[cryptography] ICIJ's project - comment on cryptography & tools

ianG iang at iang.org
Mon Apr 8 08:30:23 EDT 2013


On 7/04/13 09:38 AM, Nico Williams wrote:
> On Sat, Apr 6, 2013 at 6:34 AM, ianG <iang at iang.org> wrote:
>>> We hope the NSA types haven't forgotten that good guys
>>> need crypto, whether LEA like it or not.
>>
>> I personally believe that the NSA's policy that the good guys don't need
>> good crypto is the underlying root to the problem.  A goodly portion if not
>> all.
>>
>> Internally to the NSA this is known as 'the equity issue' or so I've heard.
>
> Well, it's like a pendulum.  As China and others make use of "cyber"
> warfare to fight wars by proxy the comsec folks will regain the upper
> hand at NSA.  Or so we should hope.  We can be secure in our comms and
> have a hard time eavesdropping on anyone or we can be insecure in our
> comms and have a hard time eavesdropping on anyone other than our own.
>   It's pretty obvious, no?  we need strong civilian crypto.


Yes, now.

I suspect going back say 20 years, pre-net, it wasn't so obvious, 
because the dependency on open nets just didn't exist.  See comment 
below about AT&T & IBM.  In those days, networking was telco business, a 
mentality which just happened to align nicely with control mentalities, 
which suited both swings of the pendulum.


> On the flip side, no amount of crypto can get one past certain
> fundamental issues in security.  How do you know your peer is who you
> think it is?  Crypto can't truly answer that, much less the question
> of whether they are doing as you wish.


Right -- but it can answer the question to a sufficient degree given an 
absence of interference in what is the right answer.  I posit.  C.f, Skype.


>> In economic terms, the NSA imposes a sort of tobin tax on crypto which
>> results in a stupidity drag on all security, thus making it easier for all
>> to avoid doing good work.
>>
>> Otherwise, I can't answer the question -- why as a society are we so good at
>> internets, databases, apps, social networks, distribution of institutions,
>> algorithms, all the good CS stuff, but we can't get our collective security
>> act together?
>
> Oh, well, we don't need to resort to conspiracy theories to answer
> _that_.


Delicious Irony!  Clearly my opinion is rather fruitloopy, but this 
'conspiracy theory' is enacted in law -- crypto is officially a 
munition.  It's the job description of the agency of topic, which 
probably employs more computing security people than any other place. 
It's not as if Louis Freeh went to congress in the 1990s and said 
"Senators, I wish to engage you in a conspiracy!" although we might 
grant the DEA would wish it so.

What is perhaps controversial and maybe ridiculous is me saying that it 
worked.  The NSA succeeded in created a drag on internet security 
sufficient to explain the general failure -- the house of cards, as you 
put it.

OTOH, if they hadn't achieved that drag, was taxpayers' money really 
being used wisely?  What are all these security people doing, then? 
Another irony -- the trend for budget is firmly down;  maybe now's the 
time to reveal how they successfully they spent your money...


> We've built a house of cards, not so much on the Internet as
> on the web (but not only!).  Web application security is complete
> mess.  And anyways, we build on foundations, but the foundations
> (operating systems) we built on are now enormous and therefore full of
> vulnerabilities.  We're human -fallible-, and our systems reflect this
> -our failures-.


Yeah, this is the popular explanation -- we're not good enough.

Let me pose another thought question.  Most of the long termers here 
understand how Skype, SSH and now Bitcoin were constructed.  Peter adds 
iMessage to the list of successful crypto systems.

Many of us here could make a fair stab at duplicating that in another 
product.  I'd personally have confidence in that statement -- given the 
budget I'd reckon Steve, Jon, Peter, James, and a dozen other frequent 
posters could do that job well, or a similar one.

I therefore suggest the popular explanation doesn't really pass muster. 
  I say we really are good enough.

Why did they succeed, as an exception, but we did not, as the general rule?

The strange names and origins are a possible clue.  I suggest the same 
reason that a couple of bored scientists succeeded in creating a games 
platform that was then turned into a document preparation platform that 
then became a standard OS teaching tool and eventually by many steps is 
now in the hands of most of the planet:

      they did it without interference.



iang



PS: ok, that last comment about Unix requires some mental juggery.  The 
bored scientists did something that they were banned from doing.  At the 
time, AT&T was party to a cartel agreement with IBM that reserved 
computing to IBM and networking to AT&T.  How quaint!

This had perverse effect of turning Ritchie & Kerninghams' toy into a 
skunk works project, in effect allowing everyone to politely ignore it. 
  Unix survived and grew within Bell Labs because AT&T could not 
commercialise it, and therefore the project was purely an academic 
exercise.  Hence, the corporate interference was untypically low to 
non-existent.  Hence, it grew in Universities only.


More information about the cryptography mailing list