NRC Session Hiss
During the Q&A of the NRC public session, it was asked why
56-bit DES was selected as the standard of export over
other widely distributed programs such as PGP.
The panelists seemed to me uneasy in answering this.
Primarily their view was that DES was "ubiquitous," well-
known and tested by use.
However, when pressed by later questioners on this topic,
they expanded their view: that if another, stronger,
program became "ubiquitous" -- in wide use -- they would
support it as the standard of export. When it was pointed
out that PGP now fit this definition, the panel merely
repeated the statement about ubiquity without specifically
affirming or denying the PGP claim. Their poker faces
seemed uniformly in place to dampen a potential
inflammatory topic.
Perhaps other attendees will amplify this odd demeanor, but
it seems to me that the panel was attempting to avoid
commenting one way or the other on PGP's worldwide ubiquity
for unstated reasons.
I wonder if this was a nudge to the audience that the
informal spread of unapproved encryption is the best way to
establish its ubiquity and thereby to set a new standard
for export, sort of under the noses of the authorities --
as if PGP was exemplary.
Recall that this fits the Clinton administration's way of
getting around the Croatian arms embargo -- the "no
position" position of sidestepping legality.
Also, I wonder if the panel wants to avoid an open conflict
with the administration, the LEAs and the security agencies
about PGP. (Or do they know something about PGP that we
don't know, or have been led to think they do?)
Peter Neumann had pointed out earlier that crypto was going
to be ubiquitous, and fairly soon, no matter what. He noted
that it is the NRC's recommendation that LEAs take the
"long-term, pro-active" view about this and get on with
developing other technologies, and training personnel in
them, to fight computer crime -- like traffic analysis,
packet trace, etc. -- and to accept that prohibiting and
cracking crypto is not effective. (This may have been
diversionary, but he seemed sincere.)
Perhaps the panel is agreeing the crypto genie is out of
the bottle, and are advising the authorities to recognize
that stronger and stronger crypto is going to become
ubiquitous, and it's time to move on to other, presumably
less ubiquitous, cyber-crime fighting technologies.
Perhaps the committee was briefed on these technologies, or
maybe some members are even developing them -- Mr. Neumann,
for example, in conjunction with Ms. Denning, et al.
Those who plan to attend the June 6 session might want to
pursue the "no position" position about PGP's ubiquity, and
why. Diversionary sop, say, to cover the promotion of non-
crypto invasion of privacy.
Further, it would be helpful to learn more about what the
committee members were told about "long-term" cyber-
surveillance technologies in the pipeline.
What bothered me more than anything else about the session
was that individual privacy got such short shrift by
panelists and by the audience. While there was a bit of
discussion on personal privacy protection, government and
business, and their mutual back-scratching, seemed to be
the primary focus.
Pretty Lousy Privacy appears to be in the works, judging
from what was not disclosed in the session (and in the
report) about two 800-pounders working in concert at
citizen data gathering, mining, selling, controlling,
dominating -- at the expense of individual privacy, and,
shout it, liberty.
Peter Neumann got to me when he described the "downside" of
anonymity, encryption and security: how can we know who are
the criminals if we don't know for sure who is who and know
for sure who is doing what? Not a single panelist disagreed
with his statement about this, but then I heard only a few
snorts from the criminal-fraught-fed audience.
I kept mum. Jesus, who knows who was recording every
titter and hiss -- besides anonymous beside me and me.