Internet is rickety
See my editorial: http://www.mercurycenter.com/premium/business/docs/hotbutton09.htm

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
cool editorial, but where do you get in the mandatory plug for strong crypto? everyone here agrees (and points out to everyone willing to listen) that the internet would be much more secure if we had good crypto. if the internet is insecure, blame the real source of the problem: the multibillion dollar NSA that has a vested interest in keeping the world technology weak.. makes ya wonder-- are they the only parasitical govt agency or business that has an interest in keeping its host weak, without killing it?
On Tue, 11 Aug 1998, Vladimir Z. Nuri wrote:
if the internet is insecure, blame the real source of the problem: the multibillion dollar NSA that has a vested interest in keeping the world technology weak..
This is absurd. The internet would be insecure even with strong crypto. Certainly, good crypto would plug up some holes but general internet technology is full of cracks. All the crypto in the universe won't stop a buffer overflow in your mail program, or 1000's of nested tags from crashing your browser in a DoS. NSA has nothing to do with bad programming practices. Crypto is not the end-all-be-all in overall security. Encrypting your mail does you little good if I can read the plaintext off of your hard drive. Crypto is one piece of a secure system, and in some cases it may be the smallest piece. I don't support export restrictions any more than anyone else who is likely to be on cypherpunks .. but laying all the evils in the universe at NSA's door is a wee bit irresponsible.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"..subordination of one sex to the other is wrong in itself, and now one of the chief hindrances to human improvement.."
John Stuart Mill "The Subjection of Women"
MG: you will find most people here will disagree with you. cyberspace is very, very weak without crypto. when you think about it, 98% of cyberspace is the "stuff between the wires". the other 2% are the people on each end. now, crypto protects the 98%, but agreed, the 2% is still vulnerable.
Certainly, good crypto would plug up some holes but general internet technology is full of cracks. All the crypto in the universe won't stop a buffer overflow in your mail program, or 1000's of nested tags from crashing your browser in a DoS.
this is nothing anyone cares about in the cyberspatial world. these are things that happen outside of cyberspace. the bigtime issue is internet commerce, security of your mail. how about if someone reads your mail to steal your money?
I don't support export restrictions any more than anyone else who is likely to be on cypherpunks .. but laying all the evils in the universe at NSA's door is a wee bit irresponsible.
no, I'd say it's downright patriotic <g> p.s.-- can you quote to me how many billions go to the nsa every year? and would you care to calculate how much of your own salary from your paycheck is sent to them? and you think you are getting your money's worth? rather than paying someone to hold you down?
On Tue, 11 Aug 1998, Vladimir Z. Nuri wrote:
you will find most people here will disagree with you. cyberspace is very, very weak without crypto. when you think about it, 98% of cyberspace is the "stuff between the wires". the other 2% are the people on each end. now, crypto protects the 98%, but agreed, the 2% is still vulnerable.
I never said that the internet would be great without crypto. Crypto is needed. As long as we are quoting percentages, "87% of statistics is made up on the fly." Seriously, protecting the internet entails more than securing data transmission, as you imply. Explain to me the difference between having a broken web browser that is vulnerable to a buffer overflow attack, and a broken browser that implements snake-oil crypto? In both cases we need better programs on the user's end. The ends of the communication link define the communication itself. You can't protect the middle without modifying the ends.
Certainly, good crypto would plug up some holes but general internet technology is full of cracks. All the crypto in the universe won't stop a buffer overflow in your mail program, or 1000's of nested tags from crashing your browser in a DoS.
this is nothing anyone cares about in the cyberspatial world.
You're right about that.. and that is _exactly_ the problem. As I see it, the primary function of the internet is to communicate, to exchange information. As such, any security we talk about is going to be information security. A secure information system not only keeps unauthorized users out, but it must insure that authorized users can get to the information when they need it. This means that DoS attacks are part of our security concerns, just as much as crypto is in keeping the transmission secret, and authorization is to keep unwanted people out of the loop.
these are things that happen outside of cyberspace.
I'm not exactly sure what 'cyberspace' is, anyhow.. so I'm just going to ignore this. It sounds like you mean to tell me that the internet is just a bunch of wires.. that the only security issues the internet faces are in the area of data transmission. This is false. Encryption prevents eavesdropping, yes. This is the only area that NSA regulates. In reality, the internet faces other, more fundamental problems as well. The idea of using crypto to fix a problem such as TCP/IP hijacking is bizarre to me. This is not the optimal solution, and everyone knows it. It _is_ however, the best practical solution. Pure encryption (i.e., confidentiality) is not needed for this. A MAC will suffice. Internet security runs far deeper than confidentiality.
the bigtime issue is internet commerce, security of your mail. how about if someone reads your mail to steal your money?
In my opinion commerce over the internet is insane. Period. Let me say it again: commerce over the internet is insane. Even if Uncle Sam let us use any crypto we like with any key size, it is still insane. There are too many problems with the fundamental network structure. Confidentiality doesn't help us here. Let's be factual: NSA doesn't regulate authentication technology and most of what we need to fix these problems is secure authentication, not confidentiality. You brought up email. We have secure email: PGP. So does the rest of the world. Confidential email is available. Does NSA like it? They certainly don't like the theory. They probably don't like us using the algorithms. If, by "strong crypto" you mean any cryptographic technology used for authentication, confidentiality, or otherwise then I must agree with you. But no one regulates this.. they only regulate a subset of this. It happens to be a subset that I like, but it is not _the_ most vital thing needed for securing the internet. It is not necessarily even the most important thing for e-commerce.
p.s.-- can you quote to me how many billions go to the nsa every year? and would you care to calculate how much of your own salary from your paycheck is sent to them? and you think you are getting your money's worth? rather than paying someone to hold you down?
This is irrelevant for me: I don't pay income tax. Even if I did, I can't say whether or not I am getting my money's worth, because I do not know what NSA is capable of. If NSA can factor 2048 bit numbers easily or other such things, then yes.. I would say I am getting my money's worth.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"..subordination of one sex to the other is wrong in itself, and now one of the chief hindrances to human improvement.."
John Stuart Mill "The Subjection of Women"
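Added example, not part of the original thread: the reply above says that stopping session hijacking needs authentication rather than confidentiality, and that a MAC will suffice. The sketch below sends payloads in plaintext but tags each frame with HMAC-SHA256 over a sequence number and the payload; the framing, the key and all function names are assumptions made for this illustration, not any real protocol.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte sequence number || plaintext payload || MAC tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its tag verifies and it is the next in sequence."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered in transit
        (seq,) = struct.unpack(">Q", header)
        if seq != self.next_seq:
            return None  # replayed or out of order
        self.next_seq += 1
        return payload

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    rx = Receiver(key)
    f0 = seal(key, 0, b"BALANCE?")
    f1 = seal(key, 1, b"TRANSFER 10")
    results = {"genuine": rx.accept(f0)}
    # A third party without the key can read the plaintext but cannot tag a frame.
    injected = struct.pack(">Q", 1) + b"TRANSFER 1000" + bytes(TAG_LEN)
    results["injected"] = rx.accept(injected)
    # Altering the payload of a genuine frame invalidates its tag.
    results["tampered"] = rx.accept(f1[:8] + b"TRANSFER 99" + f1[-TAG_LEN:])
    # Resending an earlier valid frame fails the sequence check.
    results["replayed"] = rx.accept(f0)
    results["next_genuine"] = rx.accept(f1)
    return results

if __name__ == "__main__":
    print(demo())
```

The payload stays readable on the wire, which is the point being made: integrity and origin are protected without any confidentiality.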
MG: it's a question: do you implement security top down, or bottom up? which is the top? the internet, or the computer? it's very taoist-- I don't think there is a correct answer. I do think however that crypto *everywhere* over the internet is a major part of the solution. and yes, NSA is not fully responsible for the lack of it. the patent system & greed is involved in some of the deficiency. but the NSA is responsible for far more than most people realize. are you aware they regularly visit software companies developing crypto to squelch any innovation? basically, through bribes that they call "grants" or "purchase agreements"... you're against commerce on the internet? what are you, a luddite? <g> seriously, I don't have much to say to you, if you oppose it. the internet is already the backbone of a new economy. crypto will help secure it further. ask Ian Goldberg!
Let's be factual: NSA doesn't regulate authentication technology and most of what we need to fix these problems is secure authentication, not confidentiality.
it's an artificial distinction. it's all crypto. standing in front of any of it is standing in front of all of it. the NSA doesn't lead, they block. get out of the way!! you say, a taxpayer of the US should consider himself "getting his money's worth" out of the NSA if the NSA can crack 2048 bit keys. well hee, hee. that's pretty funny. what if they find the bazillionth prime number? would you be getting your money's worth then too? it's the same technology, no? death to the NSA leeches!!! the US taxpayers have been submitting to government-originated *bloodletting* for too long
On Tue, 11 Aug 1998, Vladimir Z. Nuri wrote:
MG: it's a question: do you implement security top down, or bottom up? which is the top? the internet, or the computer?
it's very taoist-- I don't think there is a correct answer.
The answer depends very much on what your goals are.
I do think however that crypto *everywhere* over the internet is a major part of the solution. and yes, NSA is not fully responsible for the lack of it. the patent system & greed is involved in some of the deficiency. but the NSA is responsible for far more than most people realize. are you aware they regularly visit software companies developing crypto to squelch any innovation? basically, through bribes that they call "grants" or "purchase agreements"...
I am aware of the allegations, yes. I would not be surprised if they use this tactic. If I were in their position, and my job were to at least try to read every message sent by every foreign government, especially those under crypto, I suspect I would try very hard to limit the amount of strong crypto that these governments have. This may mean limiting the amount of crypto that the citizens of the U.S. have. So be it then. The NSA does not have the job of ensuring unbreakable kick-ass privacy and crypto to the public. Their job is to read the Other Guy's messages, and to make sure the Other Guy can't read Uncle Sam's messages. We speculate that they do both reasonably well. I am reminded of the cypherpunk's charter. We have to create privacy for ourselves. We can't expect others to not get in our way or to help us out. This is reality.
you're against commerce on the internet? what are you, a luddite? <g> seriously, I don't have much to say to you, if you oppose it. the internet is already the backbone of a new economy.
Then you have little to say to me. I do not see the wisdom in running commerce over a shit-box communication system like our internet is. The technology sucks. The protocols suck. The implementation of those protocols sucks even more.
crypto will help secure it further.
This implies that it is not secure now, yes? Why the hell would you run commerce over something that you know is fundamentally flawed? It lacks wisdom.
Let's be factual: NSA doesn't regulate authentication technology and most of what we need to fix these problems is secure authentication, not confidentiality.
it's an artificial distinction. it's all crypto. standing in front of any of it is standing in front of all of it. the NSA doesn't lead, they block. get out of the way!!
Right. Whatever. So then I suspect that you support any jackass running around with a duffel full of C4 then, right? After all .. it's all technology. Science is pure; technology is using science as a means to an end. That end defines whether or not we are talking about a psycho with a bunch of C4 or a responsible civil engineer preparing to take down a building in a controlled fashion. This is not to imply that crypto is like C4 .. it isn't .. however we must remember that while the mathematics of crypto are pure, we can use that basis for a variety of things. One of them is authentication, the other is confidentiality. The FBI has no problems with the engineer having dynamite out on the street, but they will get really pissed if it is some average Joe. The NSA doesn't care about Americans using strong crypto (presumably) and they don't care about foreigners using authentication technology. This 'artificial distinction' is a very real one.. it is the difference between a terrorist authenticating himself as a terrorist or keeping the fact that he is a terrorist (and his next target) a secret. I am not claiming that I think misuse of crypto is a legitimate reason to bottle it up, but one must be reasonable and look at it from NSA's perspective.
you say, a taxpayer of the US should consider himself "getting his money's worth" out of the NSA if the NSA can crack 2048 bit keys. well hee, hee. that's pretty funny. what if they find the bazillionth prime number? would you be getting your money's worth then too? it's the same technology, no?
If the NSA is so far ahead of the general public in mathematics, then yes.. considering that the NSA's job is to break crypto, we should feel that we are getting our money's worth. Now, whether or not we want to spend our money on that in the first place is a different story. Selling me a champion racehorse for $1 is a damn good deal, and it is worth the money.. but I don't have much use for a horse.
death to the NSA leeches!!! the US taxpayers have been submitting to government-originated *bloodletting* for too long
Then don't pay taxes. It is a rather simple fix. I don't like big government much myself, but I'll be damned if I am going to piss and moan and claim that it is the root of our evils. It isn't .. rather, our evils give birth to such monstrosities in the first place.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"Let your life be a counter-friction to stop the machine."
Henry David Thoreau "Civil Disobedience"
participants (3)
- Bruce Schneier
- mgraffam@mhv.net
- Vladimir Z. Nuri