Interim Response from Philip Zimmermann

The little No Regrets about PGP piece from Philip Zimmermann and the associated interview "call for questions" we ran on Sept. 24 seems to have stirred up quite a ruckus. Apparently online crypto has become such a hot button issue that it is impossible to hold a rational conversation on the topic right now. Because of this, instead of answering the interview questions, Philip sent us a brief statement. We'll try to interview him (and other crypto experts) later, after passions die down a bit.

Overreaction to Washington Post Article

It seems that my recent clarification of how I was represented in the 21 September Washington Post article has itself created a deluge of harsh criticism of the Washington Post and the reporter who wrote the article.

People seem to be assuming the Washington Post is part of some grand conspiracy to restrict the availability of strong cryptography. I would like to say that this is an overreaction and a misinterpretation on the part of these critics.

I believe this was an honest misunderstanding by the people at the Post, and I never meant to imply in my previous clarification that this was done on purpose or with any malicious intent. On the contrary, I believe the Post worked hard to be fair in the story and had the best of intentions when they ran it.

Further, I'd like to say that all the individual facts and quotes were reported correctly. But the Post connected the dots in a slightly different way to conclude that I was feeling guilty even though I was simply feeling grief and anger just like everyone else since the attacks occurred. Overall, I thought the article was fine except for that one line that says I was "overwhelmed with guilt."

My purpose for sending out my original clarification was not to criticize the Post but to assure everyone that I am still standing firm on my convictions that PGP and other strong encryption products should be available to the public, with no back doors.

Through the years of coverage the Post has given the issue of cryptography restrictions, I have never detected any bias at the Post to promote restrictions on crypto. In fact, if they have any bias at all, it seems to be in the other direction. They helped me when I needed to keep the Justice Department at bay in 1995. We will need them again in the coming weeks as we in the crypto community attempt to keep the freedoms we have, as legislators try to impose new restrictions on strong crypto.

I find this jihad of criticism of the Post to be inappropriate. I can easily tell from talking with the reporter that her intentions were good. It is grossly unfair to punish her with all this hate mail. It's embarrassing to me and damaging to her. If anyone in the world of journalism wants any further clarification from me on that reporter's competence or journalistic integrity, feel free to call me directly and I will explain it to you in more detail.

I am in London at a data security conference, without as much Internet access as I have at home, so I cannot keep writing about this matter for much longer. I hope this letter is enough to put this matter to rest.

Sincerely,
Philip Zimmermann

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO7ILqcdGNjmy13leEQLryACfffYuStFXNTC0aWnJStMEAWsbQSgAn0ID d2bqoxnEbABk+1V/edlzC84A =uBHG
-----END PGP SIGNATURE-----

use of word jihad

[Anonymous Coward]

jihad != holy war

jihad == troubled times/problems

(mod parent up) Re:hmm.

[ishark]

I agree with you, but I think (fear?) that it doesn't come from some conspiration against crypto, but from the fact that often newspapers tend to "correct" reality a bit in order to make their articles sound more "strong". I've witnessed this happen a couple of times. After all, normal, flat life and feelings are a bit too "grey" to attract the public. A nice black/white strikes much more....

The Lesson for today is

[q-soe]

I think the thing to take away from any of this stuff is that technology no matter what it is and why it exists can be misused and that in itself is no reason to stop it.

The fact that some of the terrorists might have used PGP is not in itself surprising - they were planning an operation where secrecy is vital and thus they used a secure system - they could have as easily created some code known only to them so the method they used is somewhat irelevant.

The same goes for the planes, they were designed to transport people but they have lots of fuel and become a flying bomb in the wrong hands.

So do we ban planes and crypto software ?

Lets all take a step back from this and look at it in the cold light of day for a minute. Over reaction now will result in long term effects - the US govt has been against strong crypto for many many years - the block on exporting 129k encryption are a case in point - claiming that it might help people commit crimes and hide information, but these are ideas and codes and someone will get them.

So do we ban it ? Why ? isnt it simply arrogance for the US to think that no one else in the world can develop this stuff ? and theres always the secret code devised only for you.

The argument that they might have been able to find out about it is also bullshit, you could disguise this stuff in language so effecitevly you would never get close, so that invalidates that argument.

The fact is the government in the US and in other countries wants to control free access to information and prevent people from hiding it away - the attempts to stop crypto are aimed at their populations - to prevent people from hiding money and assetts, from opposing the government etc

The sacry thing is that as i see the patrotism grow in the US i see a government cracking down on elemental freedoms and toughening laws - computer crime, crypto, etc Whats next freedom of assembly, freedom of speech.

