Welcome to the crypto and privacy village on this nice Sunday morning. I appreciate that you got up or stayed up. And we've got a good lineup of speakers today. And we're starting with Ryan Lackey. And he's giving a great talk on cypherpunks, or cypherpunks history.
Great. Thank you very much. And yeah, definitely. Thanks. And yeah, Sunday morning is always a fun day at DEF CON. 11:30 is pretty early for me, too. So yeah, so my name is Ryan Lackey. I've been interested in cryptography since probably 1990 when I first discovered it when I was like 11 years old. It was just the thing that immediately drew me to being really excited about the possibilities of mathematics, computer science, everything else. And fortunately for me, I discovered IRC and then I discovered the cypherpunks mailing list really early on, like a couple months after it got started.
So there's this mailing list that we're going to talk about called the cypherpunks mailing list. It was founded in 1992. There were three guys that are individually really famous for a lot of other things: Eric Hughes, Tim May, and John Gilmore. They've gone on to do a lot of things. They've actually done a lot of things beforehand as well. So it was really probably the most interesting place on the internet to discuss cryptography, privacy, politics of the sort of techno-libertarian front, all sorts of other stuff for the whole 1990s, which was really exciting for me because I was a teenager and got to see all this stuff firsthand. I actually ran one of the first mailing list archives for this on my machine at MIT when I was a student, which became really interesting legally later.
But yeah, just as a quick question, who knows about the cypherpunks by show of hands? So maybe about half the people. Who was on the mailing list in the 1990s? One person. So this is going to be something that people hopefully are going to be really excited about and then go look into after the fact, because it's definitely worthy.
So the reason you probably haven't heard of it as much is that it had this sort of like golden age in the 1990s, probably from the list founding in 1992. I think 93, 94, maybe 95 was really the high point of the list, where lots of stuff was being discussed. But just as you've seen with other forums on the Internet, a lot of stuff came up later and sort of made it so that today it's essentially non-existent. All sorts of ideas. We'll go into these individually and talk about them in a minute, but I just want to describe some of the other stuff that happened.
There was a lot of politics on the list. There was bad politics, which I'd say were like internet scene warfare. Who gets to run the mailing list? A couple court cases, trolling and spam like in a weaponized way, like anything you see on Twitter or modern stuff. Imagine if you had a centralized mailing list that people were fighting over. So there's a lot of bad politics, but there's also a lot of good politics. It's where people were discussing a lot of the big issues of the day. A lot of the legal precedents that exist today with like DMCA, the downfall of the CDA. Things that are still issues today, ITAR, patents, everything else, were contentious issues there, and we didn't really have anything that went to reference. There was no history of these things, so it was the first time.
And then all sorts of stuff. This was sort of the founding time of the internet becoming commercialized, going from like NSFNET and a lot of academics to being commercialized. So there were a lot of discussions about that kind of stuff, ranging from people that thought government's evil, corporations good, free market, whatever, or corporations evil, regulation can help people. And there were like pretty serious debates there. I wouldn't say that debates are often very good, as long as they're constructive, and there were a lot of constructive debates there. There were a lot of really interesting people there.
I think at the peak, it was probably about 2,000 people. There were hundreds of people who actively posted on a weekly basis. And of those people, I think if you looked at people that were active in the 1990s in crypto, a lot of the people that are still active today were people from that mailing list. There's a lot of professors, there's a lot of people that have gone on to do startups. I was on the younger side back then. There were a lot of people that were maybe 10 or 20 years older than me that have gone on to be like tenured professors or VCs or have founded things and even retired at this point. There were some really famous people that we can go into in a minute.
