Mondo 2000 - Issue #10 ====================== Interview with the legendary John Draper, aka Captain Crunch. MONDO 2000: What are you up to right now? CAPTAIN CRUNCH: I'm with the Cypherpunks. We're the people that use cryptography or cryptotechnology to protect and preserve our privacy. The Cypherpunks are the ‚litist of the ‚lite. I just came back from the Computers, Freedom, and Privacy '93 conference where we all met. M2: What was the most important thing that happened there? CC: The thing I really feel good about is the tremendous opposition to the FBI's Digital Telephony proposal and the tremendous interest in data encryption. Dorothy Denning, who's at Georgetown University, seems to think that data encryption should not be in the hands of the private citizen, that the private citizen should not have the _right_ to use data encryption. M2: But surely she's not opposed to data encryption per se? CC: Well, I meant encryption that can't be unscrambled by the NSA. That's understood. See, there are different levels of encryption. But the key idea was that if private citizens use encryption, they should have to register their private keys with the government. M2: Amazing! And how did people react to that? CC: There was so much opposition to her outrageous ideas that it was shot down. She is still out there, though, and there is upcoming legislation proposed. But if it ever does get that far, the EFF, CPSR, and ACLU will be right there to keep it in check. M2: What other issues came up? CC: Well, one problem the New York State Police have is with "call sell" operations--people getting credit card numbers from companies or using the company's PBX system to make free calls to the Dominican Republic or something like that. And it's mushroomed to the point--this is according to Senior Investigator Donald P. Delaney of the New York State Police--that toll fraud has jumped 1000% in New York City and in some place in L.A. because of "call sell" operations. So there's a major concern there. People are able to take cellular phones now and make them use the system in ways they've not figured out before. M2: Such as? CC: Well, they're able to change the ESN (electronic serial number) of the phones and they have this scheme they call "tumbling" which means that every time you make a call you switch to another ESN number. M2: So you can't be traced? CC: Exactly. The authorities are countering that by nailing down the location of the phones by triangulation. So when people use these things they can usually pinpoint them within a block. M2: So what else came out of it that was really exciting? CC: A lot of pretty dazzling talks. Bruce Sterling and Clifford Stoll also talked. Is was a continuation of the first two confrences, in the sense that other issues that needed to be resolved were brought out in the open. For the very first time, the Justice Department has gotten to hear the computer professionals talk about their concerns over data privacy. The hottest debate was over the FBI's Digital Telephony proposal. M2: What exactly is the Digital Telephony proposal? CC: The telephone company vendors have agreed that the FBI should be able to do their jobs, but they don't want to do a lot of extra work. They're cheap. They don't want to have to spend the money to develop the software that would provide a "back door" in telephone switch software. The new digital phone system is very difficult to tap, because there is no way for tappers to pick out a single conversation from the digital streams on fiber optic lines--digital transmissions are all mixed up with other calls and are hard to seperate without expensive software changes to the switch. This forces them to be back on the telephone poles with alligator clips like the good old days. Normally, the line going into your house is still analog, unless you are lucky enough to have fiber optic cables. Your analog voice doesn't turn into digital until it gets to the central office or to some entry point. Anywhere along there they can tap that line, so why write legislation to force the phone companies, on-line services, or any other common carrier to make it easier for FBI wiretaps? M2: OK, so where is everything going in the Cypherpunk area? CC: The biggest thing the Cypherpunks are doing is to promote widespread use of public-key data encryption for e-mail and voice phone calls. There's a group on Usenet called alt.security.pgp with a flame war instigated by Dave Sternlight. It seems bent on discouraging the use of PGP and is putting pressure on site administrators to remove uploaded copies because they allegedly violate the RSA patent. He continually rambles on about how everyone using it is a criminal. He makes tons of postings daily to the alt.security.pgp newsgroup worldwide. M2: So who holds the patent on the public-key encryption algorithm? CC: PK Partners holds the patent but RSA issues most of the licenses. There's been lots of confusion over RSA licensing. You can use RSA for free non-commercial purposes. The biggest problem is RSA's public communication has not resulted in a climate that people know how to proceed in. Because of this, independant software companies have not produced products using RSA. Mr. Zimmermann, the author of the PGP code, certainly has more balls than I do. M2: What else is hot in this arena? CC: I think what's really hot are the anonymous remailers. There's a lot of dispute about that. M2: Yeah, I hear they're worried about so-called accountability. We _need_ a public forum without "accountability." Accountability is important in our elected officials, but for the average person, it means they could be hauled into court for libel. CC: Exactly! I can see some great uses for remailers, like whistle-blowing. You discover, for instance, that a company is doing something really weird, and you want to let the world know but you don't want them to know that it came from you. So you can write an expos‚ on this company from an insider's point of view--you can send all the gory details and anonymously post it--and your anonymity would be preserved. The bad side of it is that it could be used for disinformation. M2: Kind of a cognitive Badlands for criminals and psychopaths?!? CC: Yeah, and the regulatory groups want to "protect" us. They also claim the child porn people can mail their files anonymously to anybody they want. M2: The Controllers want to stigmatize anonymous remailers by associating them with the child pornography industry calculated to inflame middle America! So how do anonymous remailers work? CC: You mail a central address and you put something on the subject line as to where the mail goes. The remailer automatically looks at the subject line and does this through a thing called a "perl script" which is like a program. It takes your header, strips it out, then puts its own header in. And then it hooks into the mailer, so the remailer can handle it. With your mail header stripped out, your anonymity is preserved. M2: But the remailer has your e-mail ID when it comes in, right? So... CC: Yeah, there's a lot of controversy and discussion about the integrity of the person running a remailer. For instance, a law enforcement type can set one up and record who anonymously mails. So the legit anonymous remailers go out of their way to ensure that when a mailer comes into their machine, the header's stripped properly and that no previous identity of the original poster of the message is intact. But the problem is that as soon as these remailers are being set up they are being taken down by the system administrators of Internet hosts. This is largely because of a small group of people who think they can be abused. On the Internet, people are pretty well-behaved. But like anywhere, there are always dickheads that are bent on screwing things up, like with mail bombs. M2: What's a mail bomb? CC: It's somebody sending an obnoxiously long message into your mail box that's extremely annoying. M2: Like junk mail. The ultimate abuser's data would expand to fill the available Internet bandwidth and disk space and paralyze the net, like the Morris virus. It's related to the caller ID question, isin't it? CC: Actually, the Internet is currently set up so that _everyone_ has caller ID and _no blocking_, so ironically, the Internet and phone company positions were originally the opposite of what they are now. Before Caller ID, when you received a phone call, you didn't know the number of the phone that called you. Now you can find out in some states. Postings on the Internet on the other hand have maintained your original e-mail address, but it is evolving into supporting _some_ anonymity now, but with great debate among a few right-wing types. M2: Are there any other major developments in the Cypherpunk area? CC: I'm working with some other folks on a new version of Mac PGP. My main goal is to put encryption in the hands of everybody as cheaply as possible. I'm doing the user-interface, working very closely with someone on the East Coast. I don't know where he is located, but I don't care. After all, this is just one global village with no distances, borders, or other real-world obstacles. This is why I like the Internet. M2: I found Mac PGP user-hostile. It wrote over the original file of this interview when I created an encrypted version! CC: It's a litle bit difficult to use right now for the uninitiated, because it was originally written to work under UNIX. It's not very user-friendly. Because UNIX people don't usually care about that kind of stuff. The new graphic user interface will make it easier for people to use PGP. We're going to be adding a very rich selection of features to PGP that the original will not allow you to do. For instance, it's nice to be able to decipher text directly to the display without having to actually save it as a file. When you save your plain text as a file inside your computer, there is the possibility that you may forget to remove it. The original PGP solves that by letting you spool the plain text temporarily to the screen, but there's no effective way of scrolling once it starts displaying. So one of the features we're adding in this version is being able to pipe the text directly to an editable text window. We're also adding copy and paste and some enhanced key-management features. These are being done by the other PGP team members. There's a whole PGP development team of the most ‚lite programmers working on this project and I'm honored to be a part of it. But I'm sticking with the user interface. I don't think I could be put in jail for designing a dialog box! My handiwork will be up for display, which is why I'm doing a very careful job. If I have my name on my code, man, it's going to be perfect! It will be readable and well commented and easily maintainable. I also recommended that the PGP core code be rewritten in such a way that it can be re-entrant. What that means is that it will be more modular, easier to break up into organized procedures and to be interfaced with other graphics platforms. Like you'll