crypto for porno users

Ed Carp [khijol SysAdmin] khijol!erc at cygnus.com
Thu Nov 23 14:13:43 PST 1995


-----BEGIN PGP SIGNED MESSAGE-----

> Strong authentication via crypto does not create a trusted group.  Trust is
> a human:human decision -- subject to severe flaws, none of which are solved
> by crypto.  [Can you devise a crypto protocol which will prevent or even
> just detect adultery, for example?]  With each additional person, there is
> a probability of deception.  For this informal network of yours, deception
> by any one participant constitutes a security failure.  If you want to
> avoid that, therefore, you need to keep the group *very small*.  If it's
> that small, then it's not that interesting a target for LE.

Very true.  Authentication, whether strong or weak, merely says that you are who you say you are -
totally different from this "web of trust" I keep hearing about - and that is *it*.  Do you trust me
any more now than before I started signing my postings? 

> Ah -- but that's the point I was making.  Crypto gives the appearance of
> security -- whether it's in the informal network or with file storage.
> It's often a bank vault door on a cardboard house.  For much of what people
> do, especially if there's a large net, it's not rational to expect to
> achieve security.  But -- if people have done something to achieve
> security, they're likely to be fooled into trusting it to be adequate.
> 
> Meanwhile, if *everything* on the perp's machine is encrypted, you're
> probably in good shape.  That means he'll be required to type passwords too
> often -- so he'll either pick a small one or have some machinery which
> stores the password.  Both give cryptanalytic advantages.

It's well-known that most revelations of encrypted information come from "humint", not from 
mathematical finesse with the encryption scheme.  I especially love Oracle's idea of security - when 
submitting SQL to the Oracle back-end, to automate the process, you feed it your user ID and 
password IN THE CLEAR, ON THE COMMAND LINE.  Any weenie can run "ps -ef/ps -ax" and pipe it to 
grep.  The fact that Larry Ellison won't do anything about it seems to me to be idiocy of the first 
order, and that Oracle doesn't know what it's doing.  It's not even a good database product.  Deity 
only knows why people keep buying it, although that's rather off-topic ;)
- --
Ed Carp, N7EKG    			Ed.Carp at linux.org, ecarp at netcom.com
					214/993-3935	voicemail/pager
Finger ecarp at netcom.com for PGP 2.5 public key		an88744 at anon.penet.fi

Q.	What's the trouble with writing an MS-DOS program to emulate Clinton?
A.	Figuring out what to do with the other 639K of memory.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMLTuOyS9AwzY9LDxAQEuWAP9EU0LgHHAFQgpR+h2D/u9oZmNR3I2z7Cm
qsEZr0Iy84Cu7fH5vIvy5waDx3OZC+Gc1Z2kFydebxl09rTrY88rYIj0Ezp3Mqjk
25oqSlKoDMJNYC2W6cfhVAx6VBDnuExMi4H/R/8pTUepNSBMyc9z0nG0ivkCbTBz
AQd1jcI3lPU=
=Fvaf
-----END PGP SIGNATURE-----
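The exposure Ed describes above (a database password handed to a client on its command line, where any local user can read it out of the process table) is easy to check for and easy to avoid. The following Python script is an added example, not code from the original post or from Oracle: it scans `ps`-style output for credentials in process arguments, reporting each hit with the secret redacted, and shows one way to keep a password off argv by starting `sqlplus /nolog` and issuing `CONNECT` on standard input. The process listing below is constructed for the example, and the argument patterns are heuristics (assumed common conventions, not an exhaustive list).

```python
"""Added example: detect credentials exposed on process command lines
(visible to any local user via `ps`) and build an invocation that avoids it.
The sample `ps` output is constructed; it does not describe real processes."""
import re
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,user,args` output (not real processes).
SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND
  812 oracle   sqlplus scott/tiger@prod @nightly_report.sql
  913 alice    mysql -u alice -pS3cret! inventory
 1044 bob      psql --password=hunter2 -h db.internal app
 1201 carol    curl -u carol:letmein https://api.internal/status
 1333 dave     vim notes.txt
 1402 erin     sqlplus /nolog
 1500 frank    mysql -u frank -p inventory
"""

# Heuristic patterns; the LAST capture group in each is the secret to redact.
# A bare "-p" with no attached value (mysql prompts for it) is deliberately
# not matched, and "sqlplus /nolog" carries no password, so neither is flagged.
PATTERNS = [
    ("sqlplus user/password[@db] on argv",
     re.compile(r"\bsqlplus\b.*?\s(\w+)/([^@\s]+)")),
    ("--password=<value> on argv", re.compile(r"--password=(\S+)")),
    ("-p<value> attached to the flag", re.compile(r"(?<=\s)-p(\S+)")),
    ("curl -u user:password on argv",
     re.compile(r"\bcurl\b.*?\s-u\s+(\S+):(\S+)")),
]


@dataclass
class Finding:
    pid: int
    user: str
    rule: str
    redacted_command: str  # the command with the secret replaced by ***


def scan_ps_output(text):
    """Return one Finding per process whose arguments carry a credential."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the PID/USER/COMMAND header
        parts = line.split(None, 2)             # pid, user, full command string
        if len(parts) < 3:
            continue
        pid, user, command = parts
        for name, pattern in PATTERNS:
            match = pattern.search(command)
            if match:
                start, end = match.span(match.lastindex)
                redacted = command[:start] + "***" + command[end:]
                findings.append(Finding(int(pid), user, name, redacted))
                break                           # one report per process is enough
    return findings


def sqlplus_without_argv_password(user, connect_id, password):
    """Return (argv, stdin_text) that keep the password out of the process
    table: start sqlplus with /nolog and send CONNECT on standard input,
    which `ps` does not show.  (Assumed usage pattern for this example.)"""
    argv = ["sqlplus", "/nolog"]
    stdin_text = f"CONNECT {user}/{password}@{connect_id}\n"
    return argv, stdin_text


if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS_OUTPUT):
        print(f"pid {f.pid:>5} user {f.user:<8} {f.rule}: {f.redacted_command}")
    argv, script = sqlplus_without_argv_password("scott", "prod", "tiger")
    print("safe argv:", " ".join(argv), "| password travels on stdin only")
```

On a real host the scanner would read `ps -eo pid,user,args` output instead of the embedded sample; it deliberately never prints the secret it found, so its own output is safe to log. The mitigation half only moves the secret from argv to stdin; the password still has to live somewhere (a mode-0600 file, an agent, or a prompt), which is exactly the trade-off the quoted post raises.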