[cryptography] ICIJ's project - comment on cryptography & tools

Kevin W. Wall kevin.w.wall at gmail.com
Tue Apr 9 22:57:54 EDT 2013

Some OT comments to an OT response...

On Mon, Apr 8, 2013 at 8:30 AM, ianG <iang at iang.org> wrote:
> On 7/04/13 09:38 AM, Nico Williams wrote:
[big snip]
>> We've built a house of cards, not so much on the Internet as
>> on the web (but not only!).  Web application security is a complete
>> mess.  And anyways, we build on foundations, but the foundations
>> (operating systems) we built on are now enormous and therefore full of
>> vulnerabilities.  We're human -fallible-, and our systems reflect this
>> -our failures-.
> Yeah, this is the popular explanation -- we're not good enough.
> Let me pose another thought question.  Most of the long termers here
> understand how Skype, SSH and now Bitcoin were constructed.  Peter adds
> iMessage to the list of successful crypto systems.
> Many of us here could make a fair stab at duplicating that in another
> product.  I'd personally have confidence in that statement -- given the
> budget I'd reckon Steve, Jon, Peter, James, and a dozen other frequent
> posters could do that job well, or a similar one.

Sorry, but I agree with Nico on this one. The problem is the brittleness
of our systems. One tiny problem and it allows the entire system to
break down and suffer vulnerabilities.  An attacker only has to find
one way in. And to be clear, as bad as developers handle cryptography,
cryptography, even when used poorly, is seldom the weakest link.
No...the problem is that humans just suck at writing secure code...
for that matter, we suck at writing _correct_ code (which often
results in insecure code).

And while I can't comment on Bitcoin or iMessage, I do know that
both Skype and openSSH have had their share of vulnerabilities and
probably an order of magnitude or more of non-security related bugs.

As humans, we make lots of mistakes in many other
endeavors, but in many of those cases, the human element
itself is the end recipient / consumer of those "systems"
and it is a lot more resilient than our computer systems
are to errors. Case in point, see how many typos you can
find in this particular email thread...spelling errors, grammatical
errors, etc. Most of us probably read right through them. I'm
pretty sure that none of those errors made our brain reboot. ;-)
Try the analogous thing with computer code and at best you have
a harmless bug, but often you get a security vulnerability.  So far,
we haven't invented computer systems that work on a Do What I Mean,
Not What I Say basis. Fortunately the human brain seems to grok DWIMNWIS.
(Google for "Cna Yuo Raed Tihs?" for one popular example.)

> I therefore suggest the popular explanation doesn't really pass muster.  I
> say we really are good enough.

That depends on what you mean by "good enough". I would agree that
most crypto is "good enough", but one reason for that is there generally
are so many more easily exploitable vulnerabilities, why bother with
the crypto. For instance, when your web app is full of XSS and SQLi,
why would an attacker try some attack against TLS? It would be pointless.

On the other hand, if all other vulnerabilities were somehow magically
removed and only the crypto ones remained so that they were indeed
the weakest link, I think the crypto-related exploits would start getting
a lot more play.

> Why did they succeed, as an exception, but we did not, as the general rule?
> The strange names and origins are a possible clue.  I suggest the same
> reason that a couple of bored scientists succeeded in creating a games
> platform that was then turned into a document preparation platform that then
> became a standard OS teaching tool and eventually by many steps is now in
> the hands of most of the planet:
>      they did it without interference.

They were in Area 11 (research) and back in the day, that research wasn't
required to be directly applicable.  Today I think something like this would
be rare, at least outside of universities, because there is just too much
pressure to turn everything into product in order to make profits.

> PS: ok, that last comment about Unix requires some mental juggery.  The
> bored scientists did something that they were banned from doing.  At the
> time, AT&T was party to a cartel agreement with IBM that reserved computing
> to IBM and networking to AT&T.  How quaint!
> This had the perverse effect of turning Ritchie & Kerninghams' toy into a skunk

Uh, that would actually be Ritchie and Thompson, but I'm sure you knew that. :)

> works project, in effect allowing everyone to politely ignore it.  Unix
> survived and grew within Bell Labs because AT&T could not commercialise it,
> and therefore the project was purely an academic exercise.  Hence, the
> corporate interference was untypically low to non-existent.  Hence, it grew
> in Universities only.

OK, that last part is a bit misleading.  I worked at Bell Labs from 79-96 and Unix
was used in many of our internal systems, not just as development platforms
but also as operations support systems, call routing systems, etc. So it was
commercialized in a sense. AT&T wasn't allowed to directly sell it, they did
indirectly commercialize it by making it an integral part of many of the
systems that they sold to RBOCs (after divestiture).

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