But just as a quick step, I'll go back. I have a mailing list archive that I just about 30 minutes ago put live again. Embarrassingly, I had a web server that had a hard drive that failed. It's still a physical server, not virtualized. And I left it offline for a little while. I put it back online; it's free, accessible. There's a web archive, you can go per message. There's also raw archives of the entire list. So as we discuss these things, you can then go back and search. And I submitted it back again to Google, so it should be searchable by the keyword. So if you find a keyword that you find interesting, you should get links on this pretty soon. And I have most of the archives. Hugh Daniel gave me a lot of copies a couple of years ago. I then lost some of those and then someone else archived them. So it was a crazy thing where 600 megs of data was like a big deal back in the mid-90s. But it should be pretty comprehensive, and I have some other ones that I'm adding to it as well.
So the thing that's most interesting are there's a lot of ideas that were discussed on the list and they were discussed over a period of years.
In multiple stages, there were initial ideas, and there was really, people would discuss things in short comments, like one or two line comments and reply to a mailing list, but people would also go out and write running code. The motto of the list is "Cypherpunks write code." The idea was that you'd have somebody build a proof of concept or demo something and you'd actually get to see how it works in practice rather than spending years discussing theoretically how something might or might not work. And as a result, you got a lot of really interesting but kind of janky prototypes built that were useful somewhat, but then you got other people that said, oh, this is wrong. And instead of just saying, oh, this is wrong, this sucks, they would actually build something better, and it would be sort of this iterative process, which was really interesting because it was back before startups and commercialization were really the way that the internet worked. So you had people that would be just building these projects. Like I was a student, there were lots of people that were students. There were lots of people that worked for big companies. Tim May, one of the biggest people on the list, worked for Intel for a while and then was retired. So it was a really fast, like, iterative cycle of developing stuff and everything else. And so, yeah, so lots of these, it was very, very fertile for these ideas.
So lots of things were discussed then and then have happened. These are some of the things that have happened, a few of them that haven't. I'd say onion routing is one of the biggest successes. So the concept of onion routing was discussed on this list and a few other lists in, I think probably about 94, 95 was the earliest. I was looking through and there were some academic people. Naval Research Laboratories, Paul Syverson and some other people there were working on it. And this is what we now know as Tor. It's gone through a lot of evolution; the Tor Project now exists.
It sort of got separated out from government, but it's been a long process. But this is something where the seeds have been, like, they were planted back in the 1990s, and this is a tool that's still under active development, active use, and it's probably the best system today. It's a system to anonymously or non-attributedly connect to things.
Anonymous electronic email was discussed on the list a lot, remailers. There was one of the most technically advanced things that I saw on the list. The idea was that you could send email to a server and then the server would have a pool of messages and would resend them after a certain point. And this is one of those cases of iterative development where the first version was called a Type 1 Cypherpunk Remailer that really wasn't all that great and had a lot of problems, and then we had Mixmaster Type 2 Remailers that were a lot better, that were built on top of that, and then we had Mixminion Type 3 Remailers that were under development. One thing that Len Sassaman worked on a lot; unfortunately he passed away a couple years ago. The field has largely declined because email has become less of a thing. It used to be everyone liked SMTP. They had a lot of separate systems that would interconnect via regular email messages. Now people use instant messengers or on-site messaging like Facebook Messenger or whatever else, which has sort of led to the decline of remailers. It's one of the things that I think is the most underutilized technologies, sort of message-based mixnets.
Chaumian e-cash, so everything you see about Bitcoin had precedents on the Cypherpunks mailing list. It was really interesting. This is the one technology that got me interested in crypto and in the Cypherpunks. David Chaum, an American professor who was working in the Netherlands, developed this, I'd say from 1983 to 1986.
He patented a lot of it, and everything you see about Bitcoin, except for one feature, this stuff does better, faster, cheaper, everything else. The only downside is it's an inherently centralized system. It's permissionless in that anyone can spin up a server and do whatever they want, but it lets you set up a currency, but every currency has a server that has to remain online. So for a lot of reasons, 20-year cycle of development, Bitcoin eventually was successful, but the whole promise of blinded transactions where you can anonymously pay someone a currency or a transaction in cash, in app coins, the stuff that's being discussed today has been already gone over for years, prototype built, commercially built through DigiCash Incorporated, through a couple other companies, everything else from the 1990s to the 2000s and on.
