11/16: When did *I* get to be the cynic?
Category: Bumbling | Posted by: Cads
There's been a large number of draft blog posts that I haven't posted and have deleted because they expired - this one isn't like that. I just read this article about the NSA (description here, and their website) potentially putting a backdoor into a cryptographical security standard. Firstly let me say this: And you didn't think it was going happen? Any organisation that is interested in Security is interested in Security that it can control. That's the case with ALL organisations - including PGP, CounterPane etc.
The LEVEL of control is what is important. PGP, CounterPane et al. are all about controlling access to sensitive data - NOT about giving themselves some way of seeing that sensitive data. They provide the controlling software but allow you and I to sit down and lock whatever it is that we want away. Think of them like locksmiths with no skeleton key. They provide you with a padlock and a key and you go lock away your beanie bear collection.
The NSA on the other hand wants to be in a position (as all government agencies do) of being able to look at what is locked away with their locks. It's like a locksmith with a skeleton key. The problem is that the types of people that they are selling the locks to are deemed to be criminals, and the NSA is the police. Of COURSE they are going to want to provide some way of looking at what the criminal fraternity is doing....
BUT, while the NSA is doing what the NSA is bound to do (after all, why would a normal person want to encrypt their data - only criminals and terrorists would want to do that1), the following statement from the article throws me a little:
This just boggles the mind for me. Surely this is just a cup and balls trick. "Look everybody," says the NSA, "there's a big hole over here!" all the while influencing the audience to choose one of the other cups. And this brings me to my point. When did I become so cynical that even the CTO of a cryptanalysis and cryptography seems näive? Is this an age thing? or is this latent paranoia.
OR have we become so used to the ways of openness that we forget what Vaudeville and Penn and Teller teach us about people being honest? Especially those with an ADMITTED hidden agenda.
*This of course is the NSA party line
The LEVEL of control is what is important. PGP, CounterPane et al. are all about controlling access to sensitive data - NOT about giving themselves some way of seeing that sensitive data. They provide the controlling software but allow you and I to sit down and lock whatever it is that we want away. Think of them like locksmiths with no skeleton key. They provide you with a padlock and a key and you go lock away your beanie bear collection.
The NSA on the other hand wants to be in a position (as all government agencies do) of being able to look at what is locked away with their locks. It's like a locksmith with a skeleton key. The problem is that the types of people that they are selling the locks to are deemed to be criminals, and the NSA is the police. Of COURSE they are going to want to provide some way of looking at what the criminal fraternity is doing....
BUT, while the NSA is doing what the NSA is bound to do (after all, why would a normal person want to encrypt their data - only criminals and terrorists would want to do that1), the following statement from the article throws me a little:
"I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy."
This just boggles the mind for me. Surely this is just a cup and balls trick. "Look everybody," says the NSA, "there's a big hole over here!" all the while influencing the audience to choose one of the other cups. And this brings me to my point. When did I become so cynical that even the CTO of a cryptanalysis and cryptography seems näive? Is this an age thing? or is this latent paranoia.
OR have we become so used to the ways of openness that we forget what Vaudeville and Penn and Teller teach us about people being honest? Especially those with an ADMITTED hidden agenda.
*This of course is the NSA party line
Comments
Brent wrote (12/02 04:51:23):
This evening I saw the film Elizabeth in part of which Mary Queen of Scots encryption scheme failed and her loyal guards seemed to be running a truly open source philosophy with her treasonous letters to the point where her head ended up in the big recycle bin and she got the delete written over it with the ultimate string of random characters.
In short, all hands have faced the problem Cads writes of with far more profundity than this economist could hope to muster, before. And what drives it is nothing new. The economist does recognise however, and our author here hints at it, the fact that the whole thing rests on the incentives of the lock er and the lock ee and those who seek to know their secrets.
So the good lesson in here is, think about the incentives at least as much as the coding!
Parker wrote (08/10 05:13:00):
The word that is heard perishes, but the letter that is written remains.
This evening I saw the film Elizabeth in part of which Mary Queen of Scots encryption scheme failed and her loyal guards seemed to be running a truly open source philosophy with her treasonous letters to the point where her head ended up in the big recycle bin and she got the delete written over it with the ultimate string of random characters.
In short, all hands have faced the problem Cads writes of with far more profundity than this economist could hope to muster, before. And what drives it is nothing new. The economist does recognise however, and our author here hints at it, the fact that the whole thing rests on the incentives of the lock er and the lock ee and those who seek to know their secrets.
So the good lesson in here is, think about the incentives at least as much as the coding!
Parker wrote (08/10 05:13:00):
The word that is heard perishes, but the letter that is written remains.
Add Comment
Navigation
- Previous Item
- Next Item
- Today
- Archives
- All
- 40 Winks
- Bumbling
- Hums
- Smackerels
