Interim Response from Philip Zimmermann

The little No Regrets about PGP piece from Philip Zimmermann and the associated interview "call for questions" we ran on Sept. 24 seems to have stirred up quite a ruckus. Apparently online crypto has become such a hot button issue that it is impossible to hold a rational conversation on the topic right now. Because of this, instead of answering the interview questions, Philip sent us a brief statement. We'll try to interview him (and other crypto experts) later, after passions die down a bit.

Overreaction to Washington Post Article

It seems that my recent clarification of how I was represented in the 21 September Washington Post article has itself created a deluge of harsh criticism of the Washington Post and the reporter who wrote the article.

People seem to be assuming the Washington Post is part of some grand conspiracy to restrict the availability of strong cryptography. I would like to say that this is an overreaction and a misinterpretation on the part of these critics.

I believe this was an honest misunderstanding by the people at the Post, and I never meant to imply in my previous clarification that this was done on purpose or with any malicious intent. On the contrary, I believe the Post worked hard to be fair in the story and had the best of intentions when they ran it.

Further, I'd like to say that all the individual facts and quotes were reported correctly. But the Post connected the dots in a slightly different way to conclude that I was feeling guilty even though I was simply feeling grief and anger just like everyone else since the attacks occurred. Overall, I thought the article was fine except for that one line that says I was "overwhelmed with guilt."

My purpose for sending out my original clarification was not to criticize the Post but to assure everyone that I am still standing firm on my convictions that PGP and other strong encryption products should be available to the public, with no back doors.

Through the years of coverage the Post has given the issue of cryptography restrictions, I have never detected any bias at the Post to promote restrictions on crypto. In fact, if they have any bias at all, it seems to be in the other direction. They helped me when I needed to keep the Justice Department at bay in 1995. We will need them again in the coming weeks as we in the crypto community attempt to keep the freedoms we have, as legislators try to impose new restrictions on strong crypto.

I find this jihad of criticism of the Post to be inappropriate. I can easily tell from talking with the reporter that her intentions were good. It is grossly unfair to punish her with all this hate mail. It's embarrassing to me and damaging to her. If anyone in the world of journalism wants any further clarification from me on that reporter's competence or journalistic integrity, feel free to call me directly and I will explain it to you in more detail.

I am in London at a data security conference, without as much Internet access as I have at home, so I cannot keep writing about this matter for much longer. I hope this letter is enough to put this matter to rest.

Sincerely,
Philip Zimmermann

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO7ILqcdGNjmy13leEQLryACfffYuStFXNTC0aWnJStMEAWsbQSgAn0ID d2bqoxnEbABk+1V/edlzC84A =uBHG
-----END PGP SIGNATURE-----

Thank you

[Chris_Pugrud]

It's good to see that many people have a sound head on their shoulders and are not engaging in over-reaching knee-jerk reactions.

Find the time to write your congresscritter, but do it when you are not emotional. Tell them that security research is not cracking, that cracking is not terrorism (if you don't take the time to properly secure your systems, you need to take some liability!), tell them that crypto is free speech, it is the ability of people to have a private conversation! A conversation without big ears, between a limited group of people. Then let the letter sit overnight and read it in fresh light.

If you really want them to listen, take the time to print out your letter, after you have sent it online, address some envelopes and send them hard copy!

If you really wan to stir some feathers, then remind them of the declaration of independence - "But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security"

Chris

Conundrum

[well_jung]

Tis very unfortunate that so many of us are so secluded from the greater society that we help run that we can't stop ourselves from from partaking in venemous "activism". Phil put it nicely when he referred to it as a Jihad. For too many of us, our passions and self-confidence get in the way of being responsible members of a larger community.

Re:hmm.

[nlvp]

He also made it very clear that he thought the mistake was due to overwork, and the general tone of his article was not critical to the Washington Post, but rather trying to clear up a misunderstanding.