One of the most interesting things that has sort of existed in various forms is Blacknets. Tim May created something called Blacknet. It was sort of a prototype for it. The cool thing with all these technologies is you can combine them. You take remailers and anonymous cash and together you have a way to build a server that lives somewhere, that can receive email, that you don't know where the physical server is. Receives payment, does something, and sends you back a message. And that's actually more secure than an onion site in a lot of ways, because it can be separated out through time. If you have a high latency operation, you can very easily send a message and say, oh, it'll take a week to get a response, and that protects you from a lot of things. But he created something that was basically an information market, where you could say, I'm willing to pay X amount of money for, say, the source code to Windows 95 or something, and people would be able to anonymously fund that kind of transaction. We saw that later happen with Bitcoin and then Silk Road and things like that. So it sort of has a precedent there.
And information markets where people would, there were all sorts of exciting things like the Street Performer Protocol, where you would come up with a bounty for people to create works of art. Basically Kickstarter, so decentralized cryptographic way.
One of the weirdest things was this concept of assassination politics. It's probably the most inherently negative thing on the list. It's also the thing that I had sort of a personal connection to. There was a, it was discussed on the list as like an idea that no one would actually want to do. The idea was that you could create a bounty, so a bet. You could basically create an assassination market that was a betting market. I predict that certain famous person is going to die in a certain date in a certain way. Obviously the best way to win your bet is to be the one who effects that operation. So it's sort of a weird legal hack where you have sort of plausible deniability, never really tested. Normal people would think this is a bad idea. Unfortunately, or well, it's a trait that there were some fairly non-normal people that were attracted to stuff. It was on the list and I think mentally a little bit unhinged. I never met him in person. He really was a big fan of this thing and lived in Oregon, and incidentally to all that, he published about it and all sorts of other stuff; incidentally he set off some stink bombs at the IRS building in, I think, Portland. And there was some prosecution that happened, and for me this was really relevant because in that court case they subpoenaed my mailing list archive and they wanted me to testify to the veracity of the archives and everything else where he described killing federal officials and all sorts of other crazy stuff. I was living in the Caribbean working on an anonymous electronic cash system at the time, and it turns out that you don't want to go to federal court even as a witness.
It's just never a good idea, and they don't really have any power to compel you to show up if you're outside of the US trying to attend, and it went and he was prosecuted and went to jail. It was a pretty interesting thing.
There's a bunch of fundamental security technology that was discussed: the capability security model. This was actually something that existed before the cypherpunks, that existed in the 80s from some cool people that were doing electronic gaming virtual community stuff and then turned it into a really exciting, really technically powerful, but different than the way everyone builds stuff, security model. Self-enforcing contracts: I'd say Nick Szabo, who's in the running for being Satoshi Nakamoto, I'd probably say is one of the top five candidates for it, developed the idea of contracts that you can write that would enforce themselves and would be machine interpretable, which sounds an awful lot like Ethereum or Tezos or any of the modern systems like that, and this was all discussed in like 1997 and built as a prototype. Things like data stores that were essentially turning the internet into a block device, where you could pay someone to store a certain amount of data that was encrypted, that they wouldn't know what it was, for a period of time, with like redundancy striped across a bunch of servers, sounds a lot like the store coin or the other things that are built today. So cool things like that.
A bunch of secure hardware stuff. Lots of discussions of secure communications terminals, which at the time were, the very end were like Palm Pilots that people had regularized, so it was really before it was possible to do this kind of stuff. I remember walking around with like a briefcase and a laptop and like a handcuff thing on it, and that was like the secure terminal I could use for cool stuff.
