13 April 1998: Add Denning message
10 April 1998: Add message and link
9 April 1998
[Selected messages from the thread] Date: Fri, 3 Apr 1998 12:25:53 +0100 To: ukcrypto@maillist.ox.ac.uk From: T Bruce Tober <octobersdad@reporters.net> Subject: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, R-19.62) FYI ------- Forwarded message follows ------- The statement made by Carl Ellison <cme@cybercash.com>, 06 Mar 1998 (RISKS-19.62), "How come Dorothy Denning didn't find any significant use of crypto by criminals in her survey of law enforcement officers?", is inaccurate. The Denning-Baugh report, referenced below, did find significant use of encryption by criminals, 500 current cases worldwide, over 20 cases were presented in detail, and they estimate that the number is growing at annual rate of 50-100% (some cases from the report are listed below). In more than one of the cases, the encrypted information could not be deciphered by law enforcement. The report does make clear that encryption could pose problems for law enforcement in the future. "Our findings suggest that the total number of criminal cases involving encryption worldwide is at least 500, with an annual growth rate of 50 to 100 percent." And "Quite a few people are technically sophisticated." Instead, the study's main conclusion was that it was unable to find any current incident where the use of cryptography significantly hindered an investigation or prosecution. "Most of the investigators we talked to did not find that encryption was obstructing a large number of investigations. When encryption has been encountered, investigators have usually been able to get the keys from the subject, crack the codes, or use other evidence," states the report. The statements that criminals have not used Crypto AG or CyLink encrypting telephones are also incorrect. The Denning-Baugh report did not even address this topic. But, evidence was presented in the late 1980's that possible foreign Terrorist organizations and Drug Cartels were using Crypto AG Voice Ciphering products. According to an ex-employee's legal filings, and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses into their equipment that could be falling into criminal hands. An interesting observation about the report is that when encryption is encountered by law enforcement, they are unprepared to deal with it and forced to use in-house computer forensic specialists (with little training in cryptography), consultants, academics, and/or private companies to attack the problem. While the U.S. Government spends at least $7 to $10 billion per year on "code breaking" at Military-Defense and Intelligence organizations, under current law ("posse comitatus" on up) it is illegal for these resources to be used for domestic law enforcement. We could change these laws, and increase funding to these agencies to handle their new mission? We could create similar agencies inside domestic law enforcement at equivalent cost? Therefore, the requests by law enforcement, to promote and have access to corporate and local Key Recovery systems, can be seen as a low-cost solution to the problem and an effort to save money for the U.S. taxpayer. The cases examined include: * "The Japanese death cult, Aum Shinrikyo, which used encryption to store records on its computers. Authorities were able to decrypt the files in 1995 after finding the decryption key on a floppy disk. And found evidence of plans to launch attacks in the U.S. and Japan." * The New York subway bomber, Edward Leary, who had created his own encryption system to scramble files on his computer. According to the report, after Manhattan police "failed to break the encryption, the files were sent to outside encryption experts. These experts also failed. Eventually, the encryption was broken by a federal agency. The files contained child pornography and personal information which was not particularly useful to the case." * "A police department in Maryland encountered an encrypted file in a drug case. Allegations were raised that the subject had been involved in document counterfeiting, and file names were consistent with formal documents. Efforts to decrypt the files failed, however, so the conviction was on the drug charges only." * "The head of a California gambling ring kept his records in a commercial accounting program encrypted with a code word. The maker of the program refused to help law enforcement break the code, but access to the files was gained by exploiting a weakness in the computer system. This yielded four years of bookmaking records which resulted in a guilty plea on criminal charges and payment of back taxes." * The espionage case against former CIA employee Aldrich Ames, who was directed by his Soviet handlers to encrypt computer file information that was passed to them, "and was eventually convicted of espionage against the U.S., was aided because the investigator handling the case was able to decrypt Ames's files using AccessData Corp. software (an automatic de-encryption program)." References : * National Strategy Information Center, Dorothy Denning and William Baugh, "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," July, 1997. * The Washington Post - WashTech, Elizabeth Corcoran, "Around the Beltway, Encryption: Who will Hold the