Zimmerman comes across as constructive and considered precisely because he spends more time trying to clear up the facts rather than point the finger at everyone in sight, blame the establishment and cry conspiracy at the top of his voice. It's precisely because his contributions to discussions are so considered that he has reached a position where his opinions carry a lot of weight.

Anyone who was expecting a similarly considered reaction from Slashdot (as a whole, not individuals), was obviously being a little optimistic. Most of the posts seemed to indicate that the most people got out of Zimmerman's letter was that the Washington Post had misrepresented him - they then went on their (somewhat predictable) anti-WP crusade as they perceived one of their heroes to have been slighted.

Thank goodness the hero himself has the presence of mind to calm things down before they get out of hand. But I doubt the reaction did much to endear the Slashdot crowd to him. At least he knows where to go if he needs to rally some unconsidered fanatical support.

Disclaimer: I am not making comments directed at any individual post, but at a theme that ran through a number of posts in the other thread, so don't take it personally.

What we need is

[wiredog]

A link to the advocacy howto at the top of the page.

Although, given that we usually don't read articles before going totally non-linear, it's probably unrealistic to expect people to read the howto.

Professional Criticism

[_Sprocket_]

I can only imagine what the Washington Post and their reporter had waiting for them in their collective Inbox. And from what I've seen online (and not just Slashdot), I'm sure Phil is completely correct in saying that it was undeserved. I feel bad that Phil should have to feel ashamed over the incident.

But...

The Washington Post DOES deserve critism. Phil is very polite to assure that there were good intentions and that facts were presented properly. Unfortunately, good intentions aren't always enough and the facts reported were not entirely correct.

The issue at hand is the reported guilt that Phil felt. By his own account, he had gone to great lengths to ensure that mistake was not made. And yet the mistake was made and Phil's apparent guilt was reported as fact. Why? Because someone at The Post drew their own incorrect conclusion.

I'm all for reporters putting elements togeather to ferret out the truth of a story. Its part of what makes a good investigative reporter. However, in this case someone put 2 and 2 togeather, got 5... and went ahead with it without any fact checking. Surely Phil wouldn't have been THAT hard to contact for a followup (be it in person, voice, or email).

The Washington Post is a professional, world-class organization. Their reporters are professionals with a great deal of power to direct the attention and impressions of issues held by average citizens. Some of which happen to be in our law enforcement agencies, Congress, and other positions of power and policy. Because of this, the Post and its reporters should be held to a high standard.

The Washington Post failed to meet this standard. They should feel ashamed and are entirely worthy of harsh critism.

Even if they're not deserving of hate mail.

FBIrony

[philipsblows]

After all of this explosion about crypto and backdoors and limiting the civil liberties of Americans and anyone else we can cause trouble for, it is somewhat ironic (and more than a little tragic) to find that a tremendous amount of information has been gathered through understanding relationships and actions of the perpetrators. This according to the butthead press corps in the US.

This has been pointed out elsewhere, possibly by a congressperson even, but what would our law enforcement agencies do with the tremendous amount of information they are asking to have access to, when they can't properly connect the dots that they already have in plain text right in front of them?

When something like 20 foreign nationals from the same general region of the world get truck driver licenses and apply for hazardous materials hauling permits all within a couple of months of each other, somebody in some FBI office somewhere should ask some questions. There was nothing encrypted in that transaction, and they are only now putting that together.

Besides all of this, bin Laden doesn't even use technology to communicate anymore, having resorted to no-tech messangers to avoid CIA/NSA listening posts. At least that's what our news media is telling us...

What's the point of the DS?

[Coot]

What’s the point of posting the PGP signature if you don't also post the text exactly as signed, including the “begin signed” and “end signed” delimiters. The signature is unverifiable without the precise text that was signed.

No point. Except to look cool.

Aren't back doors dangerous?

[mrthoughtful]

Nice to hear from you PZ.
So how does a government restrict access to a back door?

