Security / [intel] Cybercrime a clear and present danger [pdf]
« on: February 11, 2012, 09:55 pm »
www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf
Since Insight exposed the U.S. Postal Service's customer-surveillance program "Under the Eagle's Eye" (see "Postal Service Has Its Eye on You," July 2-9), the eyes of many privacy advocates have focused like a laser on the agency. "Warning! The Post Office could report YOU as a drug dealer or terrorist," reads a press release from the Libertarian Party, which helped generate some 300,000 letters that helped defeat the government's proposed "Know Your Customer" surveillance rules for banks two years ago (see "Snoops and Spies," Feb. 22, 1999). Until the Postal Service drops its orders to postal clerks to report certain legal financial transactions as "suspicious activity," the Libertarian Party and others are urging consumers to purchase money orders, wire transfers and cash cards elsewhere.
But now Insight has learned that it's not just purchases of these financial instruments that the post office reports as suspicious. A training video and manual obtained by Insight indicate that you also could be reported as a "suspicious" customer when you put money on a postage meter, particularly if it's in cash. In the video, after a jewelry-store owner hands a postal clerk $50,000 cash to put on his postage meter, the clerk is told to report this as a suspicious transaction. Even though it may be perfectly legal, using this much cash is "strange," the video says.
But what is "strange" to privacy advocates is why the Postal Service reports postage-meter transactions at all. Treasury Department regulations that next year will apply Bank Secrecy Act provisions to sellers of money orders and other financial instruments, which the Postal Service uses to justify "Under the Eagle's Eye," say absolutely nothing about purchases of postage as a "suspicious" activity.
"If putting a lot of money on your postage meter is a sign of criminal activity, I'm afraid we're going to have to have a little talk with our own office manager," says George Getz, spokesman for the Libertarian Party, which uses a postage meter to send mass mailings. "I don't know how somebody would go about laundering money like that. It seems preposterous. Do you launder money 32 cents at a time? That's crazy."
According to the Postal Service, even transactions of a few thousand dollars in cash should arouse suspicion. "If they [customers] wanted $5,000 on their postage meter, they wouldn't pay for that in cash," says Gerry Kreienkamp, a Postal Service spokesman. "That's just not the way business is done."
But privacy advocates say it's not unusual for small retail-business owners to pay for mailings with large amounts of cash. It is normal, for instance, for restaurant or store owners who want to send out promotional mailings to go to the post office and put the cash receipts for that day on their postage meters, says Brad Jansen, deputy director of the Free Congress Foundation's Center for Technology Policy. "It would not be unusual that a retailer would, one, be using cash and, two, have to put out a great deal of postal mailings."
Kreienkamp says that "Under the Eagle's Eye" does not apply to purchases of stamps and "philatelic" items. But why, then, does the program apply to postage on meters, which is merely "electronic stamps," asks Rick Merritt, executive director of Postal Watch.
Jansen cautions that consumers should assume that any products they purchase at a post office could get them reported as a "suspicious" customer. "The intent is to make this as all-encompassing as possible," he says.
The internet is playing an increasing and "alarming" role in the trafficking of both illegal and unauthorised prescription drugs, according to the body that monitors the trafficking and use of narcotics.
Chemicals used for making heroin and cocaine and a range of drugs from methadone to amphetamines are being sold online by organisations that hide their identities from the authorities.
The report, compiled by the International Narcotics Control Board, paints a picture of an ever-expanding and increasingly violent drugs market, with new trafficking routes being opened regularly. It calls for governments to take stronger measures against drugs, in particular cannabis. The board was criticised by drugs reform groups last night for taking an "irrational" approach.
"Drug traffickers are among the main users of encryption for internet messaging and by this means evade law enforcement, co-ordinate shipments of drugs and launder money," claims the board's annual report published today in Vienna. "A co-ordinated, global response is needed to meet this challenge."
Criminal organisations often pose as fictitious companies in order to acquire the chemicals they need to manufacture illicit drugs, says the report. The chemicals used to make amphetamines, methamphetamines and MDMA (ecstasy) are being obtained illicitly in large quantities. Traffickers are placing orders with legitimate trading companies and using falsified authorisations to import pharmaceuticals into countries where controls are lax. African countries are said to have become increasingly involved in the production and trade of such drugs.
"The internet is a major problem," said professor Hamid Ghodse, the board's president. "That is why we started three years ago to have contact with Interpol (on the issue). There are illicit internet pharmacies and they do not have natural boundaries."
He said that there was evidence of such activity in the United States, Thailand, Australia and the UK but that it was difficult for law enforcement agencies to track down the perpetrators.
Cannabis continues to be the most widely used drug in Europe and Britons have the highest level of experience of it, with 37% having tried it at least once. Italy, France and Denmark have the next highest rates of use with Bulgaria, Malta and Romania the least. Schoolchildren aged 15-16 in the UK top the list for use of cannabis with 44% having tried it once. France, Spain, Ireland, the Czech Republic and Belgium are the other countries where schoolchildren have high rates of use. The countries where there is least use among schoolchildren are Greece, Cyprus and Romania. However, cannabis use among all schoolchildren in England dropped from 13% to 9% between 2001 and 2007.
Ghodse said that many European countries were sending the wrong message on cannabis, by not treating it seriously. The report suggests that "the international community may wish to review cannabis which, over the years, has become more potent and is associated with an increasing number of emergency room admissions".
Afghanistan remains the world's major supplier of heroin with 92% emanating from there. One new development had been the re-emergence of Afghan cannabis, a major type used in the 1960s and 70s. The report suggests that "cannabis cultivation has increased as this crop has become more lucrative". The board urges the Afghan government to "give priority to stopping this alarming trend and to provide farmers with sustainable options of legitimate livelihood".
Among other findings are that Canada has become a major producer of ecstasy, using chemicals smuggled from China. Canadian versions of the drug have been found in Australia and Japan. Amphetamines have become popular in Saudi Arabia and the Persian Gulf. West Africa is seen as an important transit and stockpiling area for cocaine consignments from Latin America destined for Europe. Other conclusions are that Colombia remains the world's largest producer of coca leaf, despite extensive and US-funded eradication efforts, and illicit cultivation there has increased by 27%. Colombia accounts for 55% of the total area under illicit cultivation in South America, followed by Peru (29%) and Bolivia (16%). Latin America has seen an increase in "date rape" drugs, according to the report.
The number of people in the US who abuse prescription drugs is now greater than the total taking cocaine, heroin, hallucinogens, ecstasy and inhalants, said the report.
On the issue of access to controlled medicines, including morphine and codeine, considered by the World Health Organisation to be a human right, such drugs are virtually unavailable in more than 150 countries, according to the report.
The board was criticised last night for its approach. "The tragic irony is that it is the board's inhumane, unjust and irrational policing of the UN drug control system that has created or exacerbated most of the problems outlined in its report," said Danny Kushlick of the drug policy foundation, Transform.
"The board is complicit in gifting the illegal drug market to terror groups, paramilitaries and organised criminals, contributing to the political and economic destabilisation of producer and transit countries and putting millions at risk of contracting blood-borne viruses. The INCB and the UN Office on Drugs and Crime pose a greater threat to global well-being than drugs themselves."
Illegal drug suppliers are using the internet to target British youngsters, the UN report said.
11:00AM GMT 19 Feb 2009
Rogue online pharmacies are "promoting drug abuse among vulnerable groups" and unlawfully selling an array of controlled substances.
It includes the heroin substitute methadone, codeine, and other stimulants without prescription.
At the same time, traffickers are using international and domestic courier services to smuggle more serious illegal drugs such as heroin, cocaine, ecstasy and cannabis.
The report added: "Cybercrime is of particular concern as drug traffickers are among the main users of encryption for internet messaging and by this means evade law enforcement, coordinate shipments of drugs and launder money.
"A coordinated, global response is needed to meet this challenge."
INCB President Hamid Ghodse said: "In the UK in the last two or three years there have been some seizures from these illicit pharmacies who have been active in selling within the UK and elsewhere."
The report also found: "Drug traffickers have realised that using courier services is a relatively secure method of illegal drug transportation."
It added: "Although relatively small amounts of drugs are smuggled in individual letters or parcels, they add up to significant quantities, which reflects the importance attached by drug trafficking organisations to that smuggling method."
It said small courier companies are more frequently targeted because larger ones are more closely tracked by authorities.
We recommend against the adoption of any nationwide, standard, personal identification format, with or without the SSN, that would enhance the likelihood of arbitrary or uncontrolled linkage of records about people, particularly between government or government-supported automated personal data systems.(11, introduction, p.122)
Unfortunately, this far-sighted report didn't stem the tide. Computer databases of personal information have infiltrated society without legal opposition or public outcry. How many times have you been asked to provide your SSN in the past year? Too many to remember? When was the last time you provided sensitive personal information to a government agency or private firm? Did you provide that information on the same form that asked you for your SSN? The cypherpunks are not enthusiastic about the use of law to protect private information. The law does not have a good history on that count. More importantly for the cypherpunks, the ideology of individual rights is near and dear to their hearts, and first among those rights is free speech:
If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. (12)
But if free speech is not to be restricted, then how is personal information to be protected? Here we see the cypherpunk ideology at work. The cypherpunk idea of rights is that some rights are like the right to the pursuit of happiness. Some rights are what you win for yourself by virtue of your own actions. So it must be with the right to privacy. Privacy is a right you must defend for yourself, not an obligation you can impose on others. So far, it all sounds very libertarian. But how can we attain privacy and still interact in the real world? Every time we send a message, or make a purchase, we give personal information away. Here we come to the other half of the cypherpunk agenda, and depart from ordinary politics. Rather than play the game by the current rules, or give up and become hermits, or long for the lost good old days before databases, or try to change the rules through the legislative process, cypherpunks instead seek to change the world with technology, the ephemeral technology of strong cryptography:
We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. . .
We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.
Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. (12)
With this context in mind, digital cash may make more sense. For the cypherpunks, the purpose of digital cash is simple. Digital cash has the same purpose as the rest of cryptography: the transfer of control of personal information and private lives from the institutions back to the individual. Without digital cash, much of the power of strong cryptography is lost. Money is the primary means whereby we satisfy our needs and wants. We all must engage in many transactions every day in order to function in society. Any institution with a record of the who what where when from whom and for how much of our purchases knows us all too intimately, and has the power to do us great harm, either directly or by not guarding their information about us from others. Digital cash provides the same peace of mind and individual control for financial transactions that DC-nets plus encryption brings to ordinary communications.
Full Crypto-Anarchy
Now that we know the technologies, we can understand what might happen in a world taken to the logical extreme. Imagine if the full capabilities of strong cryptography come into common practice. The result is a triad of absolute rights, enforced by the availability of the technology and unlimited by any purely legal distinctions:
First, there is the right to encrypt. This is the cyberspatial analog of a fundamental libertarian doctrine: individuals have a right to defend themselves. Strong encryption is quite unlike physical world weapons in that it is purely defensive, and is equally effective against adversaries of all sizes. The right to encrypt provides protection against the attacks of individuals, large private organizations, and particularly governments. Strong encryption constitutes a technological implementation of the fourth amendment, except that it protects against all searches and seizures, not just the "unreasonable" ones. The search and seizure of the files in a computer system is quite ineffective if all the files are encrypted. In order to unlock the data, the seizing authority must obtain the cryptographic keys. They will naturally want to force people to turn over the keys. But in any society that respects the fifth amendment, no one should be forced to testify against himself. If the society does not respect the fifth amendment, then it may be necessary to destroy the keys. With a little advance planning, that deletion could be accomplished in a few keystrokes. Provided that they have the right technology, no one can be forced to get his records to testify against himself. This puts a serious hole in the investigative tools of law enforcement. Some would say that it makes law enforcement impossible.
Second, there is the right to free speech. This is an absolute right, enforced by strong cryptography. Encryption allows you to say anything at all to anyone you trust, without risking giving away any information about what you're talking about to anyone else. The people who are opposed to the things you are saying can hardly stop you if they don't even know that you're talking. Through the use of anonymity, even trust of the recipient becomes unneeded. If your anonymity is sound, you can say anything you like, provided that what you say does not in itself reveal your identity. Intellectual property violation, defamation of character, obscenity, harassment, national security leaks, and advocacy of violence are all well protected by strong cryptography. Taken to the logical extreme, this right to free speech can destroy the publishing, software and entertainment industries, and jeopardize lives and even nations.
Third, there is the right to transactions. This is another absolute, technologically enforced right. With good anonymity, signatures, and digital cash, two parties can communicate and agree to any contract, and then fulfill the contract, sometimes entirely in cyberspace, all without ever knowing each other's true identity and without revealing anything to the outside world, not even that either party sent or received any communications. The potential total secrecy and convenience of digital cash transactions unfortunately make it an ideal haven for all kinds of unsavory activity. The anonymity of digital cash, combined with the low effort needed to transfer large sums, might make it the ideal medium of exchange for smugglers, in particular drug dealers. Infringement on intellectual property is common enough in cyberspace due to the ease of digital copying. Add the protection of anonymity and now the incentive provided by untraceable digital cash, and intellectual property protection is rendered impossible.
But much more than just intellectual property is at stake: "Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures."(1) ** An untraceable means of payment like digital cash would prove tremendously useful to the sellers of the obscene. It would also help to make practical the sale of the valuable secrets of any large organization. Imagine if trade secrets and insider information could be sold anonymously to the highest bidder. Now extend this market to include national secrets. Keeping in mind that digital cash transactions can be untraceable, consider what happens if digital cash becomes common: Is taxation still possible? Can governments continue to function? How is the government going to collect on transactions it cannot even know exist? Next imagine what the ability to send truly anonymous threats could do for the business of extortion. Imagine what would happen if professional assassins could expand their customer base and enhance their own safety by doing business anonymously. The technology of anonymous untraceable payment has enormous destructive potential.
** The rest of the paragraph, from the ** forward, draws heavily on (1).
Is it inevitable?
All these consequences projected forward from current and near-future cryptographic technologies with legitimate purposes to the destabilization of our whole society may have left the reader a little overwhelmed and sceptical. Surely things aren't going to change so much, just because of a few gadgets. This skepticism may well be reinforced when the reader learns that T.C.May ends "The Crypto Anarchist Manifesto" with the one-line command:
"Arise, you have nothing to lose but your barbed wire fences!"(1)
The Communist Manifesto ends in the command "Arise, you have nothing to lose but your chains!" Mr. May is obviously deliberately imitating that famous document. But Karl Marx made some predictions about the future, which later turned out to be drastically wrong. Perhaps Mr. May had better pick a better model to imitate.
Unfortunately, it seems that the case for the inevitability of at least some measure of crypto-anarchy is quite strong. First, the development of encryption technology is not going to stop. If anything, it is accelerating. Thomas Hughes, a historian of technology, argues that technological systems develop their own momentum. In particular, momentum tends to appear when "Numerous persons develop specialized skills and acquire specialized knowledge appropriate for the system of which they are a part." (13, p.460) In the case of strong cryptography, I can identify two classes of people who have made such a commitment to the field. First, there are the cypherpunks themselves, who have dedicated themselves to the cause of making this technology happen. Their mantra, "Cypherpunks write code," is sometimes intended as a general admonition to get involved, but can also be interpreted more literally as a command to take the theoretical cryptography produced by the mathematicians and turn it into real world software. (14, section 4.5). Strong cryptography has also attracted a large number of fresh talented mathematicians, who have started their professional careers with work in cryptography. Many of these theorists are probably in the field for life, and will continue to push the frontiers of knowledge outwards until the limits of the possible are known.
Another great advantage that the developers of strong cryptography enjoy is the practice of wide distribution of freeware and the safety of regulatory arbitrage.(12, 15) Information about cryptography is widely copied all over the planet, which provides broad exposure and redundant backups in case of loss or political oppression. Though many nations may make their own restrictive rules concerning cryptography, the nature of the Internet allows the information and the young systems to find safe havens. Any nation that tried to eliminate crypto within its borders would either have to shut down its part of the Internet or else find information on crypto leaking across the border from places with less restrictive rules. A working RSA cryptosystem has even been packed into a four-line sig file, and printed on T-shirts.(16)
What about the anarchy part?
Just because the technology will be out there, it does not follow that it will automatically be used to turn the social order on its ear. Some weakening of the power of governments, particularly of the power of oppressive governments, seems likely to occur. Either governments will encourage economic growth, which today requires allowing networked computers, or they will close their information borders, which will leave them economically impoverished. If the governments allow networked computers, then a well-educated fraction of the populace will get exposure to the idea of cryptographic privacy, in addition to all the other "dangerous" ideas floating around the net. An increasing number of organizations in both the free and the not-so-free worlds are already using the public key cryptosystem PGP. By allowing small, scattered bands to work together securely, encryption diffuses political power away from dense concentrations and into the hands of a larger number of activists. Predictably, encryption is very popular with the pornographers and drug dealers. This makes life a little more difficult for law enforcement. But most of the work of law enforcement is done in the physical world anyway, and is unaffected by crypto.
Some signs are beginning to show that the contradiction of bits you're not allowed to copy will have to be resolved. But even if the resolution of intellectual property issues ends the publishing, entertainment, and software industries as we know them, society should survive and recover. The use of anonymous communications for defamation, harassment etc. has started to happen, but it doesn't matter all that much. People don't lend the same credence to anonymous messages as they do to identified ones. And most people can survive a little bad-mouthing anyway.
The only dramatically dangerous part of strong crypto is widespread untraceable anonymous electronic payment for illegal goods and services. This background is essential in order to make possible the "abhorrent" markets of full crypto-anarchy. So far, digital cash has barely gotten off the ground. Some authors have suggested that even full-blown digital cash wouldn't mean the end of civilization. Vincent Cate proposes that strong crypto and regulatory arbitrage will end government in cyberspace, but that physical space will remain quite regulable.(2) Hal Finney has proposed that digital cash will be unable to displace the existing monetary infrastructure, and will end up as just a professional's share of the already existing cash economy, while the rest of the world continues without major change.(16) Wouldn't that be an anti-climax?
I might add that over-hyping of the changes due to cryptography is actually counterproductive. To the extent that law enforcement believes these projections, the government will oppose simple cryptographic technologies that do have an important role to play in preserving privacy.
Hal Finney
hfinney@shell.portal.com
Intro
The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be traded freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.
-- Timothy May, in The Crypto Anarchist Manifesto (1)
Is this yet another instance of a mad prophet rambling on about yet another unlikely doomsday scenario? People unfamiliar with the technologies to which May refers are likely to dismiss him as crazy. Whether or not Mr. May is crazy, the technology he's talking about is real, and could have a dramatic impact on the world in the very near future. The technology is known as strong cryptography. That is to say, really good secret codes and their applications.
Recent advances in cryptography have shown that it is possible to control information in a wide variety of previously unimagined ways. These new methods require large amounts of computation, but the personal computer revolution is rapidly placing the necessary computational power into the hands of millions. The ephemeral technologies of strong cryptography promise to provide you with powerful and precise control over the privacy and security of your information.
Many institutions operating today, such as all governments, operate by collecting information about people that said people would rather keep to themselves. If the technologies of strong cryptography come into wide use, then these institutions will no longer be able to function as they do today. An informal organization dedicated to helping this technological revolution happen sprang up in 1992. The members of this organization call themselves Cypherpunks, and they generally believe that they are helping to change society for the better, by greatly expanding individual freedom. A subset of the cypherpunks, the Crypto-Anarchists, believe that the technology will inevitably lead to the total collapse of government as we know it, and usher in a new, better world of crypto-anarchy.
Both crypto-anarchists and many other cypherpunks are quite confident in their predictions, quite certain what the effects of the technology will be. Timothy May states categorically that "These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation." (1). Vincent Cate, a self-identified cryptorebel and cypherpunk, is also quite confident and optimistic: "Regulation of Cyberspace trade will not be possible. It will be impossible to even determine if two parties are doing business, let alone to stop them. Initiation of force in Cyberspace should be less and less of a problem as computer systems get more secure. Impersonation is easily prevented with digital signatures. Reputations will be the main guard against fraud." (2).
Is this confidence in strong cryptography justified? What does this technology do, and will it inevitably lead to the social changes which the cypherpunks describe? Will it lead to the drastic changes the crypto-anarchists describe? Many plausible predictions about the technological and social future have been wrong before. How are we to judge whether the cypherpunks are the leaders of a great new revolution, or just a band of crackpot malcontents? I propose to begin trying to answer this question by examining the cause of the entire debate, the new methods for handling information made possible by strong cryptography.
What are these Guys Talking About?
Before I plunge into a listing of the gadgets of strong cryptography, I'd like to give a quick overview. A great variety of remarkable tools are already in use. Others are in active development. I'll try to cover the basic technologies of symmetric key encryption, public key encryption, digital signatures, anonymous communications, and digital cash. The reader should recognize that this partitioning into subtopics is somewhat arbitrary. The subtopics overlap, and fail to exhaust the entire field. However, I hope that these categories will help to organize the spectrum of possibilities and reduce the confusion that often results from failing to distinguish between different applications and different kinds of cryptography.
An author writing early in this century about the future impact of the internal combustion engine would be ill advised to inundate his reader with a discussion of the details of the manufacturing and operation of the various designs of engine. It would also be unwise for him to much discuss recent advances in the techniques of mass production, even though it was those advances that made the technology possible and practical. However, a discussion of cars, trucks, buses, heavier-than-air flying machines, home electric generators, and gasoline-powered yard equipment would provide the reader with a great deal of insight. Similarly, I will not try to present any details on individual cryptographic algorithms. I will not present the foundational ideas of complexity theory, number theory, and information theory without which the technology wouldn't exist. I do not intend to look inside the "black box" at all. Instead, I'll be describing the gadgets from the outside, purely in terms of what they do.
Strong Symmetric Key Cryptography and Data Security.
Symmetric, or secret key cryptography is the oldest and easiest to understand form of crypto. Given some data and a secret key, the encryption algorithm generates a piece of "cyphertext" which encodes the data in a form that looks like pure gibberish to anyone without the secret key. The mathematical gold standard for strong cryptography requires that an adversary can gain no information about the contents of a message by examining the cyphertext. But anyone who has the cyphertext and the key used to encrypt can use the decryption algorithm to reconstruct the original data. Unlike the first, primitive cryptosystems, symmetric key cryptography does not assume that the encoding scheme is secret. The encryption and decryption algorithms are assumed to be publicly known. Only your original data and the key used to encrypt it need to be kept private. (3, pp. 96-97)
There are many good uses for symmetric key encryption. Any individual or organization that wishes to keep any piece of information private has a use for strong cryptography. Sensitive files relating to military secrets, affairs of state, and industrial firms with trade secrets already use secret key cryptography. In all the above fields, as well as in the world of electronic commerce, many message senders employ encryption to prevent information from falling into the wrong hands and causing great physical or economic damage. As strong cryptography spreads and becomes more commonplace, it could find many legitimate uses. For example, it could be used as a technological reinforcer of attorney-client privilege, or as a means of protecting medical and financial information, or as a way of insuring the privacy of diaries and interpersonal communications.
Public Key Cryptography
The concept of public key cryptography is a little more advanced and difficult than symmetric key cryptography. In a public key cryptosystem, you have two keys, your public and your secret keys. Reasonably enough, you make the public key publicly available, but must keep the secret key to yourself. The curious property of this key-pair is that what one key does, the other undoes. Anyone can encrypt a message to you using your public key. But the public key does not enable anyone to decrypt the cyphertext that is so generated. Only people with the private key corresponding to the encrypting public key can decrypt the cyphertext. (3, p.97) Thus, you can send a secure message to someone without having to prepare a shared secret key in advance.
This power to initiate secure communications without using previous shared secrets gives public key cryptography an enormous advantage over symmetric key cryptography. The secure distribution of secret symmetric keys over insecure channels is quite difficult, and requires elaborate security precautions (4). Several public key cryptography systems are already in use by the cypherpunks and are spreading into the general computer-savvy populace. Unfortunately, public key crypto is much more computationally expensive than symmetric key crypto. In order to get the best of both worlds, the first thing that two parties who contact each other using a public key system do is generate an agreed-upon secret key, then switch to symmetric key encryption.
Digital Signatures
A physical signature is a mark you make on a document in order to signify that you agree to the document. A physical signature is legally binding. For this reason, it is important that the physical signature be difficult to forge, and difficult to repudiate. Intuitively, there can be no good digital signatures, because anyone who knew enough to decide whether or not a pattern of bits was a valid signature would also know enough to make a valid forgery (5, p.390). However, this intuition is false. The important idea is to make the bits of digital signatures dependent on the document signed, and to make use of the same one-way character that public key cryptography exhibits.
To see how digital signatures are possible, consider the following system: The signer encrypts the document using the secret half of a public key cryptography key pair. The resulting cyphertext is a signature. Remember, whatever one key does, the other undoes. Other users can decrypt this cyphertext using the public key, and check whether the decryption matches the document. Only the holder of the private half of the key-pair could have created such a cyphertext signature. Any attempt to alter the message will result in the new message not matching the decryption of the signature. There are many improvements and refinements of this idea which use less extra information to store a signature. What is essential is that digital signatures plus encryption provide an electronic means of creating messages and other documents with several desirable properties. These properties are:
Confidentiality, to provide privacy for a message (protection from disclosure)
Authentication, of the identity of the sender of the message
Message Integrity, to provide protection for the message from modification
Non-repudiation of Origin, so that the sender of a message cannot deny having originated the message
(Paraphrased from source 6, section 6, Secure Electronic Mail)
Digital signature schemes are spreading hand-in-hand with public key cryptography, often in the same software.
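The sign-with-the-secret-key, check-with-the-public-key system described above can be run end to end. The following is an added example, not part of the original essay: it uses unpadded RSA over a SHA-256 digest (one of the "refinements" that keeps the signature short), and the key pairs are toy values built from well-known Mersenne primes, chosen here only so the block runs without any library.

```python
import hashlib

E = 65537  # conventional public exponent

def make_key(p: int, q: int):
    """Build (n, e, d) from two primes. Toy keys only: these primes are public."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # secret exponent undoes the public one
    return n, E, d

# Constructed toy key pairs (Mersenne primes; trivially factorable, never use for real).
ALICE = make_key(2**127 - 1, 2**521 - 1)
MALLORY = make_key(2**89 - 1, 2**607 - 1)

def digest_int(document: bytes) -> int:
    """Reduce the document to a 256-bit integer so the signature stays short."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, key) -> int:
    """Apply the SECRET half of the key pair to the document's digest."""
    n, _e, d = key
    return pow(digest_int(document), d, n)

def verify(document: bytes, signature: int, public) -> bool:
    """Apply the PUBLIC half and check that the result matches the document."""
    n, e = public
    if not 0 <= signature < n:      # reject values outside the key's range
        return False
    return pow(signature, e, n) == digest_int(document)

def demo():
    alice_public = ALICE[:2]        # (n, e) is all a verifier ever sees
    doc = b"I agree to pay 10 units."        # constructed sample document
    sig = sign(doc, ALICE)
    return {
        "genuine": verify(doc, sig, alice_public),
        # Any alteration changes the digest, so the old signature no longer matches.
        "altered": verify(b"I agree to pay 1000 units.", sig, alice_public),
        # A signature made with someone else's secret key fails under Alice's public key.
        "forged": verify(doc, sign(doc, MALLORY), alice_public),
    }

if __name__ == "__main__":
    print(demo())
```

Deployed systems add a padding scheme such as RSA-PSS on top of this idea; the bare form here is only meant to show why knowing how to check a signature does not let you make one.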
Anonymous remailers, DC nets
One technology which does not strictly speaking require strong cryptography is anonymous electronic communications. Remailers take a message sent to them, strip off information about the sender, and send the message on. Sometimes, just knowing who sent a message to whom when can be a very important piece of information, one which the sender might wish to conceal. Such anonymous communication is already common in the physical world. We use anonymity often when we send an unpopular opinion as a "letter to the editor," when we act as whistleblowers, when we seek help after being victimized yet fear for our privacy, and when we vote.(7)
Given how useful anonymity is in the physical world, it's not surprising that anonymous remailers are already quite popular. Yet current remailer systems do have one property that the cypherpunks regard as a serious flaw: the remailers have to be trusted to strip off and forget information about the sender, or at least keep that information secret. Faith in this assumption was shaken recently when the International Church of Scientology was able to force the operator of a major remailer, anon.penet.fi, to disclose the identity of a whistleblower against the church.(8) This obviously defeats the entire purpose of anonymity. The cypherpunks have some solutions to this problem. The most mind-bending is the concept of DC-nets, which allow the electronic messages to be publicly revealed without any computer other than the sender's ever having any information about the identity and location of the sender. DC-nets require no special equipment. They can be created using any existing network, some simple software, and a large enough starting pool of anonymous communicators.(9)
Anonymous communications plus digital signatures allow for verified pseudonyms. Without revealing their true identity, individuals can digitally sign using a pseudonym. This allows for verification that multiple anonymous messages all originate with the same individual, assuming keys are kept secure. The possibility of these virtual identities is one of the most important ideas of the cypherpunks.
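How a DC-net can publish a message that no other computer can attribute is easiest to see in one round of the dining-cryptographers protocol. The following is an added example that goes beyond what the essay describes and is not taken from it: the slot size, function names and sample messages are assumptions made for illustration.

```python
import secrets
from itertools import combinations

SLOT = 16  # bytes broadcast by each participant per round (constructed size)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def share_pads(n: int) -> dict:
    """Every PAIR of participants secretly agrees on a fresh random pad."""
    pads = {i: {} for i in range(n)}
    for i, j in combinations(range(n), 2):
        pad = secrets.token_bytes(SLOT)
        pads[i][j] = pad
        pads[j][i] = pad
    return pads

def announcement(my_pads: dict, message: bytes = None) -> bytes:
    """What one participant broadcasts: XOR of all its pads, plus its message if any."""
    out = bytes(SLOT)
    for pad in my_pads.values():
        out = xor(out, pad)
    if message is not None:
        if len(message) > SLOT:
            raise ValueError("message does not fit in one slot")
        out = xor(out, message.ljust(SLOT, b"\0"))
    return out

def combine(announcements: list) -> bytes:
    """Anyone can XOR the public announcements. Each pad appears exactly twice
    and cancels, so only the message (if there was one) is left."""
    total = bytes(SLOT)
    for a in announcements:
        total = xor(total, a)
    return total

def run_round(n: int, senders: dict):
    """senders maps participant index -> message. Returns (announcements, result)."""
    if n < 3:
        raise ValueError("with fewer than 3 participants the sender is obvious")
    pads = share_pads(n)
    anns = [announcement(pads[i], senders.get(i)) for i in range(n)]
    return anns, combine(anns)

def demo():
    # One sender: the message appears, but every announcement looks like random
    # bytes, so observers cannot tell which participant contributed it.
    _, one = run_round(5, {2: b"meet at noon"})
    # No sender: the round combines to all zeros.
    _, none = run_round(5, {})
    # Two senders collide: the result is the XOR of both messages, so real
    # designs need a way to reserve slots or retry.
    _, clash = run_round(5, {0: b"first", 3: b"second"})
    return one.rstrip(b"\0"), none, clash

if __name__ == "__main__":
    print(demo())
```

The sender stays hidden from any group of colluding participants unless that group holds every pad the sender shares, which is why the essay's "large enough starting pool" matters.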
Digital Cash
Current electronic payment systems demand a lot of trust from the users. All transactions are recorded by merchants and banks. These records can be cross-correlated to create profiles of individuals. These profiles are used for purposes of direct marketing, and more generally can be abused by any person or group that can get the data and wishes to influence "individuals' lifestyles, activities, and associations."(10) Frauds such as rubber checks and fake credit card numbers are common, and are part of the reason why extensive records are used. Everyone bears the cost of this fraud. But not all money has these bad properties. Cash lacks many of the properties other forms of payment have. Cash does not leave a trail of records behind about who bought what, when and where and for how much and from whom. And cash is significantly more difficult to forge than a credit card number. The purpose of digital cash is to do in bits what physical cash does in atoms, and more. The goal is to combine the easy transmission and storage of information with the information-hiding properties of cash, while still providing the security against cheating that well-kept records allow.
At first, it may seem impossible to turn bits into bills. After all, bits can be copied ad infinitum, whereas cash relies on the fact that it is conserved in order to retain its value. Also, it would seem that anyone who knows enough to tell valid bills from invalid ones should be able to generate valid bills themselves. But remember digital signatures: the intuitive answer is not always right. Old serial numbers can be retired by the agency that issues digital cash. Digital signatures can be used to validate bills and prevent forgery. Signatures can also be used to create unforgeable proof-of-order and proof-of-payment records. Pseudonymous methods can be used to conceal the identity of individuals. The use of different pseudonyms with different merchants can be used to prevent the cross-correlation of transaction data. In general, it is possible to design digital protocols that allow transactions to take place freely, while requiring individuals "to disclose only the minimum information necessary."(10) The design of digital cash systems is an area of considerable current activity. Which, if any, of the competing schemes will catch on remains to be seen.
* This section draws heavily on source 10 throughout.
The Cypherpunk Privacy Agenda
So far, I've tried to stick to describing the gadgetry's functionality, without reference to the particular goals of the cypherpunks. As the reader has certainly noticed, I couldn't maintain that policy while describing digital cash. Digital cash doesn't make any sense unless you understand the cypherpunks' ideas about the importance of privacy. The cypherpunks are deeply worried about the abuses made possible by the spread of computer databases containing personal information. They are not the first people to so worry. As long ago as 1973, a federal civil servant commented in an official report that:
. . . The net effect of computerization is that it is becoming much easier for record-keeping systems to affect people than for people to affect record-keeping systems. Even in non-governmental settings, an individual's control over the use that is made of personal data he gives the organization, or that an organization obtains about him, is lessening. (11, introduction, p.xx)
The report went on to advise that strong laws be enacted to prevent the abuse of such databases, and to prevent the use of private databases of personal information for any purpose not authorized by the citizen in question. The report even explicitly advised against the continuation of the then new trend towards the use of the Social Security Number (SSN) as a universal identifier:
China’s Ministry of Public Security announced Sunday that police had seized more than 300 kilograms of illegal drugs and arrested more than 12,000 people involved in production and trafficking through a network of online video applications and chat rooms, according to Xinhua News:
In March, police in the cities of Lanzhou and Xi’an in west China found some people were getting and selling drugs through chatting in online chatting room, which were usually inaccessible to outsiders.
New comers could only be allowed to enter the online chatting room after being introduced by “acquaintances” and performing drug-addiction through the online video, Liu said.
The MPS soon launched a nationwide battle to fight against online drug-related activities on Aug. 31, and started tightening the net to seize the suspects on Sept. 2.
Among the 12,125 arrested suspects, 66.2 percent are young people under 35 years old, and 2.6 percent are under 18, with the youngest being 14 years old, according to Liu.
China’s war against drugs also recently cut off a well-connected trafficking ring based in Guangxi and yielded the largest-ever drug bust in Hong Kong’s history.
An international collaboration is needed to stamp out internet trafficking of narcotic drugs and psychotropic substances around the world, the International Narcotics Control Board has urged.
Some online companies advertise that they can provide prescription drugs without prescription or that their dispensing pharmacy can issue the prescription, said the control board in its annual report. Two internet pharmacies in Bangkok and one in Chiang Mai, Thailand, mainly serving the US market, were closed down between November 1999 and January 2000 after raids by Thai authorities with the close collaboration of US Drug Enforcement Administration. These pharmacies were sending parcels of drugs to US citizens, including many drug addicts, who could not get their prescription from US doctors.
The control board's survey points out that internet drug trafficking has only recently come to the notice of most national authorities, and very few have taken legal action to stem it. "We do not know the amount of internet drug trafficking, but with 600 million internet users at present, we want the governments to take action," said Mr Chinmay Chakrabarty, a member of the International Narcotics Control Board.
The report warned of the potential for errors and misuse of the internet in facilitating medical and pharmaceutical services for large sections of society at low costs. "Substituting direct patient-doctor contact by electronic communication is problematic, particularly concerning the diagnosis of psychiatric disorders and prescriptions of controlled drugs," it said.
Over-consumption of controlled drugs in the developed world was caused by several factors—easy availability, loose regulation, and unethical practices, said the report. On the other hand, there is an undersupply in the developing world of much needed narcotic drugs for legitimate medicinal purposes, such as pain relief.
The report stated that in most countries of Africa the misuse of psychotropic substances seems to be rising. In Asia, the ongoing production of opium in Afghanistan, a leading world producer of opium, and the resultant smuggling of opiates and criminal activities in western Asia, remains a major concern, said the report.
In Europe the availability of drugs and the misuse of synthetic drugs and cocaine are increasing. Europe remains a major source of illegally manufactured amphetamines and amphetamine-type stimulants, especially ecstasy, for the whole world. "MDMA (Ecstasy) of western European origin is increasingly being abused by young people in North America," said the report. It stated that cultivation of highly potent cannabis under laboratory conditions "is spreading in Canada and parts of the US and continues to constitute a major concern to law enforcement authorities."
In the United States the rate of cocaine misuse among adolescents has declined by 14% from 1998 to 1999, whereas in Canada, drug misuse among secondary school students is showing an increase, according to some surveys, said the report.
Drug gangs are making increasing use of the internet and exploiting the lack of cooperation between international law enforcement agencies to improve their operations, a new UN report claims.
The report from the International Narcotics Control Board (INCB) also draws attention to the problem of smaller scale drug dealers using chatrooms to sell their goods.
It highlights the ease with which internet users can find websites which give step-by-step guides on how certain drugs, especially amphetamines, can be manufactured.
The report, entitled Globalisation and New Technologies, says that drug traders are discovering ever more sophisticated ways to use the internet.
They are improving the efficiency of distribution networks by using the secure, instant communication offered by the net and protecting themselves by employing "IT warriors" to launch cyber attacks on law enforcement agencies. The gangs are storing information such as bank details, contact numbers, grid co-ordinates of landing strips and recipes for the manufacture of drugs in encrypted form on computers and pocket organisers.
Some of the problems being faced by law enforcement agencies emerged after American and Colombian agents captured 30 suspected drug traffickers.
Security experts were amazed at the technology the gang members were using. The chat rooms they communicated in were protected by firewalls which officials found impossible to penetrate.
The suspects also had access to highly sophisticated encryption technology. One US official said it took some of their best computer experts 24 hours to crack a 30-second transmission, making the exercise largely pointless.
Significantly, the gang fed information about its daily activities into a computer housed in a ship off the Mexico coast. Raiding the ship would have caused all sorts of jurisdictional problems for prosecutors.
Even basic uses of services on the internet can help the traffickers. In Australia, for example, traffickers have been known to have used the facility offered by courier services which allows clients to track shipments on a website. If there is a delay - which could indicate that the shipment is being investigated - the gang can take appropriate action.
Aggressive use of the internet is also becoming common. Colombian and Mexican cartels have intercepted communications between investigators and collected personal information about investigators.
The Chinese authorities reported a case in which criminals used hackers to penetrate a customs database and alter the details of a freight consignment containing drugs.
In Italy heroin smugglers managed to put the authorities off their scent by setting up bogus websites which were difficult but not impossible to penetrate. While the authorities wasted time collecting information from the bogus sites, the smugglers continued their trade using genuine sites.
The creation of global money markets and the introduction of "virtual casinos" helps the gangs launder money quickly and with little fear of detection. Narcotics police in Hong Kong say following drug money has become much more difficult because of the advances in electronic commerce and internet banking facilities.
The INCB report expresses concern that not enough is being done to coordinate efforts to clamp down on drug traffickers.
While countries like the UK, the US and Japan are taking the problem seriously, many others are doing little to tackle internet crime.
A fear is that some less developed countries may become "data havens" where gangs can base their IT system with little fear of being prosecuted.
Alan McGauley, a senior lecturer in social policy at Sheffield Hallam University, said: "A major problem all law enforcement agencies have is that the cartels have so much money they can get the very best experts who can help them stay a step ahead."
The way smaller scale dealers are finding customers using the internet is also highlighted in the INCB report. Drugs paraphernalia and items such as cannabis seeds have long been offered for sale on the web but there is increasing evidence that dealers are offering drugs through chatrooms.
A quick surf of the internet yields hundreds of chatrooms where drug taking is being discussed. Some sites give users the chance to record details of where they bought drugs, how much they paid and the quality. One entry by a Luton user spotted on the web yesterday read: "Marijuana: skunk crossed with haze: £20-25: Quality: mind blowing, especially through a water or electric pipe. Availability: grown local, so only available in season."
Another trend which is concerning the INCB is the proliferation of web sites containing recipes for making drugs. While in the past recipes were kept secret, they are now readily available to anyone with internet access.
It is easy to find websites which give a step-by-step guide to making drugs. Many carry warnings which claim the recipes are not meant to be a practical guide but published for "informational purposes" only.
The INCB said the likely consequences of this trend were "alarming". It led to the creation of "drugs clubs" whose members encourage and assist one another.
David Wall, of the centre for criminal justice studies in Leeds and one of Britain's foremost experts on cyber crime, said he found this trend particularly worrying. He said: "People have always been able to find out information if they really want to but the internet does make it more easily accessible."
Potted guide to world trends
Africa
Injecting heroin is becoming more common, a trend which is contributing to the spread of HIV/Aids. The abuse of crack cocaine is growing faster than the abuse of any other drug in South Africa because it has become cheaper. Cocaine abuse has also increased significantly in Angola and Namibia.
Americas
Drug traffickers in Colombia are diversifying, supplying substances like ecstasy as well as cocaine and heroin. In Canada and the US cocaine use appears to be stabilising but heroin is on the increase.
Asia
Opiate addiction rates in Iran and Pakistan continue to be among the highest in the world. Amphetamines are becoming more popular in Indonesia, Thailand and Japan. Ecstasy, virtually unknown in the region 10 years ago, is also widely used.
Europe
Remains the major source of illicitly manufactured synthetic drugs such as ecstasy. Illegal poppy cultivation has been discovered in Albania.
Oceania
More Pacific islands are becoming offshore financial centres which could provide opportunities for drugs traffickers to launder their money. The number of labs manufacturing amphetamines is increasing in Australia.