Slashdot Mirror
Ask Cryptome's John Young Whatever You'd Like
John Young of Cryptome, though trained as an architect, has garnered recognition in another field entirely. Since 1996, he's been publishing timely, trenchant news online as the mind behind crypto jya.com and Cryptome. ("Our goal is to be the most disreputable publisher on the Net, just
after the world's governments and other highly reputable bullshitters." ) This has put him on the forefront of various online liberty issues, from the MPAA's DeCSS crackdown on DeCSS (he fought the lawyers -- and won), to Carnivore, to Dmitry Sklyarov's continuing imprisonment, and now the several fronts along which electronic communications are threatened by current and upcoming legislation. He recently posted this to the front page: "Cryptome and a host of other crypto resources are likely to be shutdown if the war panic continues. What methods could be used to assure continued access to crypto for homeland and self-defense by citizens of all nations against communication transgressors?" Now's your chance to ask him about the fight for online freedom. Please pose just one question per post; we'll send 10-15 of the highest moderated ones on to John for his answers.
Immediately after the events of 11 September, lawmakers twiddled with the idea of backdoors in crypto products. Last week I read somewhere (not sure if it was on slashdot or some other news site) that lawmakers were backing down on this for some reason (can't remember why).
Is this 'backing down' accurate? What do you think caused the change of heart? And what is your opinion of backdoors in general? Do you think they would work as lawmakers intend them to?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
The current means of doing public/private key encryption (via large primes) seems pretty much universal. Should we be looking for an alternative if/when someone finds a way to break it?
Let's not stir that bag of worms...
Mr. Young,
Currently the vast majority of email travels unencrypted through the Internet, ripe for eavesdropping by Carnivore/DCS1000/Echelon/etc. This is a bit of a "last mile" problem, as I can't reasonably expect my grandmother on AOL to be able to read my PGP-encrypted messages to her unless encryption is made into a standard part of the infrastructure. Otherwise 99% of the users won't bother and that's the situation we have now.
What do you see as being the catalyst that forces the majority of software and service providers to make encrypted email standard equipment? Will it be public outrage over eavesdropping, bribery of ISPs and Microsoft by Verisign or Thawte, or something else altogether? And do you forsee more success for a decentralized standard, like OpenPGP, or for a centralized standard like S/MIME?
-CT
I do nothing illegal in my life (okay, a little speeding) and don't really care if some government worker who I will never meet reads my e-mail. Should I be concerned about any of this stuff the gov't is trying to push?
Do you believe that it is even possible for any kind of government--be it theocratic, totalitarian, or democratic--to coexist on peaceful terms with the existence of individual and corporate privacy and secure communications?
"Feel a glory in so rolling / on the human heart a stone" --E. A. Poe, "The Bells"
What's your opinion on Alan Cox's recient decision to censor security related fixes in his change log announcements on LKML? He cited the DCMA. Also, given that civil liberties are often the first casuality of war, and given that we're "at war" now with Afganistan, when if ever do you think we will see a sucessful court challange that will get this bad law (the DMCA) overturned?
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
Dear John,
My question has to do with both privacy and encryption. Recently, some web sites have taken to hiding the IP addresses of their visitors using MD5 before storing these IP addresses in a database. This feature exists in order to keep the IP addresses of visitors secure from data mining. Do you believe that using the MD5 signature of an IP address rather than the actual IP address provides real privacy to users? Would an attack to MD5 all known IP addresses be trivial, or extremely difficult?
Thanks for your time.
1. What can normal people do to help out with mirroring important information (e.g., crypto information, documentation on civil liberties threats, reverse engineering and Fair Use securing tools, etc.)? How can we stay out of trouble with the law while we're helping out?
2. Have you ever considered providing a mirroring clearing house? That is, devoting a section of cryptome to listing, in an up-to-date manner, resources which need mirroring in various parts of the world?
Thanks!
