Encryption Security

Interim Response from Philip Zimmermann

The little "No Regrets about PGP" piece from Philip Zimmermann and the associated interview "call for questions" we ran on Sept. 24 seem to have stirred up quite a ruckus. Apparently online crypto has become such a hot-button issue that it is impossible to hold a rational conversation on the topic right now. Because of this, instead of answering the interview questions, Philip sent us a brief statement. We'll try to interview him (and other crypto experts) later, after passions die down a bit.

Overreaction to Washington Post Article

It seems that my recent clarification of how I was represented in the 21 September Washington Post article has itself created a deluge of harsh criticism of the Washington Post and the reporter who wrote the article.

People seem to be assuming the Washington Post is part of some grand conspiracy to restrict the availability of strong cryptography. I would like to say that this is an overreaction and a misinterpretation on the part of these critics.

I believe this was an honest misunderstanding by the people at the Post, and I never meant to imply in my previous clarification that this was done on purpose or with any malicious intent. On the contrary, I believe the Post worked hard to be fair in the story and had the best of intentions when they ran it.

Further, I'd like to say that all the individual facts and quotes were reported correctly. But the Post connected the dots in a slightly different way to conclude that I was feeling guilty even though I was simply feeling grief and anger just like everyone else since the attacks occurred. Overall, I thought the article was fine except for that one line that says I was "overwhelmed with guilt."

My purpose for sending out my original clarification was not to criticize the Post but to assure everyone that I am still standing firm on my convictions that PGP and other strong encryption products should be available to the public, with no back doors.

Through the years of coverage the Post has given the issue of cryptography restrictions, I have never detected any bias at the Post to promote restrictions on crypto. In fact, if they have any bias at all, it seems to be in the other direction. They helped me when I needed to keep the Justice Department at bay in 1995. We will need them again in the coming weeks as we in the crypto community attempt to keep the freedoms we have, as legislators try to impose new restrictions on strong crypto.

I find this jihad of criticism of the Post to be inappropriate. I can easily tell from talking with the reporter that her intentions were good. It is grossly unfair to punish her with all this hate mail. It's embarrassing to me and damaging to her. If anyone in the world of journalism wants any further clarification from me on that reporter's competence or journalistic integrity, feel free to call me directly and I will explain it to you in more detail.

I am in London at a data security conference, without as much Internet access as I have at home, so I cannot keep writing about this matter for much longer. I hope this letter is enough to put this matter to rest.

Sincerely,
Philip Zimmermann

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO7ILqcdGNjmy13leEQLryACfffYuStFXNTC0aWnJStMEAWsbQSgAn0ID d2bqoxnEbABk+1V/edlzC84A =uBHG
-----END PGP SIGNATURE-----

  • Bad Frontpage Link (Score:0, Informative)

    by Anonymous Coward on Thursday September 27, 2001 @06:57AM (#2357515)
    Change the word 'interview' to the word 'articles' and the link works. Of course, if you read this, you've probably worked that out!
  • by tinkerton ( 199273 ) on Thursday September 27, 2001 @07:55AM (#2357638)
    At mediadishonesty.com [mediadishonesty.com] there is a media dishonesty rating system. See the link standard dishonesty rating system [edwarddebono.com]. As a rating system it is insightful and tough. The author claims a score of 30 bad points is reasonable.

    In general I think most press dishonesty is in pursuit of the aim to be more interesting. That's the main selling value. Political agendas are much less important to press than most people think.

    Useful moderation system for Slashdot? Very valuable, yes. Question is how. Too heavy for full use.

  • Slashdot and Crypto (Score:5, Informative)

    by ichimunki ( 194887 ) on Thursday September 27, 2001 @08:19AM (#2357714)
    Dear Phil,

    Do you think you could give the Slashdot crew a quick lesson in using crypto? From the way they've posted the last two missives from you, it's obvious they don't actually use PGP or GnuPG and have no clue how to transfer information in such a way that the digital signature remains valid.

    I mean, providing a link to the original text file seems to be too hard for them, so maybe you could walk them through the procedure for verifying a document and then ask them to try and do that on their own postings, to see what they are doing to those of us who verify signatures when we see them?

    I mean, what's the point of signing a message if no one can verify it? Not that I think Slashdot would lie, but for all we know they've been duped into posting something that isn't from the real Phil Zimmermann. Or maybe their stories are being tampered with-- it's happened to bigger fish recently (and Slashdot itself has been hacked before).

    Thanks!
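
Why a reposted cleartext-signed message stops verifying, as an added example that is not part of the original post or thread: the sketch applies the OpenPGP cleartext canonicalization rules (RFC 4880, section 7.1) to a constructed message and compares the digest of the signed text before and after typical republishing changes. The sample message, the placeholder signature body and the use of SHA-256 as a stand-in hash are assumptions made for the illustration.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(armored: str) -> list[str]:
    """Lines between the armor headers and the signature block."""
    lines = armored.replace("\r\n", "\n").split("\n")
    start = lines.index(BEGIN_MSG)        # ValueError if the header was stripped
    blank = lines.index("", start)        # an empty line ends the "Hash:" headers
    end = lines.index(BEGIN_SIG, blank)
    return lines[blank + 1:end]

def canonical_text(body_lines: list[str]) -> bytes:
    """Canonical form the signature is computed over (RFC 4880, section 7.1)."""
    out = []
    for line in body_lines:
        if line.startswith("- "):         # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))    # trailing spaces/tabs are not signed
    return "\r\n".join(out).encode("utf-8")   # line endings become CRLF

def text_digest(armored: str) -> str:
    # SHA-256 stands in for the signature's hash; a real signature also hashes
    # a short trailer, so any change in this digest changes the signed hash.
    return hashlib.sha256(canonical_text(signed_body(armored))).hexdigest()

def still_verifiable(original: str, copy: str) -> bool:
    """True if the copy carries the same signed text as the original."""
    try:
        return text_digest(original) == text_digest(copy)
    except ValueError:                    # armor lines missing from the copy
        return False

# Constructed sample; the signature body is a placeholder, not a real signature.
ORIGINAL = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "Strong encryption should be available",
    "to the public, with no back doors.",
    "- -- ",
    "Constructed Signer",
    BEGIN_SIG, "", "PLACEHOLDER", "-----END PGP SIGNATURE-----",
])
# A mail gateway that switches to CRLF and pads a line: harmless.
VIA_MAIL = ORIGINAL.replace("available", "available   ").replace("\n", "\r\n")
# A web page that joins the wrapped lines into one paragraph: signed text changes.
REFLOWED = ORIGINAL.replace("available\nto", "available to")
# A web page that drops the BEGIN PGP SIGNED MESSAGE header and keeps only the text.
NO_HEADER = ORIGINAL.split("\n", 3)[3]
```

Publishing the signed text byte-for-byte (a preformatted block or a link to the original file) keeps the canonical text intact; re-wrapping it or dropping the armor header does not.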
  • by mikey_boy ( 125590 ) on Thursday September 27, 2001 @08:26AM (#2357731)
    According to this [guardian.co.uk] article from the UK's Guardian, cryptography wasn't even used, so it's all a bunch of scaremongering crap anyway ...

    "FBI investigators had been able to locate hundreds of email communications, sent 30 to 45 days before the attack. Records had been obtained from internet service providers and from public libraries. The messages, in both English and Arabic, were sent within the US and internationally. They had been sent from personal computers or from public sites such as libraries. They used a variety of ISPs, including accounts on Hotmail.

    According to the FBI, the conspirators had not used encryption or concealment methods. Once found, the emails could be openly read."

  • PGP is not to blame (Score:1, Informative)

    by Anonymous Coward on Thursday September 27, 2001 @08:33AM (#2357751)
    The Guardian Unlimited has a nice article which sums up a few views on encryption and the WTC attack: http://www.guardian.co.uk/waronterror/story/0,1361,558371,00.html [guardian.co.uk]. Basically it says the terrorists did not use strong crypto and had good reasons not to do so.
  • Re:use of word jihad (Score:3, Informative)

    by nlvp ( 115149 ) on Thursday September 27, 2001 @08:38AM (#2357768)
    Really? I read yesterday that it meant "Holy Struggle", but that it could be applied as equally to the struggle against temptation as it could to the struggle against religious oppression, and that this was the source of the ambiguity surrounding the use of the word.

    But just 'cos it's written don't make it right, so I may be wrong.

  • by MEK ( 71818 ) on Thursday September 27, 2001 @08:44AM (#2357786)
    It looks like the rush to legislate against encryption has little basis in the facts. An article in today's Guardian states:

    FBI investigators had been able to locate hundreds of email communications, sent 30 to 45 days before the attack. Records had been obtained from internet service providers and from public libraries. The messages, in both English and Arabic, were sent within the US and internationally. They had been sent from personal computers or from public sites such as libraries. They used a variety of ISPs, including accounts on Hotmail.


    According to the FBI, the conspirators had not used encryption or concealment methods. Once found, the emails could be openly read.


    Guardian: How the plotters slipped US net [guardian.co.uk]
  • Re:use of word jihad (Score:1, Informative)

    by Anonymous Coward on Thursday September 27, 2001 @08:56AM (#2357829)
    Here's what I got out of "jihad".

    While there may well be no direct translation of "holy war" into Arabic to be found in the Koran, it doesn't take too many steps to translate it into that. Just like any other group and language, Arabic and Islam have their own euphemisms. While it may be that the literal translation of Jihad into English is "troubled times", and that generally that is the semantic sense of the word, like most other groups, words like "these are troubled times" are almost always followed by "it is time for us to take action and right the evil things that have put us in these Troubled Times".

    Just look at the English-Irish conflict in N. Ireland. Sure, they are called "The Troubles", but the English do have a fine ear for euphemisms. We know it really has been quite a long period of guerrilla warfare, not only between peoples of two countries, but peoples of two religions.

    So when we hear a call for a "jihad" by some mullah or imam thrown into the same paragraph or sentence as "overthrow the Great Satan", along with a huge crowd of fired up Amway distributors... wait... wrong analogy... er, fellow citizens burning flags, trying to conduct voodoo ceremonies with world leaders, and firing off AK-47s, well... It is hard, very hard

    If it walks like a duck, quacks like a duck, has feathers, small beady eyes, wings, feathers, webbed feet and a flat bill, it probably is a duck.

  • by man_ls ( 248470 ) on Thursday September 27, 2001 @09:40AM (#2358009)
    The ACLU [aclu.org] has a place where you can send a form-fax to your senator or congressman urging them to make an informed decision about the laws regarding cryptography. I sent such a message to my elected officials in Washington; you should too. I can't for the life of me find the actual link for the page again, but it is there, somewhere. I will post it as a reply here.

    Also, elsewhere on Slashdot, again I can't find the link again, there is a very well-written letter that the author said he would allow for use provided it was modified a little bit.

    If we don't want something to happen, we need to make sure to tell our government about it. They are there to represent US, and if we don't want something, it shouldn't happen.
  • Re:A better approach (Score:3, Informative)

    by markmoss ( 301064 ) on Thursday September 27, 2001 @09:54AM (#2358098)
    So are you going to go withdraw all the copies of old journals with the formula for public-key encryption from the libraries? Or maybe license mathematicians so nobody is out there that understands how to turn those formulae into code? And nuke Russia, since their gov't is too weak to ensure their many excellent mathematicians obey such a law.
  • by Theodore Logan ( 139352 ) on Thursday September 27, 2001 @10:02AM (#2358147)
    This is probably the most insightful post (damn those moderators for marking this "interesting"!) I've seen regarding this whole media circus. I assume a number of books have inspired you to draw conclusions of this kind (if not, you are an original. Please go into politics), and I also assume that these books are the same that got me thinking, since a lot of these ideas sound strikingly similar.

    Without rambling further, I will introduce all of you who found these ideas +5 interesting to the disturbing world of Noam Chomsky. Suggested reading here [amazon.com] and here [amazon.com] and here [amazon.com].

  • by DanEsparza ( 208103 ) on Thursday September 27, 2001 @11:48AM (#2358769) Homepage
    Senator Judd Gregg (R - NH) wants to propose legislation that would require all cryptography to have standard 'backdoors'. I personally think that this is 'wrong-headed' ... but regardless of what I think, you can LET HIM KNOW PERSONALLY how you feel about his proposed legislation:

    Phone: (202) 224-3324
    Fax: (202) 224-4952

    (Taken from http://politics.yahoo.com/politics/congress/senate/list_of_members/375/ )

    Dan
  • by TomRC ( 231027 ) on Thursday September 27, 2001 @12:08PM (#2358850)
    If slash-dotters want to win the debate over strong crypto, they need to examine their own arguments and eliminate specious ones, lest those weak arguments be considered the best case for strong crypto.

    1) Arguments equating unbreakable encryption with various tools or envelopes for private mail are specious. Envelopes are easily opened - and can be opened under a court order. Hammers, pants, airliners, and crypto do all have uses beyond terrorism - but the vast majority of the value of crypto could *theoretically* be retained with well managed (i.e. privately owned and run, paid for by crypto users) key escrow.

    2) Terrorists using alternative unbreakable crypto is NOT an argument against key escrow. Requiring all communication using strong encryption to use key escrow has the flip side of making other forms of encrypted communication illegal. Discovery that a suspect is using illegal/unbreakable encryption would be enough to arrest them and detain them indefinitely for contempt of court if they failed to turn over the keys to their crypto.

    To defeat any particular "government backdoor crypto scheme", you must
    (a) show it damages recognized constitutional rights;
    (b) show it could not work because...(?);
    (c) get enough people using it and emotionally attached to the protection it provides, that they irrationally tell their law makers to buzz off - or engage in widespread civil disobedience once key escrow is mandated.
