[Cryptography] Insecure email might be an even bigger problem than we suspected

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 26 10:04:44 EDT 2016


On Wed, Aug 24, 2016 at 5:18 PM, Ray Dillinger <bear at sonic.net> wrote:

>
>
> On 08/24/2016 11:45 AM, Phillip Hallam-Baker wrote:
> > Over the past few months we have seen some very remarkable and quite
> > unexpected developments:
> >
> > 1) Donald Trump wins the GOP Primary.
> > 2) Voters in the UK vote for Brexit.
> > 3) Fox News abandons a longstanding policy of paying off sexual
> > harassment claims against senior management.
> > 4) Trump appoints Breitbart staff to his campaign in an apparent bid to
> > pilot the launch of Trump News
> > 5) Despite knowing that Trump plans to usurp them, Fox News curiously
> > keeps giving Trump free air time.
> >
> > We also have the following observations
> >
> > 1) Cyber espionage attack against the DNC by the FSB and GRU
> > 2) Cyber espionage attack against the New York Times by same parties [*]
> >
> > Cui bono?
>
> On the one hand:
> Oh good.  Some other people are reaching the same 'paranoid
> conspiracy theory' I spun the other day.  So I'm at least no
> crazier than you.
>
> On the other hand:
> This.  Is.  BAD.  An attack on the integrity of elections by
> a power foreign to the nation in which those elections are to
> be held, cannot be allowed to stand. Regardless of who the
> attacker is.
>
> On the gripping hand:
> F***in' called it.
>

One of the TV tropes I find least convincing is the 'people will think I
am mad' trope. Every week the crew of the Star Ship Enterprise meet aliens
with previously unknown powers. Yet they dismiss evidence as
hallucinations.

We have abundant knowledge of the type of attack described. Some of us have
helped perpetrate attacks very similar. We all watched as Crimea was
invaded by Putin's 'little green men' which he denied were Russian troops
for over a year.

But the problem is not just the attacks, it is the distrust that they
engender. The long term cost of Operation Ajax was that a large part of the
world has good reason to be distrustful of US motives.


My former colleague Roger Hurwitz spent his last decade trying to get
people in government to think about cyber attack as a new type of threat.
It is very clear that cyber engagement is nothing like nuclear warfare but
the consequences can be equally significant.

The problem with nuclear weapons is that their strategic value is infinite
and their tactical value is zero. Cyber weapons are almost the exact
opposite, they have immense tactical value and no strategic value. You
don't even know if the weapon will work when used. If it does work the
enemy can take your weapon, change the payload and lob it back at you.

I believe that cyber-warfare should be considered in the same bracket as
terrorism and chemical weapons, tactics that the great powers have banned
because their use has no advantage to us while having the potential to
create great harm.


For the past twenty odd years there have been two sides in the US Crypto
Wars. On the government side there have been the representatives of the NSA
and FBI who run the US pervasive surveillance infrastructure and on the
other there are the civil society people (including most of us here) who
are suspicious of their motives.

But what if we widen the scope and consider the likes of Putin? We now have
concrete evidence of FSB and GRU interference with US elections. And if we
looked we might well see their fingerprints on much more, even Brexit
perhaps.

If the only threat that is recognized is the likes of ISIS and such, then
the likes of Comey and Freeh have a point, cryptography is going to be a
useful tool for terrorists. That is not enough to support a ban in itself
of course, terrorists find many things useful. Guns for example.

If however we consider Putin as a threat, the need for a comprehensive and
pervasive cyber-defense infrastructure becomes a goal that everyone on the
government side should agree to and civil society should concur.