[cryptography] Snowden Induced Mea Culpas
iang at iang.org
Sun Aug 25 08:23:11 EDT 2013
It's Sunday, it's time for some amusement. I agree with everything John
writes, and although I prefer an alternate style, it may be time for
On 24/08/13 00:33 AM, John Young wrote:
> Comsec experts should not be surprised at the Snowden
> revelations about NSA so far, most of which are venerable.
> What is surprising is their seemingly exaggerated surprise
> because many of them worked at or ran firms which were
> known to be heavily involved with official spying through
> dual-use technology and dual-purpose contracts.
We have met the enemy, and he is us. In a Pogo-like moment, the IETF
finds that we might like to mandate encryption in the use of the web:
... at its conference in Berlin this month, IETF members reached “nearly
unanimous consensus” on the need to build encryption into the heart of
the web, said Mark Nottingham, a developer who chairs the IETF working
group on HTTP, a data access protocol that underpins the web. “There are
a lot of people who want this to happen,” he said.
Mr Nottingham cautioned that it was “very early days” and said the
proposal would need to undergo extensive discussion within the broad web
community before it could be implemented. Exactly how the plan would
work has yet to be decided.
But at present the idea is to mandate the use of Transport Layer
Security (TLS), a cryptographic protocol, in the next version of HTTP,
which is planned for 2014.
It would then be up to companies behind web browsers and web servers to
put the new standards into practice.
It is economically understandable and inevitable that the IETF are part
of the problem and not part of the solution. Hence, they go around
looking for some solution they already have and have failed on before,
without analysing why "try harder" didn't, hasn't and won't work.
But this comment from google has left me scratching my head:
... “There has been a complete change in how people perceive the world”
since whistleblower Edward Snowden disclosed the extent of US
surveillance programmes earlier this summer, said Mike Belshe, a
software engineer and IETF member who helped develop Google web browser
“Not having encryption on the web today is a matter of life and death,”
Google's answer to PRISM is to insist that TLS be used everywhere? Wtf?
> In most instances these dual roles were not hidden.
> Or were they?
One kind of expects goodle engineers to at least understand the
difference between point-to-point encryption and being social-engineered
into employing dual role persons to set up secret cells.
> What might be troubling about Snowden's possible
> revelations that is causing exaggerated surprise of
> these experts is the disclosure that the dual-uses
> and dual-roles in spying were more extensive than
> has been made public. That has been protected by
> highest secrecy about to be breached, not about
> the spy agencies but those used to camouflage
> and assist the spying by downplaying its pervasiveness
> by selling protection that could never be wholly
> effective, that the cybersec game was as rigged
> as gambling.
> That the backdoors, vulnerabilities, holes, faults,
> and errors were more craftily hidden and exploited
> with the complicity of the best and brightest while
> they deluded the the public for market share and
> FOI fame. That it was a charade to agitate for more
> security and privacy while undermining them. That
> Snowden has the documents about that ancient
> betrayal and will at some point make them available.
> That it would be wise to get ahead of this exposure
> by rushing to claim the spying has been greater
> than even we experts knew and comsec is a
> fraud by design. Crypto-AG the norm.
We are all conspirators now. The only question is whether we're
conspiring for our own truth or conspiring for our own deception.
ps; apologies, the link is behind some FT firewall.
More information about the cryptography