RE: sounds just like the snitch you are [was] RE: engineering infowar disasters

Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
Attila T Hun <attila@primenet.com> writes:
I never promised any saboteur that I would keep any secret of theirs. I have worked with law enforcement and the security services for many years. If I catch someone damaging my property or property I am responsible for I call the authorities.
You know, Phill, life is not black and white.
Let's say for the sake of argument that you are admin for a system which is based on the security of MD4. Then along comes Bosselaers and co, and trashes it. You going to call for him to be locked up?
How about if someone then uses this new cryptanalysis to write some code which demonstrates the weakness... do you figure they should be locked up for demonstrating the flaw? (Note they haven't gone within a mile of your precious systems).
How about if some cypherpunks used this code to demonstrate that they could decrypt something which was encrypted by a webserver running on a machine you are admin for. Should these cypherpunks also be locked up?
This is not what was proposed at all however. Demonstrating security flaws is one thing, exploiting the flaws for malice is quite another. It is the difference between Ralph Nader demonstrating that the Pinto is "unsafe at any speed" and buying one for your elderly aunt who has promised you that inheritance.
I can assure you that Kerckhoffs' principle applies doubly to infowar attacks, a hostile foreign government is hardly going to be cowed by your suggestion that you will call the feds if anyone breaks anything you've got anything to do with. I can see it now, Saddam Hussein's hired system-crackers, his infowar attack team, will really be quaking in their boots, "better not trash US internet infrastructure -- that brit Phill Hallam-Barker guy will narc us out".
That is a deliberate misrepresentation of what I said. I was pointing out that *anybody* on the list who is responsible for a system is going to want a conviction if they are attacked.
I believe that people who do bad things should go to prison.
Personally I would rather see murderers and rapists locked up than teenage recreational crackers who go around breaking into poorly maintained systems for the challenge, but break nothing.
I believe the opposite. So would you if you had had my experience. Even if you know that the system is secure and you have the perp under 24 hour surveillance by top people you are going to worry like hell. One of the people I advised during an incident likened it to rape. I don't think this is too far-fetched. There are many hackers who see their machine as an extension of the self. The anonymity of the net cuts both ways. You don't know whether it's Saddam's storm troopers or teenage shit unless and until you get a collar.
I'm kind of wondering if _you_ as the security person who was responsible for security at the site, feel no responsibility to secure your systems. ("Oh don't worry about security, if anyone breaks in we'll call the feds").
I'm interested in security at every level, including severe reprisals.
I would hardly describe a bit of cryptanalysis of infowar risks as the work of `anarchist thugs'.
Neither did I. Discovering weaknesses is OK. Exploiting them is NOT.
Applying said cryptanalysis to in practice take out root DNS might not be such a friendly thing though. But hey, if someone does it, the real people to blame are Freeh and co for hindering use of crypto techniques to protect the infrastructure.
Not in that case. DNS security is taking time to adopt because that sort of thing just does. That is an authentication problem and there has not been a problem. Heck the NSA even published the DSS. Be exact, not every security problem can be blamed on the Feds. If you aren't careful you will end up like Kitty Kelley who when I spoke with her yesterday began with the lie that truth is not a defense in British libel law (wasn't in 1776, has been an absolute defense since 1850 or so) then mixed up Australia and Argentina. Like you have to make sure the points are accurate.
People depend on infrastructure. Lives depend on it.
If people are depending on the internet for mission critical information, of the sort where people will die quickly if information isn't getting through, they need their heads examining. If they have been advised to use the internet for this kind of information they need to get better advice.
The assumption that the Internet and the telephone system are somehow entirely disjoint when it comes to Infowar is a somewhat naive one. The fact is that the telephone system is just as prone to attack, much more likely to use security through obscurity and so on than the Internet.
If people screw it up someone is likely to be killed. Freeh will have a party. Indeed it's the sort of thing Nixon might have done on purpose to take advantage of the backlash.
Uhh... could you explain the logic there a bit please?
Don't think for a moment that if Joe Cypherpunk screws up the national power grid that that means cryptography rights for all. All it means is that Freeh is going to demand and get a blank cheque to eliminate crypto to match the blank cheque to eliminate drugs. One of the strategies Nixon's plumbers used was to deliberately sabotage their own rallies so that they could claim the violence came from the anti-war movement. Don't imagine that because something makes no sense US politicians won't insist on it. They voted for prohibition, they spend $40 billion on failed drug interdiction policies and they won't stop at giving Freeh $5 billion to suppress crypto. The symbol of the US government should be changed to a B2 bomber, hugely expensive ($1.5 billion and counting), with no remaining strategic role (Pentagon, RAND, Air Force Chief of Staff statements), can't be used in the rain (CNN reports) and visible on Marconi-UK built radar. US Congress is insisting on building 20 more despite statements from DoD they just don't want them.

Phill