On Sat, Apr 6, 2013 at 6:34 AM, ianG <iang at iang.org> wrote:
>> We hope the NSA types haven't forgotten that good guys
>> need crypto, whether LEA like it or not.
> I personally believe that the NSA's policy that the good guys don't need
> good crypto is the underlying root to the problem.  A goodly portion if not
> all.
> Internally to the NSA this is known as 'the equity issue' or so I've heard.

Well, it's like a pendulum.  As China and others make use of "cyber"
warfare to fight wars by proxy the comsec folks will regain the upper
hand at NSA.  Or so we should hope.  We can be secure in our comms and
have a hard time eavesdropping on anyone or we can be insecure in our
comms and have a hard time eavesdropping on anyone other than our own.
It's pretty obvious, no?  We need strong civilian crypto.

On the flip side, no amount of crypto can get one past certain
fundamental issues in security.  How do you know your peer is who you
think it is?  Crypto can't truly answer that, much less the question
of whether they are doing as you wish.

> In economic terms, the NSA imposes a sort of Tobin tax on crypto which
> results in a stupidity drag on all security, thus making it easier for all
> to avoid doing good work.
> Otherwise, I can't answer the question -- why as a society are we so good at
> internets, databases, apps, social networks, distribution of institutions,
> algorithms, all the good CS stuff, but we can't get our collective security
> act together?

Oh, well, we don't need to resort to conspiracy theories to answer
_that_.  We've built a house of cards, not so much on the Internet as
on the web (but not only!).  Web application security is a complete
mess.  And anyways, we build on foundations, but the foundations
(operating systems) we built on are now enormous and therefore full of
vulnerabilities.  We're human -fallible-, and our systems reflect this
-our failures-.


