Crypto Winter (Re: Looking back ten years: Another Cypherpunks failure)

R. A. Hettinga rah at
Sun Jan 27 14:08:48 EST 2002

--- begin forwarded text

Status:  U
Date: Sun, 27 Jan 2002 10:30:20 -0800
Subject: Crypto Winter (Re: Looking back ten years: Another Cypherpunks
From: Tim May <tcmay at>
To: cypherpunks at
Sender: owner-cypherpunks at

Some thoughtful ideas on the current situation (what I have called "the
Crypto Winter"). A few comments:

On Saturday, January 26, 2002, at 09:55  PM, Dr. Evil wrote:

> We know that some kind of privacy-enhanced payment system has been one
> of the long-time c'punk goals, probably for at least ten years.  We
> know that we are probably further away from having that be a reality
> than we were ten years ago.  This is excusable; the obstacles are
> enormous.  You need a lot of people to use it before it's useful, and
> there are all kinds of regulatory problems.  And there are a whole
> list of other problems, too.

I somewhat disagree. The obstacles to widespread acceptance (of
_anything_) are enormous, but the obstacles to experimental deployment
for specialized uses (Napster-like trading, porn, remailer use) are not
great at all. Pr0duct Cypher and others got Magic Money/Tacky
Tokens/etc. out in what was probably a period of a few months' worth of
effort. (PC may have been working for years on it, but this seems
likely. Digital cash was the topic and MM/TT appeared during the
discussion...circa 1993, IIRC.)

"First we change the world" is not a good business model. New
technologies and methods often spring out of unforeseen needs and
technologies. An interesting Harvard Business School type of study would
contrast the long and slow growth of Diner's Club and Carte Blanche
versus the effective complete replacement by BankAmericard (later Visa)
and MasterCard beginning in the late 1960s. Way too many folks in the
crypto/digital cash community are aiming for penetration similar to Visa
and Mastercard. It may happen, but not with a) experimental technologies
and protocols, b) by planning by a bunch of small companies. A
full-scale "launch" by a very large and well-funded company _might_
work, but probably not. (There's that nagging "How do we convince Joe
Sixpack to learn to manage keys and to use untraceable forms of digital
cash?" A facet of "First we change the world." Bah.)

I agree that facing regulatory obstacles head on is a lose, lose, lose.
Ain't gonna happen. Even the well-funded launch above would never get
approval for "truly untraceable" forms of digital cash. All of the
recent trends toward "fighting terrorism," "war on drugs," "currency
control," etc. tell us the regulators will never accept untraceable
digital cash (even though physical cash is grandfathered in...they will
outlaw it when they think they can get away with it).

This is presumably why Chaum watered-down his earlier digicash scheme to
make it only one-way untraceable/unlinkable.

> One of the other c'punk goals was encryption all over the place.
> Seems reasonable, right?  This Internet thing was just starting to
> take off.  Free open-source OSes like Linux were coming out.
> Encryption everywhere was well within reach.

My guess is that PGP went off the track when it tried to get PGP
"integrated" into various platforms and applications. Things were a lot
easier when PGP simply took a text file and did things to it. The
processed text file could be from a text editor or the "clipboard" (on
various platforms) and could then be pasted into or cut out of a mail
app, a word processor, etc. A few extra steps, but the "orthogonality"
principle was upheld: PGP was just another modification of text, a form
of writing. What the user _did_ with the text was up to him and was not
of any concern to PGP qua PGP.

Alas, the battles to "integrate PGP with Pine" (or with Eudora, or
Outlook, or Outlook Express, or Entourage, or ....) and all the crap
about "checking signatures" (which is almost never needed for most of
us, for reasons discussed many times), and the general "bloat" of
providing hooks to various OSes, various mailers, various
all resulted in the predictable.

(What did those 200+ staffers at NAI's PGP division actually _do_? Some
have told me that this 200+ figure referred to the entire crypto tools
division. Maybe. But PGP lost a lot when it went corporate and lost its
simple focus. More on GPG in a moment...)

Here's my own personal situation. Now I don't make a claim to being a
software guy (I'll avoid the hateful term "geek"). I like software, I
use it, I read about languages and OSes, I like Smalltalk and
Lisp/Scheme and suchlike, I have a project brewing on actors/agents and
money/instruments, I follow E and capabilities, and so on. But I don't
run a Unix box (well, OS X is now a full-fledged Unix box, being based
on FreeBSD, OpenBSD, Mach, NeXTStep, etc.).