be able to use it in an X command in HyperCard. M2: When will this new version of Mac PGP be available? CC: We're shooting for May, but I was hoping that no real deadline be set, so it will be available all over the Internet, provided that david Sternlight is kept on a short leash. M2: What will this do for the average Mac user? CC: They'll be able to communicate in complete privacy with other Mac users either through the on-line services such as the WELL and CompuServe, or just by mailing diskettes. If you have a really important program or product and you want to protect that product, then you would encrypt it--put it on a diskette, mail the diskette over the regular mail. If it ever gets intercepted, the interceptor would not be able to make heads or tails of the contents of the disks--only the intended party can decrypt it. And that means you can send beta copies of software to your publisher and your publisher could then decrypt your software and convert it back to the original through the use of PGP or any other encryption program out there. Also, it would be impossible for someone to intercept the disk and inject a virus in the program. M2: What do you think of the Clinton administration's proposed Clipper chip for encrypting phone calls? And registering everyone's encryption keys to provide tappability in criminal investigations? CC: I believe they're trying to push this idea through without giving much thought to the ramifications. This overwhelming urge to tap into our private conversations is simply going to promote private encryption and voice scrambling. It is not going to make law enforcement's job any easier to catch criminals. It reminds me of that popular bumper sticker "If guns are outlawed, then only outlaws will have guns." If i were a criminal, do you think I would be dumb enough to register my phone with the government? Of course not! I would probably get mine on the black market, or through some other illicit means. If I were a law-abiding citizen, would I trust some government agency with my encryption key? Would you? M2: No. So what's the reaction so far? CC: Very negative. I'm getting about 150 messages a day on this. This is not only going to get a bad reception in the industry, but it will cost the government more money by piling on huge administration costs. Let's see: You need two agencies (hopefully ones that people can trust). Gee! I can't even think of just ONE agency that I can trust!!! Can you? Then, these agencies have to keep track of one half of an 80 bit key. I guess there is one key for each Clipper chip, so there has to be the capability of millions of keys. Each one has to perfectly match the other half. Then there will be people needed to "register" these "tapper" phones. And then what if you decide to sell it? The mind boggles! Then there is this classified algorithm used in the Clipper chip itself. I'm sure it's probably hard to attack and crack. But can you really be absolutely sure that there isn't some sort of back door in it? It's clear that the industry hasn't been consulted, or ideas were not put forth in some public forum. So, where is this democratic process?!? We ARE still a democracy, aren't we? How was this company that sells the Clipper chip selected? Were RSA data security people contacted? A lot of questions will have to be answered before something like this can be accepted. M2: What else is going on? CC: There's something I'm working on with a student at the University of Houston. What we want to do is a virtual cyberspace. Where you have a machine on the Internet called a "virtual world server." If you enter the server, you select which of the virtual worlds you want to go into. After selecting one, you enter that virtual world and you have other people or entities in there you can play around with. Your digital identity could be a knight in shining armour--you render that with an artist. It has a certain size and weight, certain characteristics. M2: Sounds like True Names! CC: Cool. And as you're moving around in this virtual world, and other people are moving around, your positions are being send to the server, and the server broadcasts those positions out to the other people in the virtual world. M2: How can people reach _you_ in Cyberspace or Cypherspace? CC: Well, the best way to reach me is via e-mail. I already receive TONS of e-mail, but I have an efficient screening system, and it is not uncommon for me to receive about 150 messages a day. That may seem a lot, but most is due to the mailing lists I belong to and I can download them fairly fast. I am also an Internet guide. In this role, I guide the beginner or wannabe through the complex maze of the Internet, which has over 1.5 million computers hooked up to it. I charge a fee for this, but it is very low and affordable by more then 90% of the cybernauts or beginners. I have some pretty famous clients. My e-mail addresses are: crunch@well.sf.ca.us (my home system) crunch@netcom.com (I visit this one first) crunch@hacktic.nl (my European e-mail box) If you e-mail to request my Internet guide service, please put "Internet guide" in your subject line and I'll e-mail back a contract form to fill out. By the way, if you want my PGP public key, I can e-mail it to you. So if anyone wants to send something encrypted to me, they can use this key. Only I can decrypt your message. If you expect me to send anything back, please send me you public key, which can be encrypted along with your text message. See ya all in Cypherspace. Rave on d00dz!!