[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Singaporean control freaks & CMR (Re: puff pieces vs tough crypto issues)

To: [email protected]
Subject: Singaporean control freaks & CMR (Re: puff pieces vs tough crypto issues)
From: Adam Back <[email protected]>
Date: Wed, 22 Oct 1997 19:38:40 +0100
CC: [email protected], [email protected]
In-reply-to: <v03007808b073c711fcb1@[204.254.22.221]> (message from DeclanMcCullagh on Wed, 22 Oct 1997 12:17:09 -0400)
Sender: [email protected]

Declan McCullagh <[email protected]> writes:
> The relevance? Another example of Singapore's loony politics. Strict social
> controls and relative economic freedom. I find it fascinating in light of
> Net-filtering and other attempts at restricting information flow; if you
> don't, well, you can always delete it. :)

The net-filtering and social control aspects of Singapore are very
interesting.  Seems that somewhere like Singapore might be an earlier
adopter of mandatory GAK -- social ills have hugely disproportionate
treatment over there.  I hear (and our Singaporean contributer
confirms) that chewing gum is illegal, jay walking too.  (Hey you have
the jay walking laws in the US too don't you?)  (I missed the social
control aspect of the vote for kewlest public toilet story).

We all suffer this kind of mind numbing stupidity on part of our
governments to some extent.  Outlawing of `rambo' knives, laws
defining pi = 3, etc., etc.

> [CMR topic:] My position is something along these lines:
> corporations have a right to go down the CMR path; it is unwise to
> restrict them through the coercive power of the state. 

The question is really what _is_ the CMR path?  PGP Inc are arguing
that it is merely a recovery procedure to recover stored data in event
of disaster (stored emails in mail folders, and files encrypted to
yourself).  However the design seems itself much more suited to
message screening, or message snooping.

I have yet to see any PGP Inc representative admit to the message
screening design motivation.  In fact they have fairly clearly denied
this.  Either you believe that, or you figure they are being careful
not to admit to this.  I don't know what to believe.

The CDR approach (http://www.dcs.ex.ac.uk/~aba/cdr/) is more
secure, less politically dangerous, and equally privacy respecting.

> At the same time, we need to speak out against crypto-foolish
> practices. If corporations start building CMR products, the
> political consequences could be devestating. It's like building a
> gallows for your own hanging.

Yes, I think it is potentially dangerous.

> >From my perch in Washington, I see PGP 5.5/CMR as an existence proof that
> key recovery can be done. So far the crypto-advocates have been able to
> wave around the Blaze et al white paper that says we don't know how to do
> it. Even Dorothy Denning agreed. But now when a mandatory GAK bill goes to
> the House floor, all Rep. Solomon etc. have to do is wave around a
> shrinkwrapped copy of PGP and say: "I bought this for $19 at the Egghead
> shop at 21st and L." Details will be lost in the fearmongering.

This is one example of why CMR may be dangerous.  Another is the
danger that we have a couple of years of mass CMR enabled software
deployed.  Tim has been using the acronym GMR, which nicely says what
a well deployed CMR software base can be converted to with an over
night presidential decree.  Lethal.

> I suspect that there's not that substantial a market for CMR. The apparent
> market demand now is an artificial one created by the Clinton
> administration.

Again, what _is_ CMR?

I do think companies if they are storing lots of data in encrypted
form will want to assure themselves that they can get it back.  Sort
of like unix/windows NT passwords; if every time users forgot their
password, you had to start over with an empty account, people would
get annoyed.

The problem is that pgp5.x is both an email encryption system and a
file encryption system.  So PGP Inc argue that they need the recovery
features for files.  Well OK, but for emails in transit?  The way to
treat emails in transit is to encrypt with recovery info after
receipt, if the employee feels that particular email is worthy of
saving for company records.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Follow-Ups:
- GMR vs. GAK
  - From: Tim May <[email protected]>
- Re: Singaporean control freaks & CMR (Re: puff pieces vs tough crypto issues)
  - From: Harish Pillay <[email protected]>

References:
- Re: puff pieces vs tough crypto issues (Re: Singapore TOILETALERT)
  - From: Declan McCullagh <[email protected]>

Prev by Date: Re: PGP 5.5 CMR/GAK: a possible solution
Next by Date: Re: shared keys, proxy encryption (was Re: PGP 5.5 CMR/GAK: a possible solution)
Prev by thread: Re: puff pieces vs tough crypto issues (Re: Singapore TOILET ALERT)
Next by thread: GMR vs. GAK
Index(es):
- Date
- Thread