Traceable Infrastructure is as vulnerable as traceable messages

Faustine a3495 at cotse.com
Sat Aug 11 15:50:46 PDT 2001


> Faustine:
>> > > I think it's dangerous and entirely to your disadvantage to 
>> > > dismiss everyone doing government work in computer security
>> > > as a donut-chomping incompetent Barney-Fife-clone
>> > > imbecile.
>> > > Anyone can laugh at the department heads on C-SPAN, but did
>> > > you ever stop to think about who's really doing the
>> > > hardcore research for the NSA at Ft. Meade--and elsewhere?
> James A. Donald:
>> > To judge by their most recent crypto ballsup, some donut
>> > chomping incompetents.
>> That's just as inaccurate as condemning everyone who ever worked
>> for Microsoft as clueless because of their corporate propensity
>> for security lapses. You wouldn't go that far, would you?
> Microsoft, as a whole, is incompetent at security.  All
> supposedly secure software coming out of Microsoft varies from
> poor to worthless.  Does anyone doubt it?   They take standard
> well known methods and make well known bungles in applying it and
> customizing it.

Sure, but that doesn't mean the individual people working there are 
incompetent. It's an institutional problem. 

 
> We do not get to see much of the spook output.  What we have seen
> in recent years is not good.

That's not by accident--they have zero incentive to show their true hand 
and every reason to hide it. For example, if someone from the NSA were to 
crack PGP, do you think they'd public-mindedly post the vulnerability on 
Bugtraq and have a big IRC coffee klatch to work on a fix? Hell no. There's 
no telling how many vulnerabilities in common software government security 
analysts found and kept secret. And the lousy thing is we all know it only 
takes one. 

Another one of their advantages is a fairly straightforward intelligence 
asymmetry: you have no clue as to who these people are and what they can 
do, whereas they can go over everything about you with a fine tooth comb at 
their leisure. People help them and don't even know it: the easiest way to 
get free security testing is to declare a government system secure, 
honeypot and fishbowl it to Kingdom Come, and wait for the free data to 
come rolling in from the too-smart-for-their-own-good suckers who can't 
wait to broadcast to the world exactly in excruciating detail how 
they "r00ted the Fedz". Everyone laughs and gloats at how insecure 
government systems are, but they didn't gain a thing, since all the truly 
interesting data was far, far away. And the veritable icing on the cake is 
that the feds turn around and use the very intrusions they invited as a 
tool to scare the Solid Citizens in Congress into allocating even more 
money and resources "to protect national security". Depressing. 


> During World War II the government sucked up all the best people
> from the open sector, and put them to work in the secret sector.
> For example most of the world's greatest scientists wound up hand
> making nuclear weapons.   However, one would expect, with the
> passage of time, that people who work in secret would suffer from
> Parkinson's law, and this appears to be happening.

Maybe. But some of those very same people are still around and sharper than 
ever. Never underestimate the old guys. 


> Microsoft produces crap security because most of their customers
> do not know any better.  Therefore NSA will produce crap security
> because their customers are forbidden to know any better. 

Well, I'm not ruling that out. But since none of us knows the first thing 
about what's happening behind the Silicon Curtain, that remains to be seen.

~Faustine.




