is about to fall in and the brave people of the Home Office have put on their white hats and are riding into the sunset against the dangerous subversives in places like ukcrypto to get the necessary laws in place before the sky falls in. 2) Officials will always gather to themselves and their supposed masters as many powers as possible, you never know when they might be useful.
-- David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E If I revoke this key, the only circumstance in which I will not be prepared to explain my reasons for doing so will be when UK government authorities have stipulated that providing such an explanation would be unlawful. See RIP Act 2000. From mctylr at privacy.nb.ca Tue Jul 3 20:18:08 2001 From: mctylr at privacy.nb.ca (M Taylor) Date: Tue, 3 Jul 2001 20:18:08 +0100 (BST) Subject: Proposed abolition of data protection controls on public sector data In-Reply-To: Message-ID: On Tue, 19 Jun 2001, Ross Anderson wrote: Whitehall plans new checks on citizens By Rachel Sylvester: > [...] > The change could lead to a person's benefit application being > cross-checked with his or her medical record, passport details being > handed to the Inland Revenue, or driving licence details compared with > information on the electoral roll - although the specific areas > affected have not yet been agreed. > [...] > The Data Sharing and Privacy Bill will be introduced as early as > possible. Ministers are aware of the importance of winning over public > opinion. A government project in Canada, which involved compiling a > database of information about individuals, was scrapped last year > after a public backlash amid accusations that it had been undertaken > without people's consent. Canada simply rearranged the government's structure to suit their needs. Immigration and Customs is a division of Revenue Canada (taxation), which means RevCan can monitor all Canadians re-entering the country, looking for people claiming (un)employment benefits while travelling, and compare to their tax profile (i.e. a Canadian with no taxable income declared in the previous year might get extra questioning while re-entering the country) to their travel patterns/ frequency. 
Of course its mundane irony is that it takes me, a Canadian citizen, longer to enter my home country answering taxation related questions in disguise than it does to enter an EU country with a new visa, or travelling to any other Western country. Pretty much the opposite of the EU passport/identity card "express" lanes for EU citizens. M Taylor From jamesd at echeque.com Wed Jul 4 21:48:01 2001 From: jamesd at echeque.com (jamesd@echeque.com) Date: Wed, 4 Jul 2001 13:48:01 -0700 Subject: Anonymity Snake Oil in JXTA In-Reply-To: <3309.994275027@www49.gmx.net> Message-ID: <3B431E91.13871.F7BB51@localhost> -- James A. Donald: > > Perhaps people smurfing money in columbia might form such a > > group. On 4 Jul 2001, at 21:30, Aalvarez@gmx.de wrote: > Why columbia? why not alabama or florida? That should of course have read "Colombia" not "Columbia" According to http://www.apbnews.com/newscenter/breakingnews/1999/10/30/drugmoney 1030_01.html : : Colombian peso brokers, who act as middlemen in the : : scheme, give Colombian importers IOUs in exchange for : : pesos. The pesos are used to buy U.S. dollars from : : drug cartels, providing the cartels with clean, usable : : currency. Then, the brokers use the dollars to buy : : U.S. goods and smuggle them into Colombia on behalf of : : the importers, who thereby avoid high government : : tariffs and taxes on foreign currency exchanges. Any time people are shuffling lots of IOUs around, backed by lots of different people, it provides a good opportunity for computerization. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG QMwsTtJnXxZpW3tPV5Y4lMlNMbYuqePCHeTz85IU 4wlkhLXBeBbQ47R95bqu2s9AoDyHBjhi1HyKQxYOe From Aalvarez at gmx.de Wed Jul 4 20:30:27 2001 From: Aalvarez at gmx.de (Aalvarez@gmx.de) Date: Wed, 4 Jul 2001 21:30:27 +0200 (MEST) Subject: Anonymity Snake Oil in JXTA References: <3B3F0BC7.12053.78EE1B@localhost> Message-ID: <3309.994275027@www49.gmx.net> Why columbia? why not alabama or florida?
> Perhaps people smurfing money in columbia might form such a group. > --digsig > James A. Donald From owen.blacker at wheel.co.uk Thu Jul 5 10:16:56 2001 From: owen.blacker at wheel.co.uk (Owen Blacker) Date: Thu, 5 Jul 2001 10:16:56 +0100 Subject: Wired: Echelon Furor Ends in a Whimper Message-ID: <55ED5FD3B4D2D41193E60002A5090BCD01B3D313@clerkenwell.pres.co> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.wired.com/news/politics/0,1283,44984,00.html | Echelon Furor Ends in a Whimper | By Steve Kettmann | 3:00 p.m. July 3, 2001 PDT | | STRASBOURG, France -- In the end, a year of hard work boils down to this: | Echelon exists and the Europeans don't like it, but there isn't much they | can do except wring their hands in impotent fury as the Americans | continue spying on whomever they please. | | The resolution approved Tuesday by a European Parliament committee set up | to investigate the satellite-based surveillance system condemned | Echelon's existence but, aside from agreeing to step up meaningful | rhetorical pressure on the Americans, achieved very little. | | The committee officially wrapped up its inquiry late Tuesday by passing | more than 60 of 160 amendments before approving the entire resolution, | 27 to 5. There were two abstentions. | | Some of the amendments sought to add a harder edge to the language of | committee head Gerhard Schmid of Germany, whose 113-page report was | hailed for its balance and fairness, which is often politician-speak for | blandness.
| | Giuseppe di Lello Finuoli of Italy, one of three vice chairmen, protested | that the committee's emphasis on legalisms would not prevent Europeans | from having their e-mail, faxes and phone conversations monitored by nosy | Americans, along with their English-speaking partners, England, | Australia, New Zealand and Canada. | | Di Lello Finuoli believes the system widely known as Echelon -- which | Schmid's report says may or may not be accurate -- will continue to | operate with impunity. | | "That failure to protect European citizens will have been endorsed by the | failure to take action," Di Lello Finuoli said through the official | translator. | | "Everything will continue on as it has in the past. It is possible to | conduct espionage from one country of the European Union on another | without any consequences. This group has done some very good work, but I | think the mountain has given birth to a mouse." | | That's how his remarks were translated, at any rate. | | Schmid defended his support of European investment in decryption, not | just encryption, which some critics see as de facto acknowledgement that | Europe has its own plans for an Echelon-type system. Then he hurried out | of the meeting room, waving off questions and saying his comments would | come at a press conference scheduled for Wednesday morning. | | Nevertheless, committee chairman Carlos Coelho pronounced the year long | inquiry a success, saying that given the parliament's diverse | constituency -- one with a legendary reputation for fractiousness and | squabbling -- he was pleased by the level of consensus. | | "I don't think any of the amendments we approved was anything quite | different," Coelho said. "But there are more references to the United | States than what was in the draft." | | For example, Amendment No 105 "Calls on the Member States to negotiate | with the USA a Code of Conduct similar to that of the EU." 
| | Not exactly the kind of tough talk expected to cow the Bush | administration, but it may have some symbolic value if the full European | Parliament | approves the committee's resolution in September. | | Then there's Amendment No 94, stating that the committee "regards it as | essential that an agreement should be ... signed between the European | Union and the United States stipulating that each ... should observe ... | the provisions governing the protection of the citizens and the | confidentiality of business communications applicable to its own citizens | and firms...." | | In other words, knock off the industrial espionage, Yank. | | That expands on previous language urging the UN secretary general to push | for Article 17 of the International Covenant on Civil and Political | Rights to be updated so that it "guarantees the protection of privacy, | into line with technical innovations." Article 17 also calls upon the | United States to sign this "Additional Protocol," so that individuals can | submit complaints to the Human Rights Committee set up under the | covenant. | | Language was also added referring to "authoritative sources" confirming a | US congressional report which estimated that economic intelligence | funneled from the government could give US companies up to $7 billion in | added contracts. | | Damning stuff, at least compared with the cautious tone taken by Schmid | in his report, or even in the amendments he offered Tuesday, all of which | were passed. | | One of Schmid's seven amendments, for example, noted that "the US | intelligence services do not merely investigate general economic facts | but also intercept detailed communications between undertakings, | particularly where contracts are being awarded, and they justify this on | the grounds of combating attempted bribery.... 
(This) detailed | interception poses the risk that information may be used for the purpose | of competitive intelligence-gathering rather than combating corruption, | even though the US and the United Kingdom state that they do not do so." | | This focus on industrial espionage reflects the general thinking of many | in the European Parliament that the threat to commerce is as much a | concern as potential violations of individual privacy rights. But it was | criticized by some committee members, at times quite fiercely. | | "We are being completely hypocritical," said Alain M Krivine of France. | "All countries are engaged in political and (industrial) espionage. It is | just a question of power, and the United States has the most power. It is | part and parcel of globalization. However, the United States are not the | only ones who are promoting capitalism this way." | | Copyright © 1994-2001 Wired Digital Inc. All rights reserved. | - - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBO0Qv3lVeQSYAA2h0EQIzZgCcC4jbg1J46QuAjrTv2EQzY/TEzeQAoLWD ZxX3AYUWT1aIAgTKYMjU7GHQ =nhI/ -----END PGP SIGNATURE-----
From oml at eloka.demon.co.uk Thu Jul 5 17:53:23 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Thu, 5 Jul 2001 17:53:23 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <55ED5FD3B4D2D41193E60002A5090BCD01B3D313@clerkenwell.pres.co> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Owen Blacker > Sent: 05 July 2001 10:17 > To: UK Crypto list (E-mail) > Subject: Wired: Echelon Furor Ends in a Whimper > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > http://www.wired.com/news/politics/0,1283,44984,00.html > > | Echelon Furor Ends in a Whimper > | By Steve Kettmann > | 3:00 p.m. July 3, 2001 PDT > | > | STRASBOURG, France -- In the end, a year of hard work boils > down to this: > | Echelon exists and the Europeans don't like it, but there isn't > much they > | can do except wring their hands in impotent fury as the Americans > | continue spying on whomever they please. True, O Wise One. But you might have added that so do the EU states carry on spying as they please (I make an honourable exception for Luxembourg from that generality). > | > | The resolution approved Tuesday by a European Parliament > committee set up > | to investigate the satellite-based surveillance system condemned > | Echelon's existence but, aside from agreeing to step up meaningful > | rhetorical pressure on the Americans, achieved very little. I spy an oxymoron. Is this the first to be spied this year? > | > | The committee officially wrapped up its inquiry late Tuesday by passing > | more than 60 of 160 amendments before approving the entire resolution, > | 27 to 5. There were two abstentions. It would be interesting to know who and of which nationalities the dissenting or abstaining members were.
Let's guess that UKG is one and that Spain (now reported to be a recipient of ECHELON take in its struggle with ETA) is another. Interestingly, it is not similarly reported that France (also suffering from the Basque violent separatist threat) is to receive ECHELON take. Of course, this may be because the Franco-German co-operative effort along the same lines is already giving them all the feed they need. | > | Some of the amendments sought to add a harder edge to the language of > | committee head Gerhard Schmid of Germany, whose 113-page report was > | hailed for its balance and fairness, which is often politician-speak for > | blandness. 'Bland' is too kind. The report as someone kindly reproduced here was unprofessional, wet behind the ears, poor politics and a disservice to European unity. It had all the authoritative ring of a politically correct diatribe from some loony left borough council. > | Di Lello Finuoli believes the system widely known as Echelon -- which > | Schmid's report says may or may not be accurate -- will continue to > | operate with impunity. Hands up those who are surprised. What, no one? > | "Everything will continue on as it has in the past. It is possible to > | conduct espionage from one country of the European Union on another > | without any consequences. This group has done some very good work, but I > | think the mountain has given birth to a mouse." > | > | That's how his remarks were translated, at any rate. Well, it's politer than the thunderstorm giving vent to a wet fart, which is how some others might have preferred to describe it. > | Schmid defended his support of European investment in decryption, not > | just encryption, which some critics see as de facto acknowledgement that > | Europe has its own plans for an Echelon-type system. Then he hurried out > | of the meeting room, waving off questions and saying his comments would > | come at a press conference scheduled for Wednesday morning.
> | After national and bi-lateral consultations naturally. > | Then there's Amendment No 94, stating that the committee "regards it as > | essential that an agreement should be ... signed between the European > | Union and the United States stipulating that each ... should observe ... > | the provisions governing the protection of the citizens and the > | confidentiality of business communications applicable to its > own citizens > | and firms...." > | > | In other words, knock off the industrial espionage, Yank. Oh, my sides hurt. It's in France, that cradle of republicanism, democracy and political terror, that the VIP suites in 5 star hotels are bugged (q.v. BAE/Aerospatiale negotiations 2000 et al). Eavesdropping is an Italian national sport with some of the most innovative products coming from that fair land of olive oil, pasta, the Borgias, Guelphs and Ghibellines. For the last 50 years, the Germans have been too busy spying on each other to worry much about the rest of us - but that may now change. Well past the height of the Cold War there were over 16,000 *known* Sov bloc agents (mainly STASI for obvious reasons) in the FRG. God knows the number that were not known. The known ones were mainly left alone to save the trouble and expense of having to identify their replacements - like a dog so fleabitten that it no longer sees the point in scratching. And how many BND agents were in the East??? Ah well, the East 'lost' and the West 'won' so we talk about the one and not the other, don't we? > | Language was also added referring to "authoritative sources" > confirming a > | US congressional report which estimated that economic intelligence > | funneled from the government could give US companies up to $7 billion in > | added contracts. In the case of France, there is documentation going way back into the '80's, if not before, of their sterling efforts at industrial espionage against allies.
