 Hi, my name is Hugh Daniel and my voice went away with a frog this morning. So I'm not going to, I'm going to try not to talk very much. Excuse me, you don't believe it. Okay, let's start the panel. You better believe next time, right? There's a large gap of one Atlantic Ocean's distance between many of us here in the tent and all of us up here on the front table. And we've been wondering kind of what the different hacker communities are like all over the place in the world. I've traveled the world a little bit this year. I've been to Singapore. I've been in Europe now for several weeks exploring the place. And now we're kind of turning tables and we're going to give the people of Europe or at least the hackers of Europe a chance to find out what some of the cypherpunk lives are like. Because one of the things we noticed is that the media at least, if not our own community, often has this attitude that there's one hacker and that's the baddest, meanest cracker dude on the block. I can crack anything and he gets all the girls and no one else does. Well that really is true. No, no, no. Or she does. Really at least in our community, the cypherpunks community, it's a much more varied community than that. We really don't have the entire cypherpunk community here. But out of the 15 or 20 core cypherpunks that have made it here, we've got a small sample of them up here to talk a little bit about what they do and why they do it and what they're going to be doing next. And to kind of give you an idea of the different ways there are of at least being a cypherpunk, if not a hacker, and give some people some, really honestly, to give you some role models other than Kevin Mitnick, which might not be a bad role model, but it's certainly less effective than Son at the moment. I want to start off mentioning, first off, because I have very little voice, I'm just going to try to prod these guys and I could use your help. So if anyone has a question, raise your hand and I will mark you and try to get you up when whoever's talking is done speaking. We're going to start off, though, by playing a game. And this is a game you all played with kids. There's four people here. And I'm going to read, excuse me, Lucky Green is a little late. He's off dealing with some personal matters. He will be joining us in a few minutes. So there's three other people besides me. There's four people up here. I didn't lie to you. So I'm going to start off in reading four job titles. And you're going to try each one of you to guess out of the four job titles which one belongs to which person standing in front of me. So connect the dots. We have sitting up here a philanthropist, a classic American businessman, an industry association leader, and an applied cryptographic scientist. Those are the official titles. I've got some better titles. Plays a cryptographer on the net. Agitator, like running capitalist dog or whatever the title should be there, you know, your classic thing. And Loose Cannon. Those are a little more descriptive, but they're purposely just as confusing. So while we're doing this, you try to figure out who's whom. Why don't we start off with Ian Goldberg. Ian, let me ask a question. How do you get interested in crypto? That's actually a neat question. Okay, now let me ask another question. Go ahead. How do I get interested in crypto? So unlike the way actually a lot of people go about this, where they get into crypto primarily through studying mathematics and things like that and end up in using cryptography to achieve computer security or privacy or whatever your goals are, I actually came from it the other way in my undergraduate degree actually was both in mathematics and in computer science. And one day I was just sitting around and decided I wanted to know how NFS worked, so it was an early undergrad sometime. So I went and read the RFCs and I went, oh my God, because it just doesn't. NFS stands for no-f security. Oh, it's only local radio. You can swear. I'll swear later. Okay, yeah, and that basically got me started into looking at exactly the current state of computer security around internal networks, external networks, and I went from there to examining how to fix things and cryptography is the important tool that we know about to do this, and this is where it was a really good thing. I had a mathematical background and I could jump right in and, as he says, play the cryptographer on the net. I think you just gave away who you are. I wonder how you can tell me. I think it's the goatee. All mad scientists have goatees. Is that true? That's true. Okay. And they're front of stroke. So how did you get into your current position and what is your current position? What is my current position? Oh, I have a couple of them. Among my favorites. I'm a PhD student at UC Berkeley where I do research into things like privacy enhancing technologies, so things like electronic cash and re-mailers and using the internet pseudonymously. That last bit has been spun off into a company called Zero Knowledge Systems based out of Montreal, Canada, where there I hold the position of chief scientist and head cypherpunk, so it says my business card. And basically that company is just commercializing my research as fast as I can invent it, sometimes faster, which is odd. So the idea is that I come up with ways to make the internet more secure for certain values of secure. In this case, we're talking about in the realm of privacy, music, so that you can go online, you can browse the web without having every one of your click-throughs logged and all this data mining fodder available to anyone who wants it. That I think is an interesting project, coupled that with some nice anonymous electronic cash stuff, which we also know how to do, and we're often rolling to the races. So that's how you intend to spend your ill-gained wealth? At the races. So if I had any wealth, I wouldn't be a grad student. What sort of work do you do these days? So I concentrate mainly on finishing my thesis and, at the same time, getting this zero-knowledge systems product forward, which I'll be talking about on Sunday, except