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
Due to the current wave of anthrax troubles in the US, do you think a system will be developed somewhere to allow for Certified Email that employes the applications of crpyto to certifying digital signitures, certificate authority, etc? Even if such a service is funneled through a government agent like the Postal Service at like 5 cents per message to be certified, do you think such a service would be useful?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I keep track of the kind of thing Cryptome covers. It affects you, after a while.
Overall, are you optimistic or pessimistic that we will eventually (call it 5-20 years) have a society that you would find reasonably acceptable? Or do you think we're destined for one form or another of effective totalitarianism?
I read Cryptome regularly, generally every day or so, and the only question that I can think of is, Where do you get your information from? I'd like to know os that I canstart researching things much the same way.
"See, we plan ahead! That way, we never have to do anything now."
Supporters of this program claim that such a program will allow day-to-day communications among law-abiding citizens to remain private, whilst still allowing the FBI and CIA to monitor the communications of suspected terrorists(with a warrant, of course).
The liberal media opposition to this initiative is claiming that by installing government accessible backdoors into encryption tools, we are giving up our right to privacy in favor of increased public safety. For the purposes of this post, I'm going to ignore the fact that nowhere in our Constitution or Bill of Rights, are we guaranteed anonimity or absolute privacy. It seems to me that if we cannot trust our policing agencies to be responsible with the power they have been given, the problem is not with the cryptography, but the government itself, and this problem needs to be addressed as such.
My question to you is: What is Cryptome's, and your personal, stance on government accessible backdoors installed in cryptography. Would the benefit to law enforcement, and the increased homeland security outweigh the possible implications to the loss of privacy. Do you think open-sourcing popular cryptographic tools would help alleviate people's fears about the integrity of their data security?
-atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.
I know it's a basic question - but it seems to be at the heart of the Free-Crypto debate. Free speech should be free whether its in English, French, FORTRAN or Perl. What arguments do you hear against programming being protected as free speech? Can you use the First Amendment against DMCA, ITAR, etc?
There are 10 types of people in this world, those who can count in binary and those who can't.
The main problem when dealing with all of these technical/legal issues (legal access to encryption, fair use, privacy, etc.) is that the masses simply don't care. Many people will gladly give up their future rights to ever record a television broadcast again for the chance to watch higher quality (picture-wise, not content-wise) Friends reruns. My question is this - at what point will enough people say "Keep your laws out of my data!" to create a movement that is likely to change the way legislators look at these issues?
Hi John,
What do you think of XP, particularly with regard to Passport and privacy concerns?
Thanks,
Al.
Given modern computing's advances, it's now much easier to encrypt casual traffic than it has been in the past. Have you ever considered providing https:// or some other encrypted form of access to your sites for the general public?
Indie rock lives! b-side!
Despite how everyone on /. talks a big storm about bucking the government, it's got to be pretty damn scary when the feds come knocking at your door. You've no doubt made some powerful, big-time enemies in both the private sector and the government.
Do you ever fear for your own or your family's saftey because of this. Have you ever been threatened? By whom, government agents or private individuals?
If you don't fear for your saftey, what factors about what you do make you feel 'immune' from being 'removed' clandestinely?
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Your efforts (and your unwillingness to flinch in the face of 800-lb. corporate and governmental gorillas) have made cryptome an invaluable resource, for which I certainly thank you. At least once in recent memory you've made a call for mirroring sensitive software and information. 1. What can normal people do to help out with mirroring important information (e.g., crypto information, documentation on civil liberties threats, reverse engineering and Fair Use securing tools, etc.)? How can we stay out of trouble with the law while we're helping out? 2. Have you ever considered providing a mirroring clearing house? That is, devoting a section of cryptome to listing, in an up-to-date manner, resources which need mirroring in various parts of the world? Thanks!
Are you ever worried about being shutdown / arrested / bugged / having a smear campaign run against you?
Do you think that all the muck flinging by both governments and corporations is going to lead to somone developing a virtual, anonymous, secure network running over the Net that will be untouchable by governments (i.e. legally secure from attack by dint of listening to the Harvard Law types and using their knowledge combined with technological solutions)?
