I am never kidding; ever. Before you can discuss cryptography and security mr fancy-fants ,who, no doubt, meets software engineers and security analysts on working lunches on a daily basis, should maybe, just maybe, consider the possibility, that before mr fancy-pants can discuss said problems mr fancy-pants could, and I do mean could, consider to learn some basic information about the subject at hand. Based on your previous responses, I was not sure you did.
I was talking about your choice of book to read to learn about the history of the internet and how security protocols get established. I happen to think you have it backwards though. One should start by understanding how packet based networks actually work, then how encryption works, then how to apply encryption to said packet based networks, and *then* you can start looking at the political side of things and assessing whether there's something horrible going on. Starting with the conspiracy and then working backwards is, well... backwards.
If you did and chose not to disclose it, Touche, I, for one, was fooled.
I'm sorry. I wasn't aware I was supposed to provide a resume before posting. I thought that merely pointing out that one should actually understand the technology *first* before trying to figure out if it's being applied correctly or manipulated for some nefarious plot would have indicated that I actually do know a bit about this. And frankly, your recommended reading suggests that you *don't*.
For once you are not wrong; well, not completely wrong. The goal is,obviously, nothing is mundane as money. Pfui -- only plebs worry about those. The object is information, and its derivative, power.
Which is no different today than it has ever been. Again... /shrug
I guess it is my turn to go into "are you serious?" mode. I am not sure how young/old you are ( depending on your philosophical bent ), but I am sure a security expert such as yourself remembers the problems and legal hurdles the US government was creating for pgp creator.
None of which prevented a single person from actually using it though. Attempts to stop the spread of encryption were a joke then and are a joke now. And it ultimately had very little to do with preventing private parties from using encryption, and more to do with outdated laws being applied in inconsistent and really ridiculous ways.
There is the might of the government telling you can't encrypt anything we can't decrypt. So what were you saying about nothing preventing me? Oh, you mean nothing stopping me from using tools that have been rendered less useful?
Er? Strong encryption is readily available. More available than ever before. So if anything the trend is towards folks having the capability of more privacy. The problem is that, as many actual security experts have predicted time and time again, people choose not to use it
. They do so, not because of some evil government schemes to make sure they can read your emails, but because it's easier not to. Hell, if it weren't for governments actually passing some regulations on the industry, most people wouldn't use encryption for anything at all. So complaining that the weak encryption we have in the default applications out there are some kind of plot by the government really is silly.
Here you are correct. I know. The main reason I know is because of the same reason most people know: real life manifestation of Dilbert principles ( and immediate cost). I could tell you stories, but I don't want to bore everyone more than is strictly necessary.
I literally had a conversation with a principle engineer here just yesterday in which he was trying to argue that I should add a modification to everyone's login to a set of systems such that it would allow anyone else to be able to connect to their session without their permission and completely bypassing any password that user may have set. He was seriously arguing this. Without going into the details of why, his reasoning was purely about convenience (saving a couple minutes on these systems under certain conditions). I had to explain to him that this was in complete violation of our emedia policy, not to mention a direct violation of a number of legally binding documents I have to sign in order to have the authority to make this kind of system/account level change in the first place. If I were to do such a thing, I'd be lucky to *only* lose my job.
Point is that I had to argue this with him for quite some time before he agreed to let me find another solution to the problem he was running into. Most people put convenience ahead of security. Even when they should know better. It's what social networking is about as well btw. You don't need the NSA to do that. Just give people the option to hand their information over, and most will do it. Give people the choice to use a 4 digit or 10 digit pin on their ATM card, and want to bet what most will ask for? Give them a choice of numbers only, or numbers and letters, and guess what they'll pick?
Hell. Look at this picture
. It's a keypad access to a car, right? Stop and think about it for a moment. It's got 5 buttons. Ask yourself why the buttons are labeled "1-2", "3-4", "5-6", "7-8", "9-0", instead of just 1, 2, 3, 4, 5? It's still just a combination of 5 keys, yet they labeled them such that the keys can represent any number in our decimal system. There's only one reason to do this and that's to allow people to use numbers that are significant to them, but which might require the numbers 6 through 0 instead of just 1-5. Um... Which is precisely what you're not supposed to do when picking a security code, right? Are the car companies intentionally wanting people to use less security? Cause that's the argument you're making with regard to the NSA.
Car companies design the keypads that way because even though they know they promote less security, they also know that customers want them
. Customers want to be able to use their birthday, or whatever as their code, and keypads which don't provide this less secure functionality will lose out in the market versus ones that do. My point is that the average person demands a less secure environment if more security means less convenience or ease of use. Not just the average person, the overwhelming majority of people.
Again, the NSA doesn't have to do anything except *not* impose stronger standards. The people will tend to pick the least secure methods that do "just enough" to prevent just anyone from hacking into their stuff. Why? Because it's not worth their time and effort to do more. And the companies which make the operating systems, and web servers, and all that other stuff know this. And they know that if they attempt to impose stronger security, they will lose customers to the guy that uses the simplest, weakest, but easiest to use solution. Doesn't take a government conspiracy for this to happen.
Huh? I am not sure you are deliberately misrepresenting my argument, misunderstanding it, or if you are carrying a different conversation on similar subject. I have not said anything about making bullet-proof network. I am arguing against making it vulnerable BY DESIGN. Do you see the difference? I am sure you do because in the very next sentence you paraphrase what I said... ie. don't put everything on the internet.
And as I said (but was apparently the one part of my post you didn't respond to), it's a matter of opinion and perspective. What is "vulnerable by design"? So if I currently have a network connection that uses zero encryption, and I implement a weak but easy to use encryption, but I could have used a much stronger, but harder to use/implement one, is my connection "vulnerable by design"? Depends on how you look at it, right? Technically, since it was designed, then every aspect of it is "by design". The question is whether the intent was to make it less secure than it could have been, or if I decided that it's "secure enough" for whatever data I'm transmitting along that connection.
Which is why I talked at length about relative costs. Convenience versus security.
And last, but most certainly not least,
but it has never been true
portion of your post. Never is a very long time. Unless you have some weird understanding of my "theory", the last time 'never' happened was when Snowden showed up. I can only assume you didn't communicate your point clearly enough for me to comprehend. Please try again. Remember, I am most definitely not a security expert; not completely unlike you.
I was referring to the fact that we have never had secure networks, so the idea that we're somehow "less secure" today is ridiculous. You're basically arguing reality against a possible alternative which never happened, but passing it off like we somehow moved in the wrong direction. As if somehow passing regulations which mandate X security level (instead of zero), is really making us less secure because they could have mandated something better. And then lumping in a bunch of conspiracy theories in to create a sinister motivation behind all of it.
I don't doubt for one moment that the NSA does have an interest in encouraging weak encryption around the world. I just question the degree to which they've actually had to work to make that happen. People will do this all on their own. You actually have to almost force them kicking and screaming to *not* use insecure methods. Edited, Sep 10th 2013 8:54pm by gbaji