[Cryptography] I don't get it.

ianG iang at iang.org
Fri Apr 18 16:05:50 EDT 2014


On 18/04/2014 13:53 pm, Peter Fairbrother wrote:

> So why haven't they fixed it?


Because it doesn't affect them, directly.  It's generally some other 'them'.

With a clear exposed bug, there can be a tight feedback loop -- the
coder or team is embarrassed.  We can see Heartbleed: it's a massively
embarrassing bug in the implementation of OpenSSL, it's really easy to
identify who is to blame, and everyone's piled in to fix it.  Even,
there are people now actually reviewing and rewriting OpenSSL.

Slash & burn, go guys!

But, if the bug is not a bug, or is arguably a bug, or if it's a
documented feature, or just a weakness, then it's SEPs -- someone else's
problem.  strcpy and C pointers fall into that.  They aren't bugs, they
are design decisions.  If there's even a shred of doubt as to whose
responsibility this is, the answer is clear:  it's not our responsibility.

(The entire PKI + phishing falls into this, which is why it was never
"fixed" even though there was no shortage of fixes suggested.)

This is called agency theory in economics, which people recognise more
comfortably as interests, aligned or unaligned.

When interests aren't aligned, we get dysfunctional behaviour at the
group level.  Examples abound:  the interests of the CAs are not aligned
with the interests of the users, and the browsers are stuck in the
middle.  The same problem occurs in IETF working groups where the
interests of the corporations are clear, but the interests of the
individuals are again lost in the noise;  although they are permitted to
do so, the individual internet users cannot or do not band together to
(e.g.) pay a salary to represent their interests in the groups against
the professionals who champion the corporate interests.  It's a stacked
game, rigged.  Occasionally we hear professionals on salaries saying
it's open, open for all, you're bad to suggest stuff and not stick
around to make it happen, but they only get to say that because they're
comfortably paid, for the most part.  There are very few who can put the
effort into doing an ID, credibility is handed out primarily to companies
before people, and power belongs to those with long-term staying power
and the recurring price of an IETF conference entrance and flight.

(This is why DNSSEC key signing is an interesting example -- how did
they do that and avoid corporate takeover?  Idk the answer...)

The same dilemma is seen in the cradle-to-grave behemoths, Apple,
Microsoft, Facebook and Google.  In those, there is a much tighter
feedback between the user and the vendor, so for example we see Google
pushing to improve the SSL, almost alone amongst the companies, this is
primarily because they are on the hook for so many of the components:
software supplier, websites, email provider, apps provider, standards
player, browser vendor, CA, etc.  For the first time, almost all the
interests are aligned!  On the other hand, we have the massive
datamining problem where the behemoths have so much information on our
lives that there is no way we can trust them.

I talked earlier about Bitcoin, where the interests of the dev team are
slowly being eaten up by the startup horde, Ted talks about a deal he
struck with Google to spend 50% of work on his project.



So the question with bugs.  How do you make such *external* bugs in the
'interest' of the group that controls and does most of the work?  Pick
OpenSSL if you like, the same problem exists.  I was involved in pushing
the TLS/SNI stuff for a long while.  It was really hard, nobody really
cared, pretty much everyone said it was SEPs.

Yet, arguably, this one patch would have led to more security than
fixing all of the pre-Heartbleed bugs put together, because it is a
use-multiplier.

So we need a way to align the interests of say the victimised phished
users with the developers in the groups.



iang