> | "We are being completely hypocritical," said Alain M Krivine of France. > | "All countries are engaged in political and (industrial) > espionage. I agree with these frank premises, if not entirely with the conclusion and its corollary. It is > | just a question of power, and the United States has the most > power. It is > | part and parcel of globalization. However, the United States are not the > | only ones who are promoting capitalism this way." > | > | Copyright 1994-2001 Wired Digital Inc. All rights reserved. > | Keywords for the week are: Pot Kettle Black Owen (2) From jtjm at xenoclast.org Fri Jul 6 10:21:52 2001 From: jtjm at xenoclast.org (Julian T. J. Midgley) Date: Fri, 6 Jul 2001 10:21:52 +0100 (BST) Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: Message-ID: On Thu, 5 Jul 2001, Owen Lewis wrote: > > Keywords for the week are: > > Pot Kettle Black Well, maybe, but can you name the listening station (equivalent in capability to Echelon) built on US soil by the Europeans for the sole purpose of giving us access to their communications traffic? I think there's just a hint of lack of reciprocity here... Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From oml at eloka.demon.co.uk Fri Jul 6 11:43:20 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Fri, 6 Jul 2001 11:43:20 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T. J. 
> Midgley > Sent: 06 July 2001 10:22 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > On Thu, 5 Jul 2001, Owen Lewis wrote: > > > > Keywords for the week are: > > > > Pot Kettle Black > > Well, maybe, but can you name the listening station (equivalent in > capability to Echelon) built on US soil by the Europeans for the sole > purpose of giving us access to their communications traffic? Echelon is (supposedly) a system it is not a 'listening station' as such a purported system would use listening station but they do not of necessity have to be on anyone's 'soil' Listening stations may be (and very often are) space borne, airborne or sea borne - not to mention stuffing 40 ton trucks with men and electronics and then sending them on 3000 mile sniffing trips. > > I think there's just a hint of lack of reciprocity here... Any seeming lack of reciprocity comes from a partial and partisan telling of what some consider is or might be. Let me make myself clear. I have no particular love for Uncle Sam and I do believe that this little country of ours has allowed itself to sink too deep, too comfortably and for too long into Uncle Sam's pocket. Overcoming inertia, continuance of obligation and a great reluctance to accept just how small a player we are on the global stage; these face our politicians with some conundrums which, without some unaccustomed outburst of frankness must lead to some pretty interesting contortions in the next ten years. It also needs saying from time to time that in the last half century and in terms of his relations with 'friendly' states, Uncle Sam has, beyond doubt (unless your name is Khomeini or Pinter) been more sinned against than sinning. You note that your gauntlet still lies where you threw it. The challenge is meaningless. The U.S. is a federation of fifty states, just one of which has more economic clout than these fair isles of ours. 
Now if you were to put in the balance a federation of (say) 50 European states you might offer a reasonable scale to accommodate. You could even try such a balance without federating the European States but simply aggregating their individual efforts (so often, because of central direction and coordination, repetitious or redundant efforts). Owen From Brian Gladman" Message-ID: <001301c10609$b7cafb50$83289fd4@fortytwo> From: "Julian T. J. Midgley" To: Sent: Friday, July 06, 2001 10:21 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper > On Thu, 5 Jul 2001, Owen Lewis wrote: > > > > Keywords for the week are: > > > > Pot Kettle Black > > Well, maybe, but can you name the listening station (equivalent in > capability to Echelon) built on US soil by the Europeans for the sole > purpose of giving us access to their communications traffic? > > I think there's just a hint of lack of reciprocity here... Correct. Pretty well all nations have capabilities of various kinds to spy on other nations but no other group of nations that I know of comes even close to matching the global electronic surveillance capabilities of the 'anglo-saxon alliance'. And as a founder member of this club it is inevitable that the UK will always have the difficult task of trying to sustain its membership of this club and the 'european club' since there are inevitably some very serious conflicts of interest. Duncan Campbell was kind enough to point me at the original source material for these press reports but I have not yet had time to go through it. But if press reports are to be believed one outcome of the European Parliament study is a conclusion that Echelon is a 'fact of life' and that there is little that the EU nations can do to counter it. If this truly is a conclusion, the European Parliamentary group have been badly briefed since nothing could be further from the truth.
But whether it would be in their interests to undermine Echelon is a much more difficult issue since the main need for such assets is in areas where US and European interests largely coincide. The failure of the US and Europe to seriously discuss these issues is dangerous since we need to remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas. And without dialogue I don't see this happening. Brian Gladman From jya at pipeline.com Fri Jul 6 15:23:59 2001 From: jya at pipeline.com (John Young) Date: Fri, 06 Jul 2001 07:23:59 -0700 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: References: Message-ID: <200107061124.HAA01148@barry.mail.mindspring.net> Owen Lewis writes: >It also needs saying from time to time that in the last half century and in >terms of his relations with 'friendly' states, Uncle Sam has, beyond doubt >(unless your name is Khomeini or Pinter) been more sinned against than >sinning. This astonishes. Only a biased understanding of US foreign policy, especially that exercised by way of US intelligence agencies, could produce such a patent falsehood. The small amount of information that come from secret archives and the greater amount that has come from targets of covert operations belies this claim of disproportionately sinned against. A prime argument the intelligence industry uses to resist full disclosure of sustained perfidy is that "means and methods" must be protected. It is these means and methods which are the shame of governments, and not only the US, but it is the US with help from its friends who are by far the investors, inventors, promulgators and users of the technologies of political control. The Wassenaar Agreement and a host of other treaties describe in minute detail what vile means and methods have been wrought to sin against others while denying compensatory access to defenses against predation.
Further, it is spill over from these "national security" control technologies that is now flooding internal police organizations to treat citizens as though foreign threats, and while the US leads the way in this, UK and the Echelon puppies are happy to contribute. It cannot be too strongly stated that the great number of former members of intelligence agencies and their supporters are working feverishly to build markets for their skills and tools for internal defense, thus the dramatic invocation of the threat of homeland terrorism pretty muchly aping that once invoked for foreign foes. And, as ever, pretending blamelessness. The best and brightness are alive and well selling self-enriching shinola as if in the national interest. The 1951 Longley-Cook report by the UK Director of Naval Intelligence warning of the threat of US preventive war is highly instructive on how intelligence is warped to fit black agendas. That Churchill saw Longley-Cook as someone to keep an eye on for telling the truth about US warmongering is further indicative of sucking up by ambitious national leaders and their pocket intelligence courtiers. It can't come too soon to indict national leaders for war crimes and compel them to reveal what they were told by their spooks, and, better, vice versa. To make myself clear, the United States over the past 50 years of intelligence guiding foreign and now domestic policy has become extremely dirty-handed and extremely adept at camouflaging underhandedness. Nothing has so corrupted US culture as has secret government and its spread to other nations under guise of open democracy. Examples abound, just ask if you don't know them or believe them secret. Echelon is a mild diversion, and the technology so far revealed of global surveillance and intelligence mongering for political control -- see Steven Wright's 1997 STOA report -- has been cloaked by Echelon hand-wringing. 
When all the means and methods Wright describes gets the attention Echelon has gotten, a bit of progress will be made. Until then, as the EP report demonstrates, it's all blowing of smoke and, in Owen's case, of sunshine. These whitewashes of black deeds are the favorite means and methods to shape public opinion in the age of spook-led and -fed government/commerce. From oml at eloka.demon.co.uk Fri Jul 6 13:40:49 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Fri, 6 Jul 2001 13:40:49 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <001301c10609$b7cafb50$83289fd4@fortytwo> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 06 July 2001 11:52 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > if press reports are to be believed one outcome of the European Parliament > study is a conclusion that Echelon is a 'fact of life' and that there is > little that the EU nations can do to counter it. > > If this truly is a conclusion, the European Parliamentary group have been > badly briefed since nothing could be further from the truth. > > But whether it would be in their interests to undermine Echelon is a much > more difficult issue since the main need for such assets is in areas where > US and European interests largely coincide. Quite so, and not just European and US interests perhaps. That this important point you raise was, seemingly, entirely missed by the EPG - even to mention, let alone evaluate - is one indication of narrowness of vision and of purpose in their study and report. > > The failure of the US and Europe to seriously discuss these issues is > dangerous since we need to remove the privacy and industrial/commercial > espionage concerns raised by Echelon without undermining its > value in other > areas. 
How would you propose that such a precise sorting of sheep from goats might be effected? This seems to me to be a fundamental issue and very much at the heart of the crypto debate. Owen From oml at eloka.demon.co.uk Fri Jul 6 13:40:50 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Fri, 6 Jul 2001 13:40:50 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <200107061124.HAA01148@barry.mail.mindspring.net> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of John Young > Sent: 06 July 2001 15:24 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > Owen Lewis writes: > > >It also needs saying from time to time that in the last half > century and in > >terms of his relations with 'friendly' states, Uncle Sam has, > beyond doubt > >(unless your name is Khomeini or Pinter) been more sinned against than > >sinning. > > This astonishes. Only a biased understanding of US foreign policy, > especially that exercised by way of US intelligence agencies, > could produce > such a patent falsehood. I did say that there are some who disagree. The small amount of information that come > from secret archives and the greater amount that has come from > targets of covert operations belies this claim of > disproportionately sinned > against. A prime argument the intelligence industry uses to resist > full disclosure of sustained perfidy is that "means and methods" > must be protected. It is these means and methods which are the > shame of governments, and not only the US, but it is the US with > help from its friends who are by far the investors, inventors, > promulgators and users of the technologies of political control. My dear John, if there is bias in an appreciation of this matter, pluck first the beam from thine own eye and resist the call to hyperbole. 
Whatever dear old Uncle Sam may or may not have got up to in this century, he has not, in the quest of 'political control': - Effectively eliminated one or more races from an entire continent. - Exterminated, by shooting, burning, starvation, disease and slave labour untold millions (20M+) of his own people. - Eliminated political dissent within his own borders or anyone else's. - Preached race or religious hatred as state policy at home and abroad. - Occupied the land of others at the point of a bayonet, claiming some ancient, God given right apparent to none but himself. One could go on but you get the point I think. Balance in all things, mon vieux. Uncle Sam surely is not perfect and - like the rest of us - he makes mistakes from time to time. However, he is not the vicious psychotic thug that some (stand up K & P) would like to depict him as. To begin the search for balance, one might begin with the following properly researched, painstakingly detailed and peer reviewed studies: 'A Study of Tyranny' 'The Gulag Archipelago' 'The Mitrokhin Archive' But you have studied these already, I'm sure. And that makes your view as given above all the more incomprehensible to me. > To make myself clear, the United States over the past 50 years > of intelligence guiding foreign and now domestic policy has > become extremely dirty-handed and extremely adept at > camouflaging underhandedness. Nothing has so corrupted > US culture as has secret government and its spread to > other nations under guise of open democracy. > > Examples abound, just ask if you don't know them or believe > them secret. > > Echelon is a mild diversion, and the technology so far revealed > of global surveillance and intelligence mongering for political > control -- see Steven Wright's 1997 STOA report -- has been > cloaked by Echelon hand-wringing. When all the means and > methods Wright describes gets the attention Echelon has > gotten, a bit of progress will be made. 
