[cryptography] ICIJ's project - comment on cryptography & tools

ianG iang at iang.org
Mon Apr 8 05:30:23 PDT 2013 

On 7/04/13 09:38 AM, Nico Williams wrote:
> On Sat, Apr 6, 2013 at 6:34 AM, ianG <iang at iang.org> wrote:
>>> We hope the NSA types haven't forgotten that good guys
>>> need crypto, whether LEA like it or not.
>>
>> I personally believe that the NSA's policy that the good guys don't need
>> good crypto is the underlying root to the problem.  A goodly portion if not
>> all.
>>
>> Internally to the NSA this is known as 'the equity issue' or so I've heard.
>
> Well, it's like a pendulum.  As China and others make use of "cyber"
> warfare to fight wars by proxy the comsec folks will regain the upper
> hand at NSA.  Or so we should hope.  We can be secure in our comms and
> have a hard time eavesdropping on anyone or we can be insecure in our
> comms and have a hard time eavesdropping on anyone other than our own.
>   It's pretty obvious, no?  we need strong civilian crypto.


Yes, now.

I suspect going back say 20 years, pre-net, it wasn't so obvious, because 
the dependency on open nets just didn't exist.  See comment below about 
AT&T & IBM.  In those days, networking was telco business, a mentality 
which just happened to align nicely with control mentalities, which suited 
both swings of the pendulum.


> On the flip side, no amount of crypto can get one past certain
> fundamental issues in security.  How do you know your peer is who you
> think it is?  Crypto can't truly answer that, much less the question
> of whether they are doing as you wish.


Right -- but it can answer the question to a sufficient degree given an  
absence of interference in what is the right answer.  I posit.  C.f, Skype.


>> In economic terms, the NSA imposes a sort of tobin tax on crypto which
>> results in a stupidity drag on all security, thus making it easier for all
>> to avoid doing good work.
>>
>> Otherwise, I can't answer the question -- why as a society are we so good at
>> internets, databases, apps, social networks, distribution of institutions,
>> algorithms, all the good CS stuff, but we can't get our collective security
>> act together?
>
> Oh, well, we don't need to resort to conspiracy theories to answer
> _that_.


Delicious Irony!  Clearly my opinion is rather fruitloopy, but this  
'conspiracy theory' is enacted in law -- crypto is officially a munition.  
It's the job description of the agency of topic, which probably employs 
more computing security people than any other place. It's not as if Louis 
Freeh went to congress in the 1990s and said "Senators, I wish to engage 
you in a conspiracy!" although we might grant the DEA would wish it so.

What is perhaps controversial and maybe ridiculous is me saying that it  
worked.  The NSA succeeded in created a drag on internet security  
sufficient to explain the general failure -- the house of cards, as you  
put it.

OTOH, if they hadn't achieved that drag, was taxpayers' money really being 
used wisely?  What are all these security people doing, then? Another irony 
-- the trend for budget is firmly down;  maybe now's the time to reveal how 
they successfully they spent your money...


> We've built a house of cards, not so much on the Internet as
> on the web (but not only!).  Web application security is complete
> mess.  And anyways, we build on foundations, but the foundations
> (operating systems) we built on are now enormous and therefore full of
> vulnerabilities.  We're human -fallible-, and our systems reflect this
> -our failures-.


Yeah, this is the popular explanation -- we're not good enough.

Let me pose another thought question.  Most of the long termers here  
understand how Skype, SSH and now Bitcoin were constructed.  Peter adds  
iMessage to the list of successful crypto systems.

Many of us here could make a fair stab at duplicating that in another  
product.  I'd personally have confidence in that statement -- given the  
budget I'd reckon Steve, Jon, Peter, James, and a dozen other frequent  
posters could do that job well, or a similar one.

I therefore suggest the popular explanation doesn't really pass muster.  I 
say we really are good enough.

Why did they succeed, as an exception, but we did not, as the general rule?

The strange names and origins are a possible clue.  I suggest the same  
reason that a couple of bored scientists succeeded in creating a games  
platform that was then turned into a document preparation platform that  
then became a standard OS teaching tool and eventually by many steps is  
now in the hands of most of the planet:

     they did it without interference.



iang



PS: ok, that last comment about Unix requires some mental juggery.  The  
bored scientists did something that they were banned from doing.  At the  
time, AT&T was party to a cartel agreement with IBM that reserved  
computing to IBM and networking to AT&T.  How quaint!

This had perverse effect of turning Ritchie & Kerninghams' toy into a  
skunk works project, in effect allowing everyone to politely ignore it.  
Unix survived and grew within Bell Labs because AT&T could not  
commercialise it, and therefore the project was purely an academic  
exercise.  Hence, the corporate interference was untypically low to  
non-existent.  Hence, it grew in Universities only.
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list