[cryptography] It's time for a Whistleblowing / Leaking Initiative for Cryptographer ?

Jeffrey Walton noloader at gmail.com
Mon Sep 16 17:42:33 EDT 2013


On Mon, Sep 16, 2013 at 5:17 PM, Fabio Pietrosanti (naif)
<lists at infosecurity.ch> wrote:
> http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301
>
Right now, whistle blowers are vilified in the US. Just ask Jesselyn
Radack, Thomas Drake, William Binney, Bradley Manning, et al. The
irony is the US recognized the usefulness of whistle blowing hundreds
of years ago during colonial times:
https://en.wikipedia.org/wiki/Qui_tam. (Thanks CB).

I'm all for monetization of whistle blowing to encourage the behavior.
But that would take a proverbial 'paradigm shift', because the sneaky
assholes who need to be uncovered are the same assholes who hold the
power and control popular thinking.

From the article:

> ... that calls on authorities in that country and the United States to
> conduct an investigation to determine which security products,
> protocols and standards have been deliberately weakened by the
> countries’ intelligence services.

I think MQV and Dual_EC_DRBG events are kind of rare, and I'm not sure
about this.

Does an intelligence agency need to backdoor code when: (1)
architectural and design defects are incumbent; and (2) shitty code is
regularly checked-in? I think the agency's best course of action is to
do nothing and wait for the defects to become widely available through
normal channels.

Given the above, an agency probably benefitted by doing nothing with,
for example, MQV and Dual_EC_DRBG. In this case, would the panel of
scientists be asking to investigate lack of agency action? I think
that's going to be pretty tenuous.

Jeff