Until then, as the EP > report demonstrates, it's all blowing of smoke and, in > Owen's case, of sunshine. > > These whitewashes of black deeds are the favorite means > and methods to shape public opinion in the age of spook-led > and -fed government/commerce. Somehow I don't think we are going to agree. Some of the issues you raise (snipped here for brevity) may be real enough concerns. However, they are in no way related specifically to Uncle Sam. Rather, the concerns are global and have to do with a combination of technological advances and a growing consensus among people that they prefer to have others (govts in the main) manage their lives for them, relieve them of risk and responsibility and cross their ever-open and outstretched palms with silly sums of money whenever they should suffer harm. Owen From David_Biggins at usermgmt.com Fri Jul 6 16:01:23 2001 From: David_Biggins at usermgmt.com (David_Biggins@usermgmt.com) Date: Fri, 6 Jul 2001 16:01:23 +0100 Subject: Wired: Echelon Furor Ends in a Whimper Message-ID: > -----Original Message----- > From: Owen Lewis [mailto:oml@eloka.demon.co.uk] > Sent: Friday, July 06, 2001 01:41 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Wired: Echelon Furor Ends in a Whimper Sorry, Owen, but I can't really agree. This is the wrong place for this discussion, and I don't want to upset the moderators, but: > ... Whatever > dear old Uncle Sam may or may not have got up to in this > century, he has not, in the quest of 'political control': > > - Effectively eliminated one or more races from > an entire continent. With a little stretch on the time span, I suspect that the Native Americans may disagree. > > - Exterminated, by shooting, burning, starvation, > disease and slave labour untold millions (20M+) of his own people. Again, the Native Americans may disagree... And within the last couple of hundred, its record on slavery is no better than anyone else's. 
> - Eliminated political dissent within his own > borders or anyone else's. You must be joking. US attempts to destabilise other (smaller) countries' communist governments (which surely counts as "political control") are a matter of record. US shoring up of capitalist dictators in other (smaller) countries is equally a matter of record. Both of these give clear cases of elimination of political dissent. > - Preached race or religious hatred as state > policy at home and abroad. Preached it, no. Practiced it, yes. Its attitude to the Muslim Arabs has NOT been entirely defensible. And its attitude to China is of increasing concern in this context. > - Occupied the land of others at the point of a > bayonet, claiming some > ancient, God given right apparent to none but himself. Again, not within your hundred years, but... > One could go on but you get the point I think. Balance in all > things, mon vieux. Uncle Sam surely is not perfect and - like > the rest of us - he makes mistakes from time to time. Indeed. > However, he is not the vicious > psychotic thug > that some (stand up K & P) would like to depict him as. No. But he has become un-selfconsciously domineering and arrogant - much as we were perhaps a century ago, and is ignoring many of the lessons of history. From k.brown at ccs.bbk.ac.uk Fri Jul 6 16:33:08 2001 From: k.brown at ccs.bbk.ac.uk (Ken Brown) Date: Fri, 06 Jul 2001 16:33:08 +0100 Subject: Wired: Echelon Furor Ends in a Whimper References: Message-ID: <3B45DA34.3E190E3C@ccs.bbk.ac.uk> Owen Lewis wrote: > Whatever > dear old Uncle Sam may or may not have got up to in this century, I assume you mean the previous century, they haven't had time in the 21st yet. > he has > not, in the quest of 'political control': > > - Effectively eliminated one or more races from an entire continent. That's because they had all but finished the job in the 19th century.
By the 1890s the starving remnants of the native Americans were reduced to a level where they could be kept going as a tourist attraction > - Exterminated, by shooting, burning, starvation, disease and slave labour > untold millions (20M+) of his own people. I'll give you that one. > - Eliminated political dissent within his own borders or anyone else's. I don't think anyone has ever *eliminated* political dissent anywhere. A number of people have tried, including the US establishment. > - Preached race or religious hatred as state policy at home and abroad. Government-sponsored race hatred and segregation was a feature of life over much of the USA as recently as the 1950s and 1960s as you know. Not on the level of South Africa or the Nazis, but it was there, and it was public policy. > - Occupied the land of others at the point of a bayonet, claiming some > ancient, God given right apparent to none but himself. Come off it! Yes they bloody well did and you know it. Nicaragua is the obvious case, but there are others. I'm not saying they were any worse than most other countries but to claim that they were better is egregious. > > One could go on but you get the point I think. Balance in all things, mon > vieux. Uncle Sam surely is not perfect and - like the rest of us - he makes > mistakes from time to time. However, he is not the vicious psychotic thug > that some (stand up K & P) would like to depict him as. K & P? The peanut brand????? Ken From donald at ramsbottom.co.uk Fri Jul 6 16:51:56 2001 From: donald at ramsbottom.co.uk (Donald ramsbottom) Date: Fri, 06 Jul 2001 16:51:56 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <3B45DA34.3E190E3C@ccs.bbk.ac.uk> References: Message-ID: <3.0.2.32.20010706165156.01367604@10.0.0.254> I think I agree with Owen on this one. Sure the US is not as pure as driven snow, but neither is anyone else. Nicaragua has been quoted, but look what the Spaniards did and before that the Maya and Toltecs. 
The Native Americans have been quoted, but what was done was pretty much standard Imperial policy of all of Europe at the time. The Indians themselves were not above Genocide. Uncle Sam does what he needs to. We belly ache because we used to and can no longer. The Germans used to be able to, can no longer but want to be able to do the same as the US. And the French, the dear dear French, have always done exactly what they wanted to, when they wanted to. We should not get all huffy, all Nations do it to all other Nations, its just that Uncle Sam is the biggest boy on the block and the rest do not like it, or want to be in his Gang, it makes them feel more important (or more accurately their "Leaders"). So we all know Echelon exists, all "developed Countries" have their own version, and although we can take precautions to minimise its effect, most do not and we are not encouraged to as that would affect our own Gov's ability. So Owen, however un PC this is I stand with you to be shot at:) Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From oml at eloka.demon.co.uk Fri Jul 6 17:29:09 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Fri, 6 Jul 2001 17:29:09 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <3B45DA34.3E190E3C@ccs.bbk.ac.uk> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ken Brown > Sent: 06 July 2001 16:33 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Owen Lewis wrote: > > > Whatever > > dear old Uncle Sam may or may not have got up to in this century, > > I assume you mean the previous century, they 
haven't had time in the > 21st yet. In this hundred years. > > he has > > not, in the quest of 'political control': > > > > - Effectively eliminated one or more races from > an entire continent. > > That's because they had all but finished the job in the 19th century. By > the 1890s the starving remnants of the native Americans were reduced to > a level where they could be kept going as a tourist attraction Were that true, there would not be so many to moan about it today. Besides mankind's views of such things have changed more in the last 100 years than in all previous history. Personally, and as an abo Brit, there's nothing I enjoy more of a Summer's evening than squatting outside the local pub with my hand out, complaining about how my forebears were killed, burned, raped and enslaved by the Romans/Angles/Jutes/Saxons/Danes/Vikings/Normans. Frankly, I think the rest of the EU ought to keep me and all my compatriots for the rest of our lives (stress counselling included) for the perfectly horrid things they did to my relations over some thousand years or more. > > > - Exterminated, by shooting, burning, starvation, > disease and slave labour > > untold millions (20M+) of his own people. > > I'll give you that one. > > > - Eliminated political dissent within his own > borders or anyone else's. > > I don't think anyone has ever *eliminated* political dissent anywhere. A > number of people have tried, including the US establishment. Cite? McCarthyism was a weak gesture in that direction, granted - but look at what happened to McCarthy. > > > - Preached race or religious hatred as state > policy at home and abroad. > > Government-sponsored race hatred and segregation was a feature of life > over much of the USA as recently as the 1950s and 1960s as you know. > Not on the level of South Africa or the Nazis, but it was there, and it > was public policy. Your argument is too sloppy to hold together. Race or religious hatred as state policy is quite specific.
Your response (excepting the Nazis) wobbles around the specific, avoiding it. Ruanda, Burundi, the Balkan states (some) and the Indian subcontinent provide much more exact and powerful examples. Cambodia too, if one includes class hatred which is equally illogical, unpleasant and potentially lethal. We are back to consideration of eyes motes and beams once again. > > > - Occupied the land of others at the point of a > bayonet, claiming some > > ancient, God given right apparent to none but himself. > > Come off it! Yes they bloody well did and you know it. Nicaragua is the > obvious case, but there are others. In the 20th Cent? Really? Can you cite? Why they never even popped poor old Jacomo Arbenz's clogs in 1947 (though they may have acted in a consultancy capacity to those who did). > > I'm not saying they were any worse than most other countries but to > claim that they were better is egregious. And I, very carefully, never argued that they were any better. What is true is that Uncle Sam is not the 'Great Satan' of this modern world. I don't find it necessary to admire everything he has done or now does - or even like him over much - to hold to that. The greatest horrors of the modern world have all come from others. > > > > > One could go on but you get the point I think. Balance in all > things, mon > > vieux. Uncle Sam surely is not perfect and - like the rest of > us - he makes > > mistakes from time to time. However, he is not the vicious > psychotic thug > > that some (stand up K & P) would like to depict him as. > > K & P? The peanut brand????? Nah.
Khomeini and Pinter (snipped away) Owen From oml at eloka.demon.co.uk Fri Jul 6 17:47:10 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Fri, 6 Jul 2001 17:47:10 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <3.0.2.32.20010706165156.01367604@10.0.0.254> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Donald > ramsbottom > Sent: 06 July 2001 16:52 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > Sure the US is not as pure as driven snow, but neither is anyone else. > > Nicaragua has been quoted, but look what the Spaniards did and before that > the Maya and Toltecs. > > The Native Americans have been quoted, but what was done was pretty much > standard Imperial policy of all of Europe at the time. The Indians > themselves were not above Genocide. > > Uncle Sam does what he needs to. We belly ache because we used to and can > no longer. The Germans used to be able to, can no longer but want to be > able to do the same as the US. And the French, the dear dear French, have > always done exactly what they wanted to, when they wanted to. > > We should not get all huffy, all Nations do it to all other Nations, its > just that Uncle Sam is the biggest boy on the block and the rest do not > like it, or want to be in his Gang, it makes them feel more important (or > more accurately their "Leaders"). > > So we all know Echelon exists, all "developed Countries" have their own > version, and although we can take precautions to minimise its effect, most > do not and we are not encouraged to as that would affect our own Gov's > ability. Amen, amen and amen > So Owen, however un PC this is I stand with you to be shot at:) Thank you. Truth is as one finds it. It should not be malleable according to fashion, whim or to gain some advantage. 
Of course, a good lawyer understands that perfectly :) Sadly, this is a far from perfect world- but it has some smashing things in it. Owen From phantomink at powersurfr.com Fri Jul 6 19:05:54 2001 From: phantomink at powersurfr.com (Phantom Ink) Date: Fri, 6 Jul 2001 11:05:54 -0700 Subject: Wired: Echelon Furor Ends in a Whimper References: <3.0.2.32.20010706165156.01367604@10.0.0.254> Message-ID: <000501c10646$4cff1f30$8f056c18@PHINKX> Greg wrote: All History is tragedy illegitimate dynasties, treachery. What we do to others is perhaps part of the demiurge of the original matter from the bacteria of the stars, alien creations, with a penchant for hypocrisy. Another mandate is abroad the world making it more like the stars and the burnt out cinder suns of chaos. Think of us as Religious Bacteria. And religion, even religion of the machine is elitism. States are the servants of the Gods. Don't get too concerned with yerself or ethics. It all comes out as lies, defending our little world from economic disaster, repatriating history with explanations to each other or ourselves. We cannot stop ourselves from bending to this force. We are driven by each other to be cold indifferent, hostile, grasping. Just like the bacteria we came from. Gods alright now, he just can't remember which one of us he is. Nenius said that the three stages of language shall be classical, romanic, and finally demotic. We are here in the third circle. Double speak, state lies, men will never know the truth, we will never understand it. So sublime is this absolute. Hegel tells us not to bother looking for it, because we can never know it. 'Course revisionism is very popular right now. Everything is up for grabs when rational thought is threatened, especially history. We are at the end of history if it ever existed, phenomenologically speaking, a new broadsheet is being made, and your name isn't on it. It's called the Techno Dark Ages. 
Where men shall be murdered without any ill in the police we build in our silence I call it all Virtual Pancakeville. Good hunting GB ----- Original Message ----- From: "Donald ramsbottom" To: Sent: Friday, July 06, 2001 8:51 AM Subject: Re: Wired: Echelon Furor Ends in a Whimper > I think I agree with Owen on this one. > > Sure the US is not as pure as driven snow, but neither is anyone else. > > Nicaragua has been quoted, but look what the Spaniards did and before that > the Maya and Toltecs. > > The Native Americans have been quoted, but what was done was pretty much > standard Imperial policy of all of Europe at the time. The Indians > themselves were not above Genocide. > > Uncle Sam does what he needs to. We belly ache because we used to and can > no longer. The Germans used to be able to, can no longer but want to be > able to do the same as the US. And the French, the dear dear French, have > always done exactly what they wanted to, when they wanted to. > > We should not get all huffy, all Nations do it to all other Nations, its > just that Uncle Sam is the biggest boy on the block and the rest do not > like it, or want to be in his Gang, it makes them feel more important (or > more accurately their "Leaders"). > > So we all know Echelon exists, all "developed Countries" have their own > version, and although we can take precautions to minimise its effect, most > do not and we are not encouraged to as that would affect our own Gov's > ability. 
> > So Owen, however un PC this is I stand with you to be shot at:) > > > > > Donald Ramsbottom BA LLb (Hons) PGdip > Ramsbottom & Co Solicitors > Internet and Global Encryption Law Specialists & General UK Law Matters > 5 Seagrove Avenue Hayling Island Hampshire UK > Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 > Regulated by the Law Society in the conduct of Investment business > Service by Fax or Email NOT accepted > > > From cb at fipr.org Fri Jul 6 23:29:30 2001 From: cb at fipr.org (Caspar Bowden) Date: Fri, 6 Jul 2001 23:29:30 +0100 Subject: Fwd: Release from Marco Cappato MEP on European Parliament view on general surveillance of electronic communications Message-ID: <000101c1066b$20215fd0$72ce87d4@boxer> This is a Press Release on a European Parliament amendment condemning moves towards general surveillance of electronic communications. Forwarding to the RIPlist and ukcrypto for its obvious relevance to recent Council of Ministers pressure on Commission to abolish current prohibition on indiscriminate long-term retention of traffic data. 