The idea of data havens: I think Bruce Sterling's Islands in the Net novel from sometime in the 80s was one of the first people to discuss this. The idea had existed previously. There was lots of discussion about where to build it, and I actually ended up meeting the co-founders for HavenCo, the offshore data haven that I started, on the list. And cool stuff, and then much more useful stuff. This was where debates happened about the SET protocol versus SSL, and you probably have not heard of SET unless you work in banking. So as a result we got, the consensus on the list was this other thing is a little bit technically more interesting because it will never get used, and that's in fact what happened. And then all sorts of secure messaging stuff: voice encryption, secure terminals using WinCE, all sorts of cool stuff like that.
So yeah, it was a pretty exciting place, and now there's a mailing list archive where you can search. There's like 600 gigs of data where you can go and find the initial idea. One of the things I was thinking would be really nice would be if people found prior art for patents that people are asserting in the field, because if something is really discussed and prototyped back in the 90s, it clearly shouldn't be patentable by a company today. Also, there probably are ideas that you could build today and turn into a working thing that haven't been built yet. So yeah, lots of cool stuff. I would be interested in discussing any of these things with anybody, if anyone has any questions at this point; otherwise I can talk about some of these or persons from the cypherpunks list. But thank you.
Sure. Okay, so secure hardware and HSMs are really interesting. HSM is a hardware security module. So people used to, this was in the time when doing public key operations was actually a challenging thing for a computer to do. You would probably tie up your desktop computer; you could do maybe like three to five RSA operations in a second, and if you had a mobile device it would drain the battery on
like a Palm Pilot or something. So there was the idea of using an outboard dedicated processor to do your cryptographic operations. It would either be a card or a SCSI drive thing that would fit in. They still exist today. There's a lot of reasons to do them. They used to be crypto accelerators; now they are really there for putting hardware protection around a CPU and doing two factor human control and things like that. These have been, they've gone from, on every web server, every public facing web server, you'd have a lot of them, to now they're very limited in deployment. Like you can use a cloud HSM in Amazon, because they're all at $30,000 each. So instead of having one big server, which used to be the model with this, it was at the time $5,000 to $10,000 box to do the crypto, now you have like a hundred $2,000 PCs as your front end and you might have one of these servers to distribute keys, but in most cases you don't.
They are another one of these things that I think was a good idea then, that sort of has had a 20 year period of not really doing all the stuff it should do, and actually makes sense to do today, because now you're using cloud resources where you never actually see the computer you're working on, and there's this whole like Matrix question of, you're talking to a remote server, do you know if you're actually talking to a bare metal server or you're talking to some virtualized environment where someone's monitoring everything? And finally, people have keys, like there are Bitcoin keys out there that are probably worth $100,000,000 or more, where people have a single wallet with lots of stuff, and I personally don't ever want to have a key that I have sole authority over with $100,000,000 on it, because if I did I'd have to have a level of physical security at all times equal to that, because otherwise you just like kidnap somebody and say like, turn over the key or we'll shoot you or shoot somebody else. So this hardware security module idea is becoming more relevant again. I
had a looking at building one of these things. It's sort of like an open source project where you could have an open source HSM container and put an arbitrary board. The problem is they're fundamentally a very niche product right now. I don't know how many are sold per year, but it's definitely under $10,000 a year, because they're so expensive and they're sold to banks, governments, CAs, people like that are basically price insensitive, so the costs have just kept going up. They become more niche. One of those things where if it were more widely deployed it would be cool.
That stuff is interesting on the client side for it, but unfortunately fails some of the hardware requirements. If you have physical access to the device it's pretty straightforward to attack. Not super straightforward, but it is feasible to attack a TEE or an SGX environment if you have physical access to it, if you're willing to do hardware level stuff, and with an HSM you're not supposed to be able to, although you can. But yeah, that's the HSM market.