for this summer, of course, so I'm just taking the summer off because I like having fun. So you would describe your daily grind as figuring out where the next party is? This summer, yeah, while throwing them. When you're working, what's the sort of work you do? What's your daily real work seriously like? There are a lot of difficulties involved in fielding a large privacy-enhancing network, and they range from network operations to host security and everything in between, and there are lots of problems that even if I don't need to solve all of them myself, I at least need to be able to find someone who can solve them and arrange that all the important problems be solved, whether or not I personally do each one of them. So what's the best thing that's happened to you because of this work? What's the best thing that's happened to you? Hey, you know, I'm talking... Oh, you don't have to tell us her name or anything. You wouldn't think you'd need to bring bondage gear to a Linux conference? So what's the best or worst hack you've pulled off recently? The best or worst hack I've pulled off recently? Oh, what's the recent? I think the GSM stuff was pretty cool, but that was like last year. Can you describe it? Well that was when we found a flaw in the algorithm used to authenticate GSM cell phones to the network, and thus we were able to produce clone GSM cell phones. We discovered that back in April last year, a year and a bit ago now. How long after the GSM specs became available? Did it take for you to notice this flaw? Yeah, that was the thing. GSM's been using this algorithm for like 10 years, but the algorithm was secret. Of course, that makes it stronger, right? So security through obscurity. So as soon as the algorithm was leaked or reverse engineered, as soon as we got our hands on it, it took my office mate and myself about two hours to find this flaw. So it's like, we're just grad students here. I mean, if they had published this algorithm 10 years ago and it was made, hopefully some grad students working on it would have noticed this flaw and they wouldn't have this problem deployed in 80 million cell phones worldwide. Now, of course, there's an interesting coda in that just recently they announced the GSM consortium, announced they're working on Comp128-2, a improved version of Comp128, also designed in secret and not being published. So we'll just wait and see. What do you want to do next? Graduate. I can hear that one coming. Is there anything else? Grad student life is fun. I've been in school now for like 22, 23 years. And I'm done now. Well done, I would hope. OK. So since the cat's kind of out of the bag, you now know who our applied cryptographic scientist is. Next, I want to introduce you to our classic American businessman. Now, I want a show of hands since it's either one of the people on Ian's right or left, who thinks it's the person at the far end of the table? Clap your hands. Enough, enough. And who thinks it's the person immediately to my right? What a bunch of wishy-washy people. That was a split exactly even. Well, welcome to Mr. Samir Parakesh, our classic American businessman. Yay, yay, question. Samir, how do you get into your current position? How did I get into my current position? I took a plane to Germany and I walked into the same house sitting here. I mean, why do you hate me so that you're trying to embarrass me? OK, so, I mean, I just told my life story of my current position. The question is kind of weird. Talk so I don't have to. OK, so. I like your first question better. OK, well answer the first question. How did you get into such an equipped app? So in 1991, I was a high school student in Illinois and I thought the government was grand. But then, but I was using a bunch of board systems in Chicago. And then one day I went to school and my friend came up to me and said, dude, the BBS got busted. I'm like, oh, it sucks. Panic. And so I panicked for a few minutes and I was like, whatever. But then I started doing research and I learned that the RIPCO BBS was this small board system in Chicago. There was nothing particularly interesting going on. People were trading their files and their wares and whatever. But the big thing was that the Secret Service took all of the equipment but they didn't press charges against the owner. And it's actually legal to take all of the owner's equipment without pressing charges. And so then I realized that the government sucked. So after I realized that the government sucked, I got really depressed and I was like, oh, the government sucks. What do I do? But then I learned about this thing called cryptography. And I read an article in Scientific American about how you could use this public key cryptography thing and how it was very cool and all of this. And then I read all these articles about how cryptography will stop the government from sucking. At least sucking you, right? Well, so that wasn't very well worded. How you can avoid the government from sucking you, yeah. How you can prevent the government from sucking in your life or something like that. So then I got interested in cryptography. Are you ready for your speech before the Rotary Club now? Totally. I'll make sure I drink heavily before that, too. Don't worry, that'll be like all the rest of them then. So anyway, I got hooked up into the cypherpunks and I thought that was all cool and interesting. And moved out to California, did the whole Berkeley school thing. And that didn't last very long. I decided to quit much earlier than Ian. Well, Ian's not quitting. He's actually going to graduate. But, and then I started a company. I ran my company for a while. That was a lot of fun. I have some stories. My company was C2Net. We do the web server called Stronghold, which is pretty popular. It's like the number one fully encrypting web server available worldwide. And I've done that. I did that for a number of years. Had what? And that's been interesting and exciting. And lately I've been doing a lot of different things. I have a job as a security consultant. I'm involved with the company I started as this chairman. I throw