[cryptography] Law of unintended consequences?
iang at iang.org
Thu Dec 8 07:15:43 EST 2011
On 8/12/11 12:01 PM, lodewijk andré de la porte wrote:
> I figured it'd be effective to create a "security awareness group"
> figuring the most prominent (and only effective) way to show people
> security is a priority is by placing a simple marking, something like
> "this site isn't safe!" and contacting the owners with what the
> exploit is.
One problem with any "opinion group" is that if it succeeds, it can be
got at. Rich corporations join, snow the members with their paid
employees, and then it becomes a commercial-sales organisation, punting
marks to the highest bidder. You succeed, then you lose it.
> That'd also provide challenge to those who participate and it doesn't
> hurt anyone. I think it's most likely a mind-spinoff of lulzsec's
> work, who took it to the extreme.
Yeah. So, then we get the issue that their opinion is different to
others. Taking a leaf from my experience, CAs: the guys that are
running around recording all the certificates out there, like EFF and so
forth, and then rating the site on their certificate goodness .. they
think they are improving security by finding bad practices. But their
model of security is the PKI model, which they've adopted without
question. Which we now know (empirically) to be fundamentally broken.
So these groups are busy running around promoting an old idea of
security that actually sets users up for the fall.
> It kind of shocked me that regardless of the good spirit of my idea,
> the image of a happy hacker talking about how amazingly well he pulled
> off some hack and another about how stimulating it is to work with
> people who "live for it", would also be utterly illegal! I kinda liked
> the fact that the Internet was like a wild west, law is local and
> everything is possible and permitted. It being digital, people wouldn't
> get quite so hurt if things went wrong. Now with security and size
> came legal matters. The funny thing to observe is that those who bring
> in the law have no idea of what's going on, they are (literally!) from
> another world! But with their laws the first thing they banned were
> the vigilantes, the criminals are still there. Some aren't building
> fences because the police will come busting everyone who passes into
> their backyard anyway, people become defenseless!
Yes. If the law makes people defenceless, does that mean the police
have to defend them? Good luck on that, it's pretty clear that the
police will take your report and file it somewhere. Beyond that?
Article about some guy who was hit with a dual channel attack for $45k,
and the police think it is too small....
Interesting footnote on the PKI secure browsing claim that it tells you
who you are connected to (or whatever the claim is today): the article
doesn't even bother to mention that the guy's website connection had to
be perverted in some way as well. It's simply exploring how the dual
channel (cell) was broken.