[cryptography] ICIJ's project - comment on cryptography & tools

ianG iang at iang.org
Sat Apr 6 07:34:15 EDT 2013


On 6/04/13 07:27 AM, Nico Williams wrote:
> On Fri, Apr 5, 2013 at 9:17 PM, NgPS <ngps at rulemaker.net> wrote:
>> In the movies and presumably in real life, bad guys have smart crooked
>> lawyers advising them. Surely the bad guys have the resources to set up
>> a bunch of servers a la iMessage/WhatsApp, and write/deploy their own apps on
>> their mobile devices, running stripped-down custom ROMs, to communicate via
>> these servers, to avoid 3rd party MITM. Don't even need crooked developers,
>> just advertise on Hacker News and a whole bunch of "hackers" will jump on it.
>
> It'd be nice (for good guys certainly) to be able to open-code
> everything that one needs, or otherwise review all of the source code
> to the object code that one needs.  In practice you cannot do this.
> It's ETOOMUCH.


That's the best short description I've seen yet!


> In the worst case scenario for the LEA there's still traffic analysis
> and warrants/court orders/rubber hoses that they can resort to.
>
> Crypto only helps the good guys w.r.t. bad guys and other governments
> (and then only sometimes); crypto is just a polite way of saying "try
> harder, get a warrant" to the LEA with jurisdiction over you (or your
> devices).  For LEA my guess is that the biggest problem isn't how to
> get at evidence, but how to know who the bad guys are: in a sea of
> traffic it's hard to tell when you don't even know what's needles and
> what's hay, which must be why LEA tend to have such a dislike for good
> guy crypto.


This bit:

> We hope the NSA types haven't forgotten that good guys
> need crypto, whether LEA like it or not.


I personally believe that the NSA's policy that the good guys don't need 
good crypto is the underlying root to the problem.  A goodly portion if 
not all.

Internally to the NSA this is known as 'the equity issue' or so I've heard.

In economic terms, the NSA imposes a sort of Tobin tax on crypto which
results in a stupidity drag on all security, thus making it easier for 
all to avoid doing good work.

Otherwise, I can't answer the question -- why as a society are we so 
good at internets, databases, apps, social networks, distribution of 
institutions, algorithms, all the good CS stuff, but we can't get our 
collective security act together?



iang


