[Cryptography] Cue the blamestorming

ianG iang at iang.org
Sat Apr 19 08:20:42 EDT 2014


On 18/04/2014 19:28 pm, Phillip Hallam-Baker wrote:
> On Thu, Apr 17, 2014 at 8:12 PM, ianG <iang at iang.org> wrote:
> 
>> https://lobste.rs/s/3utipo/openbsd_has_started_a_massive_strip-down_and_cleanup_of_openssl/comments/fkwgqw
> 
> We also need a documentation fix. Bad documentation is a canary for bad code.
> 
> This might have been fixed but we all assumed that there was no
> problem. Nobody in OpenSSL was telling us they needed help.
> 
> 
>>> And the fact that the US govt. which
>>> we thought was making a significant contribution to COMSEC through the
>>> NSA turns out to have spent less than 0.5% of its budget on COMSEC
>>> standards related activities and most of that went into sabotage.
>>
>> Yes, that particular misinformation campaign has been revealed.  I'm not
>> sure who it was aimed at tho...
> 
> Problem is that it is really impossible for an organization to address
> two incompatible goals. We now know that SIGINT was the overwhelming
> priority to the effective exclusion of all COMSEC.


Exactly.  According to the evidence of their actions, NSA's mission is
to spy on everyone, and the rest is deception planning;  either they're
deceiving their enemy, or us, or themselves, doesn't really matter.

Which leads straight into the "we will own the net" mindset, aggressive
or otherwise.

And, continuing this thread,...

>>> We also need to bring government resources to bear because there are
>>> some things that are really hard to achieve in either a commercial or
>>> a volunteer model.
>>
>> That's not a sufficient reason.  You'd also have to show that the
>> government can do a better job, rather than make a bigger mess.  I err
>> on the latter, so I'm interested to hear claims to the former.
> 
> I was just in Turkey for the opening of the new CyberDefense program
> at METU in Ankara. Comodo is backing the program but commercial
> entities can't back such programs without government support. It has
> to be a partnership.
> 
> I can back individual projects but they will inevitably be seen as
> backing one particular commercial position. We need government funding
> as well.
> 
> If I don't like what is on offer from one, I'll pick another.


Governments start cyberwars, then rush to the people and say they want
money for cyber defence.  Because, shock, horror, other governments are
attacking them.

Now, of course, we probably do need government money for cyberdefence.
But they caused it in the first place.

So letting them in the game, encouraging them, and asking for their help
is strictly the wrong reward for the wrong behaviour.

Government-backed cyberdefence?  Just say no.



iang