parties. And I am involved with some MP3 streaming stuff for DJs. So when you're not partying, dot, dot, dot, what sort of work do you do? What's your workday like? What sort of problems do you solve? What's my workday like? I do, I solve a bunch of different problems. At my company, which I founded when I was working there full time, I had a lot of different, there were a lot of different problems. I was in charge of the company. So I had to deal with everything from sales, marketing, development, human resources, legal. One of the most interesting problems I think I solved was the way in which we had to sell. I wanted to sell my products to everyone because then I could make the most money. But the US government didn't want that because they have We could have the most freedom. Yeah, they don't want people to have the most freedom. So in order to be able to sell my products to the most people, I had to set up development offices in two different countries and two different continents in the UK and Australia. And I had to set up an office in Anguilla, which is three miles off of St. Martin in the Caribbean, in order to hold the intellectual property. I had to learn about international tax law in the United States in order to figure out how to avoid being taxed five or six times on the income that was generated worldwide. And I dealt with multiple attorneys in multiple different law firms, in multiple different countries, in multiple different time zones. And so I had to stay awake from the end of the UK business day in the morning in the States to the end of the Australian business day in Australia. So I sometimes had lovely 18-hour days of phone calls to the UK and then phone calls to Australia and conference calls and all of that sort of thing. I've solved problems with personnel. I've had people complaining about how they're upset, how the company was running or whether or not they were going to quit or whether they were going to ask for more money. I've got to hear one of your programmers now. Tell us about the phone part. And so that's one of the more difficult problems to solve because it's very interesting when you've got a company and you're trying to go in a certain direction and everyone knows you're trying to go in that direction. And everyone has the common goal, but there's always conflict over what the right way is to get to that common goal and resolving those conflicts and getting everyone to work together towards the goal is a difficult problem. Those are a few problems that I've been working on solving. Cool. So since you've become a cypherpunk, how did you find the cypherpunk community? How did you find out about this? I have to say, I know Chicago. I was born there. And it's a long ways from California. How did you initially find that community? I initially found the cypherpunks because in my high school in Illinois, I became upset at the government. And I started becoming involved in a whole bunch of libertarian leftist activism stuff. And I got interested in drug legalization. And I started publishing a newsletter in my high school about drug legalization. And that was a lot of fun. And the cool thing, one of the cool things, I actually didn't take drugs when I was in high school. But anyway, so I was publishing this newsletter. And I was involved with the internet at the time. I actually didn't have an actual internet account. I had a dial-up account on a machine that had a UCP connection. And I was on Usenet all the time. And I was on TalkPolitics drugs. And I was on TalkPolitics EFF. And I was posting to these lists, to these Usenet groups, about what I was doing. And I was getting people telling me, ah, cool. Here's some ideas about how to talk about drug legalization and all sorts of things like that. And through doing that on Usenet, a bunch of people were telling me, oh, do you know about cryptography? Here's the deal with cryptography. It's great stuff to let you do this. So I got involved in a bunch of mailing lists. And those mailing lists afforded me to other mailing lists. And those mailing lists afforded me to other mailing lists. And then eventually, I found the cypherpunks mailing list. And so then I started talking to the people on the cypherpunks mailing list. I knew a bunch of them were in the Bay Area. And so I thought, well, I'm graduating high school soon. I can go to UCBundles. I can go to Berkeley in Berkeley, California. Or I can go to Carnegie Mellon in Pittsburgh. And Carnegie Mellon is a really good school. And it's great for computer science, but it's in Pittsburgh, which is all the way on the other side of the, not all the way, but almost all the way on the other side of the country. So I picked Berkeley and moved to Berkeley and got hooked up with the cypherpunks card in person. And then a year after moving to Berkeley, I started my company. What's the coolest single event that's happened to you because of your work? Coolest single event. Lifestyle change of moving to California. Oh, that's tough. Well, work on it. There's been a lot of cool events. All right, what's interesting enough so I can like, you know, sit here and cough on my own for a minute. Okay. Okay, I think one of the really cool things, I can't say it was the coolest event because a lot of cool things happened, was that I was talking to this reporter one day and it was July 4th, Independence Day in the United States. And actually I was talking to him on July 3rd, but then he was like, oh, I wanna talk to you some more. Let's talk tomorrow. And July 4th was like a Saturday or something. So we met in a cafe close to my house in Berkeley. And we said hello and stuff. And I was like, oh, this is a cool holiday. You get to celebrate overthrowing the government. And so he wrote his article and some time later, a photographer came, took some pictures that were gonna be used in the article. I was like, cool, getting my picture taken, media horror and all of that. So that was all very cool. And then one day he sends me an email. He's like, oh, the first printing of the article has come out. I'm gonna FedEx it to you for next day delivery. I think