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.0

iQA/
NSA-OPS:ThEBacKDoORPaSsWorDIS:LETMEIN:bAjmy13len CX XWnJPSJSIDEQLryACfBk+1V/edllzC84A =uBHG
-----END PGP SIGNATURE-----

Slashdot and Crypto

[ichimunki]

Dear Phil,

Do you think you could give the Slashdot crew a quick lesson in using crypto? From the way they've posted the last two missives from you, it's obvious they don't actually use PGP or GnuPG and have no clue how to transfer information in such a way that the digital signature remains valid.

I mean, providing a link to the original text file seems to be too hard for them, so maybe you could walk them through the procedure for verifying a document and then ask them to try and do that on their own postings, to see what they are doing to those of us who verify signatures when we see them?

I mean, what's the point of signing a message if no one can verify it? Not that I think Slashdot would lie, but for all we know they've been duped into posting something that isn't from the real Phil Zimmerman. Or maybe their stories are being tampered with-- it's happened to bigger fish recently (and Slashdot itself has been hacked before).

Thanks!

was crypto even used?

[mikey_boy]

According to this article from the UK's guardian, cryptography wasn't even used, so it's all bunch scaremongering crap anyway ...

"FBI investigators had been able to locate hundreds of email communications, sent 30 to 45 days before the attack. Records had been obtained from internet service providers and from public libraries. The messages, in both English and Arabic, were sent within the US and internationally. They had been sent from personal computers or from public sites such as libraries. They used a variety of ISPs, including accounts on Hotmail.

According to the FBI, the conspirators had not used encryption or concealment methods. Once found, the emails could be openly read."

Re:hmm.

[Roblimo]

The reason for most editorial cuts in newspaper stories is not to give them a "slant" but to make them fit into available space on the page.

Newspapers lay out pages by putting in the ads first, then filling the remaining white space (called the "news hole") with stories. Often there are more stories the boss editors feel are important than there is space to run all of them full length, so some or all of the stories get trimmed to fit. Decisions on what words to cut out of which stories are not made by a group of cackling [liberal; conservative; Zionist; law enforcement] conspirators in a back room, but by overworked (and usually underpaid) wordsmiths watching the clock tick toward the moment when the presses are scheduled to run. These people do not have the power to decide which stories get covered and which do not. They are the hands-on people responsible for getting the paper put together on time every day; the sergeants of the newspaper business, you might say.

Deadline pressure combined with the necessity to make the paper fit as much information as possible onto each (expensive) square inch of newsprint is to blame for at least 99% of all perceived newspaper copyediting errors.

The copyeditor who is making the cuts is also, in most cases, proofreading the stories, checking facts, and writing headlines. It is a brutal job, and out of the hundreds of stories a big newspaper like The Post runs in every edition, chances are approximately 100% that at least a few cuts will be made that are less than perfect.

A big advantage Internet news purveyors have over print news sources, and over broadcast sources too, who have "X" minutes of time to fill, and that's it, is that it costs effectively nothing to run 5 extra paragraphs of text on the WWW if those paragraphs will add more depth or accuracy to a story.

Hands-on, daily deadline copyediting is a brutal job carried out not by "anonymous cowards" but by people who do their best to make stories as accurate and readable as possible in too little time, usually on a copy desk that is a few people short not only because of recent media layoffs, but because competent copyeditors are always in short supply. The job takes an immense range of knowledge, powerful research skills, and a willingness to accept attacks for every mistake made while foregoing public credit when everything goes "just right."

- Robin

Media and conspiracy

[joss]

> People seem to be assuming the Washington Post is part of some grand conspiracy to restrict the availability of strong cryptography.

No, it's not a conspiracy, but it is a symptom of a much deeper problem. The fact remains that the paper blatantly misrepresented Phil's opinions in order to further the current agenda of cracking down on civil liberties. This distortion is not a coincidence, but it's not deliberate either. In fact, it's scarier than that. People who are sufficiently indoctrinated hear what they want to.

