[governance] NSA sabotage of Internet security standards

Ian Peter ian.peter at ianpeter.com
Sun Sep 15 17:54:41 EDT 2013


Apologies for “I don’t see a response based on privacy considerations being 
forthcoming”. I would have been better saying that I don’t see such 
responses being accepted by authorities without an accompanying economic 
rationale.

Ian Peter



-----Original Message----- 
From: Ian Peter
Sent: Monday, September 16, 2013 7:09 AM
To: Karl Auerbach ; governance at lists.igcaucus.org ; Louis Pouzin (well)
Subject: Re: [governance] NSA sabotage of Internet security standards

I am copying this largely unedited from a response on another mailing list -
but I think it's relevant to the debate here as well. I was responding to
Vint Cerf's suggestion that
"I think the only pragmatic response is to provide strong authentication
standards, strong cryptography, and protocols that allow users to detect
hijack, MITM re-directs, false certificates, etc."

(Apologies to those who have already seen this).

It would be lovely if it were as simple as this, Vint, and I agree the efforts
should be made and a pragmatic response is a good start.
But I think the primary problem is trust, for which there is no
technical-only solution. And I have just been alerted elsewhere to this
great article - http://cm.bell-labs.com/who/ken/trust.html by ACM award
winner Ken Thompson on the subject of trust in code.

We have seen stories of IPSEC being compromised by NSA demands. Why then
would we trust the output of any IETF working group that contains members
from companies who are subject to NSA directives and unable to tell us when
they are acting under such directives? And even if we did trust the output
of working groups, would we trust the implementations of these standards by
major software and hardware players subject to NSA directives?

The primary problem we face is a political one, caused by interference in
the Internet and its common use platforms for political purposes. There is a
political dimension to this problem that cannot be solved technically, and
which must be addressed. There are also significant economic issues for the
industry if the problems are not addressed politically as well as
technically.

And while I am on the rant, I do not find the narrowing of the political
debate to a focus on US surveillance of US citizens helpful at all. Mass
surveillance worldwide by any country on the citizens of any country has to
be addressed as well before trust in the Internet will be restored.

I am not the only person who now questions every software update I receive.
I no longer trust major hardware platforms with US origins or containing
chips with US origins. (or Chinese hardware for that matter...)

But I suspect the next 12 months will begin to show substantial economic
effects and drops in market share for US companies as a result of this
problem. The pragmatist in me hopes that there will eventually be a
political solution brought on by economic concerns, because I don't see a
response based on privacy considerations being forthcoming.




Ian Peter

-----Original Message----- 
From: Karl Auerbach
Sent: Monday, September 16, 2013 5:50 AM
To: governance at lists.igcaucus.org ; Louis Pouzin (well)
Subject: Re: [governance] NSA sabotage of Internet security standards

On 09/15/2013 07:03 AM, Louis Pouzin (well) wrote:

> Best quote of the day, so cutely childish.
> The trend is no secret: user open source encryption and States standards.

If the actual encryption algorithm contains a mathematical backdoor then
code inspection of an open implementation is not likely to reveal the flaw.

That's the scary thing - it is now beyond hyperbolic speculation that
some intentional weaknesses may have been secretly baked into the actual
mathematics of the algorithms.

And lest we forget that sometimes we may not be able to see what is
there we ought not to forget this famous paper:

Reflections on Trusting Trust
Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

After reading that who can say that our compilers or interpreters are
safe to use to compile open source encryption code?

--karl--

____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t