you'll get a kick out of it. And so I get this article in the mail the next day and I look at it and say, oh, wow, that's my picture on the cover. And I look at what it says and it says, this guy wants to overthrow the government. By cool. So I open up the article and I look at the lead quote and the lead quote says, I really like this holiday. You get to celebrate overthrowing the government. And I thought that was cool. One of the really good things about that article though was that on the left facing page, you've got a picture of me talking about how cool it is that you get to celebrate overthrowing the government. And then on the right facing page, you have a picture of the chairman of Citibank talking about how cool it is that you get to overthrow the government. So that was a pretty good article. What are your plans next? I don't know what my plans are next. I'm still figuring that out, so. Anyone with a good business idea, we have a businessman here for you. Anything else you'd like to say? Anything else? Not particularly, no. No, okay. So back to the crowd here. At the far end of the table, one of the last two people is a hippie agitator and one of the others is an industry association leader. I'm trying to do this step. Which one should we talk to first? Okay, Lucky. Well, you're up. Lucky Green is an industry association leader. An upstanding member of his industry, causing many companies to work together in building better components and widgets to be sold upon the widget market, if I remember correctly. Yeah, hi there, Lucky. Lucky Green, and perhaps I should recap somewhat my involvement with CypherPunks as we discussed earlier. There's one common thread that I think you will find going through CypherPunks, and that certainly is anarchy with a big capital A. I've been an anarchist as long as I can remember, a very active anarchist. Sometimes people ask me which government I wish to overthrow, and the obvious and only answer that I can come up with is all governments. So this anarchist tendency certainly permits CypherPunks and it has very much from the beginning. My background in the field of computer science actually is not computer science. My degree in fact is very much removed from computer science. My background is very different than computer geek. However, I quickly became aware that cryptography was a very good tool to achieve at least partially the goal that I had set. The social goal that I had set, certainly, certainly my whole interest in cryptography was really prompted primarily by political and social reasons, rather than technical causes. I stumbled upon the CypherPunks shortly after they were founded, actually reading the very first issue of Wired Magazine, which probably got CypherPunks quite a bit of publicity, and have been an active subscriber ever since. I became a beta tester for PGP 2.0 at the time, and if anybody complains about buggy software code, if you folks, if any of you not beta tested, excuse me, I did back AlphaTester for PGP 2.0, and if you had the hard press to come with a crypto product, it was bugger than that. I quickly realized that there were a number of interesting projects out there, development efforts underway, that were hampered by the lack of modular tools in order to achieve these goals. It's one thing to design and develop a very large project, a very large programming task, that typically frequently requires infusions of money, but what do you do if you don't have that money, or what do you do if you can't get the information you need in order to institute that project? One issue that particularly sprung to mind to me was the dire absence of open source, easy to use development tools for integrating smart cards with a developer's application, whatever that might be. Yes, the smart card vendors will happily sell you a development kit that will only work with their particular smart card in their particular reader. We'll only run on Win32, and probably will cost you somewhere between $3,000 and $5,000, and if you're lucky, you just might get a little bit support out of them in the process, but don't count on it. There's one smart card vendor that comes to mind, a fairly well known smart card vendor, certainly here in Europe, which will only provide you technical specifications, detailed technical specifications for their cards if you, prior to receiving the specifications, sign a contract that you will use their cards exclusively, company-wide. I can fathom why anybody would sign these contracts about anybody would use their cards, but apparently they're people silly enough to do that. I then turned around, contacted some people I knew in industry, and decided to do something about this problem by developing a cross-platform vendor-independent, a reader-independent, card-independent, smart card development kit that allows you to talk to any card in any reader, under, well, not any, but virtually any operating system, with only making minor modifications. This kit became somewhat popular, not quite as popular as I certainly would have hoped, and it's always with these open-source projects, we could always use more people working on it, so if there are any smart card hackers in this audience that feel like writing some tables for this kit, by all means, do so. It's on double, the kit gave birth to a somewhat more formal structure that structure ultimately received a name called the Smart Card Developer Association. We're an association that's comprised of members worldwide, Europe, Asia, Pacific, we even have a member in Africa. The kit is available on www.scartisinsmartcard.org. It already has conversion tables for some of the more popular cards, such as the various crypto cards, of course, which we put in first, the various crypto cards which we put in first, and perhaps most importantly, GSM Sims, and I don't know if Ian had a chance to get into this at all. Oh, he did quickly. We did quickly, okay. Anyhow, this kit ultimately proved rather crucial towards performing the discovery and ultimate break of Comp. 128, the authentication algorithm used by the vast majority of the 120 million