The excerpt is noteworthy: "the interception and storage of data concerning traffic and location in electronic communications are entirely exceptional measures which must be based on a specific law which is comprehensible to the general public, be authorised by the judicial or competent authorities, be of limited duration, and be proportionate and necessary within a democratic society; points out that, under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited". The URL given doesn't work, but this does http://www.europarl.eu.int/meetdocs/committees/libe/20010710/439506en.pdf -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media >-----Original Message----- >From: Marco Cappato [mailto:mcappato@europarl.eu.int] >Sent: 06 July 2001 17:20 >To: Marco Cappato >Subject: press release/communiqué de presse > > >Press release by Marco Cappato (MEP and EP draftsman on privacy in >electronic communications) on the efforts by EU Member States to get >wider powers in intruding in private life of citizens PRIVACY/EP: EUROPEAN PARLIAMENT POSITION AGAINST GENERAL SURVEILLANCE IS A GOOD NEWS IN THE VIEW OF THE VOTE ON THE PRIVACY DIRECTIVE THAT WILL TAKE PLACE NEXT WEDNESDAY IN BRUSSELS (Cappato report) Brussels, 6 July 2001 Declaration by Marco Cappato, Radical MEP of the Bonino List, EP draftsman on the draft directive on privacy in electronic communications: "The adoption of a radical amendment that I had tabled on behalf of the Radicals/ Lista Bonino MEPs on the report on Human Rights in the European Union, the EP has assumed yesterday a clear political position on the issue of intrusions by States' repressive authorities in citizens' private life: "the interception and storage of data concerning traffic and location in electronic
communications are entirely exceptional measures which must be based on a specific law which is comprehensible to the general public, be authorised by the judicial or competent authorities, be of limited duration, and be proportionate and necessary within a democratic society; points out that, under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited". The political orientation of the EP is extremely important in the view of the legislative decisions that are to be taken on the revision of the directive on privacy in electronic communications, that opposes the European Commission to the Council of Ministers. As draftsman of the EP on this directive, I express the hope that the EP will support my report when it will be voted in the committee for citizens' freedoms and rights next Wednesday in Brussels: The EP has to oppose to any effort by EU Member States to get wider powers in intruding in private life of citizens, derogating to minimal human rights and fundamental freedoms that are at the base of democracy and Rule of Law".
For further information: Marco Cappato's office: EP-Brussels, Tel 0032 2 2847496; Email: mcappato@europarl.eu.int Cappato draft report: http://www.europarl.ep.ec/meetdocs/committees/libe/20010710/439506en.pdf ------------------------------------------------------------------------ --------------------------------------------------- From cb at fipr.org Sat Jul 7 11:00:37 2001 From: cb at fipr.org (Caspar Bowden) Date: Sat, 7 Jul 2001 11:00:37 +0100 Subject: Australian government says CoE Cybercrime Convention DOES confer GAK powers Message-ID: <000001c106cb$ac9072c0$72ce87d4@boxer> On 14th November 2000, Peter Csonka of the Council of Europe was reported as denying that the Cybercrime convention conferred powers for government access to encryption keys ("That was never our intention" http://www.zdnet.co.uk/news/2000/45/ns-19057.html) However on the Second Reading of the Australian Cybercrime Bill on 27th June 2001, Attorney General Daryl Williams said "Such a power is contained in the draft Council of Europe Convention on Cybercrime and will assist officers in gaining access to encrypted information." 
http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=0&from=browse&path=Legislation/Current+Bills+by+Title/Cybercrime+Bill+2001/Second+reading+speeches&items=1&altbrowse=yes The text of the Australian Cybercrime Bill 2001 is at http://search.aph.gov.au/search/ParlInfo.asp?WCI=Hyperlink&CLASS=BILL&XRefID=R1360&Short=Cybercrime+Bill+2001 -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media -----Original Message----- To: 'FIPR News Archive' Subject: Computerworld Australia 4/7/2001: "Cybercrime bill 'draconian and dangerous'" http://www.computerworld.com.au/idg.nsf/All/D115FFE5F1AF211DCA256A7F0001FACE!OpenDocument&NavArea=Home&SelectedCategoryName=News Cybercrime bill 'draconian and dangerous' By Sandra Van Dijk 4 July, 2001 10:07 Australia The IT security industry has been scathing in its attacks this week on the Cybercrime Bill 2001, labelling it "draconian and dangerous". Under the bill, which proposes seven new computer offences carrying jail terms of up to 10 years, it is illegal to possess hacker toolkits, scanners and virus code. These are 'tools of the trade' for security vendors to test systems placing a burden on lawyers drafting ethical hacking agreements with corporations. Bernard Hill, barrister and corporate services manager of Canberra-based security consultancy 90East, said the act complicates the necessary testing undertaken by the company which manages a number of Commonwealth agencies. "It's a burden for lawyers drafting agreements with companies and will prove very tricky legally to test denial-of-service attacks," Hill said. Amendments to the bill will be debated when parliament sits again in August and Hill said 90East is preparing a submission identifying these loopholes. He agreed such tools and information are also required by systems administrators to secure electronic infrastructure.
The proposed bill does allow the Defence Signals Directorate (DSD) and Australian Security Intelligence Organisation (ASIS) to hack legally. It also forces companies by law to reveal passwords, keys, codes, cryptographic and steganographic methods used to protect information. Hill said companies may be concerned about intellectual property being compromised, but protecting the national information infrastructure is critical. "There have been allegations made about the Government's use of surveillance networks, such as Echelon, and there being no checks and balances in place when agencies are given such broad ranging powers. It is a vexed issue, but the cyberterrorist threat at this time is too great to ignore," he said. Describing the bill as "draconian", Unisys e-security architecture director Ajoy Ghosh said the new laws need to be enforceable. The bill will not change the current situation where Australia's enforcement agencies have scant resources to tackle investigations seriously, he added. He said the solution is to empower the private sector, allowing it access to information necessary to detect, identify and prosecute. Many private security consultancies already investigate cybercrime but Ghosh said they are hampered by current laws. "For example, the inability to get access to ISP billing records; the private sector could focus on opportunistic crimes while the public sector concentrates on crimes of mass victimisation or those that threaten our economic infrastructure," he said. Internet Industry Association executive director Peter Coroneos supports the proposed bill in principle but said it needs to find a balance between privacy concerns and the need to prosecute illegal hacking activities.
A spokesperson for the Minister for Justice and Customers Senator Chris Ellison was unavailable for comment but said in a statement: "The large amount of data that can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators. The legislation will enable police powers to copy computer data and examine computer equipment and disks off-site and enable them to obtain assistance from computer owners." From cb at fipr.org Sat Jul 7 14:14:41 2001 From: cb at fipr.org (Caspar Bowden) Date: Sat, 7 Jul 2001 14:14:41 +0100 Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof Message-ID: <000001c106e6$c95c5200$72ce87d4@boxer> There is a reference to RIP reverse-burden-of-proof in Lord Hope's opinion (para.93) in the following House of Lords appeal (5th July 2001). It appears to be a major rehearsal of arguments about the presumption of innocence in HRA. A little disconcertingly, Lord Hope refers to the "offence of possession" in RIP 53(2), as if possession of a key was the inherent offence (like a controlled drug), rather than the issue of possession arising from non-compliance with a s.49 order. Although the opinions are interesting, they don't seem to clarify much what will suffice to "raise the issue" of no-PANTS (Possession after Notice Time of Serving) in 53(2). Asserting an unusually bad memory ? Through statements or testimony from the witness box ? Asserting a normal memory, but forgetfulness in this instance ? The essential point seems to me that it is not arguable that use of encryption in itself is comparable to possession of drugs, so arguments about "balancing the interests of the individual in achieving justice against the needs of society to protect against abuse of drugs", will be a non-starter in a RIP case.
The construction of RIP doesn't allow any consideration of a presumed "underlying" substantive offence in any case, and if there *was* sufficient evidence of a substantive offence then a person should be tried and convicted on that charge. It's totally irrelevant to the issue of PANTS. -- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media Regina v. Lambert (On Appeal From The Court of Appeal (Criminal Division)) http://www.parliament.the-stationery-office.co.uk/pa/ld200102/ldjudgmt/jd010705/regina-4.htm "93. Section 53(3) of the Regulation of Investigatory Powers Act 2000 is to the same effect. It provides a defence to the offence of possession described in section 53(2). It places the onus of proving the contrary beyond a reasonable doubt on the prosecutor if sufficient evidence of that fact is adduced to raise an issue with respect to it. It is not unreasonable to think that, if Parliament were now to have an opportunity of reconsidering the words used in section 28(2) and (3) of the 1971 Act, it would be content to qualify them in precisely the same way" From oml at eloka.demon.co.uk Sat Jul 7 19:22:11 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Sat, 7 Jul 2001 19:22:11 +0100 Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof In-Reply-To: <000001c106e6$c95c5200$72ce87d4@boxer> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Caspar Bowden > Sent: 07 July 2001 14:15 > To: 'Ukcrypto'; FIPR-AC > Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof > > > There is a reference to RIP reverse-burden-of-proof in Lord Hope's > opinion (para.93) in the following House of Lords appeal (5th July > 2001). It appears to be a major rehearsal of arguments about the > presumption of innocence in HRA.
> > A little disconcertingly, Lord Hope refers to the "offence of > possession" in RIP 53(2), as if possession of a key was the inherent > offence (like a controlled drug), rather than the issue of possession > arising from non-compliance with a s.49 order. > > Although the opinions are interesting, they don't seem to clarify much > what will suffice to "raise the issue" of no-PANTS (Possession after > Notice Time of Serving) in 53(2). Asserting an unusually bad memory ? > Through statements or testimony from the witness box ? Asserting a > normal memory, but forgetfulness in this instance ? I think we return to the point that cryptography is neither 'good' nor 'bad' it is (in modern form) a useful bit of technology that takes upon itself the ethical or legal colour of the purpose for which it is used. Where it is used, to conceal evidence of crime or criminal purpose it is not safe to argue that that the concealment it provides should not be forced open under due legal process. We need also to return to the basic matter of whether it is right that a search of a persons belongings may be made lawfully. This is never a pleasant thing but I believe the substantial majority view is that from time to time such a procedure is better to be effected than not. So, premises are entered and there is information in store on two computers. On one the store is encrypted and on the other it is not. The warrant authorising the search permits the seizure and examination of all this information. Can it be right, that the order of the court is thwarted simply because one container is 'locked' and the other container is 'open'? It is also clear that if the enciphered container held incriminating material, it would be much in the interest of its owner to withhold the key, claiming it to be lost or some such. 
I can see no way to prevent such a course being taken except to ensure that it is likely to lead the owner into a great deal of trouble - albeit perhaps less trouble that he would be in if the contents could be read. It is essential with PKC that secret keys be kept securely. It is much in the interest of the owner that they are never lost or compromised, with the single exception that a 'loss' can thwart a search. It is reasonable therefore to presume that key holders secure their secret keys with care. Nevertheless, keys are lost from time to time; many of us will have lost a key at some time or other. Therefore it seems right that a court listen to a reasoned explanation as to why a key demanded has not been handed over and exercise judgement as to whether the explanation is reasonable in the circumstances. But the purpose of the law will be thwarted if the owner of a key is not required to prove that the loss has occurred and in some way that can be shown to have no connection to a demand for its surrender. So what should be the real effect of this on key owners? Surely, it reinforces their natural inclination to assure that their keys are well secured at all times. There is some miniscule part of the population who may be placed unfairly at risk because of such law. It seems to me that their satisfactory protection should come not from removal of the new offence of not surrendering a key but from ensuring that there is a strong prima facie case to be made against either the key holder or against some person from whom it can be shown he has been in receipt of enciphered information. In sum, the reasons for requiring a search must be of the strongest. If they are, then it is not tolerable that a mechanism be allowed by default whereby any and all such searches can be thwarted at will and without fear or consequence. Therefore, I think that attempts to have such a mechanism allowed as a 'human right' are doomed to failure; the courts are not entirely naive. 