But some years ago PGP just became too difficult to use regularly. I
would install 2.0, 2.1, ... 5.5, 6.1, whatever, and would even buy the
"PGP for Personal Privacy" CD-ROM ($40). Then something would break, and
PGP plug-ins would no longer work with Eudora or Eudora Pro. Were I
doing something _important_ with PGP, I could justify either sticking
with an older version of Eudora, an older version of my OS, etc.

Digression: Remember that the military spends a lot of money keeping
older legacy systems running. And doing the "crypto hygiene" involving
key management, limiting access to crypto shacks (on ships, bases), and
so on. We "casual" users don't want to spend 5 minutes getting key
material out of a vault or safe, plugging in our USB Flash dongles,
inserting CD-ROMs, etc., copying encrypted mail across an air gap to a
secure machine, etc.....just to decode a PGP-encoded message to read
"Hi, Tim, just testing out this really cool thing called PGP! Send me a
message back!" Being a casual user, with no real _need_ for crypto (the
subversive things I do I do out in the open, by choice), the "bang for
the buck" for PGP is just not there. And the seamless integration into
mailers and suchlike has not been easy.

A further example. I converted all of my main Macs to OS X. Wonderful.
Elegant. Powerful. Robust. The best thing I've ever seen in OSes. The
Mac-type front-end on a robust Unix (BSD) core, with a Mach kernel and
on and on. All of the old NeXTStep/OpenStep tools, and more. Incredible.
But no PGP, without major work.

What about PGP? The main guru at NAI/PGP tells us that a version of PGP
for OS X, presumably with hooks into various mailers (like OS X Mail,
based on the NeXTMail app, and Entourage, part of the Microsoft Office X
package), is "ready to go." But NAI/PGP has dropped the inexpensive
versions, let alone the free versions. (Sidenote: So much for PRZ's
anger that Bidzos and RSA had the gall to want $50 for MailSafe and
hence PGP needed to be released. The NAI/PGP packages  _start_ in price
at astronomical levels compared to what so many folks were "outraged" at
back around '92-94 when the "free alternative to RSA" was being touted.)

Also, NAI/PGP is apparently being shopped around for sale to another
company, so they don't want to release the OS X version until things
settle out. (I forget which forum I read this in...a search should turn
it up for those interested.)

What about GPG? Being that OS X is Unix, GPG should compile. It does.
And some work on giving it a better front-end and on linking it to OS X
Mail has been done. provides some

But it's a "hack," they admit, with numerous limitations. (I've got it,
and will be trying to make it work.)

To make some of the points about limitations, here's what they say about
the current release:

"Current limitations

*	GPGMail accepts only one personal PGP key.
*	GPGMail always uses your default identity and all message receivers
addresses as recipients for encryption (To and CC. For security
considerations, BCC recipients are not taken in account).
*	GPGMail does not support PGP keys distribution (following RFC 3156)
*	GPGMail does not support S/MIME
*	GPGMail encrypts/signs the whole message, and can decrypt/verify
only the whole message. You can not choose which part you want to
*	GPGMail does not support for RFC 1847 encapsulation
*	Encryption operation cannot be interrupted
*	You cannot send encrypted messages with BCC recipients.
*	You cannot forward encrypted messages: encrypted message is used.
You need to copy decrypted message into new message.
*	If Mail cannot deliver the message immediately, it postpones
delivery but doesn't prevents you from modifying the message; do NOT
modify a signed or encrypted message!!!
[end of quoted comments]

And it only works for certain versions of OS X and OS X Mail. Which
means I expect it to break in some future evolution, causing me to
either stop upgrading my OS and apps or to stop using GPGMail. This has
happened many times in the past.

Now while I may not be a "software guy" ("geek"), I'm maybe more
software geeky than most folks are, even most OS X users. Who will
bother with this kind of complexity, this number of bugs and hacks and
"won't work with" errors?

I've been talking about OS X. Maybe the situation with Windows 2000,
Windows ME, Windows XT, etc. is better.

For something so simple as what PGP used to be, look at the code bloat,
the cruftiness, the complexity. Will Joe Sixpack be installing GPGMail
so as to "use crypto everywhere"? Ha.

I don't mean for this to sound like a whine. I expect that if I spent a
few days reading up on GPG, using the Developer Tools on my OS X
distribution disk, playing with GPGMail such as it is, I could get
something workable running. But why? Why spend even a few frustrating
days just so--for the current software versions!!--I can open the very
occasional "Tim, just thought I'd try out PGP!" message.

