Date: Sun, 08 Feb 1998 11:15:00 -0500 (EST)
From: John Young <jyaat_private>
Subject: Soft Tempest
To: cypherpunks <cypherpunksat_private>

To: ukcryptoat_private
Subject: It is really me - the story of Soft Tempest
Date: Sun, 08 Feb 1998 15:09:40 +0000
From: Ross Anderson <Ross.Andersonat_private>

Bruce Sterling, and others, have asked of the Washington Post story
[see below]:

> Is this story correct?

The Washington Post gives a highly distorted account of some very
important scientific work we have done. I suggest that list members
read our paper - <www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf> - for
themselves before getting carried away.

The story is as follows. Bill G gave our department $20m for a new
building, and his people said that what they really wanted from our
group was a better way to control software copying. So it would have
been rather churlish of us not to at least look at their `problem'.

Now the `final solution' being peddled by the smartcard industry (and
others) is to make software copying physically impossible, by tying
program execution to a unique tamper-resistant hardware token. We
wouldn't like to see this happen, and we have already done a lot to
undermine confidence in the claims of tamper-proofness made by
smartcard salesmen.

So Markus and I sat down and tried to figure out what we could do for
the Evil Empire.
We concluded that

(1) large companies generally pay for their software;

(2) if you try to coerce private individuals, the political backlash
would be too much;

so

(3) if the Evil Empire is to increase its revenue by cracking down on
piracy, the people to go after are medium sized companies.

So the design goal we set ourselves was a technology that would enable
software vendors to catch the medium-sized offender - the dodgy
freight company that runs 70 copies of Office 97 but only paid for one
- while being ineffective against private individuals.

We succeeded.

In the process we have made some fundamental discoveries about
Tempest. Army signals officers, defence contractors and spooks have
been visibly flabbergasted to hear our ideas or see our demo.

In the old days, Tempest was about expensive hardware - custom
equipment to monitor the enemy's emissions and very tricky shielding
to stop him doing the same to you. It was all classified and strictly
off-limits to the open research community.

We have ended that era. You can now use software to cause the
eavesdropper in the van outside your house to see a completely
different image from the one that you see on your screen. In its
simplest form, our technique uses specially designed `Tempest fonts'
to make the text on your screen invisible to the spooks. Our paper
tells you how to design and code your own.

There are many opportunities for camouflage, deception and misconduct.
For example, you could write a Tempest virus to snarf your enemy's PGP
private key and radiate it without his knowledge by manipulating the
dither patterns in his screen saver. You could even pick up the signal
on a $100 short wave radio.
The implications for people trying to
build secure computer systems are non-trivial.

Anyway, we offered Bill G the prospect that instead of Word radiating
the text you're working on to every spook on the block, it would only
radiate a one-way function of its licence serial number. This would
let an observer tell whether two machines were simultaneously running
the same copy of Word, but nothing more. Surely a win-win situation,
for Bill and for privacy.

But Microsoft turned down our offer. I won't breach confidences, but
the high order bit is that their hearts are set on the kind of
technology the smartcard people are promising - one that will
definitively prevent all copying, even by private individuals. We
don't plan to help them on that, and I expect that if they field
anything that works, the net result will be to get Microsoft
dismembered by the Department of Justice.

Meantime we want our Soft Tempest technology to be incorporated in
as many products as possible - and not just security products!

So to Rainier Fahs, who asked:

> If these rumors are true, I guess we will face a similar discussion on
> free availability in the area of TEMPEST equipment. Does privacy
> protection also include the free choice of protection mechanism?

I say this: our discovery, that Tempest protection can be done in
software as well as hardware, puts it beyond the reach of effective
export control. So yes, you now have a choice.
You didn't before,

Ross Anderson

----------

http://www.washingtonpost.com/wp-srv/WPlate/1998-02/07/060l-020798-idx.html

British Technology Might Flush Out Software Pirates

By John Burgess
Washington Post Foreign Service
Saturday, February 7, 1998; Page H01

CAMBRIDGE, England -- It's a technique that intelligence
agencies have used for years: Park a van filled with
monitoring gear near an embassy and listen for the faint radio
signals that computers routinely emit when they are on.
Analyze those signals for clues to the data that are on the
computers.