A tactic that, through test cases or other means, leads to the requirement for a radical strengthening of the grounds for demanding searches (and therefore the surrender of keys) is much more likely to succeed, I think. Owen From gbayley at ausmac.net Sun Jul 8 06:06:20 2001 From: gbayley at ausmac.net (Grant Bayley) Date: Sun, 8 Jul 2001 15:06:20 +1000 (EST) Subject: Australian government says CoE Cybercrime Convention DOES confer GAK powers In-Reply-To: <000001c106cb$ac9072c0$72ce87d4@boxer> Message-ID: On Sat, 7 Jul 2001, Caspar Bowden wrote: > On 14th November 2000, Peter Csonka of the Council of Europe was > reported as denying that the Cybercrime convention conferred powers for > government access to encryption keys ("That was never our intention" > http://www.zdnet.co.uk/news/2000/45/ns-19057.html) > > However on the Second Reading of the Australian Cybercrime Bill on 27th > June 2001, Attorney General Daryl Williams said "Such a power is > contained in the draft Council of Europe Convention on Cybercrime and > will assist officers in gaining access to encrypted information." > http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=0&from=bro > wse&path=Legislation/Current+Bills+by+Title/Cybercrime+Bill+2001/Second+ > reading+speeches&items=1&altbrowse=yes > > The text of the Australian Cybercrime Bill 2001 is at > http://search.aph.gov.au/search/ParlInfo.asp?WCI=Hyperlink&CLASS=BILL&XR > efID=R1360&Short=Cybercrime+Bill+2001 Just a followup about this proposed legislation, the following mailing list has been set up to discuss it, the GAK issues raised above, as well as to discuss submissions to the Senate Legal and Constitutional Committee inquiry. To join, send an empty email to: 2600-law-subscribe@wiretapped.net (There's also a digest version (2600-law-digest-subscribe@wiretapped.net) but the traffic is only fairly light at present. 
(maybe not for much longer)) Information about the Senate Legal and Constitutional Committee inquiry is located at: http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm Written submissions must be made by 20th July, 2001, and public hearings are being held in Sydney on 19th July and in Canberra on 9th August. 2600 Australia has prepared an initial response to the second reading speech at the following URL, and will be making an official submission in due course: http://www.2600.org.au/cybercrime-bill-response.txt Hope this is of interest, Grant ------------------------------------------------------- Grant Bayley gbayley@ausmac.net -Admin @ AusMac Archive, Wiretapped.net, 2600 Australia www.ausmac.net www.wiretapped.net www.2600.org.au ------------------------------------------------------- From jtjm at xenoclast.org Sun Jul 8 11:42:42 2001 From: jtjm at xenoclast.org (Julian T. J. Midgley) Date: Sun, 8 Jul 2001 11:42:42 +0100 (BST) Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof In-Reply-To: Message-ID: On Sat, 7 Jul 2001, Owen Lewis wrote: > > It is also clear that if the enciphered container held incriminating > material, it would be much in the interest of its owner to withhold the key, > claiming it to be lost or some such. I can see no way to prevent such a > course being taken except to ensure that it is likely to lead the owner into > a great deal of trouble - albeit perhaps less trouble that he would be in if > the contents could be read. > > It is essential with PKC that secret keys be kept securely. It is much in > the interest of the owner that they are never lost or compromised, with the > single exception that a 'loss' can thwart a search. It is reasonable > therefore to presume that key holders secure their secret keys with care. No it isn't. 
The fact of its being sensible (or even necessary, for any genuine security) to keep one's keys secure, does not by any stretch of anyone's imagination imply that all those who have created secret keys for whatever purpose will a) have kept them secure, b) still remember where they are, or what the passphrases are. It is sensible not to drive when drunk or extremely tired; it is absolutely not reasonable to presume that every driver one meets on the roads is therefore neither drunk nor extremely tired. A better example (since there's no implied breaking of the law involved): In the interests of ensuring that leather shoes wear well, it is essential that they be polished regularly with a good polish. It is nonsense to suggest that this implies that all those who wear leather shoes polish them regularly. > Nevertheless, keys are lost from time to time; many of us will have lost a > key at some time or other. Therefore it seems right that a court listen to a > reasoned explanation as to why a key demanded has not been handed over and > exercise judgement as to whether the explanation is reasonable in the > circumstances. What does that mean? "Reasonable in the circumstances?" - 'I typed rm -fr * in the wrong directory by accident, and didn't have any backups. Unfortunately I couldn't recover the data from the disk, because by the time I noticed what I'd done, I'd already copied the Netscape source on to the machine, unpacked it, and started compiling it' Sounds reasonable to me (it's not an offence not to have backups). But it could just as easily be a convenient excuse behind which a criminal was hiding. How about trying to prove it? Well, the presence of the Netscape source on the machine corroborates the latter half of the story, but says nothing about whether the keys were actually ever on that box. Impossible to prove either way (though fans of STM disk analysis might disagree). What if the reason given was "the dog ate the floppy"? 
Would that not be reasonable because it sounds too much like a conventional schoolboy excuse? But dogs can and do chew up floppy disks (I've lost at least one that way myself). I fail to see how anyone can be expected to exercise judgment as to whether the excuse proffered is reasonable or not (or, more usefully, I believe that anyone (with a modicum of intelligence) can concoct an explanation that must be accepted as reasonable since it could quite reasonably have occurred). Therefore, I believe that it is nonsensical to suggest that we gain anything by allowing a court to decide whether or not an explanation is "reasonable in the circumstances". Either the court tends towards genuine "reasonableness", in which case the criminals win, or it tends towards requiring "proof", in which case the innocents lose. There is no happy middle ground. Even if there is a significant amount of prima facie evidence that the accused is engaged in some criminal activity, it is wrong for the court to assume that if he claims he no longer has the keys then he is lying. It is quite possible that his dog did eat the floppy that very morning, and he should not be convicted of anything because of that misfortune. > But the purpose of the law will be thwarted if the owner of a > key is not required to prove that the loss has occurred and in some way that > can be shown to have no connection to a demand for its surrender. There is one significant flaw in this argument. How does one prove that one does not have something (or does not remember something)? The simplest case occurs when the secret key itself was on the same machine as the data (and so is now in the hands of the police). In order to make use of this key, they require the passphrase. They ask you for it. You say, "I'm sorry, but I've forgotten it". They respond, "prove it". And you do what, exactly? 
Surely at the very least the prosecution will need to start by proving that at some point you possessed the key, before you can be asked to prove that you don't any longer. Even then, your failure to be able to prove that you no longer have it should not be deemed incriminating. ("I lost the floppy in a house move." - might be true, might not be, can hardly be proven.) > So what should be the real effect of this on key owners? Surely, it > reinforces their natural inclination to assure that their keys are well > secured at all times. There is some miniscule part of the population who may > be placed unfairly at risk because of such law. It seems to me that their > satisfactory protection should come not from removal of the new offence of > not surrendering a key but from ensuring that there is a strong prima facie > case to be made against either the key holder or against some person from > whom it can be shown he has been in receipt of enciphered information. Careful. It would appear from your above that if I am a known criminal, and am aware that I am being monitored, I can get my own back on someone who has crossed me by sending him some enciphered material (having created a key in his name which I later discard). He then has the devil of a time proving that he didn't have the key. And I don't believe that the possession of strong prima facie case against an individual should have any bearing whatsoever on whether he is guilty of failing to turn over the keys. After all, if we have convincing evidence that someone robbed a pharmacy, and a policeman is discovered dead in the alley next to the pharmacy half an hour after it was robbed, we don't convict the robber of the policeman's murder without requiring evidence for that particular crime. 
To be honest the only reasonable way that I can think of that will allow the guilty to be convicted without also convicting the innocent is for the police, instead of waltzing in and seizing equipment, to install monitoring software on the suspect's machine (something to capture keystrokes etc.), and wait for him to use his key. Not significantly different in nature from a phone tap. Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From oml at eloka.demon.co.uk Sun Jul 8 14:56:07 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Sun, 8 Jul 2001 14:56:07 +0100 Subject: R v.Lambert House of Lords and RIP reverse-burden-of-proof In-Reply-To: Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T. J. > Midgley > Sent: 08 July 2001 11:43 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: R v.Lambert House of Lords and RIP reverse-burden-of-proof > > > On Sat, 7 Jul 2001, Owen Lewis wrote: > > > > > It is also clear that if the enciphered container held incriminating > > material, it would be much in the interest of its owner to > withhold the key, > > claiming it to be lost or some such. I can see no way to prevent such a > > course being taken except to ensure that it is likely to lead > the owner into > > a great deal of trouble - albeit perhaps less trouble than he > would be in if > > the contents could be read. > > > > It is essential with PKC that secret keys be kept securely. It > is much in > > the interest of the owner that they are never lost or > compromised, with the > > single exception that a 'loss' can thwart a search. It is reasonable > > therefore to presume that key holders secure their secret keys > with care. > > No it isn't. 
The fact of its being sensible (or even necessary, for any > genuine security) to keep one's keys secure, does not by any stretch of > anyone's imagination imply that all those who have created secret keys for > whatever purpose will a) have kept them secure, b) still remember where > they are, or what the passphrases are. It's not a case of any key one ever may have created but of keys which either secure information you continue to store or continue to receive communications requiring that key to read them. Moreover, for the law to take effect, there should be good reason (e.g. evidence of criminality) for the law to be brought into play. The fact remains that it is essential to secure a secret key that is the only means of reading a continuing correspondence or opening a secured store of information. Actually, the analogy is with the complete opposite, i.e. it is to be presumed that most drivers do neither at any moment and that they will be committing an offence if they do. You take my point? > > Nevertheless, keys are lost from time to time; many of us will > have lost a > > key at some time or other. Therefore it seems right that a > court listen to a > > reasoned explanation as to why a key demanded has not been > handed over and > > exercise judgement as to whether the explanation is reasonable in the > > circumstances. > > What does that mean? "Reasonable in the circumstances?" - Just what it says. Each case must turn on its merits. Start at the beginning. For the law to come into play there must be fair suspicion of one of three things, being: 1. The subject of an order has engaged in serious criminal activity. 2. He associates with and shares information in common with someone so suspected. 3. Someone so suspected communicates with him in cipher, using a key which causes only he to be able to read the information received. The subject of an order claims to have 'lost' the secret key and cannot comply. 
A judge must determine whether he cannot or whether he will not comply. > > 'I typed rm -fr * in the wrong directory by accident, and didn't have any > backups. Unfortunately I couldn't recover the data from the disk, > because by the time I noticed what I'd done, I'd already copied the > Netscape source on to the machine, unpacked it, and started compiling it' > > Sounds reasonable to me (it's not an offence not to have backups). But it > could just as easily be a convenient excuse behind which a criminal was > hiding. How about trying to prove it? Well, the presence of the Netscape > source on the machine corroborates the latter half of the story, but says > nothing about whether the keys were actually ever on that box. Impossible > to prove either way (though fans of STM disk analysis might disagree). This, I think, is why the law is framed to require the subject of an order to prove that he could not comply and that the circumstances in which the key was lost were entirely unrelated to any investigation or service of an order. Without belabouring the point, there are many circumstances where that could be shown on a straight balance of probability, let alone reasonable doubt. However, criminal behaviour being what it is, there will also be many such claims in response to the serving of an order which are specious. Consider; if the information you hold is revealed, you will, in all probability be sentenced to 30 years. Will you hesitate even for a moment to lose the key? > I fail to see how anyone can be expected to exercise judgment as to > whether the excuse proffered is reasonable or not (or, more usefully, I > believe that anyone (with a modicum of intelligence) can concoct an > explanation that must be accepted as reasonable since it could quite > reasonably have occurred). You may indeed so fail. But the fact is that judges exercise continually such a discriminatory power as an essential part of their duties. 
> Therefore, I believe that it is nonsensical to suggest that we gain > anything by allowing a court to decide whether or not an explanation is > "reasonable in the circumstances". Either the court tends towards genuine > "reasonableness", in which case the criminals win, or it tends towards > requiring "proof", in which case the innocents lose. There is no happy > middle ground. If you truly believe that, then the remedy lies entirely in your own hands. Should you choose to use PKC, you must simply ensure that at least one, preferably two copies of your pass phrase are maintained in non-electro-magnetic form and where they will be safe. These are additional to the third you keep in your own (fallible) memory. It being my turn for an analogy, I claim that not to take some such precaution is as irresponsible as handling a firearm or a car in an unsafe manner. > Even if there is a significant amount of prima facie evidence that the > accused is engaged in some criminal activity, it is wrong for the court to > assume that if he claims he no longer has the keys then he is lying. It > is quite possible that his dog did eat the floppy that very morning, and > he should not be convicted of anything because of that misfortune. The law may say - has said - he can and leaves all ample opportunity to ensure that they can never have misfortune mistaken for defiance. Absolute protective arrangements can be made. Those who choose not to do so expose themselves to a risk of some considerable unpleasantness - and not just at the hands of a court. > Surely at the very least the prosecution will need to start by proving > that at some point you possessed the key, before you can be asked to > prove that you don't any longer. Even then, your failure to be able to > prove that you no longer have it should not be deemed incriminating. ("I > lost the floppy in a house move." - might be true, might not be, can > hardly be proven.) 