Key? Two Bills Reflect the Split over Restrictions", Aug-04-1997. * Mercury News, Simson Garfinkel, "Denning unable to confirm FBI Assertions; alters her position", 31-Jul-1997. Robert Perillo, CCP, CNE Richmond, VA perillo@dockmaster.ncsc.mil Staff Computer Scientist perillo@gibraltar.ncsc.mil [Usual disclaimers] [The Ames case strikes me as a bad example, and a classic case of trying to oversell the impediments of crypto, considering the long history of incriminating phone calls in the clear and the long trail of other evidence that would seem to have been ignored or perhaps suppressed in an effort to gather more evidence. PGN] tbt -- Sign all messages with non-escrowed keys, don't give in to government tyranny. Commentary at http://www.homeusers.prestel.co.uk/crecon/Escrow.htm -- |Bruce Tober, octobersdad@reporters.net, Birmingham, England +44-121-242-3832| | Freelance PhotoJournalist - IT, Business, The Arts and lots more | | Website - http://www.homeusers.prestel.co.uk/crecon/ | | PGP Key Details follow: | | RSA key ID 0x94F48255 Fingerprint 0907 EBCD 1B37 91F5 D15C 0D2E C617 2671 | | DSS/DH key ID 0xB1445118 | | DSS/DH key Fingerprint CBB5 8BF8 2CCC 9B86 41EB 1788 6930 78FB B144 5118 |
From: "Yaman Akdeniz" <lawya@lucs-01.novell.leeds.ac.uk> To: ukcrypto@maillist.ox.ac.uk Date: Fri, 3 Apr 1998 14:36:13 GMT0BST Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, The Denning-Baugh report, referenced > below, did find significant use of encryption by criminals, 500 > current cases worldwide, over 20 cases were presented in detail, and > they estimate that the number is growing at annual rate of 50-100% > (some cases from the report are listed below). In more than one of > the cases, the encrypted information could not be deciphered by law > enforcement. See http://guru.cosc.georgetown.edu/~denning/crypto/index.html for Denning's articles. The list of cases is at: http://guru.cosc.georgetown.edu/~denning/crypto/cases.html and as October 1997 there are 20 cases cited and a note states that "New cases will be added to the database as we learn about them." So I am not sure about the 500 cases even though that is their findings according to that joint paper (Denning & Baugh) and a summary of that paper is available at: http://guru.cosc.georgetown.edu/~denning/crypto/oc-abs.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yaman Akdeniz <lawya@leeds.ac.uk> Cyber-Rights & Cyber-Liberties (UK) at: http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm Read CR&CL (UK) Report, 'Who Watches the Watchmen' http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 3 Apr 1998 08:52:30 -0500 From: denning@cs.georgetown.edu (Dorothy Denning) To: ukcrypto@maillist.ox.ac.uk Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, This is the most relevant part of our report regarding the number of computer forensics cases involving encryption. We made no estimate for the number of wiretaps involving encryption. Regards, Dorothy -------------- The FBI's Computer Analysis Response Team (CART) forensics lab reported that encryption was encountered in 2% of 350 submissions to the headquarters component in 1994 and 5-6% of 500 submissions (25-30 cases) in 1996. This represents a quadrupling of cases from 1994 to 1996, which averages out to an annual doubling or growth rate of 100%. A submission could be anything ranging from a single floppy disk to several boxes of disks or complete systems. CART also estimated that about 5-6% of the 1,500 cases handled in the field involved encryption, the largest categories being child pornography and computer crime cases. This corresponds to about 75-90 cases. It does not include cases handled by other federal law enforcement agencies, including the Drug Enforcement Administration (DEA), Treasury (Secret Service, Customs, and IRS), or state and local law enforcement agencies. It also excludes national security cases (foreign intelligence, counter-intelligence, and defense cases) and cases involving intercepts of encrypted telephone communications. In his March 19 testimony before the Senate Committee on Commerce, Science, and Transportation, FBI Director Louis Freeh reported that the number of requests for decryption assistance pertaining to communications interceptions had risen steadily over the past several years [Freeh 97]. ... There is no central database recording the number of encryption cases handled nationally or globally, or indeed even the number of computer forensics cases. Mark Pollitt, program manager of CART, estimates there are at least 5,000 computer forensics cases nationally, up to a maximum of 10,000. World-wide, he estimates anywhere from 10,000 up to 20,000 cases. If about 5% of those involve encryption, then the total number of cases would be 250 to 500 nationally and 500 to 1,000 globally. Eric Thompson, president of AccessData Corporation, estimates that the total number of cases involving encryption is on the order of 1,000 to 5,000. The rate of 5,000 would be about a quarter to one half of all computer forensics cases globally. This is a higher percentage than reported by CART for the U.S., but it is lower than the near 100% figure attributed to recent cases in Northern England. Thompson also estimates that at least 100-200 are child pornography cases involving just PGP.
