[Cryptography] the hierarchy of cluelessness
jsd at av8n.com
Thu Dec 11 08:01:40 EST 2014
On Tue, Dec 9, 2014 at 2:55 PM, <dan at geer.org> wrote:
>> "Banks Dreading Computer Hacks Call for Cyber War Council"
>> Bloomberg, July 8, 2014
Specifically, they are calling for a *government-industry* cyber war council
On 12/10/2014 08:49 AM, John Ioannidis asked:
> Are these people that clueless (which makes me even more worried about the
> vulnerability of our financial systems) [...] ?
a) Yes, the banks are infinitely clueless... but we knew that already.
b) The government is infinitely clueless.
c) Most of the bank customers are infinitely clueless.
d) Other industry sectors are just as clueless.
e) The mainstream media are clueless.
f) The bankers blame the security geeks (i.e. us) for not providing
them with easy-to-use tools.
Evidence for point (b):
The NSA knew, or should have known, that what they were
doing was wrong, but they did it anyway. Consider the
++ The secrecy should be in the keys. In contrast, the
method "should not require secrecy, and it should not
be a problem if it falls into enemy hands."
-- Auguste Kerckhoffs
++ "The enemy knows the system."
-- Claude Shannon
++ "In the long run it is more important to secure one's own
communications than to exploit those of the enemy."
-- Frank Rowlett
-- "Let's create a situation where our friends can be spied
upon more easily than our enemies."
-- NSA policy for 40+ years
Evidence for point (a):
The fact that the banks would turn to the clueless government
for help proves the banks are infinitely clueless ... but we
already had plenty of other ways of proving that.
Example: The following email recently came to my attention.
I called the bank. The conversation went something like this:
jsd: This looks like a phishing attack.
bank: No, it is completely secure, because we sent it, and
our IT department is super-careful about things like that.
jsd: The little old lady who received this email, how is
she supposed to know you sent it?
bank: Because it's from us.
jsd: But how is she supposed to know that? By sending this
email, you are training your customers to be victims. What
if she got two emails on the same day, one from you and one
from North Korea, which one should she trust?
bank: She should trust the one from us.
jsd: And how is she supposed to know which is which?
bank: It says right at the top it's from us.
jsd: And how hard do you think it is for the bad guys to
bank: But the point is, we would never direct you to an
insecure website. It says so right in the email, at
the top and the bottom. We have super-strict rules and
procedures about that.
jsd: Well, this email violates your own rules big time. It
directs users to two different web sites not your own, a
third party and a fourth party. The mail itself emanated
from a fifth party. You keep saying you sent it, but in
fact you didn't.
bank: But those web guys are under contract to us.
jsd: You know that, but the little old lady doesn't. The
bad guys could be preparing almost-identical emails right
now, and none of your customers would be able to tell the
difference. You're training your customers to be victims.
bank: This email is secure, because we sent it.
The guy said he would pass my comments on to management. I
know this had no effect, because a couple of weeks later the
bank sent out another round of equally-phishy emails.
Further evidence for (a), (b), (c), and the interaction between them:
The government has imposed voluminous regulations on the banks.
A lot of stuff that used to be punishable by revoking your
banking license is now a felony. There are also regulations
that require elaborate encryption of customer data. The regs
are so cumbersome that bankers find them hard to handle, and
most customers find them impossible to handle. The result is
that bankers have completely-insecure personal hotmail accounts
that they use to communicate with customers. After the deal
has been worked out, they cut-and-paste it into the official
bank system. Ta Da! Problem "solved".
Example of point (e):
Today the Gomorrah Post ran a story about the Sony hack:
It says in part:
> The company has endured a wave of criticism — bordering on ridicule —
> in recent days for a reportedly lax approach to cybersecurity. In one
> widely mocked remark, Sony’s top information security official told
> CIO magazine in 2007 that it was “a valid business decision” to
> accept some cybersecurity risk because preventing an attack could be
> more expensive than simply enduring it.
It seems to me that the CIO's point is absolutely valid. There
is a dial to adjust how much risk you want to accept, and one
could argue that Sony set the dial in the wrong place, but one
should not "ridicule" the idea that such a dial exists.
The hypocrisy is stunning, given that the Post itself has been hacked:
Remark on the interaction between (a), (b), (c), and (f):
The US black budget is on the order of 50 billion dollars
per year. AFAICT virtually all of it is spent on offense,
i.e. weakening perceived enemies. Department of "Defense"
my ass. The overall "defense" budget is on the order of a
trillion dollars per year. The /profit/ in the US financial
sector alone is something like 1.7 trillion dollars per year
... roughly 1/10th of the GDP.
Imagine what would happen if the feds, the banks, Sony,
and other players were to invest some of their money by
paying a few geeks to develop more easily-usable tools.
You know, actual /defense/ as opposed to offense.
One more point: The idea that China might try to pillage US
trade secrets should come as a surprise to nobody. The US
did exactly the same thing to Britain 200 years ago. See e.g.
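The bank conversation above turns on two things the "little old lady" cannot check by eye: whether the links in the mail lead to the sender's own domain, and whether the mail actually entered the system from that domain. The following is an added example, not code from the original post or from any bank, showing how a receiving side can check both mechanically. The sample message is constructed for the example and every host name in it is fictitious; `registrable_domain` uses a two-label simplification noted in the code.

```python
# Added example (not code from the original post or any bank): checks the
# two things the post says a recipient cannot otherwise tell, whether the
# links lead to the From: domain and whether the mail entered the system
# from that domain. The sample message is constructed; all hosts are fictitious.
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From: claims examplebank.example, two links go to other
# parties, and the mail was injected by a third, unrelated host.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailblast-vendor.example>
Received: from mx3.mailblast-vendor.example (mx3.mailblast-vendor.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Tue, 9 Dec 2014 10:00:00 -0500
From: "Example Bank" <alerts@examplebank.example>
To: customer@recipient.example
Subject: Please update your contact preferences
Content-Type: text/html; charset=utf-8

<html><body>
<p>We would never direct you to an insecure website.</p>
<p><a href="https://surveys.third-party.example/bank?id=123">Update</a></p>
<p><a href="http://track.fourth-party.example/c/abc">Learn more</a></p>
<p><a href="https://www.examplebank.example/help">Help</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    # Collects href attributes of <a> tags.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def registrable_domain(hostname):
    # Last two labels. Simplification (assumption): production code should use
    # the Public Suffix List so that bank.co.uk is not reduced to co.uk.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def html_links(msg):
    # Every <a href> in the HTML body, or [] if there is no HTML part.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    return parser.hrefs


def injecting_host(msg):
    # Relays prepend Received:, so the last one in header order is the first
    # hop; only it says where the mail entered (and it is forgeable by that host).
    received = msg.get_all("Received") or []
    match = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(received[-1])) if received else None
    return match.group(1) if match else None


def analyze(raw_message):
    """Compare link targets and delivery path against the From: domain."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)

    off_domain, insecure = [], []
    for href in html_links(msg):
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # mailto:, tel:, relative links: nothing to compare
        if registrable_domain(url.hostname) != sender_domain:
            off_domain.append(href)
        if url.scheme != "https":
            insecure.append(href)

    path_mismatch = []
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if "@" in return_path and registrable_domain(return_path.split("@")[-1]) != sender_domain:
        path_mismatch.append("Return-Path " + return_path)
    first_hop = injecting_host(msg)
    if first_hop and registrable_domain(first_hop) != sender_domain:
        path_mismatch.append("first hop " + first_hop)

    return {
        "sender_domain": sender_domain,
        "off_domain_links": off_domain,
        "insecure_links": insecure,
        "path_mismatch": path_mismatch,
        "looks_like_phishing": bool(off_domain or path_mismatch),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(key, value)
```

Run against the constructed message, `analyze` flags the third-party and fourth-party links and the fifth-party Return-Path and first hop, which is exactly the pattern the bank insisted was "secure". The check is the recipient's view only: it cannot tell a contracted mailer from an attacker, which is the post's point, and the first-hop host is whatever the injecting server chose to write.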