by now GSM phones worldwide. But really what I've been trying to focus on is to develop small achievable tools that can later on be integrated and serve set up the structure to provide for a clearinghouse for information, information that vendors don't provide you with. So that's my industry association angle. So what are you gonna do next after this? What are we gonna do next after this? In the immediate future or in the far future? Yes. Yes, okay. In the immediate future, having published Comp. 28, the authentication algorithm for GSM, and having published A51, the stronger of the voice privacy algorithms in GSM, I plan the stronger. Well, stronger for some value of stronger, we don't quite know what actually the word factor is probably two to the 38th most likely. But in the very immediate future, I plan on discovering by whatever means I can, and in fact during CCC hopefully, A52 the weaker of the GSM voice privacy algorithm, at which point we will have published three out of three of the algorithms used in the most widely used digital telephony system worldwide. And very much would hope to do so before CCC is over. After that, I'm still following my original goal, which is to overthrow the government, overthrow all governments. Preferably in a nonviolent fashion by slowly eroding the attack space. So lucky. This one, I gotta hear your answer to this one, because I've got a set of canned questions here. What's the best thing that's happened to you due to your involvement in all of this? Due to your hacking? The best thing that happened to me due to the involvement, especially with cypher punks, is that from people that I've known only by a reputation capital posting on a mailing list for a number of years, folks that I had never met in my life and after exchanging emails with them for four years, in some cases longer, many of them ultimately when we met became personal friends, close personal friends in some cases. There's one I worked for, there are several that I parted with, all of which I parted with. And the most exciting thing is really the knowledge that there are others out there who are willing to do something to exert effort to spend money, time, energy, contacts, whatever it takes to bring about social change in a positive fashion through technology. I'm just gonna remind the audience again that I'm not gonna have enough questions to fill up too much time without some of your help, so remember to ask questions. Okay, well I think we're down to one turkey left on the panel here, and I think you can figure out that he is both a hippie agitator and a philanthropist. Mr. Gilmore, how did you first get interested in crypto? Well, I was, I was in junior high school, or maybe younger, maybe sixth grade, and encountered a scholastic book service, this book about codes and ciphers, and read this thing, because I was reading a lot of books at the time, I was a real avid kid reader, and discovered all of this stuff about spies and secret codes and how this had changed the course of history at various times, how people had figured out what had been encoded on Shakespeare's gravestone 300 years later, did Francis Bacon really write those plays or not? It was all strange puzzling stuff in the world, and that was my introduction to crypto. It turned out that about 15 years later, I was working at Sun Microsystems and trying to figure out how to make the systems more secure, so that as we sold the Unix machines to customers, people couldn't break into them all the time. But still, people, the scientists who we were selling them to could still get in and get their work done and not be annoyed too much. And I realized that this code and cipher, this cryptography stuff was actually the key to making security work over a network, because anything else could be faked. There could be somebody in the middle who's just copying, making a copy of your fingerprint and sending it on or making a copy of your credit card and sending it in as if they were you. But the encryption stuff provided some kind of mathematical hooks that meant really only the real you could be doing this and somebody who'd be faking it would get caught. And so I started investigating encryption to try to make computers more secure. And I quickly discovered that the government didn't want computers to be more secure and they didn't want people to have encryption because it made it harder for them to break into computers. So that was my introduction. Exciting, isn't it? So how did you end up in your current position as a hippie agitator philanthropist? Stock option. Well, I saw an ad for a hippie philanthropist. Damn it. Why can't I ever get to the paper first? What happened was actually I was, as a teenager I got interested in computers because I was interested in math and it was an offshoot of math. And I discovered after I got out of high school people would actually pay you money to do this. So instead of going to college I took computer jobs and they paid me to learn about it instead of me paying them, which I thought was a great deal. And by just building up my work experience from that point I happened to be at the right place at the right time when Sun Microsystems was just starting up in Silicon Valley. I was the fifth employee there because I happened to call them at the right time and tell them I was thinking about taking a job that would port Unix to their boards, to their new CPU boards. And they said, well, God, we're really too busy to talk to you, but we're starting a company and did you say you were porting Unix to this? Maybe you should come talk to us. And so I became the fifth employee at Sun Microsystems which turned out to be one of the big success stories of Silicon Valley. And partly by my efforts, but it was an really incredible team. The first 10 people there were just some of the most excellent people I've ever worked with. Really good at hardware, really good at finances, really good at running a company. All the people involved in the early days were honest so none of us got cheated. And the result was that each of us had a small share in the company and my share