Crypto between servers, a la SWAN, is a more cost-effective way to
thwart Big Brother's plans to simply slurp down all Net traffic.
Individual crypto rides on top of that, of course, and doesn't
interfere. And it has its place as well. But trying to change the world
to get more users to encrypt seems like a quixotic crusade.

If you're still with me, I'll continue commenting on Dr. Evil's remarks:

> And guess what, that goal was _almost_ achieved, except in two places,
> which I am calling the Great Encryption Taboos (GETs).
> GET #1 is voice encryption over phone lines.  Three years after
> Starium started, and ten years after c'punks started, you still can't
> buy a digital voice encryption device that has trustable crypto in
> it.  This is also excusable because it encounters some of the same
> problems that privacy-enhanced payments encounter, namely overcoming
> network effects and dealing with regulators.

But you can in fact buy such units. I bought one of the earlier Starium
units, as did several other Cypherpunks. 3DES is pretty trustable, from
all indications. There are other units, too.

Pricey, yeah. Strong crypto has not come down to the $100 cellphone
level yet.

A matter of "who pays for privacy"? (In both cost per unit, as with the
Starium phones, or the complexity of setting up PGP and GPG, as above.)
A little birdie told me a few years ago that certain characters looking
like they'd be right at home in a "Miami Vice" episode were buying sets
of Starium phones. This makes perfect sense. It's not at all surprising to
me that most Cypherpunks didn't buy Starium phones.

> GET #2 is disk encryption.  Yes, it sounds so simple, but it is a
> Great Taboo, and this time there are no excuses.  None.  You don't
> need any network effects.  Regulators in the US have little they can
> do about it.  There are about half a dozen great Open Source OSes to
> work on.  And yet there is nothing.

Disk encryption is built into several of the disk tools packages. Few
use them, this is true.

(When I was writing my Cyphernomicon in '93-94, there was a section on
disk encryption tools out at that time. And yet there was no interest I
ever saw at Cypherpunks meetings. If they weren't using the tools, why
would Joe Sixpack?)

Most people (maybe even many Cypherpunks) don't even do good backups on
their disks. Urging them to encrypt their disks seems pointless. (And
from a Neo-Calvinist point of view, why bother?)

Lastly, the reasons for the "Crypto Winter" are many and various:

* boredom the focus on PGP and other "old paradigm" uses. Only so much a
hobbyist can do with PGP, except make it cruftier and harder to use.

* the surge of interest in 1992-95 was for lots of reasons. We had
hundreds of eager students playing with remailers, crypto, Magic Money,
data havens. Lots of articles, lots of interest. This waned, for various
reasons. Now we get essentially no new students (Dave Molnar was the
last notable one I can recall) and there are few if any new projects.

* many on the list got jobs in industry, working for RSA/Verisign,
NAI/PGP, ZKS, C2Net, Microsoft, etc. Go back to the archives from
'92-96, roughly, and match the names up with where they are today. To
this extent, we somewhat helped crypto in industry...but at the expense
of the exotic ideas and apps.

* "crypto is tired." It was premature for "Wired" to write this in, say,
the summer of '92, when just several months earlier they'd declared
"crypto is wired," but they were always prone to overhyping and
overtrashing. But years later it was true. Crypto is now pretty tired.

* the war on terrorism, 911, crackdowns on money laundering, the
shifting focus to copyright issues (mainly a _legal_ focus, not anything
technological)...all of these things have helped to suppress interest
and willingness to experiment.

* the role of law and lawyers deserves even more mention: way too many
of our Cypherpunks meetings over the past few years have involved
extensive, and boring, discussions of new laws. I think this causes
people to think that law is the way to change things. It's important,
but what do _we_ have to contribute? What does having Mindy Cohn or
Robin Gross updating us on the DMCA, for example, do for our interests
and goals?

* some of the recent Cypherpunks meetings have been wastes of time:
bored people sitting and saying almost nothing. (I don't think many of
them are subscribed to, or contributing to, this list, so they won't be

Will things revive? Hard to say. Maybe it's a time for reflection and
consolidation, for working on projects.

Maybe it'll take a further expansion of the police state to jar people
out of their apathy.

--Tim May
"Ben Franklin warned us that those who would trade liberty for a little
bit of temporary security deserve neither. This is the path we are now
racing down, with American flags fluttering."-- Tim May, on events
following 9/11/2001

--- end forwarded text

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at