(I've deleted the other list that was cc:ed here....) At 4:03 AM 8/17/95, Chuck McManis wrote:

This is the problem of using "physical" world analogies with the network. A similar argument that is posited is that "Sure its not 100% secure but its better than the carbons from a receipt (now gone) or people who don't shred their garbage." I respond that the network isn't the "real" world so the laws of physics don't apply. Someone in Boston MA is unlikely to fly into Sunnyvale to paw through my garbage, but it would be "trivial" for them to see my receipt go flashing by can throw some spare compute cycles at breaking it. A snooper/cracker program on a "spare" machine might yield a half dozen credit cards a week.

I agree. This has direct parallels to "physical eavesdropping" vs. "electronic eavesdropping." After all, one might argue, why bother with encrypting phone conversations when a physical bug could pick up the audio? As Whit Diffie has noted, the difference is one of ease of use. It is hard to plant physical bugs...and expensive, prone to error, etc. It would also be pretty obvious, eventually, if every office in a building were physically bugged, but it would be almost undetectable if the Northern Telecom PBX box in the basement was being tapped on the way out. Crypto with back doors is even easier for the wiretapper. Electronic surveillance and related technologies (packet sniffers are a form of surveillance) are cheap by comparison to physical surveillance. And the concentration of communication lines and systems makes ELINT and COMINT much cheaper _per target_ than HUMINT. Now I don't personally worry too much at this time about giving my VISA number over the phone, or even over the Net...I can always deny making an authorization and the CC companies will not charge me (assuming the goods ordered were not also shipped to my address). But the future lies with protecting electronic transactions against surveillance. The breaking of SSL in Netscape is not terribly important in and of itself, given the government-imposed limits on key size, and given the sorts of things now being encrypted (like VISA numbers). It gets more important as the types of things encrypted become more serious. At least now we know how people were "vanished" in that recent movie. --Tim May ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net (Got net?) | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway."