On Tue, 17 Jul 2007 13:11:41 -0400 (EDT) "Leichter, Jerry" <[EMAIL PROTECTED]> wrote:
>
> I'd guess that the next step will be in the business community. All
> it will take is one case where a deal is visibly lost because of
> "proven" eavesdropping ("proven" in quotes because it's unlikely that
> there will really be any proof - just a *perception* of a smoking gun
> - and in fact it could well be that the trigger case will really be
> someone covering his ass over a loss for entirely different reasons)
> and all of a sudden there will be a demand for strong crypto on every
> Blackberry phone link. Things have a way of spreading from there: If
> the CEOs need this, then maybe I need it, too. If "it" is expensive
> or inconvenient, I may feel the need, but I won't act on it. But the
> CEOs will ensure that it isn't inconvenient - they won't put up with
> anything that isn't invisible to them - and technology will quickly
> drive down the cost.

You're an optimist. There was the Israeli case of the tailored virus. I haven't noticed any rush to get rid of insecure operating systems, mailers, and word processors. Or have a look at http://fe24.news.re3.yahoo.com/s/nm/20070717/tc_nm/internet_attack_dc and ask if that will do it. (Department of Transportation? Department of Defense, more likely, from that list of businesses...)

Today's Wall Street Journal reported on "new" threats from ads on the Internet, and loudly worried why ad companies and web sites weren't doing more to filter their offerings. But an ad is just web content, which means that the real problem is the web browser and host OS. Will that prompt a switch?

We're talking about phone calls -- did all of the well-publicized cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US politician), and more) prompt a change? Well, there are now US laws against that sort of phone eavesdropping gear -- a big help....

Want another example? How many US corporations have major operations in China? What are the odds that the Chinese government is listening in?
If you're uncertain, see (a) the posting on this list a few days ago about the landing declaration about communications security devices and yesterday's news story about email problems to China because of apparent problems with the Great Firewall (http://www.cnn.com/2007/TECH/07/18/china.email.reut/index.html). None of this seems to have affected business there. (Nor are corporations unaware of this; I was advising people on this close to 20 years ago.)

I agree that it will take a trigger. I don't know what that trigger will be, but it won't be something as simple as a proven case. It's hard to predict what will get enough people upset; sometimes, it's nothing at all. (Remember the Pentium serial number case? Objectively, that was a complete non-issue, but enough people got upset about it that Intel had to back off.)

It will also have to be dead simple. It can't happen on the POTS network, because modem handshaking takes too long. It can't happen on conventional cellular unless the voice is traveling over a clear-channel end-to-end data connection, not something that the carrier's equipment "knows" is voice. (There's also the question of phone CPU access to the voice channel, per Bill Stewart's post.) It could happen for VoIP if done properly, as others have pointed out. It has to be easy to use, which means that things like PKIs are, shall we say, obstacles.

--Steve Bellovin, http://www.cs.columbia.edu/~smb