t byfield on Mon, 25 May 2015 15:53:20 +0200 (CEST)


Re: <nettime> What should GCHQ do?

You make some excellent points, Morlock, but -- if I understand your first sentence correctly -- most of what I said doesn't follow from an ironclad assumption that there are two sides. A simple proof: the DIY approach you advocate would have the same effect of ~privatizing records. Why? Because monolithic and DIY approaches both cast unknown third-party readers as 'attackers.' Unfortunately, third-party readers also include regulators, the public, scholars, historians, serendipity. I think erasing the past by encrypting it is functionally equivalent to erasing the past for political purposes -- the difference mainly boils down to motive, which as we know is less durable than concrete outcomes.

Many communications and records have no real need to be very secure. That is, in many cases, if there is a need, it's often external and systemic -- for example, the need to lock down *all* I/O in a given domain in order to prevent indirect attacks (for example, spearphishing a mid-level employee in order to compromise a system that has access to another system ad nauseam, in order to achieve some high-level goal).

Also, I think you're mistaken that the widespread use of idiosyncratic crypto would have much of an impact on state actors. Of course the bulk of their currently implemented systems are tailored to the use of standardized cryptography. But those same actors are quite capable of accurately analyzing unknown objects, and of doing so on a large scale. ('Objects' includes arbitrary, incomplete, and/or noisy portions of streams, *all* activity in a given frequency range, and so on.) They'd certainly be able to keep pace with the adoption of idiosyncratic crypto. The moment it becomes 'too expensive' to rely on the known-crypto approach, state actors -- being *state* actors -- will just revalue the currency, as it were, by switching over to more flexible, exploratory systems. The 'increase the cost' argument may be one of the few things less durable than motives.

But this is just quibbling. I think your main point is that reducing these questions to two sides is a mistake. One implication of that, which you didn't explore, is what we're seeing: the dissolution of this area of the state into a 'community' -- a plurality of more or less connected, more or less official entities. As that progresses, we'll see (or maybe it'll be there but we won't see it) a stratification based on different levels of resources and access. Some will have the horsepower to break whatever you implement, others won't. The risk is that civil society -- regulators, the public, scholars, historians, serendipity, etc -- will have the least.


On 24 May 2015, at 22:39, morlockelloi@yahoo.com wrote:

There is a fine point here which is almost always missed, but from which most of these conclusions come.

It is about the concept that 'crypto' is created by some small set of Illuminati, it needs to be standardized, and the rest of the world must trust them. These 'crypto wars' are then waged between the mentioned Illuminati and various evil agencies that would like to take away the tools, bestowed by Illuminati upon the unwashed.

The concept works great both for the Illuminati and evil agencies - both do everything they can to maintain it.

Illuminati get livelihood: denigrating terms like "home brew crypto" are deeply entrenched and help maintain the guild exclusivity.

Evil agencies get their job made easy - it is trivial to subvert several standards or rubberhose a few dozen experts into submission. Mass surveillance is only possible when there is a small number of crypto technologies.

This is all total bs.

While crypto is not the simplest technology in the world, it is far from being rocket science in practical terms. If everyone that did some scripting in any language would construct their own custom terribly weak cipher (ROT-14, ROT-15, etc), and use it only between themselves and their personal correspondents, totally incompatible with ways that "standard" web sites and VPNs do crypto, it would become too expensive, for any evil entity, to break millions of terribly weak ciphers. There is nothing "standard" about your circle of correspondents. There is no need that everyone in the world can participate in your crypto technology.

Back to the point: you don't need absolute crypto. You don't need to trust anyone. Scramble your communications in some custom way that will take an evil agency's analyst 10 minutes to break: they can't afford it. And if they target you, you are f*cked anyway, no matter what you use.

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org