[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tim May and Security for The Millions



Tim (yes, it was me--Kent Borg--you quoted the most recent time you
said--roughly--that other people's security is no very important to
you), there is a very good reason why you want *everyone* to have good
security.
 
The fact that "everyone" will use up the snooping resources of the
TLAs, leaving less for them to throw at you, is not the main point,
for the TLAs might come up with clever secret approaches which allow
their resources do amazingly efficient things.
 
What you really want to know is what the state of the art is inside
the NSA, what efficient things they can do.  (You want to know the
*whole* story behind the S-boxes, what Skipjack is, etc.)
 
The best way to do this is to badly, I mean *BADLY*, tempt them to tip
their hand.  If pedophiles (the canonical/mythical threat) are the
threat they see then put the best security we (on the outside) have in
the hands of the world's pedophiles and watch the prosecutions.
 
Either the TLAs tip their hands by cracking the 1998 version of PGP
5.0.2 with IDEA^3 or they don't.
 
If they do, you know they cracked it.  If they don't you know one of
two things:
 
1) They didn't crack it.
 
2) They did crack it *but* are too afraid to say they cracked
it--which is nearly equal to not having cracked it.  (Preventing them
from acting on information is close to denying them the same
information--the Coventry Legend and all.)
 
A wonderful way for us to drive cryptological research out into the
light is to *temp* them into showing their hands, and giving good
security to *everybody* is the best way to do that.  Following this
argument, preventing trivial "quick brown fox"-attacks is part of the
job of giving good security to everyone, make them work at the
interesting problems.  Conclusion: my recent "passwords are hard"
tirade is not completely off-subject.  More general conclusion: user
interface issues ("My Mom" et al) are very important.
 
Certainly, working on the gaping hole of Tempest attacts is very
important (any ideas?), but don't forget that RF-snooping of moving
notebooks requires risky ~field work~ and bad take-out food, something
properly high-tech TLAs hate.  Tempest attacks are only worthwhile
against juicy targets, while some other attacks are useful in bulk.
(For examples of how poor passwords are useful in bulk, read RISKS,
use your imagination, and extrapolate to large populations.)
 
Tim, the best way for you to have good security is to put good
security in the hands of the millions.
 
 
-kb, the Kent who can sometimes get personal and use first names
 
--
Kent Borg                                                  +1 (617) 776-6899
[email protected]                                
[email protected]                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!