Do you expect show trials by governments to show that the laws they areintroducing now (RIPA in the UK, USA-Patriot in the US etc) are effective, and how long do you think before there will be miscarragies of justice based on political expedeincy?
Any sufficiently advanced man is indistinguishable from God
Thanks for your efforts. My question was discussed recently on a thread regarding the decision by Thawte to discontinue selling CodeSigning certificates to individuals.
What are the biggest obstacles to a public CA which is supported and funded by, say, the FSF? Is such a thing possible for the Free software community? I guess insurance and certification would be the biggest stumbling blocks. Are there other dimensions to such an undertaking which have not been considered?
In your opinion Sir, what would be the best response to those who feel this monitoring should be fully funded and supported? My personal feelings are just if it is my business, it probably isn't any of yours.
Also, since most e-commerce is conducted on so called "secure" connections, how would the installation of government backdoors effect e-commerce. If a government back door was hacked and my credit information stolen and exploited, who would the blame fall on? The credit card company, the business I ordered from, or the government agency who installed a faulty back door?
Note to self: No more arguing with the faithful.
Extremely serious efforts are underway to create artificially intelligent minds, such as at http://sourceforge.net/projects/mind -- just one of 365 open-source projects in artificial intelligence (AI). Do you expect that the World Trade Organization (WTO) or other allances -- either governmental or corporate -- will attempt to control the emergence of AI technology and of an AI-based cybernetic economy?
As an architect, do you have any interest in the architecture of the mind?
Is there any likelihood that AI research will be outlawed or otherwise subjected to illiberal control?
Is there any way you can think of that would help convince people (based on scientific principles) that centralised security services are a bad idea? That convenience should not come before security?
Soko
"Depression is merely anger without enthusiasm." - Anonymous
What do you do all day? From what I've read on Cryptome it's clear you remain interested in Architecture - do you still have any professional involvement (info in the on-site BIO tails off at 98)? If not, how do you pay the bills? How did you get from architecture to cryptome? Do you have any interest in computers and the internet other than as a tool (would you consider yourself a hacker, in the positive sense)?
I know, it's more than one question, but they're all in the same direction. I'm curious about the guy.
http://www.acooke.org
The theory of the panopticon state bounces around on Cryptome and Cartome quite a lot. It is interesting that Cryptome and JYA in a certain sense have been set up to watch the watchers and mitigate the power of the panopticon.
My question is: how aggressive can you/should you be in trying to detail the actions of the (insert three letter acronyms and governments here) pushing panopticonism as the solution to society's problems?
You are clearly willing to put yourself in legal peril, but surely there is a point of diminishing returns. How do you balance things, and have you withheld, or would you ever withhold, information that you would like to publish? (...and yes there are two question marks, but they are pretty related)
And thanks!!
John, I find the service that you provide as Cryptome to be essential. You remind me strongly of the title character in Vonnegut's short story
Report on the Barnhouse Effect. Your reporting keeps the entire world somewhat more honest; and I can't think that it's possible that governments are more careful knowing that someone is watching.
The end of the story, is, of course, of the passing of the torch to Barnhouse's apprentice. I am worried that there's nobody with the combination of integrity, fearlessness, and intelligence to carry on with your work, when your time to perform it is over. Do you worry about that, and are there people to carry the load?
thad
I love Mondays. On a Monday, anything is possible.
I've been watching the United States slow slide towards becoming a police state since the early 90's, when I discovered the Clipper Chip fiasco on comp.org.eff.talk. Thanks for your dedicated work to fight this trend, it won't be forgotten, even if it fails...
So, my question is: If the United States becomes a hostile place for freedom (DMCA, SSSCA, extreme anti-terrorism laws, etc.) where are some good places to flee to?
I write and use free software, and I expect I'll be leaving the US within a couple of years. (I've got a great job, otherwise I'd be leaving already). I don't mind learning a different language... Do you know of any comparative study of different countries of the world, considering at least:
- free speech
- free software
- software patents
- Privacy
- public awareness of the above issues (Most important, perhaps!)