Now researchers at the University of Cambridge, home of
groundbreaking work in intelligence over the years, are trying
to adapt this technology to the fight against software piracy.
With special code written into software, they say, computers
could be made to broadcast beacons that would carry several
hundred yards and identify the software they were running,
complete with serial numbers of each copy.

Vans run by anti-piracy groups could pull up outside a
company's office and count the number of software signals
emanating from it. If, say, 50 beacons for a particular title
were detected but the company had licensed only two copies
of the software, that could become evidence on which a court
would issue a search warrant.

Ross Anderson, a University of Cambridge lecturer who is
overseeing the project, said the idea originated last year when
Microsoft Corp. Chairman Bill Gates visited the university
after his private foundation announced a $20 million donation
to the school. Gates told officials that, among other things, he
would love the university to come up with new anti-piracy
techniques.

So far, Microsoft isn't enthusiastic about the university's
approach, Anderson said. "They have some reservations.
Obviously there are Big Brother aspects," he said.
A Microsoft spokeswoman said the company has no plans to
adapt the technology.

Emilia Knight, a vice president at BSA Europe, a trade group
that combats software piracy, said such an anti-piracy system
might be technically feasible. But she noted many practical
questions on the legal side, such as how the system would
differentiate between companies pirating software and those
legally using multiple copies of programs.

Knight said that concerns of privacy and consumer rights
might make the system a no-go for industrialized countries.
But in places like Eastern Europe, she suggested, where piracy
is rampant and there is no tradition of such protections, the
software signal detectors might be acceptable.

Richard Sobel, a political scientist who teaches at Harvard
University and researches privacy issues, called it "an
appalling idea."

"If the technology is there to identify what software people are
using, there's the prospect to figure out what people are doing.
. . . It sounds like a horrible violation of privacy," Sobel said.

In Britain, however, it might seem less controversial. Here
authorities have long used similar techniques to ferret out
people who fail to pay the annual license fee of about $150
that the law requires for each TV set in the country.

Cruising the streets here are vans carrying equipment that can
detect emissions from a TV set's "local oscillator," the part
that turns a station's signal into a picture.
If the gear senses a
TV set inside a house from which there is no record of a
license payment, this is used as evidence to levy fines.

The system also can tell what channel people are watching
because the oscillator gives off a slightly different signal for
each one.

Anderson's researchers have built a prototype that can detect
the type of software running on a machine from short range --
the hallway outside the room where the computer is running.
Anderson said they are ready to build prototype hardware
with a longer range, at a cost of about $15,000-$30,000 -- if
the lab can find a customer. So far, none has stepped forward.

© Copyright 1998 The Washington Post Company

----------

Date: Sat, 7 Feb 1998 13:05:45 -0500
From: Stewart Baker <sbakerat_private>
To: ukcrypto <ukcryptoat_private>
Subject: Ross, Is that really you?

Today's Washington Post claims that a Cambridge research team led by one
Ross Anderson is developing technology that would require all personal
computers to broadcast the identity of all programs they are running so
that anti-piracy investigators can sit outside universities and businesses
and check to see whether the folks inside are running more programs than
their licenses allow.

The article says that even Microsoft thinks this might go too far in
invading the privacy of computer users. But advocates for the technology
claim that it will work fine in benighted Eastern European countries where
piracy is rampant and the natives are used to having their privacy invaded.

This raises at least three questions:

1. Is this story correct?

2. If so, is the Ross Anderson it describes the same Ross Anderson known
on this list for his attacks on Big Brother?

3. If so, are we to understand that Ross objects not so much to invading
privacy as to government competition in that endeavor?

Stewart Baker
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:47 PDT