[IIU] Re: [ILUG] FW: ALERT: EU storing all net traffic

kevin lyda kevin at ie.suberic.net
Fri May 10 01:44:29 IST 2002


On Thu, May 09, 2002 at 11:51:22PM +0100, Paul Kelly wrote:
> tell them why at the time. 20 years later it turns out they were 
> actually making DES more resistant to this form of attack.

exactly.

nsa-type organisations have a lot of forces pushing on them.  being
able to read every pgp encrypted email could be useful (assuming that
this nsa-like organisation not only has at least one earth shattering
mathematical discovery but a stunningly efficient ai system to read
those messages).  this group might be able to assist law enforcement in
amazing ways (though they'd have to be sly about it as we'd have copped
on that they can read these messages by now).

however if these algorithms are vulnerable to cracking, then that
means many military and financial groups are using poor encryption to
do their comms.  if a rogue organisation (or even a competing nsa-like
group) figured out the weakness to rsa and other public key algorithms
they could wreak huge havoc on the financial world at the very least.

in fact, i'd say that any gain that an nsa might gain from being able
to crack public key algorithms, they'd lose in the huge risk they'd be
taking with their own national security.

but even skipping the idea that an nsa should release such info, if
it exists, for its own interest (since large orgs of any type don't
always act in their own interests), there is still a lot of weight in
trusting public key encryption.

first - it's not like crypto work happens *only* in america, or *only*
in top secret organisations.  rsa was invented out in the open - though
they were covering ground that the brits had covered a few years before
(look what being secretive bought them).  breakthroughs in factoring
would be a huge leap in math.  a person seriously against globalisation
could make an amazing mark on the world by releasing just such an animal.
banks and large international corporations would just roll over and die.

as for secret backdoors in gpg, this relates to a common fear with linux.
(oh golly, is this on topic?)  "the code's out there, they could stick
in a bug!"  the problem is that too many people with cross-purpose
interests can look at that code.  could you imagine the field day a
patriotic chinese hacker could have by pointing out how the us gov't
stuck in backdoors to gpg?  it would kind of screw up the us complaints
about respecting human rights...  various plays on this could be seen
in everything from linux and libc to a gnome or kde app.  for instance
suse or redflag could nail redhat for allowing trojans as a leg up for
their sales.

lastly, i keep checking out source code analysis tools from time to time
for linux.  from simple retakes on lint, to code colorising to things like
the stanford bug checker.  it seems like there are more projects like it,
and if i was teaching a security or compiler course in a cs dept. i'd
think an interesting project would be to detect source trojans and things
like that.  i suspect i'm not alone in having that interest.

kevin

-- 
kevin at suberic.net          "Adding manpower to a late software project
fork()'ed on 37058400        makes it later."  -- Brooks Law
meatspace place: inle      
http://suberic.net/~kevin



