[Cryptography] Boing Boing pushing an RSA Conference boycott

ianG iang at iang.org
Sun Jan 19 03:59:28 EST 2014


On 17/01/14 03:54 AM, Bear wrote:
> On Thu, 2014-01-16 at 21:30 +0300, ianG wrote:
> 
>> Wider scrutiny.  Also, it was the company that was tricked.  Was this
>> the only case?  Do we need to be suspicious of every other product?  Ask
>> pointed questions, how do we know that favours weren't done?
> 
> See, that is precisely the same problem that the NSA is up against. 
> How can they know that terrorists *aren't* operating in a given 
> theatre unless they know *EVERYTHING* that goes on in that theatre?
> That is the rock, the demand on them, on which the waves of ethics 
> and morality have broken.  


Yes, and when they can't find it in their haystack, they go looking in
others' haystacks.  All of the agencies have been implicated in tracking
democratic protests, under the guise of "breeding terrorists."

http://www.zerohedge.com/contributed/2014-01-09/500-years-history-shows-mass-spying-always-aimed-crushing-dissent

I definitely agree with your point.  We should not be seeking to
interpret information that isn't available.  The news I saw last week
was that the NSA's Trillion Dollar Anti-Terrorism Decade has succeeded
in ... stopping one $8500 transfer to an implicated Somali group.

That's it!  My first calculator couldn't even display that ratio...

> The only way to 'prove' a negative proposition:  You have to know
> absolutely everything about the universe in which it takes place.
> And there is no way to do that.  There is no way to even approach
> it other than by doing evil and betraying the trust of everyone. 

Right, doesn't make sense.  The better way to deal with this is to use
what information we have, and seek to augment it with new information.
Which is what I'm saying above.

> We'll never be able to 'prove' that something didn't happen unless 
> we do the same kind of unethical crap and pervasive monitoring that 
> is so repugnant.  So clearly we cannot make lack of evidence into 
> a standard of trust.  


No, you're missing the point.  We don't have to prove a negative, we can
assert and agree to a positive.  We can create evidence by means of
disclosure, up front.



Let's say you are going to buy a crypto tool.  Something to replace
BSAFE, whatever, doesn't matter.  You can go to vendors and ask them to
disclose their practices.

"Do you have any sales to security agencies?"

"Do you have a process where security agencies provide you with security
input?"

"Do you ship product that is influenced by security agencies?"

"What process do you use to accept influence from security agencies?"

"Can we rely on these answers?"



Basically, a vendor that wishes to stand apart will answer these in one
way.  A vendor that is uncertain will answer them in another way.  And a
vendor that is compromised will answer them in a third way.  You can
interpret the answers, and you can hold the company to those answers;
this is the nature of civil litigation.

Try it.  Ask Silent Circle questions like these.  Ask RSA.  What would
Lavabit have said?  I don't know how they will answer (and I'm not
buying today) but I'm pretty sure anyone will be able to see the
difference in the answers, and any lawyer will too.


> We have to evaluate what is known and what isn't, and then reach 
> and act on our conclusions even if we can't have direct evidence 
> of malfeasance.  Or we have to descend into the kind of amoral
> backstabbing behavior and pervasive monitoring that the NSA is 
> now seen to have done.  The only alternative is sticking our 
> fingers in our ears and going, "la la la" and pretending we 
> don't have to think about it at all.



I agree.  Entirely.  But observe the distance between 'la la la' and
trying to prove the negative -- Nothing!

One is a benign response and the other is a circular aggressive
response.  Both have the same result.

Look elsewhere for answers.



iang