Ask Cryptome's John Young Whatever You'd Like 152

John Young of Cryptome, though trained as an architect, has garnered recognition in another field entirely. Since 1996, he's been publishing timely, trenchant news online as the mind behind crypto jya.com and Cryptome. ("Our goal is to be the most disreputable publisher on the Net, just after the world's governments and other highly reputable bullshitters.") This has put him on the forefront of various online liberty issues, from the MPAA's crackdown on DeCSS (he fought the lawyers -- and won), to Carnivore, to Dmitry Sklyarov's continuing imprisonment, and now the several fronts along which electronic communications are threatened by current and upcoming legislation. He recently posted this to the front page: "Cryptome and a host of other crypto resources are likely to be shutdown if the war panic continues. What methods could be used to assure continued access to crypto for homeland and self-defense by citizens of all nations against communication transgressors?" Now's your chance to ask him about the fight for online freedom. Please pose just one question per post; we'll send 10-15 of the highest moderated ones on to John for his answers.

  • by jeffy124 ( 453342 ) on Wednesday October 31, 2001 @01:37PM (#2503238) Homepage Journal
    Immediately after the events of 11 September, lawmakers twiddled with the idea of backdoors in crypto products. Last week I read somewhere (not sure if it was on slashdot or some other news site) that lawmakers were backing down on this for some reason (can't remember why).

    Is this 'backing down' accurate? What do you think caused the change of heart? And what is your opinion of backdoors in general? Do you think they would work as lawmakers intend them to?
    • I would have to guess that a couple of large, corporate donors heard about plans afoot for mandatory key-escrow encryption and started making some phone calls. Don't forget that businesses need crypto too; they make tons and tons and tons of money from people who need to sleep well at night knowing that their data is safe. It's unfortunate but probably true, in fact, that the biggest users of digital encryption in this country aren't individuals at all, but businesses with data vaults and secure WANs to worry about. As key-escrow is apt to--nay, does--blow up in everyone's face the minute the backdoor key is discovered, I'm sure that backdoors made more than a few of the rich corporate fatcats who, let's face it, are calling the shots in this country, uneasy. A well-placed call here, and greased palm there, money everywhere... voilà! no more backdoors anywhere.
  • Do you ever start to update your website and think, "You know, I'm just going to have a beer and watch some TV"?
  • Encryption (Score:4, Interesting)

    by JMZero ( 449047 ) on Wednesday October 31, 2001 @01:39PM (#2503253) Homepage
    The current means of doing public/private key encryption (via large primes) seems pretty much universal. Should we be looking for an alternative if/when someone finds a way to break it?
    • The problem is that if a method to quickly factor large primes were found, nearly all the alternative public key encryption techniques (i.e. connected graph problems and so on) would also be broken easily, as it's been shown that the NP-complete problems all reduce to each other. So some scheme other than relying on problems of NP-complete difficulty would have to be found (which are easy to verify solutions to, but hard to solve, as far as we know so far, which is what public-key encryption relies on).
      • Re:Encryption (Score:3, Interesting)

        by Zeinfeld ( 263942 )
        it's been shown that the NP-complete problems all reduce to each other.

        Err no, not even close. While there is a large class of NP complete problems which can be transformed into each other in polynomial time this is not the case for all NP complete problems.

        Furthermore a compromise of a security algorithm is a much weaker condition than solving an NP complete problem for the general case. There are many NP complete problems that have subsets that can be solved in polynomial time. The superincreasing knapsack problem for example.

        An attack that compromised only 5% of RSA keys would be very serious - a factoring algorithm that depended on smooth numbers or the like but it would not be a solution for all NP complete problems.

        In fact the DSA algorithm can be shown to be slightly more secure than RSA in that it only depends on the discrete log problem for security while RSA depends on discrete log and factoring. This is not a particularly big problem however since most attacks on factoring also tend to be convertible to discrete log.
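The superincreasing knapsack case mentioned in the comment above, as an added example (not code from any poster): a subset-sum instance whose weights each exceed the sum of all smaller ones is solved exactly by one largest-first pass, while the same pass can miss an existing solution on general weights. The function names and the weight lists `EASY` and `GENERAL` are constructed for illustration.

```python
from itertools import combinations

# Constructed sample instances (not from the thread).
EASY = [2, 3, 7, 14, 30, 57, 120, 251]   # superincreasing
GENERAL = [4, 5, 6, 9]                   # not superincreasing


def is_superincreasing(weights):
    """True if every weight is larger than the sum of all weights before it."""
    running = 0
    for w in weights:
        if w <= running:
            return False
        running += w
    return True


def greedy_pick(weights, target):
    """One largest-first pass. Returns sorted indices that sum to target, or None.

    Exact for superincreasing weights; only a heuristic for general weights.
    """
    chosen, remaining = [], target
    order = sorted(range(len(weights)), key=lambda i: weights[i], reverse=True)
    for i in order:
        if weights[i] <= remaining:
            chosen.append(i)
            remaining -= weights[i]
    return sorted(chosen) if remaining == 0 else None


def solve_superincreasing(weights, target):
    """Linear-time exact solver; refuses input that lacks the special structure."""
    if not is_superincreasing(weights):
        raise ValueError("weights are not superincreasing")
    return greedy_pick(weights, target)


def solve_exhaustive(weights, target):
    """General subset sum by brute force: up to 2**n subsets are examined."""
    for size in range(len(weights) + 1):
        for combo in combinations(range(len(weights)), size):
            if sum(weights[i] for i in combo) == target:
                return list(combo)
    return None


if __name__ == "__main__":
    print("easy instance, target 143:", solve_superincreasing(EASY, 143))
    print("general instance, greedy:", greedy_pick(GENERAL, 10))
    print("general instance, exhaustive:", solve_exhaustive(GENERAL, 10))
```
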

        • Thanks for the correction. I think it's still the case that the majority of NP-complete problems used in public-key encryption are reducible to each other in polynomial time - at least all the ones I've seen used are. And yes, a successful attack on RSA isn't the same thing as a successful attack on an NP-complete problem in the general case. I was speaking of the potential ramifications of a polynomial-time solution to the factoring problem in the general case; such a solution would most likely also mean all other public-key encryption systems would be breakable in polynomial time.
        • Yes, all actual NP complete problems can be converted to each other in polynomial time. Factoring large numbers is not an NP complete problem. It's similar, but does not fall in the category of NP completeness. Neither is finding graph isomorphs, for that matter. Oddly enough one of the only problems thought to be unsolvable in polynomial time traditionally that can be solved in polynomial time with Quantum computers is factoring. But since factoring is not a real NP complete problem solving factoring of large numbers would still allow us to use NP complete problems. The only problem would then be finding one that has a key that can be generated in a short amount of time.
          All this comes from my old Algorithms instructor, who also happens to be the A in RSA.
          • Yes, all actual NP complete problems can be converted to each other in polynomial time.

            Yes, that is by definition, it is NP complete if you can convert it into a member of the set 'NP Complete'.

            But that is not the point I was trying to make, there are lots of NP complete problems that are no use as cryptographic systems because there are heuristics that find an acceptable solution in polynomial time.

            For example the travelling salesman problem is NP complete if the problem is finding the absolute best path, but you can get pretty good paths from Map quest.

            The use of NP complete problems such as the knapsack were tried extensively in the early days of Public Key, they were all broken, many of them by Len.

      • Correct me if I'm wrong, but I thought primes didn't *have* factors besides themselves and one.

        Or is this some new definition of "prime"?
    • What's needed cryptographers say are better implementations not better algorithms. Weaknesses in encryption systems are nearly always in their non-mathematical configurations. So far, it is whispered, there is no crypto system that cannot be broken so long as you avoid the mathematics and go for the overlooked weaknesses too often found in systems proclaimed to be mathematically unbreakable. No security expert will admit that these "unbreakable" systems are faulty, that would screw up their easy cracking. Bypass the Maginot Line math, walk in the unlocked doors, front and back and side and cellar and roof.

  • Encrypting email (Score:5, Interesting)

    by CmdrTroll ( 412504 ) on Wednesday October 31, 2001 @01:41PM (#2503264) Homepage
    Mr. Young,

    Currently the vast majority of email travels unencrypted through the Internet, ripe for eavesdropping by Carnivore/DCS1000/Echelon/etc. This is a bit of a "last mile" problem, as I can't reasonably expect my grandmother on AOL to be able to read my PGP-encrypted messages to her unless encryption is made into a standard part of the infrastructure. Otherwise 99% of the users won't bother and that's the situation we have now.

    What do you see as being the catalyst that forces the majority of software and service providers to make encrypted email standard equipment? Will it be public outrage over eavesdropping, bribery of ISPs and Microsoft by Verisign or Thawte, or something else altogether? And do you foresee more success for a decentralized standard, like OpenPGP, or for a centralized standard like S/MIME?

  • by Anonymous Coward on Wednesday October 31, 2001 @01:41PM (#2503267)
    I do nothing illegal in my life (okay, a little speeding) and don't really care if some government worker who I will never meet reads my e-mail. Should I be concerned about any of this stuff the gov't is trying to push?
    • You know there are so many books full of so many laws in this ridiculous judicial system that you could fill a substantial sized house with them?

      The point being, you may THINK that you don't do anything illegal, but none of us know all the laws that are on the books, so you never really KNOW. And, of course, ignorance of the law is no excuse...

      Let me give you some words to look up:






      And you probably represent the majority of americans... *sigh*

      may our chains rest lightly upon us

    • I do nothing illegal in my life (okay, a little speeding)

      That's because you happen to agree with the government's book definition of "illegal"... you're assuming that there are no corrupt politicians or vague laws waiting to be twisted against the common man (like Dmitry). Thomas Jefferson recognized the fallibility of government - if politicians were perfect, we wouldn't have referendum, jury nullification, judicial review, vetoes, appointments, recall, and legislative override.
    • Consider yourself fortunate. Not everyone can be so secure.

      How about going to a church? If you are a Muslim in Afghanistan, conversion to Christianity is a capital offense. That means the government will kill you.

      You are not afraid of your government, but what about the rest of us?

  • by AlephNot ( 177467 ) on Wednesday October 31, 2001 @01:42PM (#2503275)
    Do you believe that it is even possible for any kind of government--be it theocratic, totalitarian, or democratic--to coexist on peaceful terms with the existence of individual and corporate privacy and secure communications?
    • Yes, if the government is very small, very obedient, very responsive and changes often. Tom Jefferson's generational revolution is too slow, government should be constantly adjusting to fit changing needs. If it fails to adjust, out with it. Give anarchy a chance. Cypherpunks highly recommend cryptoanarchy, but you have to have guts for that, some say guns but I'm a peaceable cpunk.

  • Hi John (Score:4, Interesting)

    by Scott Lockwood ( 218839 ) on Wednesday October 31, 2001 @01:43PM (#2503286) Homepage Journal
    What's your opinion on Alan Cox's recent decision to censor security related fixes in his change log announcements on LKML? He cited the DMCA. Also, given that civil liberties are often the first casualty of war, and given that we're "at war" now with Afghanistan, when if ever do you think we will see a successful court challenge that will get this bad law (the DMCA) overturned?
  • MD5 Question (Score:2, Informative)

    by Anonymous Coward
    Dear John,
    My question has to do with both privacy and encryption. Recently, some web sites have taken to hiding the IP addresses of their visitors using MD5 before storing these IP addresses in a database. This feature exists in order to keep the IP addresses of visitors secure from data mining. Do you believe that using the MD5 signature of an IP address rather than the actual IP address provides real privacy to users? Would an attack to MD5 all known IP addresses be trivial, or extremely difficult?

    Thanks for your time.
    • There are only 2^32 possible IP addresses under IPv4, so it wouldn't take very long. Now, if they appended a secret salt value before applying MD5, that would be another matter.
    • Would an attack to MD5 all known IP addresses be trivial, or extremely difficult?

      There are at most 2^32 possible IPv4 addresses (fewer once all the "special" ranges like 127/8 and multicast are taken out). MD5 produces a 128-bit (16-byte) hash, and an IP address can be stored in 4 bytes.

      You could construct a lookup table with 20 columns (16 bytes for the hash, and 4 for the IP address that produced it) and 2^32 rows. That's about 85GB - a consumer-level hard drive, these days.

      Generating the table wouldn't take much time (I'd guess a few hours) and would only need to be done once. So I'd rate this as an "easy" dictionary attack.

      Now if a random salt value was hashed along with each possible IP address, you'd have to re-generate the entire 85GB table for each salt value. So this would make the attack more difficult, but it would still be possible to recover several IP addresses per day on a regular PC.
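The table-size estimate and the salt caveat from the replies above, worked through as an added example (not code from any poster or from Slashdot). It shows why an unsalted or known-salt MD5 of an IPv4 address is reversible by enumeration, and that only a secret key kept out of the database stops it; HMAC-SHA256 stands in here for the "secret salt" idea, and `RANGE`, `VISITOR`, `RECORD_SALT`, `SITE_KEY` and the function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

ROW_BYTES = 16 + 4  # 16-byte MD5 digest + 4-byte IPv4 address per table row

# Constructed sample values (private address space, made-up salt and key).
RANGE = "10.20.0.0/16"
VISITOR = "10.20.137.42"
RECORD_SALT = bytes.fromhex("5f3a9c01d2e47b86")   # stored next to the hash
SITE_KEY = b"constructed-demo-key-not-a-real-secret"  # never stored with the data


def full_table_bytes() -> int:
    """Size of a digest -> address table covering all 2**32 IPv4 addresses."""
    return (2 ** 32) * ROW_BYTES


def md5_ip(ip: str, salt: bytes = b"") -> bytes:
    """Scheme from the question: MD5 of the address text, optional salt prepended."""
    return hashlib.md5(salt + ip.encode("ascii")).digest()


def keyed_ip(ip: str, key: bytes) -> bytes:
    """Keyed pseudonym: HMAC-SHA256 under a secret the database never holds."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).digest()


def build_table(network: str) -> dict:
    """Unsalted case: precompute digest -> address once, reuse for every record."""
    return {md5_ip(str(a)): str(a) for a in ipaddress.ip_network(network)}


def recover(stored: bytes, network: str, digest_fn):
    """Re-hash every candidate in a range; return the matching address or None."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(digest_fn(str(addr)), stored):
            return str(addr)
    return None


def audit() -> dict:
    """Check which storage schemes give the address back to someone holding the DB."""
    return {
        # Unsalted MD5: a single precomputed table answers every lookup.
        "unsalted": build_table(RANGE).get(md5_ip(VISITOR)),
        # Salt stored beside the hash: no shared table, but one pass per record works.
        "known_salt": recover(md5_ip(VISITOR, RECORD_SALT), RANGE,
                              lambda ip: md5_ip(ip, RECORD_SALT)),
        # Secret key not in the database: enumeration without it finds nothing.
        "keyed_without_key": recover(keyed_ip(VISITOR, SITE_KEY), RANGE,
                                     lambda ip: keyed_ip(ip, b"wrong guess")),
        # If the key leaks, the scheme is back to the known-salt case.
        "keyed_with_leaked_key": recover(keyed_ip(VISITOR, SITE_KEY), RANGE,
                                         lambda ip: keyed_ip(ip, SITE_KEY)),
    }


if __name__ == "__main__":
    print("full IPv4 table: %.1f GB" % (full_table_bytes() / 1e9))
    for scheme, result in audit().items():
        print(scheme, "->", result)
```

The demonstration enumerates one /16 so it finishes in well under a second; the full 2^32 space is the same loop run 65,536 times over.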
    • That's the way Slashdot works, right?

      PS: I hate the 20 second thing. This will be my third attempt to ask a simple question. I only include this miniature rant so as to not resort to simply staring at the monitor like a dullard whilst indulging an ineffectual attempt to block spammers.
  • by Roundeye ( 16278 ) on Wednesday October 31, 2001 @01:45PM (#2503294) Homepage
    Your efforts (and your unwillingness to flinch in the face of 800-lb. corporate and governmental gorillas) have made cryptome an invaluable resource, for which I certainly thank you. At least once in recent memory you've made a call for mirroring sensitive software and information.

    1. What can normal people do to help out with mirroring important information (e.g., crypto information, documentation on civil liberties threats, reverse engineering and Fair Use securing tools, etc.)? How can we stay out of trouble with the law while we're helping out?

    2. Have you ever considered providing a mirroring clearing house? That is, devoting a section of cryptome to listing, in an up-to-date manner, resources which need mirroring in various parts of the world?


  • Certified email? (Score:4, Interesting)

    by jeffy124 ( 453342 ) on Wednesday October 31, 2001 @01:46PM (#2503298) Homepage Journal
    Due to the current wave of anthrax troubles in the US, do you think a system will be developed somewhere to allow for Certified Email that employs the applications of crypto to certifying digital signatures, certificate authority, etc? Even if such a service is funneled through a government agent like the Postal Service at like 5 cents per message to be certified, do you think such a service would be useful?
  • by Jerf ( 17166 ) on Wednesday October 31, 2001 @01:46PM (#2503299) Journal
    I keep track of the kind of thing Cryptome covers. It affects you, after a while.

    Overall, are you optimistic or pessimistic that we will eventually (call it 5-20 years) have a society that you would find reasonably acceptable? Or do you think we're destined for one form or another of effective totalitarianism?
    • The only way totalitarianism wins is if we give up challenging it in all its early manifestations, one of the first being to induce self-censorship by breeding fear of speaking and writing and acting on your beliefs whatever they are, leavened with tolerance for others' beliefs. Keeping an open mind in times of panic is hard, so don't panic, especially now when the bastards of all persuasions are working hard at that. Keep looking for reliable information, doubt authority, talk it up, act it up, write it up, publish, publish, publish. Run a web site, run several, duck the attacks, set up some more, keep sharing information, criticize, jeez, this is Slashdot, the mother of what I'm saying.

      Make sure you laugh at ridiculous seriousness, but duck the angry swings this will cause.

      For me babbling at the righteous preachers works. YMMV.

      • The only way totalitarianism wins is if we give up challenging it in all its early manifestations

        Boy, I wish it were that easy. However, in the real world, the bad guys can win, even when the good guys fight back.
  • Sources? (Score:4, Interesting)

    by SupahVee ( 146778 ) <superv@mischievo ... minus herbivore> on Wednesday October 31, 2001 @01:46PM (#2503303) Journal
    I read Cryptome regularly, generally every day or so, and the only question that I can think of is, Where do you get your information from? I'd like to know so that I can start researching things much the same way.
  • Question: (Score:4, Interesting)

    by atrowe ( 209484 ) on Wednesday October 31, 2001 @01:46PM (#2503304)
    John, I've heard a lot of debating lately on Slashdot and other discussion sites regarding the US government's recent initiative to include a government accessible "back door" into all new crypto tools.

    Supporters of this program claim that such a program will allow day-to-day communications among law-abiding citizens to remain private, whilst still allowing the FBI and CIA to monitor the communications of suspected terrorists (with a warrant, of course).

    The liberal media opposition to this initiative is claiming that by installing government accessible backdoors into encryption tools, we are giving up our right to privacy in favor of increased public safety. For the purposes of this post, I'm going to ignore the fact that nowhere in our Constitution or Bill of Rights, are we guaranteed anonymity or absolute privacy. It seems to me that if we cannot trust our policing agencies to be responsible with the power they have been given, the problem is not with the cryptography, but the government itself, and this problem needs to be addressed as such.

    My question to you is: What is Cryptome's, and your personal, stance on government accessible backdoors installed in cryptography? Would the benefit to law enforcement, and the increased homeland security outweigh the possible implications to the loss of privacy? Do you think open-sourcing popular cryptographic tools would help alleviate people's fears about the integrity of their data security?

    • Re:Question: (Score:4, Insightful)

      by Steve B ( 42864 ) on Wednesday October 31, 2001 @02:26PM (#2503449)
      Supporters of this program claim that such a program will allow day-to-day communications among law-abiding citizens to remain private, whilst still allowing the FBI and CIA to monitor the communications of suspected terrorists (with a warrant, of course).

      A backdoor which does not require anyone outside the agency to assist, or even know about, the tap makes the warrant requirement unenforceable, of course.

      The liberal media opposition to this initiative

      What color is the sky in your world? If anything, the opposition to increased government snooping is from the conservative and libertarian factions of US politics.

      For the purposes of this post, I'm going to ignore the fact that nowhere in our Constitution or Bill of Rights, are we guaranteed anonymity or absolute privacy.

      That's good, because the Constitution specifically requires [cornell.edu] that position.

      It seems to me that if we cannot trust our policing agencies to be responsible with the power they have been given, the problem is not with the cryptography, but the government itself, and this problem needs to be addressed as such.

      The obvious first step in addressing the problem of government abuse is to avoid aggravating the situation by giving the abusers additional powers.

      • I would just like to point out a little portion from a cnn article (http://www.cnn.com/2001/TECH/internet/10/31/new.nimda.idg/index.html) about anti-terrorism legislation being temporarily enacted in France:

        ...The plan also allows investigative judges to demand that phone or Internet companies save wiretapped conversations and Internet data for up to a year.

        Green Party politicians, who voted against the moves, and Communists, who abstained, condemned the measures as an attack on civil liberties.

        "The Greens are worried that the law is useless, ineffective and an attack on individual liberties," said Green Party lawmaker Noel Mamere, the movement's candidate for presidential elections in 2002....

        I know it's easy and (at least on Slashdot) fashionable to target liberals as being against free speech. And some liberals are.

        But there are certainly short-sighted or ignorant conservatives and libertarians who support legislation that would hurt personal freedom.

        Remember, nobody ever complained about the ACLU being too conservative, but they've protected our civil liberties more effectively than any other group in the past 100 years.

        There are libertarians and conservatives that I disagree with ideologically, but I respect their dedication to personal freedoms.
    • I think there is a point you have missed. Not all programmers and companies are bound by US law. By putting a backdoor stranglehold on _US_ Encryption, you lessen overall security for those who _do_ abide by the law, but do nothing to prevent those who could care less about it from obtaining non-backdoored encryption outside of the US. How does providing a backdoor to our encryption stop these people? We still have the problem of decrypting the same level of security. Now the criminals have a leg up, and law enforcement is no better off for our surrendered security.
    • Backdoors would not increase gov access to encrypted messages, they do just fine now without them by attacking weaknesses in cryptosystem's implementation and usage. What is needed is stronger implementation of cryptosystems so that nobody, that means nobody not just government, can gain access to private communications and data. There are enemies equal to government, some more devious and exploitive, some learned their criminal skills while in government service and are now preying on the unwary among the citizenry and the government, and not only in the US. Maximum crypto, algo, implementation and usage, is sorely needed, not weakened for the inept low level cop to rummage in your mailbox while genuinely evil leaders and their buddies are stealing the world's nation's jewels. What would empower the citizenry would be for NSA to publicly disclose more about crypto weaknesses as well as how to attack the communications of national leaders doing the dirty. No kidding, there are NSA operators who just might get angry enough to tell what they know about the shenanigans in the homeland what they intercept about foreign leaders. That used to be against the law, or was until Bush signed the anti-terrorism bill, now the operators can tell what they're doing in the USA, not to us just yet but soon it will leak.

  • by EccentricAnomaly ( 451326 ) on Wednesday October 31, 2001 @01:47PM (#2503306) Homepage
    I know it's a basic question - but it seems to be at the heart of the Free-Crypto debate. Free speech should be free whether its in English, French, FORTRAN or Perl. What arguments do you hear against programming being protected as free speech? Can you use the First Amendment against DMCA, ITAR, etc?
  • by mttlg ( 174815 ) on Wednesday October 31, 2001 @01:58PM (#2503314) Homepage Journal
    The main problem when dealing with all of these technical/legal issues (legal access to encryption, fair use, privacy, etc.) is that the masses simply don't care. Many people will gladly give up their future rights to ever record a television broadcast again for the chance to watch higher quality (picture-wise, not content-wise) Friends reruns. My question is this - at what point will enough people say "Keep your laws out of my data!" to create a movement that is likely to change the way legislators look at these issues?
  • by Alrocket ( 191107 ) on Wednesday October 31, 2001 @02:00PM (#2503317) Homepage
    Hi John,

    What do you think of XP, particularly with regard to Passport and privacy concerns?

    • My personal opinion is that centralizing personal data without oversight is a mistake. Now, layer on top of that a company that has consistently placed marketing and profit above security and public interest, and a less than optimal security record, I'm a bit scared of the idea. How many non-techs would be entering their information into Passport if they didn't think that was the only way to access the Internet through XP? On the conservative side, I would say 3 out of 4 (my thought would be less than half, but I will give MS the benefit of the doubt).
    • Don't know, waiting for somebody who knows to tell me, or best, for an anonymous Microserf to send over a devastating critique that bares all.

  • by b-side.org ( 533194 ) <bside&b-side,org> on Wednesday October 31, 2001 @02:01PM (#2503327) Homepage
    Given modern computing's advances, it's now much easier to encrypt casual traffic than it has been in the past. Have you ever considered providing https:// or some other encrypted form of access to your sites for the general public?
  • by Bonker ( 243350 ) on Wednesday October 31, 2001 @02:02PM (#2503331)
    Despite how everyone on /. talks a big storm about bucking the government, it's got to be pretty damn scary when the feds come knocking at your door. You've no doubt made some powerful, big-time enemies in both the private sector and the government.

    Do you ever fear for your own or your family's safety because of this? Have you ever been threatened? By whom, government agents or private individuals?

    If you don't fear for your safety, what factors about what you do make you feel 'immune' from being 'removed' clandestinely?
  • by Anonymous Coward on Wednesday October 31, 2001 @02:05PM (#2503349)
    Your efforts (and your unwillingness to flinch in the face of 800-lb. corporate and governmental gorillas) have made cryptome an invaluable resource, for which I certainly thank you. At least once in recent memory you've made a call for mirroring sensitive software and information. 1. What can normal people do to help out with mirroring important information (e.g., crypto information, documentation on civil liberties threats, reverse engineering and Fair Use securing tools, etc.)? How can we stay out of trouble with the law while we're helping out? 2. Have you ever considered providing a mirroring clearing house? That is, devoting a section of cryptome to listing, in an up-to-date manner, resources which need mirroring in various parts of the world? Thanks!
  • A few questions (Score:5, Interesting)

    by xmedar ( 55856 ) on Wednesday October 31, 2001 @02:06PM (#2503350)
    Are you ever worried about being shutdown / arrested / bugged / having a smear campaign run against you?

    Do you think that all the muck flinging by both governments and corporations is going to lead to someone developing a virtual, anonymous, secure network running over the Net that will be untouchable by governments (i.e. legally secure from attack by dint of listening to the Harvard Law types and using their knowledge combined with technological solutions)?

    Do you expect show trials by governments to show that the laws they are introducing now (RIPA in the UK, USA-Patriot in the US etc) are effective, and how long do you think before there will be miscarriages of justice based on political expediency?

  • Public CA (Score:5, Interesting)

    by imrdkl ( 302224 ) on Wednesday October 31, 2001 @02:07PM (#2503357) Homepage Journal

    Thanks for your efforts. My question was discussed recently on a thread regarding the decision by Thawte to discontinue selling CodeSigning certificates to individuals.

    What are the biggest obstacles to a public CA which is supported and funded by, say, the FSF? Is such a thing possible for the Free software community? I guess insurance and certification would be the biggest stumbling blocks. Are there other dimensions to such an undertaking which have not been considered?

  • by thryllkill ( 52874 ) on Wednesday October 31, 2001 @02:08PM (#2503364) Homepage Journal
    In your opinion Sir, what would be the best response to those who feel this monitoring should be fully funded and supported? My personal feelings are just if it is my business, it probably isn't any of yours.

    Also, since most e-commerce is conducted on so called "secure" connections, how would the installation of government backdoors affect e-commerce? If a government back door was hacked and my credit information stolen and exploited, who would the blame fall on? The credit card company, the business I ordered from, or the government agency who installed a faulty back door?
  • by Mentifex ( 187202 ) on Wednesday October 31, 2001 @02:09PM (#2503365) Homepage Journal

    Extremely serious efforts are underway to create artificially intelligent minds, such as at http://sourceforge.net/projects/mind [sourceforge.net] -- just one of 365 open-source projects in artificial intelligence (AI). Do you expect that the World Trade Organization (WTO) or other alliances -- either governmental or corporate -- will attempt to control the emergence of AI technology and of an AI-based cybernetic economy?

    As an architect, do you have any interest in the architecture of the mind?

    Is there any likelihood that AI research will be outlawed or otherwise subjected to illiberal control?

  • Passport. (Score:4, Interesting)

    by Soko ( 17987 ) on Wednesday October 31, 2001 @02:09PM (#2503367) Homepage
    Is there any way you can think of that would help convince people (based on scientific principles) that centralised security services are a bad idea? That convenience should not come before security?

  • So what was it they cracked down on again?

    - A.P.
  • Personal Background (Score:5, Interesting)

    by andrew cooke ( 6522 ) <andrew@acooke.org> on Wednesday October 31, 2001 @02:15PM (#2503406) Homepage
    What do you do all day? From what I've read on Cryptome it's clear you remain interested in Architecture - do you still have any professional involvement (info in the on-site BIO tails off at 98)? If not, how do you pay the bills? How did you get from architecture to cryptome? Do you have any interest in computers and the internet other than as a tool (would you consider yourself a hacker, in the positive sense)?
    I know, it's more than one question, but they're all in the same direction. I'm curious about the guy.
    • Wow. Didn't expect this to be rated so high. Thanks. If it does get through, could you fix my capitalization?!
    • Yes, Natsios and I run an architectural office, thriving on unusual projects which we don't talk about in Cryptome world. Not secret just very peculiar, our speciality. Getting from architecture to Cryptome was impossible so it took a jump into the yawning void of cypherpunks, truly beyond good and evil. No, I'm not a hacker, too inept, a Windoze cripple, but yearn to be a Penguin, black hatted.

      • I'd really like to know what originally motivated you to start this. How about a brief bio, with the event (or events) that inspired you to take the FOIA to new heights. I've known of you for a few years, but you were already well on your way by the time I discovered jya.

        Thanks for everything.
  • The Panopticon (Score:5, Interesting)

    by der raketemensch ( 529146 ) on Wednesday October 31, 2001 @02:18PM (#2503425) Homepage
    The theory of the panopticon state bounces around on Cryptome and Cartome quite a lot. It is interesting that Cryptome and JYA in a certain sense have been set up to watch the watchers and mitigate the power of the panopticon.

    My question is: how aggressive can you/should you be in trying to detail the actions of the (insert three letter acronyms and governments here) pushing panopticonism as the solution to society's problems?

    You are clearly willing to put yourself in legal peril, but surely there is a point of diminishing returns. How do you balance things, and have you withheld, or would you ever withhold, information that you would like to publish? (...and yes there are two question marks, but they are pretty related)

    And thanks!!
  • by Anonymous Coward
    Should citizens have a right to keep personal documents/data private from anyone, including their government?
  • Any thoughts about possible future legal threats to Freenet [sourceforge.net], and technical / political / legal countermeasures? Speaking primarily from a U.S. perspective.
  • by Thagg ( 9904 ) <thadbeier@gmail.com> on Wednesday October 31, 2001 @02:37PM (#2503511) Journal
    John, I find the service that you provide as Cryptome to be essential. You remind me strongly of the title character in Vonnegut's short story Report on the Barnhouse Effect [http]. Your reporting keeps the entire world somewhat more honest; and I can't think that it's possible that governments are more careful knowing that someone is watching.

    The end of the story, is, of course, of the passing of the torch to Barnhouse's apprentice. I am worried that there's nobody with the combination of integrity, fearlessness, and intelligence to carry on with your work, when your time to perform it is over. Do you worry about that, and are there people to carry the load?

  • by Azog ( 20907 ) on Wednesday October 31, 2001 @02:42PM (#2503534) Homepage
    I've been watching the United States' slow slide towards becoming a police state since the early 90's, when I discovered the Clipper Chip fiasco on comp.org.eff.talk. Thanks for your dedicated work to fight this trend, it won't be forgotten, even if it fails...

    So, my question is: If the United States becomes a hostile place for freedom (DMCA, SSSCA, extreme anti-terrorism laws, etc.) where are some good places to flee to?

    I write and use free software, and I expect I'll be leaving the US within a couple of years. (I've got a great job, otherwise I'd be leaving already). I don't mind learning a different language... Do you know of any comparative study of different countries of the world, considering at least:

    - free speech
    - free software
    - software patents
    - Privacy
    - public awareness of the above issues (Most important, perhaps!)
    - A just and fair, uncorrupted legal system
    - Reasonable balance of taxation, government spending on useful things like education, health care, etc.
    - High standard of living

    Where would you go?
    • I used to think in those terms. Then it occurred to me that the U.S. is a nuclear power, and unlike the Soviet Union, it's not balanced by any other large nuclear power. If it goes all the way totalitarian, the rest of the world is fucked. So we'd damned well better keep it honest.
      • Yes, well... I think the general population of the US can probably be brainwashed into thinking that things like the DMCA and SSSCA are good, but I don't think they'll ever be convinced that it would be a good idea to go to war against... oh, Finland, say, "because those Scandinavian bastards are writing evil communist Free software that lets people copy music, and hurting American Industry!"... I think people would start thinking "uh, wait a minute, why do we have to go over there and get in a war when we could just outlaw it here?"

        God help us all if anything like this ever happens.

    • The UN Freedom Index:

      "This is a devastating statistic for those who believe that America's greater commitment to individualism translates into greater individual freedom. In reality, the social democracies of Northern Europe are the freest societies in the world."

      Places America pretty low on the freedom scale
      (google: UN freedom index)

      Also, a very interesting node on e2:
      http://www.everything2.com/index.pl?node_id=385579&lastnode_id=124
      where Sweden came out top and America didn't even make number 10 lol :)

      Looks like you're too late, you better hope someone anthraxes Bush before he does any more damage
  • by Tucan ( 60206 ) on Wednesday October 31, 2001 @02:52PM (#2503565)
    At some point you decided to run cryptome and publish controversial materials under your true identity rather than under a pseudonym.

    What benefits and detriments have you found to using your real identity for your efforts instead of a pseudonym?
  • by renard ( 94190 ) on Wednesday October 31, 2001 @03:15PM (#2503649)
    Dear Mr. Young,

    In your opinion, what will it take - either in terms of EFF-style activism or in terms of 1984-style government repression - to make the average person-on-the-street care about our digital freedoms?

    In the current environment it seems that most people have adopted the attitude of Britain's John Major who said - as his Tories wired the UK with videocameras - ``If you have nothing to hide, you have nothing to fear.''


  • by Seth Finkelstein ( 90154 ) on Wednesday October 31, 2001 @03:34PM (#2503787) Homepage Journal
    Dear John:

    Many people will undoubtedly ask wide and far-reaching questions about civil-liberties, activism, and running cryptome.org. In contrast, I would like to ask a question perhaps trivial in comparison, but also in the hearts of so very many of your fans.

    If this is really ask whatever we'd like ...

    How in the world do you generate that unique hash of free-association, bafflegab, verbing, just-this-side-of-understandable wording (not sure which side), "Younglish" writing, for which you are reknowned?

    Are consciousness-altering substances ever involved? Were they ever involved? Is it effortless, or do you work at it?

    This is nowhere in the same league as DMCA, terrorism, and whatnot.

    But believe me, inquiring minds want to know.

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

    • "Renowned". [dictionary.com]
    • Seth, Seth, all I do is point to what's in your head. You read it directly from the source code.

    • Me Too ! If this is really ask whatever we'd like ...
      How in the world do you generate that unique hash of free-association, bafflegab, verbing,
      just-this-side-of-understandable wording (not sure which side),
      "Younglish" writing, for which you are reknowned?

      And another excellent quality of cpunks that does
      indeed impress the world of media bloodthirstiness,
      is the number of its outstanding writers sent to
      jail, some repeatedly, for cutting edge taunts of
      illiterate critics, diseased poobahs and for
      sure, aesthetic cowards who ever try to pump up
      their fiction with idiotic pretense of non-fictional earnestness.

      Now I know it's a grave offense to those with
      gravitas (spit) to ridicule their seriousness of
      purpose and pretentious judgmentalism, but they
      pose such easy targets, for all purposes I can
      see, beg to be made fun of, display abysmal
      ignorance of what they write, cite spurious
      authorities for it, remind when it was first,
      last, and forever written, just cannot forgo wild
      swings at fantasms, urge close attention to their
      pulp, deliver sweeping statements as if a world
      authority, viciously attack untalented writers
      like themselves, slather the most shallowly
      manipulating praise ever imaginable, and probably
      lay awake at night dreaming of triumph, a Nobel
      Prize or violent heroic death before dishonor.

      This is what I like about cypherpunks and find
      repugnant about Cyberia which has produced no
      jail time for its members, but more advice on how
      to avoid it than is good for humanity. A refuge
      for intellectual and corporal cowards, Cyberia,
      among many other lists, is, but in time that will
      hopefully change, in particular if I can persuade
      you and Declan to go over the line all great
      writers must do to spend jail-time among the
      winners and stop sucking up to losers who will
      always remain unimpressed having no judgment worth writing about.

      or better yet, wrt Stuart Baker,

      When I first got within 20 trace aromas of the
      lushness of Baker's double cultivated what-grows-
      wild-elsewhere above his peepers, my bubonic
      dingleberry squatters jumped cess to copulate in his.

      You think darkholed bugs, you think impenetrable
      hedgerows to camouflage the skidmarks.

  • Invariably the first argument encountered when I go on a tirade about the choking off of our civil liberties, someone responds to the wiretap question with: "So what? I don't do anything wrong." In my mind I know they are completely missing the point, but I have yet to come up with a quick, pithy, persuasive argument to open up their mind. What are the dangers of widespread monitoring that the average American (that hasn't read 1984) can grasp?
  • Often people don't quite understand things

    Examples such as the FBI having misgivings about mobile phones and crypto
    (GSM includes a simple hash which while easy to break the FBI like their plain scanners)
    and US politicos asking for back doors in algorithms
    (while I can pick up AES or serpent which both do not have US involvement)

    you can get crypto and use it rather simply

    how do people think they can make me give it back ?
    e.g. in the U.K. they say that you can use strong crypto but when asked by a court you must give over your keys or go to jail for up to 19 years !
    What they don't say is that the law has yet to be tested, there is a wealth of past history where people have written in secret diaries and they can't make them decode it and these people are not put away under this scheme.
    (so IMHO it will fall on its face and I am not giving over any keys !)

    my question is what is the stupidest thing you have ever heard of ?


    john jones

  • I've been an avid cryptome reader for some time, even to the extent that I followed most of the USA-vs-UBL trial transcripts - that was a great effort on your behalf.

    My question is - do you think that you will be in a position to publish the transcripts for the trial of the Sept.11 events ?

    Assuming, of course, that at least some of the perpetrators are brought to trial and that this will probably be well into the future.
  • by Anonymous Coward on Wednesday October 31, 2001 @04:31PM (#2504174)

    Let me begin by thanking you for your unflinching adherence to the principles of disclosure and freedom of information. I am a great fan of your continuing work. My question follows:

    You have in the past, and continue to, post "dangerous" information like names of former intelligence agents, details of government cover-ups, radically contrarian opinions, and open calls for subversive action.

    A good example of this is Cryptome's continuing threads on the structural failure of the WTC and potential vulnerabilities of other landmarks. Some would claim that this kind of conversation should take place in closed-door meetings - that open discussion like this could only benefit evil and your support of such discussion is irresponsible.

    What are the principles and moral guidelines you use when publishing Cryptome? Are there any lines you would not cross? What are the implications of shifting public opinion (70% favor a national ID card) and mounting US totalitarianism to Cryptome?
  • I would like to know if you have been more careful about what material you publish, in light of the terror attacks on September 11th?

    In a talk that you gave to the USENIX Security '01 you had mentioned that you try to publish most anything that is given to you that fits within your guidelines. Basically, have you changed those guidelines at all?
  • by Dynedain ( 141758 ) <slashdot2@@@anthonymclin...com> on Wednesday October 31, 2001 @04:44PM (#2504250) Homepage
    As an architecture student who is also a geek - I'm curious as to how you made the transition to the technology sector. What prompted you to make the change and how did you do it? Was there anyone instrumental in providing you an opportunity? Do you still try to make a connection back to your architecture roots?
  • by Black Art ( 3335 ) on Wednesday October 31, 2001 @04:48PM (#2504272)
    You are channeling Dr. Bronner?

    Encrypt! Encrypt! OK!
  • Backups? (Score:4, Interesting)

    by rsimmons ( 248005 ) on Wednesday October 31, 2001 @04:48PM (#2504275) Homepage
    Also, during your talk at USENIX Security '01 you talked about different ways that you are keeping backups of your data. Including having other sites ready to host the data at a moment's notice, and sending out backups of the site to whoever wants copies. You had also mentioned work on a distributed storage system that would be more resistant to having one node shut off. Have you made any progress with this?
  • To a certain degree, the encryption genie is out of the bottle. How would the government go about reeling in the use of SSH and SSL all over the place? Could they possibly pass a law that said you had to upload your private keys or face prosecution? (I don't think they could get away with that but who knows)

  • by Anonymous Coward
    Dear Mr. Young;

    I've been a long time fan of your site, and I hope it never gets shut down and/or censored. There's not much you can do if you get shut down, but have you considered using freenet and/or freeweb to mirror your content? Once content is on those systems, it won't come down until nobody wants it.

    If not, why not? Are there any changes in those systems that would make you reconsider?

    Thanks for talking to /.!
  • In light of the USA PATRIOT act, this question may now be moot, but there might be further attempts to impose restrictions on privacy in the future.

    What strategy do you think will be the most effective in preserving privacy rights in the future? To be more precise, should the proponents of electronic freedom fight as strongly as possible against attempts to restrict those freedoms, or do you think it would be more effective to have some flexibility? I have often wondered whether the gun manufacturers and the NRA (for example) might be more effective in preserving gun rights if they took some effective actions on their own to keep guns away from wackos.

    In the case of electronic freedoms, I wonder whether fighting will only result in a complete collapse of our rights. It might be better to fight the worst proposals vigorously, and to assist the Feds (in some appropriate way) to catch the bad guys. This latter approach might erode some privacy, but might preserve the body of rights better in the long run.

  • By about 10:15am on Sept 11, someone in DoJ was talking about banning strong cryptography for individuals, or at least only allowing key-escrowed crypto. It's pretty clear to me that factions in the US government (NSA? DoJ? DoD?) don't really like the idea of strong cryptography used on a daily basis on a large part of the Internet, and the events of Sept 11 merely provided an emotionally-charged fog in which to go after demonized targets.

    But why? After about 30 seconds of reflection, it's pretty clear that terrorists/Russian Mafia/Red Chinese Communists/drug smugglers/money launderers/Swiss Bankers wouldn't use key-escrowed or US-government sponsored crypto products in the first place - why should the bad guys trust the US government? The bad guys don't play by the rules in the first place, so "safe" encryption won't apply to them. After 30 more seconds, it becomes apparent that key-escrowed crypto isn't crypto at all - whoever has the keys must use them constantly to determine whether the encrypted data isn't doubly-encrypted: once with a non-approved/non-key-escrowed scheme, the 2nd time with the "official" key-escrowed scheme.

    One has to arrive at the conclusion that the only people that key-escrowed, or semi-weakened crypto applies to are regular, law-abiding US citizens and businesses.

    Given that conclusion, why has the US government (and UK and French governments, too for that matter) tried so hard and for so long to prohibit law-abiding use of strong crypto? Feel free to speculate, I won't mind.

  • by Irvu ( 248207 )

    In recent years we have seen a raft of laws that, under one guise or another, act to limit speech and dissemination of information. Your own experience with DeCSS is a prime example. Since September 11 there has been a renewed push in Governmental circles not only to restrict information by refusing to comply with FOIA requests [aclu.org] but to demand information by increasing surveillance [aclu.org].

    As someone who has dealt with this and won, how do you see it progressing? Do you think that this will pass and these laws will be overturned? Or do you see this as only the beginning?

  • What information sources (websites, newspapers, radio stations) do you go to for news and information? Which ones do you trust? And, which ones don't you trust?

  • Will you please create some kind of CD or DVD archives so we can buy a copy of the entirety of the cryptome archives in case you ever get downed with the current U.S. foolishness?
  • by AntiNorm ( 155641 ) on Wednesday October 31, 2001 @06:45PM (#2504791)
    With recent legal pushes such as the DMCA and proposed SSSCA, what do you see in the future of our legal system? Do you see more pro-corporate laws being passed or do you see potential for a change in the government's traditional bend towards protecting corporate interests? It seems that you are in a position that would grant more insight into this than most of us would have.
  • by leto ( 8058 ) on Wednesday October 31, 2001 @07:46PM (#2504985) Homepage
    Mr Young,

    I appreciate your site a lot (not only because you have posted some of my own material on it :)

    Your site hosts obvious controversial papers. Yet you clearly don't want to have your site mirrored. You state so on your website and your robots.txt disallows it. Why don't you want the information on cryptome and jya to be mirrored? I noticed you changed this policy briefly after the Sep 11 attacks, and of course immediately grabbed a copy.

    But I'd still like to have a synchronised copy. Not even to publish now, but just to have in case cryptome disappears for whatever reasons.

    Paul Wouters
  • Hey John,
    what's the relationship between code and karma?
  • Assuming I'm an average internet user (which I'm not) I'd like to know what benefits I can get from using cryptography for my private email/internet communications.
    It's been said "I don't do anything illegal, why do I need it?" and it's also been said "I don't kill people, why do I need a gun?" (valid answer to both is "just because")
    I guess the main question in this post is this:
    For John Q. Public, what benefit will "impossible/darn-near-impossible to crack" encryption give? In other words: Who are we encrypting against? Who - in your opinion is reading my email and why?
  • Hi John,

    I've gone to cryptome on a regular basis - it's always an interesting read.

    However, do you have any internal guidelines or a gut reaction for stuff you won't host?

  • by Dudi ( 62824 )

    I enjoy reading cryptome, but I was always wondering: Where are your sources from? Why do they seem to know a lot about secret/top secret govt. activity (and why are they willing to risk being shot to give you this info)? Also, has anyone in the security establishment or government ever contacted you about your sources? Thanks and keep up the good work!
  • You've been threatened by the FBI, if is correct.

    Both agents were very courteous during most of the conversations. Except toward the end of the conversation with Mr. Marzilliano, when I mentioned my intention to publish an account without revealing his and Mr. Castano's names, he warned me there would be "serious trouble" if their names were published, and that he would be speaking with the US Attorney about the matter and call me again

    Did you find out what was meant by this?
  • The line between security and encryption seems to be merging, would like to hear your thoughts on this today and in 10 years time.