Date: Sat, 4 Apr 1998 6:41 +0000 (GMT) From: hcorn@cix.co.uk (Peter Sommer) Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, To: ukcrypto@maillist.ox.ac.uk The problem with the Denning / Baugh report is that some of the "cases" are very difficult to verify. For example: the London Cryptoviral extortion is attributed to "McCormack96" which turns out to be Elsevier's Computer Fraud & Security newsletter (for which I am listed as an advisor, btw) but the newsletter article is just a rehash of a discredited London Sunday Times piece; few people here in London now believe the story. The "Cali cartel" story, checked back to the cited source, has few details. Nothing is cited for "Terrorist attacks on business". Emma Nicholson, the former UK MP and presenter of the failed Anti-Hacking Bill and cited as a source for a "British blackmailer" never produced her "large dossier" of cases for any scrutiny. There is simply too much unsupported "there is a rumor.." "we have also heard..." Academics, however distinguished, really should do more than simply repeat convenient rumours. On the question of CART's estimates of the numbers of computer forensics cases - how on earth can anyone know? I don't publish the details of most of the ones I handle - some of the criminal defence cases end up as guilty pleas or are dropped by the prosecution before trial so that there is no way anyone can guess whether computer forensics played a part or not. For civil cases it is even more difficult to tell. Even though I know a fair number of people in this field here in the UK I couldn't even begin to make an estimate - there are 44 police forces, Customs & Excise have a large specialist unit, many of the forensics labs now have facilities, there are some private practitioners. As Donn Parker says, why do people persist in providing "statistics" when it is obviously almost impossible to produce anything remotely worthwhile? FWIW: I have come across a few instances of encrypted or partially-encrypted disks but none of encrypted comms. |----> Peter Sommer ------------------------------------------->| |----> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk ------------------>| |----> Academic URL: http://csrc.lse.ac.uk/csrc/pmscv.htm ----->| |----> Commercial URL: http://www.virtualcity.co.uk ----------->|
From: "Brian Gladman" <gladman@seven77.demon.co.uk> To: <ukcrypto@maillist.ox.ac.uk> Cc: "Carl Ellison" <cme@cybercash.com> Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, Date: Sat, 4 Apr 1998 11:40:35 +0100 Thanks now to both Peter and Dorothy for their postings. It now appears that we have an inaccurate response from Robert Perillo to an inaccurate posting by Carl Ellison to an inaccurate study by Denning and Baugh! And this is the ***best*** public evidence that we have to justify cryptography policies that are critical to the development of the information society. This is simply not an acceptable basis for policy development in such an important area. I have little doubt that Dorothy did her best to obtain clear, objective evidence but the problem is that, if there really is any good evidence, the authorities seem extremely unwilling to release it in a form in which we can have any confidence in it. In the UK this has led to government policy formulation on cryptography and TTP services along the lines 'trust us, we know what is best for you, but we can't (or won't) give you any evidence to justify what we intend to do'. Such an approach to policy formulation might have worked in the distant past but it is no longer acceptable in the 1990s - we now have a much better educated population and one that is simply not prepared to be told what is good for it by a series of governments whose policies on matters involving technology make the 'Poll Tax' look like a stunning success. For several years now the US and the UK governments have been pushing for Key Escrow provisions on the thesis that society should accept limitations on the benefits to be derived from cryptography in order to limit the damage it might do to law enforcement. Both governments are asking us to accept these policies 'on trust' with no evidence of any kind to justify them. When the US government did allow some access to such evidence (in their NRC study) the result was hardly a stunning endorsement of the government position but it conveniently ignored these conclusons and continued on regardless with its misguided policies as if nothing had happened. It now seems possible that the UK government is again going to propose some form of Key Escrow (despite their