
On 7/04/13 09:38 AM, Nico Williams wrote:
On Sat, Apr 6, 2013 at 6:34 AM, ianG <iang@iang.org> wrote:
We hope the NSA types haven't forgotten that good guys need crypto, whether LEA like it or not.
I personally believe that the NSA's policy that the good guys don't need good crypto is the underlying root to the problem. A goodly portion if not all.
Internally to the NSA this is known as 'the equity issue' or so I've heard.
Well, it's like a pendulum. As China and others make use of "cyber" warfare to fight wars by proxy the comsec folks will regain the upper hand at NSA. Or so we should hope. We can be secure in our comms and have a hard time eavesdropping on anyone or we can be insecure in our comms and have a hard time eavesdropping on anyone other than our own. It's pretty obvious, no? We need strong civilian crypto.
Yes, now. I suspect going back say 20 years, pre-net, it wasn't so obvious, because the dependency on open nets just didn't exist. See comment below about AT&T & IBM. In those days, networking was telco business, a mentality which just happened to align nicely with control mentalities, which suited both swings of the pendulum.
On the flip side, no amount of crypto can get one past certain fundamental issues in security. How do you know your peer is who you think it is? Crypto can't truly answer that, much less the question of whether they are doing as you wish.
Right -- but it can answer the question to a sufficient degree given an absence of interference in what is the right answer. I posit. Cf. Skype.
In economic terms, the NSA imposes a sort of Tobin tax on crypto which results in a stupidity drag on all security, thus making it easier for all to avoid doing good work.
Otherwise, I can't answer the question -- why as a society are we so good at internets, databases, apps, social networks, distribution of institutions, algorithms, all the good CS stuff, but we can't get our collective security act together?
Oh, well, we don't need to resort to conspiracy theories to answer _that_.
Delicious Irony! Clearly my opinion is rather fruitloopy, but this 'conspiracy theory' is enacted in law -- crypto is officially a munition. It's the job description of the agency of topic, which probably employs more computing security people than any other place. It's not as if Louis Freeh went to Congress in the 1990s and said "Senators, I wish to engage you in a conspiracy!" although we might grant the DEA would wish it so. What is perhaps controversial and maybe ridiculous is me saying that it worked. The NSA succeeded in creating a drag on internet security sufficient to explain the general failure -- the house of cards, as you put it. OTOH, if they hadn't achieved that drag, was taxpayers' money really being used wisely? What are all these security people doing, then? Another irony -- the trend for budget is firmly down; maybe now's the time to reveal how successfully they spent your money...
We've built a house of cards, not so much on the Internet as on the web (but not only!). Web application security is a complete mess. And anyways, we build on foundations, but the foundations (operating systems) we built on are now enormous and therefore full of vulnerabilities. We're human -fallible-, and our systems reflect this -our failures-.
Yeah, this is the popular explanation -- we're not good enough. Let me pose another thought question. Most of the long termers here understand how Skype, SSH and now Bitcoin were constructed. Peter adds iMessage to the list of successful crypto systems. Many of us here could make a fair stab at duplicating that in another product. I'd personally have confidence in that statement -- given the budget I'd reckon Steve, Jon, Peter, James, and a dozen other frequent posters could do that job well, or a similar one. I therefore suggest the popular explanation doesn't really pass muster. I say we really are good enough.
Why did they succeed, as an exception, but we did not, as the general rule? The strange names and origins are a possible clue. I suggest the same reason that a couple of bored scientists succeeded in creating a games platform that was then turned into a document preparation platform that then became a standard OS teaching tool and eventually by many steps is now in the hands of most of the planet: they did it without interference.
iang
PS: ok, that last comment about Unix requires some mental jugglery. The bored scientists did something that they were banned from doing. At the time, AT&T was party to a cartel agreement with IBM that reserved computing to IBM and networking to AT&T. How quaint! This had the perverse effect of turning Ritchie & Kernighan's toy into a skunk works project, in effect allowing everyone to politely ignore it. Unix survived and grew within Bell Labs because AT&T could not commercialise it, and therefore the project was purely an academic exercise. Hence, the corporate interference was untypically low to non-existent. Hence, it grew in Universities only.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography