[cryptography] To Protect and Infect Slides

Wed Jan 8 14:49:01 PST 2014

Thanks. We posted the Wassenaar changes on Cryptome
on December 19.

http://cryptome.org/2013/12/wassenaar-intrusion.htm

http://cryptome.org/2013/12/wassenaar-list-13-1204.pdf

The intrusion software has received some but not sufficient
attention. And beyond the sections you cite there are many
covering other technologies which interrelate and affect crypto.
Those have received even less attention, at least in crypto
world as far as we have seen.

The means to transceive crypto continue to be its Achilles
heel and appear headed toward crippling the whole body -- the
bubble in which crypto exists precariously dependent on
sophisticated support systems which, as seen in the Snowden
minimal releases, have overwhelmed public crypto security, not
least by leaving the impression public crypto was highly effective.

More attention to the support system presumably will be given
as the Snowden releases recommence, now dead stopped.
Greenwald claimed recently  that cryptographers and other
techies are now reviewing the material, much of which is
beyond the capabilities of journalists, lawyers and politicians.

The stumbling block of comprehensive Snowden disclosures
is that to do so, allegedly, could severely damage national security.
Uh oh, that terrible aroma of complicity to protect secrets
too dangerous for the public to know. Instead a few select experts
are allowed to perfomr dual-hat assessments. Which is what has led
to the current imbroglio of public and expert distrust: who watches
the dual-hat experts who operate under the cloak of secrecy.

At 04:38 PM 1/8/2014, you wrote:

>Keying off of one phrase alone,
>
>  > This combat is about far more than crypto...
>
>I suggest you immediately familiarize yourself with last month's
>changes to the Wassenaar Agreement, perhaps starting here:
>
>http://oti.newamerica.net/blogposts/2013/international_agreement_reached_controlling_export_of_mass_and_intrusive_surveillance
>
>Precis: Two new classes of export prohibited software:
>
>Intrusion software
>
>     "Software" specially designed or modified to avoid detection
>     by 'monitoring tools', or to defeat 'protective countermeasures',
>     of a computer or network capable device, and performing any of
>     the following:
>
>     a. The extraction of data or information, from a computer or
>     network capable device, or the modification of system or user
>     data; or
>
>     b. The modification of the standard execution path of a program
>     or process in order to allow the execution of externally provided
>     instructions.
>
>IP network surveillance systems
>
>     5. A. 1. j. IP network communications surveillance systems or
>     equipment, and specially designed components therefor, having
>     all of the following:
>
>     1. Performing all of the following on a carrier class IP network
>     (e.g., national grade IP backbone):
>
>     a. Analysis at the application layer (e.g., Layer 7 of Open
>     Systems Interconnection (OSI) model (ISO/IEC 7498-1));
>
>     b. Extraction of selected metadata and application content
>     (e.g., voice, video, messages, attachments); and
>
>     c. Indexing of extracted data; and
>
>     2. Being specially designed to carry out all of the following:
>
>     a. Execution of searches on the basis of 'hard selectors'; and
>
>     b. Mapping of the relational network of an individual or of a
>     group of people.
>
>
>All the same arguments that applied exportation bans for crypto
>software apply here, especially that of pointlessness.
>
>--dan
>
>[ Software doesn't spy on people; people spy on people ]