You would only be able to claim one position and never both. You are in possession (or not) of encrypted data. If you are, where's the key? > > > So what should be the real effect of this on key owners? Surely, it > > reinforces their natural inclination to assure that their keys are well > > secured at all times. There is some miniscule part of the > population who may > > be placed unfairly at risk because of such law. It seems to me > that their > > satisfactory protection should come not from removal of the new > offence of > > not surrendering a key but from ensuring that there is a strong > prima facie > > case to be made against either the key holder or against some > person from > > whom it can be shown he has been in receipt of enciphered information. > > Careful. It would appear from your above that if I am a known criminal, > and am aware that I am being monitored, I can get my own back on someone > who has crossed me by sending him some enciphered material (having created > a key in his name which I later discard). This is one reason why PGP as 'strong cryptography for the masses' is a flawed system. You would not be able to do this to me or to many others, only to those who lay themselves open to this form of abuse. Owen From Brian Gladman" Message-ID: <000f01c1084f$f68feab0$6d219fd4@fortytwo> From: "Owen Lewis" To: Sent: Friday, July 06, 2001 1:40 PM Subject: RE: Wired: Echelon Furor Ends in a Whimper > > -----Original Message----- > > From: ukcrypto-admin@chiark.greenend.org.uk > > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > > Sent: 06 July 2001 11:52 > > To: UK Crypto Posting > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > if press reports are to be believed one outcome of the European Parliament > > study is a conclusion that Echelon is a 'fact of life' and that there is > > little that the EU nations can do to counter it. 
> > > > If this truly is a conclusion, the European Parliamentary group have been > > badly briefed since nothing could be further from the truth. > > > > But whether it would be in their interests to undermine Echelon is a much > > more difficult issue since the main need for such assets is in areas where > > US and European interests largely coincide. > > Quite so, and not just European and US interests perhaps. That this > important point you raise was, seemingly, entirely missed by the EPG - even > to mention, let alone evaluate - is one indication of narrowness of vision > and of purpose in their study and report. > > > > The failure of the US and Europe to seriously discuss these issues is > > dangerous since we need to remove the privacy and industrial/commercial > > espionage concerns raised by Echelon without undermining its > > value in other > > areas. > > How would you propose that such a precise sorting of sheep from goats might > be effected? This seems to me to be a fundamental issue and very much at the > heart of the crypto debate. The concerns that have arisen in Europe over Echelon relate largely to whether the US can be trusted to use the information it gains via Echelon only in the way that it says it does. Many in Europe clearly do not trust the US in this respect. And being an issue of trust, it is most unlikely that it can ever be resolved if the parties involved are not prepared to sit down and discuss the concerns and what might be done to remove them. And here the apparent willingness of the US to meet with a European Parliament delegation, followed by a complete refusal to meet with them once they arrived in Washington, is hardly an effective way of building trust. I don't blame the US entirely for this but I do consider that they carry the greater part of the blame. However, to answer your question more directly, the critical factor in building trust is the sharing of the raw intelligence data. 
One way of removing the lack of trust is hence to make all EU nations fully paid up members of Echelon in this respect. Of course it is not going to happen because the objectives are only partially overlapping, which, of course, is why we have the problem in the first place. But rather than trying to change the behaviour of the US, the EU can easily remove the threat of Echelon if it wishes to do so. All it has to do is to promote the rapid and ***universal*** deployment of end-to-end cryptographic information protection (voice and data). It does not matter that much of this protection will be weak since it is the universal use of end-to-end encryption, not its strength, that will completely devastate Echelon. In my view a determined EU plan to do just this would have created a situation in which the US would have talked to the European Parliament delegation! Brian Gladman From oml at eloka.demon.co.uk Mon Jul 9 10:29:51 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Mon, 9 Jul 2001 10:29:51 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <000f01c1084f$f68feab0$6d219fd4@fortytwo> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 09 July 2001 09:20 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > From: "Owen Lewis" > To: > Sent: Friday, July 06, 2001 1:40 PM > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > > > > -----Original Message----- > > > From: ukcrypto-admin@chiark.greenend.org.uk > > > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of > Brian Gladman > > > Sent: 06 July 2001 11:52 > > > To: UK Crypto Posting > > > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > > > > > > .....since we need to remove the privacy and industrial/commercial > > > espionage concerns raised by Echelon without undermining its > > > value in other > > > areas. 
> > > > How would you propose that such a precise sorting of sheep from goats > might > > be effected? This seems to me to be a fundamental issue and very much at > the > > heart of the crypto debate. I hadn't intended to get into an open ended discussion on the merits/demerits of an open exchange of raw intelligence data between the US and the EU states. Therefore, suffice it to say that your views as to the keeping and sharing of ECHELON, here snipped away, rest on an assumption that such a collection system can discriminate between a mass of 'white hats' and a small minority of 'black hats' - or sheep and goats to use the archaic metaphor. It seems to me and many others that this is an intractable issue and I was interested as to whether you had a proposal for a general method by which such discriminatory targeting could be effected. What you wrote above seemed to indicate that you might. > But rather than trying to change the behaviour of the US, the EU > can easily remove the threat of Echelon if it wishes to do so. All it > has to do is to > promote the rapid and ***universal*** deployment of end-to-end > cryptographic > information protection (voice and data). It does not matter that much of > this protection will be weak since it is the universal use of end-to-end > encryption, not its strength, that will completely devastate Echelon. > > In my view a determined EU plan to do just this would have created a > situation in which the US would have talked to the European Parliament > delegation! I do not understand. If one supposes that *all* electronic communication is end-to-end enciphered, how can this help 'remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas'? Surely all it would do is to reduce - undermine - if you prefer - its value in all its supposed functions? The thing collects and analyses; that is all. 
It forms no conclusions and makes no judgements legal, moral, social or political. People apply those values to the product of the system. Now, if all the take is in cipher, a result of this will be markedly to reduce the amount of analysis that can be carried out and therefore seriously to reduce the value of the system as a whole. From what you said, it seemed that this was not your goal and that neither did you believe that such a result would be inevitable. If I am right in this belief, I would like to understand how such a thing can be achieved. But perhaps I simply mistook your meaning? Owen From oml at eloka.demon.co.uk Mon Jul 9 10:42:48 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Mon, 9 Jul 2001 10:42:48 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <000f01c1084f$f68feab0$6d219fd4@fortytwo> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 09 July 2001 09:20 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > But rather than trying to change the behaviour of the US, the EU > can easily > remove the threat of Echelon if it wishes to do so. All it has > to do is to > promote the rapid and ***universal*** deployment of end-to-end > cryptographic > information protection (voice and data). It does not matter that much of > this protection will be weak since it is the universal use of end-to-end > encryption, not its strength, that will completely devastate Echelon. > > In my view a determined EU plan to do just this would have created a > situation in which the US would have talked to the European Parliament > delegation! Alright, I can't resist :-) There will *never* be such a determined plan because few if any at all of the member states would see it as in their interest to bring about such a situation. 
I think we may agree on this and that therefore also agree that any such wish can never become reality. Individuals are, of course, free to make their own arrangements as they may require. Perhaps that is how it should be. Owen From Brian Gladman" Message-ID: <000301c1088f$d3e23f50$ac299fd4@fortytwo> From: "Owen Lewis" To: Sent: Monday, July 09, 2001 10:42 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper > > In my view a determined EU plan to do just this would have created a > > situation in which the US would have talked to the European Parliament > > delegation! > > There will *never* be such a determined plan because few if any at all of > the member states would see it as in their interest to bring about such a > situation. I think we may agree on this and that therefore also agree that > any such wish can never become reality. > I agree - it has always been clear that encryption use outside of government will come about in spite of rather than because of the wishes of most governments. I see this as inevitable because governments generally place even less trust in the people they are supposed to serve than people do in the governments that are supposed to serve them. Brian From Brian Gladman" Message-ID: <000201c1088f$d3663180$ac299fd4@fortytwo> From: "Owen Lewis" To: Sent: Monday, July 09, 2001 10:29 AM Subject: RE: Wired: Echelon Furor Ends in a Whimper [snip] In order to avoid a long debate about this I should make it clear that I am in favour of the universal use of cryptography for end-to-end information protection. I just happen to believe that the case for this is more likely to be undermined rather than strengthened by activities that are too limited in their coverage of the issues involved. 
Brian From oml at eloka.demon.co.uk Mon Jul 9 21:49:18 2001 From: oml at eloka.demon.co.uk (Owen Lewis) Date: Mon, 9 Jul 2001 21:49:18 +0100 Subject: Wired: Echelon Furor Ends in a Whimper In-Reply-To: <000201c1088f$d3663180$ac299fd4@fortytwo> Message-ID: > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman > Sent: 09 July 2001 16:46 > To: UK Crypto Posting > Subject: Re: Wired: Echelon Furor Ends in a Whimper > > > From: "Owen Lewis" > To: > Sent: Monday, July 09, 2001 10:29 AM > Subject: RE: Wired: Echelon Furor Ends in a Whimper > > [snip] > In order to avoid a long debate about this I should make it clear > that I am > in favour of the universal use of cryptography for end-to-end information > protection. No long debate over that. I quite understand that to be your position. What I do not understand is one is to reconcile that with ".....remove the privacy and industrial/commercial espionage concerns raised by Echelon without undermining its value in other areas". If you have the answer to that, then you have a very powerful idea indeed. > > I just happen to believe that the case for this is more likely to be > undermined rather than strengthened by activities that are too limited in > their coverage of the issues involved. Sounds as though you might have a book in the making :-) However, whilst I can see a book being required properly to cover the ethics of governance and an analysis of realpolitik and social pathology in the 21st century, the crux, the philosopher's stone if there be one, would seem perforce to be a relatively straightforward technical issue. But then, as I was oft reminded in my younger years, 'all things are simple to the simple minded'. I can still struggle with that a bit. 
Owen From duncan at gn.apc.org Mon Jul 9 19:12:02 2001 From: duncan at gn.apc.org (Duncan Campbell) Date: Mon, 09 Jul 2001 19:12:02 +0100 Subject: Trading COMSAT Sigint in Europe (Echelon developments) In-Reply-To: References: <000f01c1084f$f68feab0$6d219fd4@fortytwo> Message-ID: <5.0.2.1.2.20010709151821.00a688b0@pop.gn.apc.org> 10 July 2001 Brian Gladman noted his views of the significance of intelligence exchanges and developments within Europe in a recent series of comments. Although the debate is being presented as between the raised voices of Americans who want to believe that nothing like Echelon exists or could possibly be used for economic related purposes, and Europeans who want to believe that it exists only for such purposes, some rather deeper and serious things are happening. A longer version of the account of this I wrote for the Guardian, already posted to cryptome, appears below. Thr original was truncated because of news developments. Duncan Campbell http://cryptome.org/eu-intel-fight.htm 4 July 2001. Thanks to Duncan Campbell. See related European Parliament Motion of Resolution on Echelon, dated July 4, 2001: http://cryptome.org/echelon-epmr.htm This report by Duncan Campbell about unusual developments in Europe related to Echelon appeared in the British Guardian on Tuesday 3 July, but was unfortunately published only in abbreviated form owing to late-breaking news of a verdict in a case of murder of famous British TV celebrity. The published version is at: http://www.guardian.co.uk/comment/story/0,3604,515928,00.htm Fight over Euro-intelligence plans The sudden closure of one of the worlds largest spy stations is a potential harbinger of confrontation between the U.S. and Germany Duncan Campbell Today in Brussels, members of the European Parliament will vote to finalise a report that condemns the use of the British and American run "Echelon" international communications surveillance system as a breach of privacy, sovereignty and human rights. 
The special report, which is expected to be adopted overwhelmingly by the full European Parliament at the start of September, calls for the European Convention on Human Rights to be amended to enforce the privacy of international communications to the same standard as applies to national communications. And it demands that the British and German government enforce their legal and treaty obligations to ensure proper supervision and accountability for secret US surveillance operations conducted from their territory.

