Begin forwarded message:
From: Jim <jim@indomitus.net>
Date: November 8, 2009 4:10:07 PM GMT-04:00
To: gold-silver-crypto@rayservers.com
Subject: Re: [gsc] Fwd: managing and protecting nyms...
R.A. Hettinga wrote:
From: John Young <jya@pipeline.com>
Date: November 8, 2009 1:31:05 PM GMT-04:00
To: cypherpunks@al-qaeda.net
Subject: Re: managing and protecting nyms...
Peer review is necessary to assure blunders are not overlooked. However, there has been no demonstration that peer review is all that is needed for the superior protection.
I have never seen anyone make this argument. So, burn down the straw man, John.
This is not an argument for obscurity, only a caution that peer review is not necessary sufficient.
Not necessary or sufficient? Not necessarily sufficient?
Peer review is very useful. I've never seen anyone argue that it is sufficient for total information security. To my knowledge, there is no total information security, no perfect system.
Open source operates on the assumption that everyone is fallible. Other assumptions to demolish John's arguments, below, in line.
Peers miss stuff too, as amply demonstrated by holes and bad implementation later discovered.
Of course. But, look, John, dummy, you can't discover these holes and bad implementations without open source crypto. If you keep your secret codes secret, then when the codes and ciphers are broken, you won't know it.
Betting your life on peer review, or open disclosure is probably not very smart.
Who isn't betting their life every day? The scum who have gotten Republican politicians to waste three trillion dollars on military contracts in order to slaughter millions of people in Southwest Asia are quite willing to slaughter as many people as it takes to maintain power and keep the gravy train coming.
Is it more clever to bet your life on a super duper secret code that no one can review? No, that would be asinine.
John, don't be an ass.
Instead, expect some shrewd peer(s) to see something that will serve a private purpose by keeping quiet. Competiton, betrayal, disinfo, venality, play a role as well as search for truth through open discourse.
Competition, for those who can spell it, is a good thing. The whole point of open source crypto is that different persons would each have different purposes, different motivations. Some will be genuinely motivated by math, just doing the math, just seeing the equations work, just understanding it all. Some will be motivated by private purposes, but these will vary widely. So the more people who actually sift the source code and review the math and do the peer review, the better.
Yes, there will be betrayals and venality, but the advantage of open source is that there will be different people with very differing agendas. You don't get nearly as many minds looking for holes in your crypto without open source.
Comsec is a swamp, quicksand, punji trap,
Which is it? A swamp is not all quicksand, and neither a swamp nor quicksand is a punji trap.
Communications security and data security are ill served by mixed metaphors and endless abbreviations.
and comsec experts are never trustworthy about each other or about systems.
Nobody is trustworthy. The whole point of someone like, say, Tim May, saying that something is a "trust me" level of security is to deride and ridicule trusting anyone with your security. (Was that Tim who said that about Safe-mail.net or was that someone else quoting Tim on another topic? Not that it matters.)
There is no royal road to geometry. There is no substitute for actually doing the math. There is no one but you that you can really trust. Which is okay.
Really, it is, John. It'll be okay. Calm down. Don't get all fussy. Finding market clearing prices is an intensely cooperative activity. People are very motivated to find these prices and clear markets. So, in part because of the fact that no one can trust anyone else, people find ways to cooperate actively to create, price, and clear markets.
The open source methodology, call it snakeoil,
Why call it snake oil? This metaphor isn't any better than the punji trap in quicksand in a swamp metaphor.
If you don't like open source crypto or open source software, why not propose some other methodology?
There is no other methodology that provides similar levels of scrutiny of code and math. The preceding methodology, of making a secret code and keeping it ultra-mega-top-letter-clearance-secret-word-clearance-burn-before-reading classified has been completely discredited. When you have a highly secure code, you will never know when it has been broken.
works well for the inexpert to gain a limited education,
Who would that inexpert be, John? Would he be the guy who stares out of your mirror when you shave? lol
but behind that stage the usual shit goes on.
Shit goes on all the time. LBJ and his cronies spent on the order of $2 trillion in today's dollars on the war in Southeast Asia, slaughtering about 7.9 million in dead and wounded, military and civilians, across all countries. So, for about a quarter million dollars in corruptly allocated profits, one person was horribly mutilated or killed to make the CIA and military death merchants happy.
If there is any good news about this shit that goes on, it is that somewhat closer to two million have been killed in Southwest Asia for about $3 trillion in today's dollars. So more like $1.5 million in death merchant profits and campaign contributions for GOP villains (and since 2006, Democrat villains, too) per horribly mutilated or killed victim.
Ain't efficiency grand?
Of course, the tricky part is the casualty figures. No body counts these days. It could be tens of millions of dead people, and we won't know until the empire falls and the archives are opened.
Keeping quiet about crypto cracks, holes, trojans, backdoors, is extremely rewarding.
For everyone? So, John Young works for the feral gummint on ways to keep secrets and slaughter young children in foreign countries, as well as babies in the USA. How rewarding is it, John?
Concealing deep faults with shallow ones is SOP.
Standard for whom? Operating procedures assume some sort of goal or outcome for operations. Different people have very different plans, goals, skills, and ethics.
I mean, clearly, you are the sort who would have no problem having the IRS come into a home, kill the family pets, rape the young children, put the adults in cages, seize all the records, and confiscate every asset. You want the IRS to do so for the benefit of your lofty goals of having trillions of dollars for corruptly allocated government contracts so that the CIA and the military can rape, torture, kill, and mutilate foreigners in an endless war.
Note that wide crypto use has become a stimulus to intercept, store forever (NSA policy), crack when possible and to continue trying to crack indefinitely (NSA policy), with successful deep cracks seldom revealed. "NSA policy" is that of deeply embedded contractors and researchers as well.
Yes, that's all terribly sweet. Build up your Library of Alexandria of data of every comment ever written by anyone ever. Build (with corruptly allocated contracts and dead taxpayer confiscated funds) your huge quantum computing apparatus to sift through all this data. Enjoy trying to figure out which e-mail address goes with which person.
At some stage you still have to have a human being apply it. Or manufacture it wholesale and assign it to someone innocent and insist that it has been in your database for years.
It is just like your archive of finger prints and DNA samples. You can now fabricate "evidence" that anyone was anywhere, with "irrefutable" evidence from your laboratories, cooked up before the crime and analysed after the crime, to frame anyone.
So what? Who cares?
What are you doing with all these abilities, all these technologies, all the money that you steal, all the lives you ruin?
Nothing much. Slaughtering a whole bunch of children to not much purpose.
Going to the stars, John? No, you aren't. Exploring the planets, John? Nope.
Spying on your neighbors, sure. Raping their children, sure. You and your government do a whole lot of that.
Bringing the resources of the Solar System to bear on the problems here on Earth? Nah, that would be a waste of your very important time. Arbeit macht frei, motherfucker.
Publicly-available encryption and other currently usable comsec protection are satisfactory for ordinary communications
Anyone who isn't using them for ordinary communication is a fool. Anyone who is communicating about actual criminal activity and thinks encryption is sufficient "cover" is a fool.
but not for more than that if you are up to extraordinary renditions, say, making a bundle peddling natsec-grade counter-threat assurances.
Well, gosh, Johnny, are you torturing people to death? Does that make your opinions about open source methodology more interesting, or less interesting, to ethical persons?
Yep, natsec-grade is what the telecoms and like critical infrastructure dealers claim they are providing. Nothing pays better.
And we all know that if it paid well enough, you would rape and torture your grandmother in front of your siblings, and then rape and torture and murder them all.
Thanks, John, for a trip inside the mind of a maniac.