pre-election stance). And once more my guess is that we will be asked to accept this without a shred of evidence to justify it. So, DTI, if you really are about to propose a policy with Key Escrow features could we please have the following: 1. a clear, precise and complete statement of the objectives that you are trying to meet by including Key Escrow features in such a policy; 2. evidence to show that these objectives serve the interests of UK citizens; 3. evidence to show that Key Escrow is practical and capable of meeting these objectives given an information society that is global in scope; 4. an assessment of all alternative policies that might meet these objectives, showing clearly that Key Escrow is demonstrably the best option; 5. evidence to show that Key Escrow will provide benefits for society and that these benefits outweigh its costs in individual, social and economic terms; If you can do this I feel sure that you will gain the widespread support of UK citizens. Brian Gladman
Date: Sat, 4 Apr 1998 12:00:41 -0500 From: denning@cs.georgetown.edu (Dorothy Denning) To: ukcrypto@maillist.ox.ac.uk Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, Peter, thanks for the information to the effect that the cryptoviral extortion case had been discredited. Just to clarify a few points about the study. Our objective was not to make or break the case for key escrow. The cases that are presented without a reference and without qualifiers such as "there is a rumor" are based on first-hand accounts from either the law enforcement officers who handled the case or the person who did the decryption. These people wished to remain anonymous, so there is no citation. I expect that most of the cases where encryption is encountered in wiretaps are foreign intelligence cases. We were not able to get any information on these cases, so did not draw any conclusions. Regards, Dorothy
Date: Sat, 04 Apr 1998 19:49:58 -0500 To: ukcrypto@maillist.ox.ac.uk From: Carl Ellison <cme@cybercash.com> Subject: Inaccurate crypto rhetoric (was Re: Inaccurate study quoting, Re: anti-crypto rhetoric) -----BEGIN PGP SIGNED MESSAGE----- Following is my response to Mr. Perillo. I didn't realize until now that UKCrypto was carrying this debate. - Carl - -----BEGIN PGP SIGNED MESSAGE----- Mr. Perillo, Thank you for taking the time to correct the exaggerations in my comp.risks posting of 6 Mar 1998 (19.62). May I assume from your message that you share my belief that the cryptography policy debate is far too important to be conducted in exaggerated, black and white, doom-saying rhetoric? Of course criminals have used cryptography for a very long time. Criminal invention and use of verbal codes is old enough that there is a word in the English language for it: argot. This should not surprise us. My own informal survey of even non-mathematical adults has shown that the vast majority used some code or cipher as teenagers in order to keep secrets from prying adults. In turn, this is consistent with David Kahn's observation: "It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously -- as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write." [The Codebreakers, p. 84] As you emphasize, criminals are not limited to inventing their own codes and ciphers. I am not familiar with your evidence that drug cartels and terrorist organizations have used encryption products from international sources (e.g., Crypto AG), but I am not surprised. I have seen Jane's catalog of counterintelligence devices, including military grade cryptography, and I would not be surprised if serious criminals shopped from such catalogs [metaphorically speaking]. [I had heard of course about the Crypto AG weakness allegation, but had understood this to be part of "The Boris Project" by NSA, to weaken cryptographic devices sold to Iran and other governments. It was also my understanding that the techniques for exploiting such a planted weakness would not be shared by the NSA with the FBI. However, you are probably in a better position to know the truth about this last point than I am.] So, instead of stooping to splashy rhetoric and exaggeration as characterized by Director Freeh's testimony before Congress (which I imitated in my RISKS 19.62 posting), let us consider the facts of cryptography without inflammatory rhetoric. The notion that criminals adopt cryptography very rapidly (which is how Director Freeh summarized it), with the implication that very soon all criminals will be using cryptography to frustrate law enforcement, is stated a little more scientifically by Denning & Baugh in the finding of a 50-100% annual growth rate. However, it is clear that this can not be a product of rapid criminal adoption of new technology, as implied by Director Freeh. If that were true, we could start with a minimum of one criminal organization using cryptography strong enough for the government not to break, in April of 1927 [Kahn, p. 803], and take the minimum annual growth rate of 50% to get 1.5^{71} = 3,180,382,777,245 organized crime groups using cryptography in April of 1998. This is clearly impossible. Therefore, the observed growth rate must be influenced by something other than speed of adoption among criminals. It may, for example, be a side effect of the recent rapid adoption of PCs by the general population. We also do not know what limited the growth of the criminal use of cryptography in the last 71 years, not to mention the hundreds of years before that. These are topics deserving much study, but they show clearly without further study that Director Freeh exaggerates improperly in his claim that soon all criminals will use strong cryptography and all law enforcement will be frustrated. Perhaps the most important conclusion of the Denning-Baugh study was, as you point out quite properly, ``instead, the study's main conclusion was that it was unable to find any current incident where the use of cryptography significantly hindered an investigation or prosecution. "Most of the investigators we talked to did not find that encryption was obstructing a large number of investigations. When encryption has been encountered, investigators have usually been able to get the keys from the subject, crack the codes, or use other evidence," states the report.'' This is a remarkable conclusion and one of which I was well aware. As I have said numerous times in the past, I believe it is our job as good citizens and policy makers to accept reality unemotionally and make plans to help law enforcement: We need to help Director Freeh accept that he will never have an FBI keyhole into the cryptography of criminals. They can always make their own strong cryptography. The usual counter-argument to that is that even criminals will need to use cryptography to talk with their bank or the IRS -- but the implied false assumption behind that argument is that people will use only one kind of cryptography. Cryptography is effectively free and there is no limitation on the number of different systems one might keep on his PC and employ. Each application will be specific to its use (banking, tax returns, ...) and each will include its own cryptography. We must resist with great effort the attempt to force honest citizens to accept FBI keyholes, just as we would resist an attempt to force honest citizens to leave house and car keys at the local police station or to plant FBI microphones in all private bedrooms or other places where some criminal might, someday, have an incriminating conversation. We must follow up on the Denning-Baugh study and attempt to discover the true limits to growth of criminal adoption of cryptography. Why wasn't the world flooded with it decades ago? We must also pursue their very encouraging conclusion that even when cryptography was used, it did not interfere seriously with investigations. Why was this true and how can we help law enforcement continue this record? We should probably start a real research project to help the FBI find ways to gain the intelligence it needs even in the unlikely disasterized case that all criminals use strong cryptography with no government access. I have a number of such thoughts and have offered to share these with the FBI, to no avail so far. I will not publish them, for obvious reasons. We should keep in mind the NRC study conclusions that compared the positives and negatives of strong cryptography. In particular, strong cryptography helps thwart crime and that will become ever more true as our lives move ever more on-line. At the same time, any government keyhole into civilian privacy would become a more inviting criminal target as this change in society progresses. Mostly, I believe we need to do what we can to correct what appears to me to be an inability on the FBI's part to withstand the childish taunt, "Nyah, nyah, I've got a secret and I won't tell you." - Carl - -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.5.3 iQCVAwUBNRXYFxN3Wx8QwqUtAQEU5AP/aBPUGeLFg3E7Sbnx+yMA3Dmg/QBc9lT0 zCfhzq301EMCtfUkhLDoXjOO+nt45/RhxNtVV9Aw1OlURtbz4XSGSsosHEE3VRVV V1NIfAen6tZrlgvuM5oc/0hokpmTZlIZzj8RUnyYoa0+7Gw64VgDRFIlvluT2n6I U2TmV14rzKY= =kxVO - -----END PGP