[cryptography] Law of unintended consequences?

ianG iang at iang.org
Thu Dec 8 07:15:43 EST 2011


On 8/12/11 12:01 PM, lodewijk andré de la porte wrote:
> I figured it'd be effective to create a "security awareness group" 
> figuring the most prominent (and only effective) way to show people 
> security is a priority is by placing a simple marking, something like 
> "this site isn't safe!" and contacting the owners with what the 
> exploit is.

One problem with any "opinion group" is that if it succeeds, it can be 
got at.  Rich corporations join, snow the members with their paid 
employees, and then it becomes a commercial-sales organisation, punting 
marks to the highest bidder.  You succeed, then you lose it.

> That'd also provide a challenge to those who participate and it doesn't 
> hurt anyone. I think it's most likely a mind-spinoff of lulzsec's 
> work, who took it to the extreme.

Yeah.  So, then we get the issue that their opinion is different to 
others.  Taking a leaf from my experience, CAs:  the guys that are 
running around recording all the certificates out there, like EFF and so 
forth, and then rating the site on their certificate goodness .. they 
think they are improving security by finding bad practices.  But their 
model of security is the PKI model, which they've adopted without 
question.  Which we now know (empirically) to be fundamentally broken.  
So these groups are busy running around promoting an old idea of 
security that actually sets users up for the fall.

> It kind of shocked me that regardless of the good spirit of my idea, 
> the image of a happy hacker talking about how amazingly well he pulled 
> off some hack and another about how stimulating it is to work with 
> people who "live for it", would also be utterly illegal! I kinda liked 
> the fact that the Internet was like a wild west, law is local and 
> everything is possible and permitted. It being digital, people wouldn't 
> get quite so hurt if things went wrong. Now with security and size 
> came legal matters. The funny thing to observe is that those who bring 
> in the law have no idea of what's going on, they are (literally!) from 
> another world! But with their laws the first thing they banned were 
> the vigilantes; the criminals are still there. Some aren't building 
> fences because the police will come busting everyone who passes into 
> their backyard anyway, so people become defenseless!

Yes.  If the law makes people defenceless, does that mean the police 
have to defend them?  Good luck on that, it's pretty clear that the 
police will take your report and file it somewhere.  Beyond that?

Article about some guy who was hit with a dual channel attack for $45k, 
and the police think it is too small....

http://www.scmagazine.com.au/News/282310,45k-stolen-in-phone-porting-scam.aspx/0

Interesting footnote on the PKI secure browsing claim that it tells you 
who you are connected to (or whatever the claim is today):  the article 
doesn't even bother to mention that the guy's website connection had to 
be perverted in some way as well.  It's simply exploring how the dual 
channel (cell) was broken.

iang