initially was half of a percent. But that half a percent by the time the company had grown to be a multi-billion dollar company was worth real money in the millions of dollars. So by being in the right place at the right time and with the skills I'd built up, I made a whole bunch of money. And that sort of set me back for a few years because I had to figure out, well, once I could do anything I wanted, what did I want? Middle-class life doesn't prepare you for that choice. And eventually what I figured out was that I wanted to work on civil rights. I wanted to make sure that the rights that I had when I was born were still there when I passed them on to my children. And that as we were moving on to the internet, we don't lose the right to free speech, the right of privacy, the right of free association, choosing who we can get together with at a conference and who we can send email to and what we can talk about. And having all that stuff persist even as the world moves on into this whole new realm. So I thought that was an interesting challenge and it's turned out to be great. It's a wonderful way to meet people. It's the same experience that Lucky was talking about, finding all the people who care about this and want to find a way to contribute in their lives. And I contribute some money to it, but mostly what I contribute to it is attention, is thinking about the questions and talking to reporters about what's going on and trying to figure out if we're gonna have a privacy problem, if we're gonna have a problem where people are breaking into the infrastructure and making it so that the fresh water doesn't run and you have to figure out how to drink or people are taking down the phone system and you can't call up. What do you do about that? How do you solve those problems long term and trying to figure out, eventually what I figured out was that the government policy on encryption was wrong, that it was preventing us from securing all of our infrastructures and providing privacy to ourselves. And I had to figure out, so how do you change such a deeply ingrained bad idea so that before it screws up your society you actually get it fixed? So that's, it's been an interesting challenge. And go ahead. No. I want the next question. Can I have one? Wimps, ah, good, one man among you. I mean, folks in the US originally invented the internet but we didn't invent the web, that happened over here. It's really been a worldwide collaboration. We just happened to be there first but there've been lots of contributions made by other folks. And, yeah, of course we screwed a bunch of stuff up. We gave a monopoly to a small company that was sort of doing an okay job of taking name registrations but then a big defense conglomerate, we called them Beltway bandits, bought that company and started trying to exert real monopoly control over what went on on the net and just say, everybody's gotta pay us $50 a year to be on the internet. And we said, gee, there's something wrong with that but it's taken now many years to try and fix it and it's still not fixed. Whatever you guys can do to help fix that, we will appreciate it. So, John, can you describe what your daily grind is? Oh, it's like six to eight hours a day of reading and responding to email. So you're an email hacker. We need better tools for dealing with email. Secretaries. Yeah. Can you describe your best or worst recent hack? My best recent hack I thought was the Desk Cracker. That was a lot of fun. Big win. Right, the government, IBM invented an encryption system in the 70s and the government was running a competition for who's going to create the standard encryption system. And IBM won it with their system called Lucifer and then the National Security Agency went in and said, well, there's a few problems in that. Let's change these things around it and here's the standard you should use. And that was called Desk. And the academic cryptographers, of which there were just a few back then, were saying, wait a minute, what'd they change in there? I mean, is this really a good cipher or not? And we think we could build something. It might cost 20 or $30 million. We think we could build a machine that would crack this. And the government said, oh, these guys don't know what they're talking about. These are students. Let's just use the standard. Oh, babe. Over there? Right, and people use the standard and it did actually provide a lot more security than what people had before, which was nothing or almost nothing. Machine ciphers like Enigma and Clear Text. And the whole banking system, ATM machines, all of that stuff was protected with Desk, which was certainly better than nothing. But it turns out that Desk had been designed such that the key was sufficiently short. There were a short number of possibilities on the combination lock. And like getting into a suitcase, you only have to try 0, 0, 0 through 9, 9, 9. Maybe if you have a few hours to spend, you can do this. The government had left few enough combinations in the keys. They could try every possible key. And probably by this point, they can do it in seconds. We built a machine. We set a goal to build a machine that could prove this could be done in a week. And to spend as little money as possible, but just do as little work as possible, come up with some machine that proves you can crack Desk in a week. And I hadn't done a hardware project since I got out of sun, so I'd forgotten all the horrible ways that you could screw yourself with hardware. So we had chips that didn't work the first time. We had to make them work anyway. We had boards where half the wires were soldered, not half, but hundreds of wires are soldered on wrong, and we have to re-solder them up on the surface on little green wires. We had systems that overheated and drew too much power. All the things you don't worry about is a software programmer. It's like even these days, you run out of memory, it just allocates more off the disk. There we had, it took us a year, and we had to do lots of collages, but we ended up entering a contest put on by RSA Data Security, and we cracked a Desk encrypted