SIGNATURE----- +------------------------------------------------------------------+ |Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme | |CyberCash, Inc. http://www.cybercash.com/ | |207 Grindall Street PGP 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 | |Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 | +------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.5.3 iQCVAwUBNSbVNRN3Wx8QwqUtAQFSnAP/QAvMTNjM/pjWbkFpyRbYGocMMQgrsA6f LJDWfOBf4KQ6pkbGozHBEwgDcmm1GQG8SjNJCVKeq+ETCjiVf7UA6cHHooqDjSAd oIMAYHE2kU7gmqH5rJuhvqmuG/I36XuKzL+xMdDFBotc5ubt52B4Zmy3kNKU/aJW 0upCzQP8HFg= =bqqs -----END PGP SIGNATURE----- +------------------------------------------------------------------+ |Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme | |CyberCash, Inc. http://www.cybercash.com/ | |207 Grindall Street PGP 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 | |Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 | +------------------------------------------------------------------+
Date: Sun, 5 Apr 1998 8:26 +0100 (BST) From: hcorn@cix.co.uk (Peter Sommer) Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, To: ukcrypto@maillist.ox.ac.uk Dorothy: Thank you for the clarification about your sources for your study. I am not unsympathetic to the problem; I am always pleased when I have the opportunity to talk to people "behind the veil" and not only for reasons of self-importance - I think some of them need to be exposed to the perspectives of those of us who operate in the open world. But there is always a difficulty: ultimately what they tell you is often unverifiable. They could be telling the truth, they could be telling what they believe to be true but is the result of misdiagnosis or misinformation, or they could be bending the truth in the never-ending battle to create a policy climate favourable to them and the government budgets they need to survive. In particular I don't think one should under-estimate the extent to which the spooks can get things wrong; quite apart from the well-known history of "intelligence mistakes" I have my own experiences in the occasional instruction as an expert in criminal proceedings to draw on. If I compare the claims of Jim Christy and others in the matter of the Rome Labs hackers with what I saw as evidence in the resulting UK cases, for example, or compare the certainty with which commentators state that Vladimir Levin was able to hack into Citibank without inside help with the actual evidence tendered in London for his extradition ...... Both these cases of course feature high in the ever-expanding, ever-shriller "information warfare" agenda. And all of this is why so many of us are asking for the specifics of the need for LAK. Here is the UK the total open budget for monitoring serious crime - the annual budget of the National Criminal Intelligence Service is only £30m. Its remit includes narcotics trafficking, money laundering (it receives and collates the reports of unusual transactions), organised crime including the Turkish, Russian, Italian and other mafias as well as our own local heroes, paedophilia, extortion and soccer hooliganism. That's under a $1 for every inhabitant of the UK. What puzzles me is this: if on the one hand the problems of organised crime are so small to rate such a low budget, why, on the other, are we being asked to accept such an instrusive policy in relation to crypto? Is there really a case-book of instances which, if revealed, would persuade us to accept the intrusion as a necessary price for freedom? As one of the many cliches in Private Eye has it: I think we should be told. The issue of what happens when digital evidence is seized in the ordinary way (that is, through regular warrant) and turns out to be encrypted should be distinct from LA requests to have LAK for intelligence fishing expeditions. As you say, all your cases seem to refer to the former situation. I have no difficulty in accepting the existence of encrypted files and disks and the problems they create for law enforcement. Interestingly enough, the "old" DTI TTP proposals specifically excluded many of the devices / technologies that are used for file and disk encryption. The alternative legal route here is to allow / extend the ability of the court to issue orders for decryption keys to be released (under certain conditions) or to allow adverse comment to be made if someone refuses to do so. (This takes us into the tricky area of the right against self-incrimination etc, of course). The absence of discussion of these matters is quite surprising. rgds Peter |----> Peter Sommer ------------------------------------------->| |----> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk ------------------>| |----> Academic URL: http://csrc.lse.ac.uk/csrc/pmscv.htm ----->| |----> Commercial URL: http://www.virtualcity.co.uk ----------->|