We all need to keep an eye and a ear on the world otherwise what we miss may cost is more than we can ever guess.

I don't understand the people that send...

[Dog and Pony]

... that kind of hatemail anyways. Who do they think they are winning over?

I think this was the right thing to do. Since people can't learn to control themselves. Maybe this will wake someone up.

He stated perfectly clearly in the old article that he liked the Post, and he thought it was a honest mistake. What more do you want?

Even if matters were otherwise, you are destroying for yourself by stooping down to the American election campaign level - ie mud pies.

"Jihad"

[sireenmalik]

Mr Zimmermann:

I hold you in high regard for your principals and the contributions you have made to the freedom of speech. But I dont think you undersand the word correctly like most other people. I will urge you to watch the CNN's little docu on Islam. As mentioned, in the entire KORAN there are 5-6 references to the word....and mostly the mention is about the battle one fights with oneself!

Uneducated Moslems have been misled by this word. They have been betrayed by people with evil motives. One way the educated community can make a contribution to the cause of anti-terrorism is to really understand both sides of the story. Rather, three sides of the story: yours, mine and the real-hard-truth.

I switched to gpg..

[MikeFM]

I usda use pgp a lot but then it got confussing enough with who owned what and what the licenses were and everything that when gpg came out I gladly switched. I have to wonder how the US expects to remove old copies of pgp, gpg, and similar programs from the Net outside the US not to mention things like books and the knowledge in peoples heads. I think blaming people or trying to put the encryption genie back into the bottle is a bit misguided. We should let these emotions pass before we start passing a lot of laws. Lets not do anything we'll regret later. Lets punish terrorist and not programmers/pilots/etc for whats happened.

Re:Thank you

[flatrock]

Tell them that security research is not cracking, that cracking is not terrorism

I agree that security research is not cracking.
Cracking is not terrorism in most cases, but if you crack some critical systems, it can get people killed. And though it doesn't rise to near the level of terrorism where people are killed, crackers who cost lots of innocent people a lot of time and money just to make their point or for the fun of it are still scum.

if you don't take the time to properly secure your systems, you need to take some liability!

People who don't secure their systems should take some responsibility for their lack of action. I think liability is the wrong word, because to me it infers that they deserve to be hacked. They don't. They have a responsibility because their lack of security can allow their system to be used against others. Trusting people that don't lock up their valuables don't deserve to be robbed. People that choose not to arm themselves don't deserve to be attacked. Defence against many forms of attack, including cracking may very well be a good idea, but lack of it does not imply guilt on part of the victim.

I strongly support free speech. I think that crypto laws requiring back doors, or making crypto insecure for the common person are wrong, and would be ineffective in their goals.

As part of supporting free speech, I am strongly against malicious cracking. Worms, viruses, trojans and the like do a lot to harm innocent people who just want to get online but don't have a lot of technical knowledge. The internet is a great tool for free speech, and it shouldn't be kept from them just because they don't know how to properly secure their home computer from malicious attacks of others. If the govenment ends up passing harsh legislation which inhibits our freedom to protect such people, it is the crackers who deserve the lion's share of the blame, not the people who got cracked.

I understand that in order to improve security, security needs to be tested. I also understand that in order to get vulnerabilities fixed, that security issues need to be made public. The way they are made public could often be handled better though.

If you really wan to stir some feathers, then remind them of the declaration of independence - "But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security"

You may stir up some feathers with this, but I doubt you'll help your cause. I agree that as a last resort, revolt is actually a responsibility of an american citizen. But only as a last resort, and only for the good of the country.

I realize that I made some comparison between terrorism and cracking in this post, and I want to state that I don't want to trivialize the problem of terrorism with this. Terrorisn is crime that far outshadows cracking. Malicious cracking is more of a petty terrorism in which lives aren't lost.

Lawmakers should learn from history

[Pinball Wizard]

The only way cryptography has ever been defeated historically has been to develop a technology that can beat it. For example, the first modern computer was built to defeat the enigma in WWII. If the govt. wants to do this, the proper course is to develop quantum computing. This of course will be very expensive to do, but if the government wants to break current crypto, its the only way. Of course, it would have to be developed in the labs and not leaked to the public.

Put backdoors on current cryptography programs, and you will ensure that only the criminals have real crypto. For more information, see The Code Book [amazon.com].

Media and conspiracy

[joss]

> People seem to be assuming the Washington Post is part of some grand conspiracy to restrict the availability of strong cryptography.

