črypto is finished... and it's about time × (also: 'Balrog' malnet, firsthand view)

Steve Kinney admin at pilobilus.net
Fri Jun 12 12:41:19 PDT 2015


On 06/12/2015 01:26 PM, The Doctor wrote:
> On 06/11/2015 11:32 PM, Александр wrote:
>> A very interesting essay... Thank you, Seth. So, ok. We've
>> got it. There is no salvation from the "Balrog". But what are
>> the alternatives (already operating)?
> 
> Telepathy?
> 
> <pulls a face>
> 
> 

I guess we're stuck with Eye Of Sauron and Balrog.  Too bad, this
is a much more Lovecraftian issue IMO:  We are being pulled into a
place where all the angles are "wrong," and watching the most
merciful thing in the world - the inability of hostile actors to
correlate all the contents of the Internet - starting to crumble
away for reals.

Couple of things I can see to work on:

* Publicize this as a quantum leap in network security threats,
requiring new trust models and comms protocols across the board,
to every audience that is likely to understand the problem and
respond proactively.

* Review RFC 6973, Privacy Considerations For Internet Protocols,
and work to amplify/expand sections relevant to what we are
learning about large scale threat actors and their behavior as
observed in the wild.  This RFC is only two years old, so changes
now may have a large impact on results later.

https://tools.ietf.org/html/rfc6973

* Think about building an ecosystem of repositories for hashes and
signatures, and protocols for monitoring consensus and assigning
relative trust values to reduce reliance on repo signing keys as
guarantors of software integrity.  Developing comms protocols for
this network would also contribute to general solutions for
hardening networks against the capabilities of our new overlords.

* Think hard about open projects to reverse engineer IC chips with
attention to manufacturer sabotage.  It seems to me that the
likely venue for this would be non-aligned nations (so-called)
with a vested interest in pooling their resources to push back
against universal surveillance & sabotage capabilities of the
Superpowers and their special pets.

* Keep pressure on all fronts already being worked, i.e.
replacing the HTTPS protocol with something that actually works in
the sense of costing a lot more to defeat.  Make the opposition
spend more money when and wherever possible.

Considering the choice of an apparently competent security
oriented venue to "pen test to destruction" as reported, I wonder
WTF that was about.  Does somebody with control of the resources
used WANT their capabilities publicly disclosed?  If so, was this
a strategic decision from the top, or an act of systemic sabotage
by a lower level actor within the organization in question?  So
many questions, so few clues... so far.

:o/

Steve