- A just and fair, uncorrupted legal system
- Reasonable balance of taxation, government spending on useful things like education, health care, etc.
- High standard of living
Where would you go?
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
John,
At some point you decided to run cryptome and publish controversial materials under your true identity rather than under a pseudonym.
What benefits and detriments have you found to using your real identity for your efforts instead of a pseudonym?
In your opinion, what will it take - either in terms of EFF-style activism or in terms of 1984-style government repression - to make the average person-on-the-street care about our digital freedoms?
In the current environment it seems that most people have adopted the attitude of Britain's John Major who said - as his Tories wired the UK with videocameras - ``If you have nothing to hide, you have nothing to fear.''
-Renard
Many people will undoubtably ask wide and far-reaching questions about civil-liberties, activism, and running cryptome.org. In contrast, I would like to ask a question perhaps trivial in comparison, but also in the hearts of so very many of your fans.
If this is really ask whatever we'd like ...
How in the world do you generate that unique hash of free-association, bafflegab, verbing, just-this-side-of-understandable wording (not sure which side), "Younglish" writing, for which you are reknowned?
Are consciousness-altering substances ever involved? Where they ever involved? Is it effortless, or do you work at it?
This is nowhere in the same league as DMCA, terrorism, and whatnot.
But believe me, inquiring minds want to know.
Sig: What Happened To The Censorware Project (censorware.org)
Invariably the first argument encountered when I go on a tirade about the choking off of our civil liberties, someone responds to the wiretap question with: "So what,? I don't do anything wrong." In my mind I know they are completely missing the point, but I have yet to come up with a quick, pithy, persuasive argument to open up their mind. What are the dangers of widespread monitoring that the average american (that hasn't read 1984)can grasp?
Pretend I said something meaningful or insightful here.
Often people dont quite understand things
Examples such as the FBI having misgivings about mobile phones and crypto
(GSM includes a simple hash which while easy to break the FBI like their plain scanners)
and US politicos asking for back doors in algorithms
(while I can pick up AES or serpent which both do not have US involvement)
you can get crypto and use it rather simply
how do people think they can make me give it back ?
e.g. in the U.K. they say that you can use strong crypto but when asked by a court you must give over your keys or go to jail for up to 19 years !
What they dont say is that the law has yet to be tested, there is a wealth of past history where people have written in secret diaries and they cant make them decode it and these people are not put away under this scheme.
(so IMHO it will fall on its face and I am not giving over any keys !)
my question is what is the stupidest thing you have ever heard of ?
regards
john jones
I've been an avid cryptome reader for some time, even to the extent that I followed most of the USA-vs-UBL trial transcripts - that was a great effort on your behalf.
My question is - do you think that you will be in a position to publish the transcripts for the trial of the Sept.11 events ?
Assuming, of course, that at least some of the perpetrators are brought to trial and that this will probably be well into the future.
"Renowned".
John,
Let me begin by thanking you for your unflinching adherence to the principals of disclosure and freedom of information. I am a great fan of your continuing work. My question follows:
You have in the past, and continue to, post "dangerous" information like names of former intelligence agents, details of government cover-ups, radically contrarian opinions, and open calls for subversive action.
A good example of this is Cryptome's continuing threads on the structural failure of the WTC and potential vulnerabilities of other landmarks. Some would claim that this kind of conversation should take place in closed-door meetings - that open discussion like this could only benefit evil and your support of such discussion is irresponsible.
What are the principals and moral guidelines you use when publishing Cryptome? Are there any lines you would not cross? What are the implications of shifting public opinion (70% favor a national ID card) and mounting US totalitarianism to Cryptome?
As an architecture student who is also a geek - I'm curious as to how you made the transition to the technology sector. What prompted you to make the change and how did you do it? Was there anyone instrumental in providing you an opportunity? Do you still try to make a connection back to your architecture roots?