No, it's not a conspiracy, but it is a symptom of a much deeper problem. The fact remains that the paper blatantly misrepresented Phil's opinions in order to further the current agenda of cracking down on civil liberties. This distortion is not a coincidence, but it's not deliberate either. In fact, it's scarier than that. People who are sufficiently indoctrinated hear what they want to.

We don't need any controlling evil mastermind to produce the appearance of a conspiracy. All we need is a set of implicit and unstated tendancies where most people do what they think ought to be done, and the mass moves inexhorably in a particular direction, irrespective of a few free thinkers trying to throw a spanner in the works. This group concensus serves the interest of those in power (the rich, via corporations, media - which is corporate owned, and politicians - who are also corporate owned), and pushes the rest of the population in that direction.

Mainstream media is even more laughably distorted than normal at the moment. Suddenly the media is full of convenient statistics "80% of US population favors back-doors in encryption". And what percentage of the US population has any idea what the hell that means ? What was the queston "Do you favor laws that make it harder for terrorists to communicate in private ?" or "Should it be illegal for people to try to stop others from monitoring their communication ?"

Corporations and politicians have a vested interest in eliminating free speach from the population. They don't want you talking to each other, they want you listening to them. They definitely don't want you saying stuff to each other without them being able to monitor it and punish you for saying stuff that makes them uncomfortable. The real reasons for the desire to restrict and monitor may not even be apparant to the "group mind", but everyone has a huge capacity for self-delusion.

The media is just as accurate about other stuff. They laud George Jr's "bravery" without a trace of irony, like the jester in the Holy Grail "When danger reared its ugly head,
He bravely turned his tail and fled...." Meanwhile the cowardly terrorists were cowardly
giving their lives for their beliefs. Fanatical assholes, sure, but cowardly ?

The distortion is much worse than you think. The entire language is adjusted in a thoroughly Orwellian fashion. When people on our side die, the "terrorists" cause the "murder of innocent, men, women and children". Fine, this is accurate. However, when we do start beating up on Afghanistan. "Military commanders" will replace "terrorists" and "inevitable collateral damage during surgical strikes" will replace "bombing civilans". It's very difficult to reason about something when the terms are properly loaded.

The language molesters will be hard at work over the next few months. The funny thing is that when we hear blatant distortions in the other direction, (eg "The great satan") we laugh at the stupidity and talk about how these people have been brainwashed into believing all sorts of nonsense. Yeah, "they" hate us because they're jealous and they're victims of brainwashing and propoganda. Meanwhile, we're going to destroy civil liberties, escalate corporate welfare (through "defense" spending), slaughter innocent civilians and risk our own soldiers fighting people across the world who previously had no serious quarrel with us, because we're all well informed and logical.

== hammer seller?

[anshil]

I think this is the same status like selling a hammar. One can use it to construct houses, cupboards, tables, hang up pictures on the wall, and a lot of other good and constructive things. Now there is a group of people who might use hammers to destroy windows, does the producer of the hammer have any guiltiness on the destroyed window?

Same was dynamite, Nobel also thought of the constructive things when inventing it, like mining etc. but there are also people that will use dynamite to blow up other things than rocks.

Personally I think different for things created only for pure destruction. Like rockets, to a limited degree some kind of guns etc.

But also there history made sometimes funny turns. Take the LASER in example, when this technology came up people only thought of them using as super longrange weapons, and got quite funding for this purpose. Now look today, LASERs are used for everything, from construction computers, correcting teeth and eyes, meassuring stars, etc. etc. but one application they failed miserable as weapons themselfs.

Re:hmm.

[leviramsey]

In short, the WP editors should be working for the National Inquiror [sic --LR]

I remember reading in US News & World Report a few years ago that the National Enquirer actually has stricter standards regarding verification of sources and other fact checking than the NY Times/Washington Post.

[Goes to USN&WR's site...]

Here's a link where you can purchase [newsbank.com] [newsbank.com] the article in question for $2.

Google has a cached [google.com] [google.com] version.

As an aside, do you think US News might sue Google over things like this? I've always thought that their caching scheme might be of questionable legality (what with the DMCA and all).

Re:Philip why are you interested in cryptography??

[IainMH]

Philip, why are you interested in cryptography??

It seems that no-one understands you anyway so you might as well send everything as plain ASCII!

Bah - who modded that down! It was a joke!!

Jeez someone got out of bed the wrong side today..

Re:hmm.

[mrbnsn]

Oh, nonsense.

As someone who deals routinely with journalists, I'd have to say your version is the J-school fantasyland version.

For an illustrative example of the real world version, click here [netrinsics.com] (story of Time Asia hiring me to do a hatchet job on Bill Gates).

I've had a CNN reporter based in Beijing complain point blank that China coverage was for all practical purposes written in Atlanta.

