[112] in libertarians


Re: A semi-social cyber-event idea?

daemon@ATHENA.MIT.EDU (Vernon Imrich)
Tue Aug 16 03:36:49 1994

Date: Tue, 16 Aug 94 03:31:05 -0400
From: vimrich@flying-cloud.mit.edu (Vernon Imrich)
To: sethf@MIT.EDU
Cc: libertarians@MIT.EDU

Interestingly enough, we had quite a debate going for some time on
whether "intellectual property" existed at all. It was a while
back on this list (last IAP I think).

As for the patent/copyright issue, I think the PGP people realised the
same kind of thing that Apple did.  Excluding software hurts the
producers often more than it helps.  This is particularly true for
non-centralized encryption standards.  I sort of thought that PGP 2.6 with 
all the blessings of MIT (for non-commercial use) came out as a way to
counteract Clipper and get everyone using PGP in private (so that 
naturally when their companies wanted to use it they'd have to buy
it from the official source.  Like Homer Simpson falling for the
free sample cookie deal.)

>But to do a lot of trading, you need a key
>server of some sort. That requires some skill and hardware (and a
>network connection).  However, I think the biggest problem will be
>getting the world at large computer-comfortable enough to both be able
>to use PGP, and see the need for it.

I think we'd be content to build up a small file of certified public keys 
and to introduce new members to using PGP.  Is there an "MIT encryption 
club" already out there?  (I would guess SIPB people would be the obvious 
place to look, but they're very general).

"If we can help just a few people use PGP it will have been worth it" :)

BTW, I am a big fan of security/defeating security in general (not
just electronic) though I concentrate mostly on strategy rather than
particular skills involved (and have never even tried any hacking).  

Though I don't know much about the mathematics of cryptography, I'd 
guess right away the weak link will be the same weak link in all security 
systems -- people get tired of using them wisely.  If I were the NSA I'd be
spending effort listening in to telnet feeds for passwords, then going
to various user accounts to get their keyring files and so on.  The biggest 
flaw I've seen is that they can still monitor where messages come from.   
Monitor ALL mail to the "bad" site you wish to watch and you'll eventually 
find out where it's coming from.  Sending mail to remailers or anonymous 
servers doesn't seem particularly reliable either as the phone lines to 
such sites can also be monitored.   (I hear the NSA already monitors all 
posts to anon.penet.fi).  Once you know where things are coming from, just 
camp out in the computer room or a van across the street and watch the guy 
type in his secret codes.  Or, simply forge yourself as a potential ally, 
subscriber, or whatever, and have him send you incriminating stuff directly
(à la the AA-BBS case).

Anyway, I've read the PGP docs twice now and I still forget some aspects
of key management.  Being the cautious type, I'd refuse to accept anyone's
public key until I got this better set in my mind, but still it's a pain
particularly when I don't even have any nasty secrets I want to send.
Like the padlock on the gate at home.  Lots of times it just gets
left unlocked.

Vernon