"The American authorities have repeatedly tried to justify the interception of telecommunications by accusing the European authorities of corruption and taking bribes", the report claims. But "the USA must leave the task of law enforcement to the host countries". To do otherwise is "a violation of human rights".

Both Britain and Germany host giant satellite based listening stations which form the major part of the US international surveillance network. Bad Aibling Station, in a spa town south of Munich, was the world's first satellite spy base, and started operating in 1968. Menwith Hill Station, near Harrogate, is the largest electronic listening station in the world, and will play a major role in President Bush's controversial missile defence plans.

The world's largest electronic spying system, of which Echelon is a part, is run by the UKUSA alliance of Australia, Britain, Canada, New Zealand and the US. It is founded on a still-secret 1948 agreement. The five nations share the take from their global network of surveillance stations.

The only other worldwide systems are run by Russia, and by France, which has listening stations in South America and the South Pacific. A new European intelligence agency, in which Germany and France would take leading roles, would be a major challenge to the UKUSA group.
The developing spy base controversy has been foreseen as placing Britain under pressure to choose between its historic intelligence links with the US and the new European defence and intelligence initiatives spearheaded by the German government. These already include the construction of a joint European satellite receiving station at Torrejon, Spain.

But a series of recent events points to a deeper and different schism being constructed in Europe, in which Washington appears to have moved pre-emptively to prevent British isolation and to undermine a German-led Europe rising over time to become a rival intelligence power. It is a battle that only Bonn seems so far to have anticipated and joined.