I could go on with similar stories for pages and pages.

Re:A better approach

[Tassach]

Don't forget to have background checks and a 3 day waiting period on anyone who buys a pack of playing cards. After all, they can be used as an encryption device [counterpane.com]

Misquote

[nnet]

What hasn't been answered is WHY the article misquoted the overwhelming grief statement attributed to him.

Re:Thank you

[mikey_boy]

I wasn't going to reply to this, but my irritation with your attitude got the better of me. First off, if you are one of the 100 who are dead, do you think the total really makes much difference to you? Dead people is dead people, and frankly it sucks (I am not trying to lessen the scale of the tragedy, merely pointing out that innocents being killed is all in the same ball park)

Second, I am curious to know wtf pampered teenagers have to do with anything? If your implication is that I am a pampered teenager, fraid you are a few years too late ...

Also is it sacrificing their lives for the ideals of freedom, or sacrificing them to save the lives of others. (ie if you are refering to the sacrifice made by those passengers, then I would argue it was more the latter). In case you were wondering what the difference was:

- The ideals of freedom are subjective, and to a certain extent are based on the ideals of the society which you are brought up in. Personally speaking I don't necessarily agree with the all the ideals of the society I have been brought up, in spite of it being considered one of the more free, but I have work to do, so I am not going to go into that now.
- sacrificing your life for others is a moral decision, one which I like to think I would be willing to do , but will not until (if) I am put in that situation.

anyway, that's enough rambling, I am not sure if I have made a particularly coherent point, or just wasted 10 minutes, but it makes me feel better ;-)

not the washington post recently

[MemeRot]

I read the post often, I live in DC. Their editorial slant has gotten more and more extreme lately. I would have given them the benefit of the doubt a year ago. But they seemed hell-bent on becoming the mouthpiece of this administration even before this incident. Since? Even the unsigned editorials in the op-ed page have been rank and file in line with a certain ideology. Not one I share. They don't like people getting upset at their editorial slant? Maybe they should go back to unbiased reporting.

Re:hmm.

[Merk]

That's why it pays to read what he actually said:

1. "the article had no such statement or implication when she read it to me."
2. "I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite."
3. "It appears that this nuance of reasoning was lost on someone at the Washington Post. I imagine this may be caused by this newspaper's staff being stretched to their limits last week."
4. "I have always enjoyed good relations with the press over the past decade, especially with the Washington Post. I'm sure they will get it right next time."

If anyone is to blame for the change it's the editors, not the writer. And the editors are probably pretty stressed right now. I doubt they were being malicious.

You may have heard of the principle "don't attribute to malice what can be explained by stupidity". Maybe that should be changed to include stress, exhaustion, and emotional turmoil.

Happened to Bill Maher too...

[scheming daemons]

The same thing happened to Bill Maher of "Politically Incorrect" fame.

He made a statement that was an indirect slam against the Clinton Administration, but some right-wing shock jocks took it as an attack on the US military and Bush. Maher and his advertisers have been hammered with hate mail from the "Free Republic" types and Limbots ever since.

What Maher basically said was that it would be "cowardly" of us to lob cruise missiles at terrorist camps from 2000 miles away, like we did in 1998. He was calling the decision makers (i.e. Clinton) cowards, not the military.

But right-wing nuts reacted to the second-hand information they got from fellow wing-nuts like Mike Gallagher and went ballistic.

Very much the same way that slashdotters went ballistic on the WP.

Bill Maher has always been very pro-military on PI, but because he is impartial and sometimes takes the leftward position on some issues (drug war, death penalty), the conservatives in this country saw it as an opportunity for an attack. Never mind that he was implicitly criticizing their arch-enemy Clinton...he is sometimes liberal, so he must be taken off the air.

Heroes of Peace and Freedom in year 2061 schools..

[SomePoorSchmuck]

History describes the years around 2000 C.E. to be the climax of american military and cultural terrorism before its inevitable decline.

"The proles comprising the largest portion of the population were lied to extensively by their aristocracy, which during the 250 years of its existence had brokered its insatiable appetite for power through military land grabs, treacherously broken treaties, and financial and paramilitary operations, continuing through the years leading up to 2010 when, in response to the undeniable holocaust being perpetrated by some of their rulers as well as a great spiritual awakening, the middle classes began to convert to Hinduism, Sufic Islam, Buddhism [with a high rates of

Soka Gakkai practice among nonwhites], and Bahai, as well as a mass return to the quietly devout christianity which settled parts of north america.