We don't need any controlling evil mastermind to produce the appearance of a conspiracy. All we need is a set of implicit and unstated tendancies where most people do what they think ought to be done, and the mass moves inexhorably in a particular direction, irrespective of a few free thinkers trying to throw a spanner in the works. This group concensus serves the interest of those in power (the rich, via corporations, media - which is corporate owned, and politicians - who are also corporate owned), and pushes the rest of the population in that direction.

Mainstream media is even more laughably distorted than normal at the moment. Suddenly the media is full of convenient statistics "80% of US population favors back-doors in encryption". And what percentage of the US population has any idea what the hell that means ? What was the queston "Do you favor laws that make it harder for terrorists to communicate in private ?" or "Should it be illegal for people to try to stop others from monitoring their communication ?"

Corporations and politicians have a vested interest in eliminating free speach from the population. They don't want you talking to each other, they want you listening to them. They definitely don't want you saying stuff to each other without them being able to monitor it and punish you for saying stuff that makes them uncomfortable. The real reasons for the desire to restrict and monitor may not even be apparant to the "group mind", but everyone has a huge capacity for self-delusion.

The media is just as accurate about other stuff. They laud George Jr's "bravery" without a trace of irony, like the jester in the Holy Grail "When danger reared its ugly head,
He bravely turned his tail and fled...." Meanwhile the cowardly terrorists were cowardly
giving their lives for their beliefs. Fanatical assholes, sure, but cowardly ?

The distortion is much worse than you think. The entire language is adjusted in a thoroughly Orwellian fashion. When people on our side die, the "terrorists" cause the "murder of innocent, men, women and children". Fine, this is accurate. However, when we do start beating up on Afghanistan. "Military commanders" will replace "terrorists" and "inevitable collateral damage during surgical strikes" will replace "bombing civilans". It's very difficult to reason about something when the terms are properly loaded.

The language molesters will be hard at work over the next few months. The funny thing is that when we hear blatant distortions in the other direction, (eg "The great satan") we laugh at the stupidity and talk about how these people have been brainwashed into believing all sorts of nonsense. Yeah, "they" hate us because they're jealous and they're victims of brainwashing and propoganda. Meanwhile, we're going to destroy civil liberties, escalate corporate welfare (through "defense" spending), slaughter innocent civilians and risk our own soldiers fighting people across the world who previously had no serious quarrel with us, because we're all well informed and logical.

Re:Is this really Phil?

[Quila]

Well, he PGP signed it. You check it.

France tried it.

[Aceticon]

They banned all use of cryptography, except for properly registered institutions, which had to provide their keys to the French government.
(This was done with the intention of allowing eavesdroping of all comunications in France by the French authorities)

Since then they totally reversed their positions, up to the point of actually promoting the use of Open Source products because they can be checked for the existence of backdoors.

Why?

1. Foreign companies started avoiding doing business in France (they rather have their head-quarters or european head-quarters where they can protect their trade secrets)
2. The French government sudenly discovered that the US Information Services were using electronic interception technologies (Echelon) to intercept business comunications of French companies. Any relevant business information so discovered was then provided to American companies thus giving them competitive advantage over French companies

Or puting things in a different way:

Any nation that adopts a ban on cryptography runs the risk of placing their own companies at a competitive disadvantage to companies in other countries (the US is not the only country doing electronic surveilance) and scaring off foreign companies. Even the mandatory use of back doors in cryptography products has the same risk (eventualy somebody will discover the key that opens the back door, and from there onwards it's the same as if the comunications are unencrypted).

Plus, even if the US adopted laws against the use of cryptograpy or mandating back doors in cryptography products, i doubt very much that the French government would adopt it (specially after having sufered the efects of such a decision in the past). If in such situation the US tried a Trade Embargo against France, it would have to do so against the whole of the EC. You DON'T do a Trade Embargo against the second largest world market (it would be as idiotic as a Trade Embargo against the US)