I'm out of my mind right now, but feel free to leave a message.....
You are channeling Dr. Bronner?
Encrypt! Encrypt! OK!
"Trademarks are the heraldry of the new feudalism."
Also, during your talk at USENIX Security '01 you talked about different ways that you are keeping backups of your data. Including having other sites ready to host the data at a moment's notice, and sending out backups of the site to whoever wants copies. You had also mentioned work on a distributed storage system that would be more resistant to having one node shut off. Have you made any progress with this?
actually, no ... I'm looking for some more
What strategy do you think will be the most effective in preserving privacy rights in the future? To be more precise, should the proponents of electronic freedom fight as strongly as possible against attempts to restrict those freedoms, or do you think it would be more effective to have some flexibility? I have often wondered whether the gun manufacturers and the NRA (for example) might be more effective in preserving gun rights if they took some effective actions on their own to keep guns away from wackos.
In the case of electronic freedoms, I wonder whether fighting will only result in a complete collapse of our rights. It might be better to fight the worst proposals vigorously, and to assist the Feds (in some appropriate way) to catch the bad guys. This latter approach might erode some privacy, but might preserve the body of rights better in the long run.
By about 10:15am on Sept 11, someone in DoJ was talking about banning strong cryptography for individuals, or at least only allowing key-escrowed crypto. It's pretty clear to me that factions in the US government (NSA? DoJ? DoD?) don't really like the idea of strong cryptography used on a daily basis on a large part of the Internet, and the events of Sept 11 merely provided an emotionally-charged fog in which to go after demonized targets.
But why? After about 30 seconds of reflection, it's pretty clear that terrorists/Russian Mafia/Red Chinese Communists/drug smugglers/money launderers/Swiss Bankers wouldn't use key-escrowed or US-government sponsored crypto products in the first place - why should the bad guys trust the US government? The bad guys don't play by the rules in the first place, so "safe" encryption won't apply to them. After 30 more seconds, it becomes apparent that key-escrowed crypto isn't crypto at all - whoever has the keys must use them constantly to determine whether the encrypted data isn't doubly-encrypted: once with a non-approved/non-key-escrowed scheme, the 2nd time with the "official" key-escrowed scheme.
One has to arrive at the conclusion that the only people that key-escrowed, or semi-weakened crypto applies to are regular, law-abiding US citizens and businesses.
Given that conclusion, why has the US government (and UK and French governments, too for that matter) tried so hard and for so long to prohibit law-abiding use of strong crypto? Feel free to speculate, I won't mind.
In recent years we have seen a raft of laws that, under one guise or another, act to limit speech and dissemination of information. Your own experience with DeCSS is a prime example. Since September 11 there has been a renewed push in Governmental circles not only to restrict information by refusing to comply with FOIA requests but to demand information by increasing surveillance.
As someone who has dealt with this and won, how do you see it progressing? Do you think that this will pass and these laws will be overturned? Or do you see this as only the beginning?
With recent legal pushes such as the DMCA and proposed SSSCA, what do you see in the future of our legal system? Do you see more pro-corporate laws being passed or do you see potential for a change in the government's traditional bend towards protecting corporate interests? It seems that you are in a position that would grant more insight into this than most of us would have.
I pledge allegiance to the flag...
of the Corporate States of America...
Mr Young,
:)
I appreciate your site a lot (not only because you have posted some of my own material on it
Your site hosts obvious controversial papers. Yet you clearly don't want to have your site mirrored. You state so on your website and your robots.txt disallows it. Why don't you want the information on cryptome and jya to be mirrored? I noticed you changed this policy briefly after the sep 11 attacks,and ofcourse immediately grabbed a copy.
But I'd still like to have a synchronised copy. Not even to publish now, but just to have in case cryptome disappears for whatever reasons.
Paul Wouters
Hi John,
I've gone to cryptome on a regular basis - it's always an interesting read.
However, do you have any internal guidelines or a gut reaction for stuff you wont host?
Andrew
Andrew van der Stock