----- Forwarded message from Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> -----

Date: Sun, 08 Sep 2013 15:50:33 -0400
From: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>
To: nanog@nanog.org
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

With regards to the $10 snake oil security product versus the real one at $100: since the NSA can break both, they are both worth $0 in terms of privacy.
From a business/corporate point of view, there are two aspects:
1- Image: If your weak security has allowed a data breach to become public (such as TJ-Maxx), then you have damage to your image. But TJ-Maxx has survived, and the average person has forgotten about millions of credit card numbers having been stolen from its databases. If the NSA snoops on your systems to see what kind of underwear Osama Bin Laden buys and where he has them delivered, there is nothing your company can do about it. Either you don't know it is happening and the NSA will never make it public (no image problem), or you got a warrant and were forced to do it (some image problem, but you can say your hands were tied and shift blame to the NSA).

2- Real cost: If you're a bank, and someone intercepts a letter of credit or payment transaction to find out how much a corporate customer pays for widgets, that customer can sue you for breach of security/confidentiality (since its competitors now know what deal he has negotiated to buy those widgets). The lawsuit against the bank has real costs (not only lawyers, but settlement as well). It becomes easier to cost-justify security when you can put real costs to not having security.

So risk management is an important factor in both cases. BUT, when you get to the general public, the equation changes:

For the general public, a burglary is a good analogy. You can easily put a value to the stolen TV set and replace it. But this isn't what happens when the NSA spies on your private communications and you have no real measurable damage. The damage you get is akin to losing your family pictures, or the feeling of having been violated because someone came into your home and rummaged through all your personal stuff, and not knowing exactly what they will do with your personal items and why they stole them. Putting a value to this is next to impossible. Risk management becomes impossible, except at the political level.
If the NSA intercepts private emails between a husband and his mistress, the husband can't know if the NSA will ever use this against him. This fear remains because the NSA might hold on to these emails for a long time (or might not).

And at the political level, Obama made it clear in a recent speech that he hopes this will blow over and that he will be able to convince Americans that the NSA is doing good things. Their political staffers evaluated the risk that this might backfire and figured it wouldn't. This has nothing to do with selection of technology to guard against the NSA; it is all about political public opinion.

Here is what the politicians forget: because the economy is moving to the internet, losing trust in the internet is akin to losing trust in the banking system.

I am not sure network operators have much of a choice. Sure, someone like Bell Canada will hopefully review their no-peering policy in Canada (forcing so much traffic to route via the USA), but for other networks there isn't much they can do to prevent the NSA from accessing any/all data while in transit.

What is really needed is an intelligent debate by politicians on the need to preserve trust in the internet and whether preventing a couple of bombs is really worth the loss of trust and freedom due to implementation of measures worse than what "1984" predicted.

Since intelligent debate by politicians is impossible, the other way to change things is to seriously deprive any politician who supports excessive spying by the NSA of any money and chance to be re-elected. Imagine the good publicity AT&T and/or Verizon would get if they were to announce that they are ceasing all political contributions to any party or individual politician who supports the indiscriminate data collection done by the NSA. And this might be enough to tilt the table and get politicians to start to criticise the NSA and call for measures to limit its spying.
----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5