Date: Fri, 10 Apr 1998 00:40:03 +0200 From: Anonymous <anonymous@netassist.se> Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, To: ukcrypto@maillist.ox.ac.uk Peter Sommer says: > The problem with the Denning / Baugh report is that some of the "cases" > are very difficult to verify. For example: the London Cryptoviral At least one entry was verifiably wrong: http://infinity.nus.sg/cypherpunks/dir.97.07.10-97.07.16/msg00003.html [Copy of the referenced cypherpunks message:] To: Kevin.L.Prigge-2@tc.umn.edu Subject: Re: Jim Bell reference From: Eric Murray <ericm@lne.com> Date: Wed, 9 Jul 1997 11:09:32 -0700 (PDT) Cc: cypherpunks@cyberpass.net Kevin L Prigge writes:> > Dorothy Denning taught a class (COSC 511) "Information Warfare" > Spring 97. Apparently as an assignment, several students put > together an infowar incident database at: > > http://www.georgetown.edu/users/samplem/iw/ > > Jim Bell's case is mentioned under: > > http://www.georgetown.edu/users/samplem/iw/html/iw_database_92.html Wow. This is the most blatant propaganda I've seen in a long time. It's full of so much inaccurate info that it can't be an accident. Their blurb on Bell says: "In his "Assassination Politics," Bell suggests that IRS agents are not protected against violent acts, because they have stolen taxpayers' money. He also initiates a betting pool as to what government employees and officeholders would be assassinated." If I remember correctly, Bell never 'initiates'[sic] anything, he just talked about it. They cites a Netly News article by Declan McCullagh (http://cgi.pathfinder.com/netly/editorial/0,1012,800,00.html) Declan's article doesn't say, or even imply, that Bell actually set up his AP betting pool. The "database" authors apparently wanted to make a point by making his crime seem to be real, and were willing to stretch the truth to do so. This fits in with the rest of the "database". Take a look at the 'terrorisim' category. Most of the 'terrorists' crimes (or more correctly, arrests- this database seems to assume that being arrested or charged with a crime makes one guilty) are horrible terrorist crimes like sending hate email, or suggesting that a state senator who vociferously supports mountain lion hunting be "hunted down and skinned and mounted". In that one the California state senator somehow becomes a US senator... (http://www.georgetown.edu/users/samplem/iw/html/iw_database_90.html) The "database" is filled with inaccurately-labeled "data". I'd be willing to bet that it will be used to support the "Info war" military-industrial-complex money grab: "Look, a study at Gorgetown shows that we've had three incidents of Internet terrorisom in 1997 alone, one against a US senator!" Feh. "Research" like this makes me puke. BTW, you can add you own "IW incidents" via a form at http://www.georgetown.edu/users/samplem/iw/html/feedback.html -- Eric Murray ericm@lne.com Security and cryptography applications consulting. PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
[JYA Note:] See also Professor Denning's course schedule and readings for Spring 1998 for an informative overview: COSC 511 Information Warfare: Terrorism, Crime, and National Security http://guru.cosc.georgetown.edu/~denning/cosc511/spring98/schedule.html
Date: Mon, 13 Apr 1998 08:26:36 -0400 From: denning@cs.georgetown.edu (Dorothy Denning) To: ukcrypto@maillist.ox.ac.uk Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, The citation below is to something that some of my students wrote, not to the Denning/Baugh report. When the students learned of their mistake, they promptly corrected their error. The anonymous poster evidently did not even bother to see what we had written or what was in the student's database. The clip in our study was based on the court document and a conversation with a law enforcement officer involved with the case. Dorothy Denning Date: Fri, 10 Apr 1998 00:40:03 +0200 From: Anonymous <anonymous@netassist.se> Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, To: ukcrypto@maillist.ox.ac.uk Peter Sommer says: > The problem with the Denning / Baugh report is that some of the "cases" > are very difficult to verify. For example: the London Cryptoviral At least one entry was verifiably wrong: http://infinity.nus.sg/cypherpunks/dir.97.07.10-97.07.16/msg00003.html