Re: Traceable Infrastructure is as vulnerable as traceable messages.
-- Faustine:
I think it's dangerous and entirely to your disadvantage to dismiss everyone doing government work in computer security as a donut-chomping incompetent Barney-Fife-clone imbecile.
Anyone can laugh at the department heads on C-SPAN, but did you ever stop to think about who's really doing the hardcore research for the NSA at Ft. Meade--and elsewhere?
James A. Donald:
To judge by their most recent crypto ballsup, some donut chomping incompetents.
Faustine:
That's just as inaccurate as condemning everyone who ever worked for Microsoft as clueless because of their corporate propensity for security lapses. You wouldn't go that far, would you?
Microsoft, as a whole, is incompetent at security. All supposedly secure software coming out of Microsoft varies from poor to worthless. Does anyone doubt it? They take standard well known methods and make well known bungles in applying it and customizing it.
We do not get to see much of the spook output. What we have seen in recent years is not good.
During World War II the government sucked up all the best people from the open sector, and put them to work in the secret sector. For example most of the world's greatest scientists wound up hand making nuclear weapons. However, one would expect, with the passage of time, that people who work in secret would suffer from Parkinson's law, and this appears to be happening.
I know of an old-school NSA red teamer who's been teaching programming and engineering since before either one of us was born. An honest-to-god mathematical genius. Some of those old wizards could teach us all a thing or two. But whether the donut-chomping incompetents have the upper hand is anyone's guess. I wouldn't bet on it in the long run.
I would bet on it in the long run. It is inherent in the nature of government. Without the market weeding out the unfit and pressuring everyone for excellence, bureaucracies unavoidably decay for well known reasons. Microsoft produces crap security because most of their customers do not know any better. Therefore NSA will produce crap security because their customers are forbidden to know any better.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
FwLinDdmbEa6PhxFDMsPXCIlj97FlY1YpxKNR3KV
4FBpZ7okXglgl5/19J96vLLEaPc1wi1VxGVTGCRJf
I think it's dangerous and entirely to your disadvantage to dismiss everyone doing government work in computer security as a donut-chomping incompetent Barney-Fife-clone imbecile. Anyone can laugh at the department heads on C-SPAN, but did you ever stop to think about who's really doing the hardcore research for the NSA at Ft. Meade--and elsewhere?
James A. Donald:
To judge by their most recent crypto ballsup, some donut chomping incompetents.
That's just as inaccurate as condemning everyone who ever worked for Microsoft as clueless because of their corporate propensity for security lapses. You wouldn't go that far, would you?
Microsoft, as a whole, is incompetent at security. All supposedly secure software coming out of Microsoft varies from poor to worthless. Does anyone doubt it? They take standard well known methods and make well known bungles in applying it and customizing it.
Faustine:
Sure, but that doesn't mean the individual people working there are incompetent. It's an institutional problem.
We do not get to see much of the spook output. What we have seen in recent years is not good.
That's not by accident--they have zero incentive to show their true hand and every reason to hide it. For example, if someone from the NSA were to crack PGP, do you think they'd public-mindedly post the vulnerability on Bugtraq and have a big IRC coffee klatch to work on a fix? Hell no. There's no telling how many vulnerabilities in common software government security analysts found and kept secret. And the lousy thing is we all know it only takes one. Another one of their advantages is a fairly straightforward intelligence asymmetry: you have no clue as to who these people are and what they can do, whereas they can go over everything about you with a fine tooth comb at their leisure. People help them and don't even know it: the easiest way to get free security testing is to declare a government system secure, honeypot and fishbowl it to Kingdom Come, and wait for the free data to come rolling in from the too-smart-for-their-own-good suckers who can't wait to broadcast to the world exactly in excruciating detail how they "r00ted the Fedz". Everyone laughs and gloats at how insecure government systems are, but they didn't gain a thing, since all the truly interesting data was far, far away. And the veritable icing on the cake is that the feds turn around and use the very intrusions they invited as a tool to scare the Solid Citizens in Congress into allocating even more money and resources "to protect national security". Depressing.
During World War II the government sucked up all the best people from the open sector, and put them to work in the secret sector. For example most of the world's greatest scientists wound up hand making nuclear weapons. However, one would expect, with the passage of time, that people who work in secret would suffer from Parkinson's law, and this appears to be happening.
Maybe. But some of those very same people are still around and sharper than ever. Never underestimate the old guys.
Microsoft produces crap security because most of their customers do not know any better. Therefore NSA will produce crap security because their customers are forbidden to know any better.
Well, I'm not ruling that out. But since none of us knows the first thing about what's happening behind the Silicon Curtain, that remains to be seen. ~Faustine.
On Sat, Aug 11, 2001 at 04:49:26AM -0700, jamesd@echeque.com wrote:
I would bet on it in the long run. It is inherent in the nature of government. Without the market weeding out the unfit and pressuring everyone for excellence, bureaucracies unavoidably decay for well known reasons.
In the long run, perhaps. But it is dangerous to underestimate the strength and determination of an adversary that has perhaps $1 trillion (in the U.S. alone) in resources to draw on. Dying elephants can cause violent disruptions on their way down. -Declan
participants (3): Declan McCullagh, Faustine, jamesd@echeque.com