The wisdom of the ill informed

Allen netsecurity at sound-by-design.com
Mon Jun 30 14:47:54 EDT 2008



Nicolas Williams wrote:
> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>> Given this, the real question is, /"Quis custodiet ipsos custodes?"/ 
> 
> Putting aside the fact that cryptographers aren't custodians of
> anything, it's all about social institutions.

Well, I wouldn't say they aren't custodians. Perhaps not in the 
sense that the word is commonly used, but most certainly in the 
sense of custodians of the wisdom used to make the choices. This is 
exemplified by Bruce Schneier, an "acknowledged expert," changing 
his mind about the way to do security from "encrypt everything" to 
"monitor everything." Yes, I have simplified his stance, but just to 
make the point that even experts learn and change over time.

> There are well-attended conferences, papers published online and in many
> journals, etcetera.  So it's not so difficult for people who don't know
> anything about security and crypto to eventually figure out who does, in
> the process also learning who else knows who the experts are.

Actually I think it is just about as difficult to tell who is a 
trustworthy expert in the field of cryptography as it is in any 
field of science or medicine. Just look at the junk science and 
medical studies. One retrospective study of 90+ clinical trials 
found that over 600 potentially important reactions to the drugs 
occurred but only 39 were reported in the papers. I suspect if we 
did the same sort of retrospective study for cryptography we would 
find some similar issues, just, perhaps, not as large because there 
is not as much money to be made with junk cryptography as junk 
pharmaceuticals.

> For example, in the IETF there's an institutional structure that makes
> finding out who to ask relatively simple.  Large corporations tend to
> have some experts in house, even if they are only expert in finding the
> real experts.
> 
> We (society) have new experts joining the field, with very low barriers
> to entry (financial and political barriers to entry are minimal -- it's
> all about brain power), and diversity amongst the existing experts.
> 
> There's no major personal gain to be had, besides fame, and too much
> diversity and openness for anyone to have a prayer of manipulating the
> field undetected for too long.

I'm curious, how does software get sold for so long that is clearly 
weak or broken? Detected, yes, but still sold like Windows LANMAN 
backward compatibility.

> When it comes to expertise in crypto, Quis custodiet ipsos custodes
> seems like a relatively simple problem.  I'm sure it's much, much more
> difficult a problem for, say, police departments, financial
> organizations, intelligence organizations, etc...

Well, Nico, this is where I diverge from your view. It is the 
"police departments, financial organizations, intelligence 
organizations, etc..." who deploy the cryptography. Why should they 
be able to do that any better than they do anything else? I suspect 
that a weakness in oversight in one area is likely to reflect a 
weakness in others as well. Not total failure, just not done the 
best possible.

Best,

Allen
