[Cryptography] Now it's personal -- Belgian cryptographer MITM'd by GCHQ/NSA

ianG iang at iang.org
Mon Feb 3 06:10:03 EST 2014

On 3/02/14 02:56 AM, Jerry Leichter wrote:
> Commenting on only one thing in a long message:
> On Feb 2, 2014, at 5:38 AM, ianG wrote:
>> We can play the game of "you don't know that for a fact" forever, but at
>> the end of the day, they will never enter court and let the court
>> declare it a fact, so that easy excuse is their game, their rules, their
>> victory.
> And the alternative is ... what?  The witch hunt?  The mob?  Kill all, God will know his own?

Don't give up, Jerry!  The first thing is to not panic.  When our
systems fail around us, panic will surely develop the wrong reaction.


When our standards fail us, we need new systems by which to measure what
we see.  Everyone in the scientific world is comfortable with scientific
method.  But sadly, that doesn't consider attackers.  Most people are
also aware of the legal standards of truth and innocence.  Details
aside, the attacker blew them away.

What is left might be styled an adverse witness model or a
counter-intelligence model.  Verify before trust would be a kinder way
to put it.

Information has to be evaluated differently.  Stuff that they want to
hide -- snowden -- is accorded more credibility.  Same with the stuff
that they attack in public, attempt to undermine.  Claims made should be
seen not from the lens of truth-until-proven-lies, but interested,
agenda-laden and manipulative.  Turn the lie.  Reverse the deception
plan.  Follow the money.  Follow the budget.  Follow the jobs.

> It's so very easy to slip over the line, for (apparently) all the very best reasons.  That's what the intelligence community did.  The answer is not to slip over the same line.

No, that's their answer.  It does nothing to them, as they don't care
what you think of them, they only care that you slumber unopposed.  By
imposing your standards on you, and reminding you of that, they force
their game on you.

Our problem is to get them back across the line, without as you say,
adopting their lack of standards.  Us giving them the benefit of the
doubt doesn't cut it, they already factored that into their strategy,
and demand it.  Every PR, every senate hearing, every response says this
loud and clear:  you must give us the benefit of the doubt, the legal
presumption of innocence.

No more.

> The rule of law, the presumption of innocence - they are fundamentally based on the notion that we, as civilized members of society, will play fair, even when others don't.  We accept the costs because not to do so produce results that are even worse.

Indeed, these are the standards *we* hold.

And when it is gone?  When we fight those who don't have them?

Recall the old socialist's catchphrase, better red than dead.

Really?  Red XOR dead?

> Granted, the rest of your message doesn't rise to the strident and dangerous call that this paragraph does.  But the urge is there.  It's there in all of us.

The urge is there to stop with the excuses, sure.  The anger is
everywhere.  /Dangerous and strident calls/ for revolution would be
pathetic and stupid.

But we need something.  We need a response.

>> Old military truism:  the battle is won by the general that imposes his
>> plan over the other.
> "He who fights with monsters should look to it that he himself does not become a monster.  And when you gaze long into an abyss the abyss also gazes into you." - Nietzsche

Indeed, the abyss would be before us, if society's failure to hold the
NSA to standards resulted in us accepting the wholesale abandonment of
those same standards.

But nobody here is going to do that.  There is a middle ground -- which
is to do what we do and do it more and better:  build secure crypto
systems to protect people from all threats.

Not much of an abyss, more like a crack in a pavement or a line in the sand.

Granted, if we gaze long enough, everything becomes a nation-state
threat.  We've all met those guys.  We could probably gaze for a fair
bit longer before it even notices us, and arguably, that focus is better
than the current wishywashy PCI/DSS/PKI/FIPS Maginot Line, because it
includes the economic attacker (aka thief) as well as the uneconomic
attacker (aka *police).


More information about the cryptography mailing list