The thing that was really missing the most from the cypherpunks era was the mobile phone. I think if the smartphone had existed back then in any form that had wide area connectivity, even if it was a very low bit rate connectivity, and a thing that you could carry around as a handheld terminal, I think that would have pushed a lot of this technology about 10 years earlier than it did. And a lot of that stuff was held up for carrier licensing reasons. Like the technology basically existed; there were, like the Psion PDA from a long time ago had a lot of this capability. There were lots of weird restrictions why it didn't happen. But yeah, really I'd say mobile phones, smartphones have been the thing that was missing. And of course back then there were millions of people on the internet actively communicating and not billions of people, so the market for anything was a lot smaller, and the people were kind of boring. Like the other weird thing about the cypherpunks is that most of
these people, aside from being kind of weird, didn't really have, like, there were like westerners living, they made like 100k a year in places with rule of law. They were generally well protected, so they were thinking about these ideas as a theoretical thing and the thing they wanted to aspire to, but in reality if they had a problem they'd have legal recourse, nobody would attack them, everything else. As the population on the internet has changed, we have people in countries that have no legal system or where they're targets of stuff, so it's a big deal.
Many of them lived in Europe, but they were still first world, kind of. That was actually the crypto, it was a weird split between US and Europe. There were a lot of people that were major contributors from Europe. Probably at least half by the number were Europe, and then by quality I'd actually probably say more like 75% were outside of the US and mostly Europe. But there was a very restrictive interpretation of cryptography export at the time under ITAR, Wassenaar agreement, other US laws, where it was basically impossible for a US person and a foreign person to collaborate on a project in a useful way. The only way you could do it would be by publishing. You could either do a restrictive thing like a 40-bit key, which is essentially breakable on a smartphone now, but it was at the time something that was feasible for a couple of computers to break in a period of time, or you had to go through the First Amendment protections in the US and actually publish something to at least 50 people in public and then have them download it, re-type it in, and then do it. And this is really interesting: the PGP software was developed by Philip Zimmermann and a couple other people in the US and had to get exported from the US in the form of physical books. We have a lot of precedent for, you can't restrict people's ability to publish, and that's clearly speech, but there wasn't any real precedent for sending binaries out of the country, so it was a pretty
exciting thing. There was a place in 97 in the Netherlands where they had a book scanning party, where they had, I think it was like 50 books or something, and they scanned them in, and they had error correcting code on the page, and that was how the code got out of the US legally to do all this stuff. But yeah, it was pretty weird.
So compared to the past, I would say the mailing list is a non-entity. It basically doesn't exist anymore. The people that were on the list, as well as people that were inspired by some of the ideas, are the people building all the cool tools today that are directly inspired. The people that are running the Tor Project were people that were from back then or that were inspired by that. Everybody working on Bitcoin has a lot of history with that kind of stuff. I think certainly like the celebrate people. So it's definitely like an inspiration for this stuff. In practice a lot of the developers, like whenever I go to a developer thing, there's a lot of people that are like 20 to, like in their 20s today, would necessarily have been on a mailing list in like 1995, so there's a lot of people that weren't on the list in its heyday, but I think a lot of the ideas were discussed there, and it's pretty good.
I'm not really sure if it was more about the technical side or the political or social side. I think you really need to have both, because without the ideas of like why you should build these tools, it was unclear why. Why do you care about making tools that are cheap hardware? If you can afford to have an expensive PC and everything else, you don't really care. But then people discuss the activist use case where these people didn't have a lot of money, so the people that are at the most risk are actually the people that have the least resources to defend, and also the idea of disposable devices and everything else. So I think you need to have the ideas behind it, but you clearly need to have the technology. But none of this stuff is finished. It's been a long time. The
cryptography, the metzdowd list that Perry Metzger ran, that was really popular and it's still popular. P2P hackers, a couple decentralized things. The individual projects got their own list, so clearly the, like the Tor Project has their internal stuff, and a lot of those stuff. Twitter, a lot of forums. Basically things have moved away from email to other forums, but yeah, there's a lot of active discussion in various places.
Sure, yeah, I'd be happy to take questions outside. Thank you.