It was only after the nihilist-capitalist government was itself reformed by the rising tide of tens of millions of muslim pacifists [who, taking the nonviolent resistance doctrines practiced by Gandhi and MLK, successfully leveraged their solidarity to bring the society to a halt, forcing it to re-evaluate its truculent foreign policies] that any evidence pertaining to who was informed and involved in the late-2001 attack on several locations essential to the operation of the military-industrial regime then in power could be unearthed."

"In view of the distortion and suppression of facts practiced by all governments during their periodic acts of violence against humanity, some began to speculate that the incredible secrecy and ease with which the attacks were planned and carried out could possibly be attributed to very delicately placed double agents in key resistance cells operating across the north american continent. Through this infiltration, hard-line paramilitary extremists throughout the US Federal Establishment and other world governments might have been able to subvert the chain of communication between those abroad desperately trying to have their voices heard and all of our human brothers and sisters fighting for justice and independence, trying to slow the deadly Imperialist Juggernaut from the inside, through the still nominally democratic structures available there. It's possible that many of those trying to effect nonviolent change in America were gradually, falsely led to believe that their mission had become one of dramatic force, and not the peace preached by Mohmed, the Prophet of Allah. Given the massive political tensions of the times, caused by conflicts over the extent of personal liberties, who would stand to gain from such counter-intelligence manipulations?"

"As a growing number of americans began to feel that there was a darker side of their rulers' international leanings, those whose power and wealth lay in perpetuating that dark side began to fear exposure. Thus, as some claimed happened with the invasion of Pearl Harbor on 7 December 1941, it also became apparent that those who stood most to gain from an 'unexpected, devastating, and cowardly' attack were leaders of military powers and corporate regimes. While no evidence regarding whether government agents had prior knowledge of or other involvement with the impending attacks ever came to light, there were some who theorized that the subsequent spate of anti-terror abrogations of civil liberties were the goal of these unseen high-level elements. If historians can ever find evidence of whether these scenarios might be true, we would have to wonder at the kind of people would play games with the lives of thousands to protect their financial or nationalistic interests. It is almost certain that they were acting out of honestly-held convictions. Even thousands of years of recorded history have shown us few Monsters -- most human violence has in fact been committed by highly principled men and women who felt sure that what they were doing was best for their fellow beings."

Let us now all have a week of careful meditation on the pain and suffering endured during the Greatest Dark Age of history, before all humans learned to wish only the Peace of God upon each other. Once we have all passed a week thinking upon these matters, our class will resume for a discussion of how similar misunderstandings and applications of the now-debunked "greater good" system of pseudoethics were also being perpetrated, to various degrees of horror, by governments and organizations outside the former United States of America.

Did they use Crypto or code talk?

[Anonymous Coward]

CNN recently reported finding some notes that the terrorists kept while planning the attacks and living in the United States:
www.cnn.com/2001/US/09/27/inv.rules.engagement/ind ex.html [cnn.com]
One of the last comments was "The source said that a translator helped decipher the document, but some of it "was unintelligible." " I began to think of our use of the Navajo language to allow our Marines to communicate without fear of Japanese code breakers listening in on our plans. Here is a URL about the code talkers :
wae.com/webcat/navajos.htm [wae.com]
With the concern about the law adjustments that DOJ is proposing here is a question. Did those people use code talk against us?
NSA,CIA,and FBI could listen in all day but if they developed their own "code talk" similar to what the Navajos did during their training no amount of encryption regulation on this planet would keep someone from doing this. My understanding of what the Navajos did was to take common everyday words they used in their native language and assign them meening. From what I remember in reading about them they had all just finished Marine Boot camp and they got together as a group and decided what navajo words meant what Marine words. They never wrote anything down and did not have any non-native speakers help them develop the code talk.
What would prevent the terrorists from doing something similar in a cave in Afghanistan?
If this is found to be true would that not mean that all of the lawmakers scrambling for added pressures on encryption technologies are wrong?

who should really be overwhelmed with a feeling...

[porky_pig_jr]

not sure about Zimmerman, but here is a brief list of those who should be overwhelmed with a feeling of guilt:

1. Those responsible for making the american foreign policy. Seems like we are fighting with monsters we've created in a first place (bin Laden and Saddam Hussein). Clearly this policy has no long-term strategic goals.

2. CIA and FBI. I'm not going to comment a lot on this item.

3. Those responsible for Airtravel security. Airport facilities at Logan are complitely inadequate. Apparently the rules of engagements with hijackers aren't adequate either. What amazes me is that the possibility of such events was considered a long time ago, and yet the old outdated rules were kept in place.

Now suddenly cryptography and Zimmerman are scapegoats. Give me a break.