message in 56 hours, and then published a book. When we won the contest, we also immediately published a book, and that gave the complete details of how to build the hardware, how to build the software, and hook it all together, as well as academic papers, the original papers that had talked about, we think there's a problem with this in the 70s, and some later papers like by Ian that talked about some initial experiments they had done using programmable gate arrays to figure out how fast you could break this code. So the whole idea was to make a big publicity splash, get people aware that, hey, Des isn't any good, you should stop using Des, because the intelligence agencies are all listening in to everything you do under Des. So if you want real protection, you gotta switch to something else. So by winning this contest, publishing this book, et cetera, we talked to a New York Times reporter who I know, because he calls us up about other things, got him in and showed him the machine, basically said, you gotta hold this story until we win the contest. We wanna be able to announce, not that we're going to build a machine for this, but that we have built it and it works, and he took the bait, and he held the story until we won the contest, and then we got on page one of the New York Times with this thing that broke the government standard, and eventually caused the export laws to change and a bunch of other things. So I thought that was a cool hack. So you had a question. Yeah, the national security agency, when they first changed the Lucifer algorithm into the Des algorithm, when it was just being standardized, it turns out that they had actually strengthened the algorithm in several ways. They made it resistant to several forms of cryptanalysis that we out in the public world hadn't discovered yet, but that they inside the classified world had discovered. In particular, differential cryptanalysis, which was invented 15 years later by Adi Shamir and Eli Beham, had already been invented in the classified world, and they changed it so that other nations, cryptographic agencies that also knew about this couldn't break DES, but they also shortened that key so that anybody who threw enough hardware at it could break DES. And this agency, the national security agency, it has an annual budget in the $5 to $10 billion a year range, and it spends it on wiretapping the world, on intercepting as much satellite traffic as they can, as much undersea cable traffic, as much microwave and cellular traffic as they can, and scanning it for things that the U.S. government and other allied governments are interested in. There's actually an NSA listening station at Bad Eblen, I'm probably mispronouncing it, here in Germany, another one in the U.K. at Menwith Hill, and stations in Australia at Pine Gap, and several stations back in the United States that listen in for all of our communication and everyone else's, and try and filter it for things of interest to them. And the trick is, we never get to find out what's of interest to them. Are they actually tracking criminals? Are they doing diplomatic spying, or are they spying on people exercising their civil rights, people doing commercial transactions, and feeding it back to their own companies? We don't know what they're doing, and we'd like a little more oversight. John, I believe there was an interesting incident just before you announced Deep Crack with a reporter in Washington, over in a bar. Oh yeah, tell me about it. The reporter asking you if you knew who these people were doing this project? Oh, well, several people knew that we were doing the project. I brought some folks in from the cryptographic community to help me design the hardware who actually did design the hardware and design the algorithms involved. We had a bunch of people who contributed papers to it like Ian, and also several people in the computer security and crypto community who reviewed the book and told us what was wrong with it so we could fix it before we published it. And all of those people were sworn to secrecy, not because we're trying to pull one over on any one, but because we wanted to get the maximum impact when we released it by saying, it's a done deal, it really works this way, it's not that we're some academics predicting that it will happen, it's that it really happened. And so all those people were being very good about not talking about it, but a reporter in Washington kind of got on the scent anyway, heard there was something going on and eventually started pestering me. And I had to put him off to basically say, well, I telling him the same story, I told you we're looking for maximum impact, we want it to be announced after it's done and it's not done yet, so I can't tell you about it. But he got annoyed that we'd given him the story to the New York Times before him. So what do you plan to do next? Well, I've got any clips to see. Ha, ha, ha. But I'm also hoping to round out more of my personal life. I'm trying to start a relationship, looking to have a family, as well as pursuing civil rights and all of that stuff. I'll be 44 this month. It's time to get a few of those other things dealt with. At this point, I'm gonna open things to general questions if anyone has them about the Cypherpunk community, about hacking, about anything that you feel you want to ask of us. So boring. Way in the back. Are you interested? The question is whether I can reveal some additional details regarding my attacks on the GSM algorithms. I'm not sure I fully understand the question. Are you talking here about the future attacks still to happen? No, the one you're doing here at the CAC. The one where, yeah. How can they help? That's a really good question. Currently, much of it depends on actually what's happening back in the reverse engineering tent, which I must confess and I'm most embarrassed to say so I have absolutely no idea. Since I spent the entire day actually driving around in the car to get a sound system for the big party that we're having tonight. And all other following nights, of course. So depending on what kind of equipment there is