In a little-reported development two days after the European Parliament report was published, irate US diplomats wrote to the German government to announce that, after lengthy negotiation with the central government and the state of Bavaria, the Bad Aibling base would peremptorily be closed. "We have decided to alter our course and will pursue a total closure .... The US will remove ...all operational equipment under its control, including antennas and computer processing equipment", the German foreign ministry was told.

This decision was, according to the US military attache, "driven by the United States' government's desire to maintain good relations with your government, and also with the government of Bavaria".

Only last year, the supreme US military commander in Europe testified to the US Senate about his plans to urgently expand Bad Aibling as a regional intelligence co-ordination centre. Then, the US had no intention of leaving. Now, hundreds of tons of top secret equipment will be pulled out by September 2002.

The Bad Aibling row is the latest in a series of decisions from Bonn directly challenging the United States on intelligence policy issues.
In 1999, Germany was the first major country to break ranks and denounce the US intelligence-inspired attempts to control private and commercial cryptography to levels they could easily break. France and most of the rest of Europe followed suit. By December, the United States government had been forced to abandon its until then successful decade old control policy on commercial and political grounds.

Four months ago, an edict from Bonn reported in Der Spiegel specified that German military or foreign service computer systems would be prohibited from using the Microsoft Windows system, on grounds that the program code was not open and could not be checked for security or "back door" flaws. American designed computer operating systems would not be permitted for use on "sensitive" German government systems.

The American riposte on Echelon came in early June, after President Bush visited Madrid. After the visit, Spanish and US officials openly spoke of new arrangements between the US and Spain to supply communications intelligence from the Echelon network to help fight ETA, the separatist Basque terrorist organisation. Spanish foreign minister Josep Pique confirmed that the US would be providing Spain with secret intelligence on ETA. "A lot can be done from the point of view of technology, information and detecting communications", he said. Government spokesmen confirmed that "new forms of cooperation with US intelligence services were still being worked on - it opens a very promising field of action".

Since most ETA terrorists operate from south-western France, the Spanish-American deal effectively endorsed and authorised US intelligence's activities in intercepting telephone calls and other communications systems operating in France. The Spanish prime minister, Jose-Maria Aznar, has also - alone in Europe - endorsed Bush's plans for new missile defence systems.

But the ETA-tracking deal is actually the first visible sign of longer term U.S.
plans to set up new bilateral intelligence arrangements with selected European nations. The US has recently developed and extended intelligence links with Norway, Denmark, and Switzerland, and has offered anti-terrorist intelligence sharing to the Italian and Greek government, as well as the Spanish.

At the remote village of Skibsbylejren near Hjorring in northern Denmark, and at Heimenschwand and Leuk in central Switzerland, contractors are now putting the finishing touches to a new network of satellite communications interception centres. The data they collect will be routed to processing centres at Zimmerwald and near Copenhagen, and then exchanged with other intelligence agencies.

By the time they are complete in 2002, the new stations will be capable of simultaneously intercepting messages from about 25 satellites. This will provide the US with more capacity than is provided by the three smaller members of the current US alliance - Canada, Australia and New Zealand - put together.

Neither Denmark nor Switzerland has claimed that the new spy bases are being provided for national requirements. According to General Peter Regli, head of the Swiss Untergruppe Nachrichtendienst der Armee (UNA) military intelligence unit, the purpose of the Swiss system called SATOS-3 is to trade information with partner spy agencies.

Most significantly, the policy of sharing anti-Echelon intelligence with Spain announced by President Bush is not new. The agreements were put in place under the previous Clinton administration. They were then put into operation on 15 September 2000, when a joint French-Spanish police operation netted 20 high-flying ETA figures, including Ignacio Gracia Arregui, believed to have been ETA's most senior military commander at the time.

Back in Washington, administration officials gloated and said that when the right moment came, they would make use of these results and "let the damn Europeans stick this up their Echelon".
This and other developments suggest that the U.S. intelligence agencies have long been planning how to overcome the new European intelligence and privacy concerns. Their goal appears to go further than merely protecting existing surveillance operations against privacy campaigners or restrictions proposed by the European Parliament. The greater target appears to be to head off, or at least subvert and minimise the impact of an independent European intelligence capability. Now, in Bavaria and the Basque country, these battle lines have been joined.

ENDS

From: "Brian Gladman"
Message-ID: <001201c10919$ddcf7e80$63209fd4@fortytwo>

From: "Owen Lewis"
To:
Sent: Monday, July 09, 2001 9:49 PM
Subject: RE: Wired: Echelon Furor Ends in a Whimper

[snip]
> > -----Original Message-----
> > From: ukcrypto-admin@chiark.greenend.org.uk
> > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> > Sent: 09 July 2001 16:46
> > To: UK Crypto Posting
> > Subject: Re: Wired: Echelon Furor Ends in a Whimper
> >
> >
> > From: "Owen Lewis"
> > To:
> > Sent: Monday, July 09, 2001 10:29 AM
> > Subject: RE: Wired: Echelon Furor Ends in a Whimper
> >
> > [snip]
> > In order to avoid a long debate about this I should make it clear
> > that I am
> > in favour of the universal use of cryptography for end-to-end information
> > protection.
>
> No long debate over that. I quite understand that to be your position. What
> I do not understand is how one is to reconcile that with ".....remove the
> privacy and industrial/commercial espionage concerns raised by Echelon
> without undermining its
> value in other areas". If you have the answer to that, then you have a very
> powerful idea indeed.

I really want to avoid a long debate about this but my comment has to be considered in the context in which it was made, namely that of proposals that an EU Parliamentary group could make to protect commercial/industrial information assets in Europe.
My suggestion (a) does this, and (b) does not impact significantly on the value of Echelon unless the content and domain so protected provides a substantial part of the value of Echelon.

And in my view it doesn't.

My comment about whether it would be sensible for Europe to do this was based on the possible 'domino effect' that such a move might trigger on a wider scale. However, for reasons I am not going to expand on, I don't think this is a significant concern.

Brian

From lawya at lucs-01.novell.leeds.ac.uk Tue Jul 10 12:53:52 2001
From: lawya at lucs-01.novell.leeds.ac.uk (Yaman Akdeniz)
Date: Tue, 10 Jul 2001 11:53:52 +0000
Subject: RIPA 2000 updates
Message-ID: <200107101054.f6AAsd519365@mps2.leeds.ac.uk>

http://www.homeoffice.gov.uk/ripa/ripact.htm

Consultation on section 12 will end on 24 August, 2001
http://www.homeoffice.gov.uk/ripa/section12.htm

The Home Office website also states the following, absolutely brilliant:

[I have received a few concerned messages from as far as Australia related to this hoax]

---
We are aware that an email message is in circulation purporting to notify recipients that they have committed a spurious offence of "Internet Perversion" in apparent contravention of the Regulation of Investigatory Powers Act, referring recipients to a non-existent website for further details. This is a hoax and has no connection whatsoever to the Regulation of Investigatory Powers Act or any other piece of legislation. Anyone receiving this spammed message can safely delete and ignore it.
From oml at eloka.demon.co.uk Tue Jul 10 20:33:01 2001
From: oml at eloka.demon.co.uk (Owen Lewis)
Date: Tue, 10 Jul 2001 20:33:01 +0100
Subject: Wired: Echelon Furor Ends in a Whimper
In-Reply-To: <001201c10919$ddcf7e80$63209fd4@fortytwo>
Message-ID:

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 10 July 2001 09:25
> To: UK Crypto Posting
> Subject: Re: Wired: Echelon Furor Ends in a Whimper
>
>
> From: "Owen Lewis"
> To:
> Sent: Monday, July 09, 2001 9:49 PM
> Subject: RE: Wired: Echelon Furor Ends in a Whimper
>
>
> [snip]
> > > In order to avoid a long debate about this I should make it clear
> > > that I am
> > > in favour of the universal use of cryptography for end-to-end
> information
> > > protection.
> >
> > No long debate over that. I quite understand that to be your position.
> What
> > I do not understand is how one is to reconcile that with ".....remove the
> > privacy and industrial/commercial espionage concerns raised by Echelon
> > without undermining its
> > value in other areas". If you have the answer to that, then you have a
> very
> > powerful idea indeed.
>
> I really want to avoid a long debate about this but my comment has to be
> considered in the context in which it was made, namely that of proposals
> that an EU Parliamentary group could make to protect
> commercial/industrial
> information assets in Europe.
>
> My suggestion (a) does this, and (b) does not impact significantly on the
> value of Echelon unless the content and domain so protected provides a
> substantial part of the value of Echelon.
>
> And in my view it doesn't.

I can't follow your train of thought in this matter - which may be a greater sadness to me than it is to you :)

You also said:

> But rather than trying to change the behaviour of the US, the EU
> can easily remove the threat of Echelon if it wishes to do so.
All it
> has to do is to
> promote the rapid and ***universal*** deployment of end-to-end
> cryptographic
> information protection (voice and data). It does not matter that much of
> this protection will be weak since it is the universal use of end-to-end
> encryption, not its strength, that will completely devastate Echelon.

To me, your different thoughts will not cohere. Either one might seek to "devastate" Echelon or one seeks to assure the major category of traffic passes unread/unanalysed whilst still facilitating the reading/analysis of selected traffic. 'Universal' end to end encryption might secure the first objective but one cannot see how it will assist the latter (other than by backdoors in all ciphers only operable selectively by user and only by court order etc etc and I'm sure that would not be what you were driving at.

Selective hoovering? I think not. Collection systems behave more like a dredge than a drift net with a specified minimum size of mesh.

If your two expressions of thought are to interlock, we need to fit a missing piece. You are reluctant to provide that piece and that is that. No one is under any obligation - even of noblesse - to say more than he wishes.

In any event, it is clear to both of us that the former objective is unobtainable for practical reasons. An idea for the latter thought would have been interesting though.

ATB,

Owen

From jya at pipeline.com Wed Jul 11 00:20:14 2001
From: jya at pipeline.com (John Young)
Date: Tue, 10 Jul 2001 16:20:14 -0700
Subject: Wired: Echelon Furor Ends in a Whimper
In-Reply-To:
References: <001201c10919$ddcf7e80$63209fd4@fortytwo>
Message-ID:

A singular type of communication that the NSA is permitted by law to collect and retain indefinitely, no matter the source, even if the sources are otherwise proscribed communications of US persons, is cryptographic data.
So the use of encryption in any form increases the odds that it will be collected and studied and/or indefinitely stored for future use. And if NSA does this surely do other nations' spooks.

Should end-to-end encryption become universal as Brian suggests, the question arises of what would be singular data for the NSA and like-snoops to collect and retain? Will it be all communication, along with burgeoning storage and sorting inventions such as NSA brags it is feverishly developing (Bamford reports), or will other characteristics be used to single out special data (and now used to sort through increasing encrypted data)?

There are hints in the regulations governing NSA interception that there are other means to identify special data other than its cryptographic attributes. But only generic terms such as "technical" are used for those hints -- that is, when the terms are not censored altogether as cryptographic and TEMPEST terms once were.

These musings come from a 1993 edition of NSA's USSID 18: http://cryptome.org/nsa-ussid18.htm

Presumably end-points of end-to-end encryption will be easily identified for black bag jobs of the CIA/NSA's SIS teams and other nations' thieves -- or is it other nations' master bandits targets the US be breaking