
To: Ivan Krstic <ccikrs1@cranbrook.edu>
Cc: Metzdowd Crypto <cryptography@metzdowd.com>
Subject: Re: Bank transfer via quantum crypto
Sender: owner-cryptography@metzdowd.com

Ivan Krstic wrote:
> I have to agree with Perry on this one: I simply can't see a compelling reason for the push currently being given to ridiculously overpriced implementations of what started off as a lab toy, and what offers - in all seriousness - almost no practical benefits over the proper use of conventional techniques.

You are looking at QC from a scientific perspective. What is happening is not scientific, but business. There are a few background issues that need to be brought into focus.

1) The QC business is concentrated in the finance industry, not national security. Most of the fiber runs are within range. 10 miles not 100.

2) Within the finance industry, the security of links is done majorly by using private lines. Put in a private line, and call it secure because only the operator can listen in to it.

3) This model has broken down somewhat due to the arisal of open market net carriers, open colos, etc. So, even though the mindset of "private telco line is secure" is still prevalent, the access to those lines is much wider than thought.

4) There is eavesdropping going on. This is clear, although it is difficult to find confirmable evidence on it or any stats:

"Security forces in the US discovered an illegally installed fiber eavesdropping device in Verizon's optical network. It was placed at a mutual fund company ..shortly before the release of their quarterly numbers" Wolf Report March, 2003

(some PDF that google knows about.) These things are known as vampire taps. Anecdotal evidence suggests that it is widespread, if not exactly rampant. That is, there are dozens or maybe hundreds of people capable of setting up vampire taps. And, this would suggest maybe dozens or hundreds of taps in place. The vampires are not exactly cooperating with hard information, of course.

5) What's in it for them? That part is all too clear. The vampire taps are placed on funds managers to see what they are up to. When the vulnerabilities are revealed over the fibre, the attacker can put in trades that take advantage. In such a case, the profit from each single trade might be in the order of a million (plus or minus a wide range).

6) I have not as yet seen any suggestion that an *active* attack is taking place on the fibres; so far, this is simply a listening attack. The use of the information happens elsewhere, some batch of trades gets initiated over other means.

7) Finally, another thing to bear in mind is that the mutual funds industry is going through what is likely to be the biggest scandal ever. Fines to date are at 1.7bn, and it's only just started. This is bigger than S&L, and LTCM, but as the press does not understand it, they have not presented it as such. The suggested assumption to draw from this is that the mutual funds are *easy* to game, and are being gamed in very many and various fashions. A vampire tap is just one way amongst many that are going on.

So, in the presence of quite open use of open lines, and in the presence of quite frequent attacking on mutual funds and the like in order to game their systems (endemic), the question has arisen how to secure the lines. Hence, quantum cryptography.

Cryptographers and engineers will recognise that this is a pure FUD play. But, QC is cool, and only cool sells. The business circumstances are ripe for a big cool play that eases the fears of funds that their info is being collected with impunity. It shows them doing something.

Where we are now is the start of a new hype cycle. This is to be expected, as the prior hype cycle(s) have passed. PKI has flopped and is now known in the customer base (finance industry and government) as a disaster. But, these same customers are desperate for solutions, and as always are vulnerable to a sales pitch.

QC is a technology whose time has come. Expect it to get bigger and bigger for several years, before companies work it out, and it becomes the same disputed, angry white elephant that PKI is now.

If anyone is interested in a business idea, now is the time to start building boxes that do "just like QC but in software at half the price." And wait for the bubble to burst.

iang

PS: Points 1-7 are correct AFAIK. Conclusions, beyond those points, are just how I see it, IMHO.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Participants (1): Ian Grigg