in the reverse engineering tent, I would very much like to take some rather, some harsh measures to some of the ASICs inside a GSM phone. It's more for hardware attack. I don't know if these guys actually have a scanning electron microscope. I very much hope they do. On site here? On site, yeah. I hope they have a scan electron microscope. If they don't, then we might have a problem. But anyway, what I would like to do is decap the chip and to really go over it with a scanning electron microscope and just read out the algorithm directly because I'm sick and tired of having to deal with GSM. I've worked on this now for two years and it's time to wrap it up. If you happen to have bought a scanning electron microscope, talk to us then. Oh. You do not have one in the engineering tent. Well, we'll figure something else out. I have something like that. OK, we're halfway there. It's a start. Well, I thought one of the possibilities was to do some decompilation, some reverse engineering on software code for an embedded processor. Does that work? Does that help? So we discovered that there is a good number of GSM phones that actually allow you to flash upgrade the firmware. There are some, we then discovered, unfortunately, that the crypto algorithms aren't done in the phone firmware. However, the DSP that performs both the voice encoding and the crypto algorithms actually has a diagnostic port that we believe might allow us to dump the contents of the DSP. So if we have some DSP hackers here that know a bit about Motorola DSPs, then by all means talk with us because if we can get the DSP to spill its guts, which should be possible, then yes, in fact, we can just simply decompile the code of the DSP and reverse and publish A5 to from that. So any DSP hackers give us a holler. You want? What? Could you introduce yourself to ask all of us a question? Oh, you! You! He is a big... Yeah, you is the big-time troublemaker. Hi, my name is Hugh Daniel. My current work revolves around trying to get the internet itself secured when the military-industrial-educational complex in the USS of A designed TCPIP fact in the early 80s, we had no need of protecting the privacy of data, of making certain the data was the data you thought it was, or providing any sort of anonymity because we were all just students or military contractors or something like this. The IETF, the Internet Engineering Task Force, I don't know if I can make this a very long paragraph with the way my voice is going. The IETF has spent six years arguing and bickering over a design to add security and authentication, encryption and authentication, although not anonymity, to IP itself. And I have a team of programmers outside the USS of A in free countries that are coding this up for Linux, and we're trying to distribute that system to all of the Linux distributions and to people all over the world to start authenticating and encrypting their communications over the net in general. So yeah, I'm philanthropizing this project. Hugh is managing it, and we have people in other countries working on it. Something that you folks actually who live outside the USA can do, the people who make Linux distributions inside the United States can't put this code into their distributions unless they comply with a lot of export control bullshit, which would make it harder for them to do their job of pushing Linux out into the world. And make it impossible to do the crypto right, which is more important than playing games with our government. Yeah, so what you folks can do is when you make Linux distributions out here, put the good crypto in, make the stuff work in your own distribution so that people all around the world in Europe and back in the United States can bring it back in and have a secure network. If when you install Linux all over an academic network or something, make sure you've put the crypto stuff into it so you can set up secure connections among them, make it, you know, put it to good use and spread it around. And you can do many things that we in the US can't do. So we're depending on you to help pull some of the weight. And at this point, since I have very little voice, I will simply put up an advertisement for the next session here in this room at midnight, which is the Linux crypto summit where we're gonna try to figure out how do we do some of the stuff John was just asking about. I guess I'm gonna say one other thing. The way I got started hacking, the way I got involved in computers so I wandered into my high school in 1976 and then there was a Altair 8800. To give you an idea, this machine at the time had 256 bytes of memory on a card like this, okay? So I asked the teacher, can I learn about computers because it had more blinky lights and more cool switches than any light board I'd ever run, rebuilt, designed or whatever. The teacher looked down and he said, kid, if you passed algebra one, I said, no, but I'm taking math. Kid, get out of here. So two weeks later, I forced my way into the computer course by having had one of the other students teach me to toggle in bootstrap loaders. The computers were so dumb, when you woke them up in the morning, they didn't know what to do, they just kind of sat there going, dee, dee, dee, dee. And you had to basically twiddle their nose for 20 minutes up and down until they got going. Four years later, I graduated, excuse me? Yeah. Eek, what are you using, M size? No, no, Win 2000. I thought that product was coming out in 100 years, I thought the next thing they were shipping was Win 1900. So to finish the story up before my voice completely goes, four years later, I bothered graduating from high school. My job at that point was as a person at the university in town where I grew up, I was doing research on how to write educational games that weren't shoot-em-ups and teaching professors and deans at the university how to integrate computers into secondary and tertiary education systems. I never did pass algebra one. I think we're done unless these people actually find a question in their souls. Let's call it quits. You can corner us individually. Thank you very much.