On 09/07/2013 02:46 PM, Eugen Leitl wrote:
On Sat, Sep 07, 2013 at 12:26:22PM -0400, Jonathan Wilkes wrote:
Hi Eugen,
      When Bruce Schneier made the call for people to come forward
and describe being asked to degrade standards or build backdoors
I don't think this is what he meant.
Bruce is a cool guy, but nobody died and made him king.
Mr. Gilmore seems perfectly happy to give us enough details to
be able to find the identity of a "suspicious" Kernel dev, but he
refrains from identifying the NSA employees and their friends.
We have evidence that NSA is using social engineering to weaken
protocols and implementations. Incidentally, when it comes to IPsec
this pattern has been independently corroborated by other parties I
happen to trust. This is no proof, but we need to become very
careful about preventing such security meltdowns in future.
Because this *will* happen, again.
If he can write without reservation that he knows someone had
longstanding ties to the NSA, he obviously knows who this person
is.  Deanonymizing the person from the free software world while
Come on, that the mainline inclusion is a major political
snakepit is pretty well known. I don't know whether spooks
are pulling strings behind the scene to fan the flames, but
if they don't they're really lousy at their job.

granting anonymity to someone with ties to the NSA isn't fair, isn't
helpful, and most of all it isn't intellectually responsible.
I can tell you that I would be very interested who committed
all the crypto regressions into Debian. I really hope that
someone is going to review the checkin history, and writes
a report about it.
I cannot fault people for failing to be perfect heroes, but I can fault
them when what may be reasonable fears result in writing that
speculates where we need it least and lacks evidence where we
need it most.
This is a war, and there will be innocent people hurt. This is
regrettable, but we didn't start it.

The only things the free software community has that its
greater than $50 billion a year adversary doesn't are a) its
transcendental laziness and b) its history of and propensity
for sharing.  The way it works is someone looking at
mundane work that might take them twenty or thirty
minutes instead decides to do ten or twenty months of
work so that the _next_ time they need to solve a
similar task it takes ten or twenty seconds.  Then they
give it to everyone else because some other transcendentally
lazy developer made it trivial to do so by applying those
same principles to the software that automates the process
of sharing stuff (Git).

Those are the singular strengths of the free software
community when pitted against this particular adversary.  If
you make more obstacles to sharing, you lose.  If you
hammer down on laziness by wasting mindshare on
speculation that one's neighbor may be a spy, you lose.
On the second point you actually lose twice, because
at least the speculation and bad science within the
surveillance industry can be covered up and controlled
for a limited time.  In the free software community-- as
was the case in the reddit crowdsourced "detective" work
after the Boston bombing-- it's there in all its transparent
ugliness for the world to see, forever.  Let it stand there
for all time as a reminder of the unnecessary suffering
caused when we forgot that we suck at speculating.
Then we can get back to one of the two things we do well.


What we need to let go is personal sensitivities. If you check
in crap code that breaks things, whether you're an NSA mole or
just incompetent, it doesn't matter. You need to have your checkin
license revoked.

If you're smart and compassionate, you'll realize that the
free software community could turn its two strengths I
mentioned above into three strengths-- give amnesty to
anyone with a direct account of being asked to degrade
standards or software, or even carrying it out.  We're not
interested in calling people traitors, digging up dirt on their
loved ones, or other such retribution.  As with hardware,
we're interested in one thing: the specifications.  Tell us the
details of how the process of undermining happens-- what
are the incentives, what are the tactics used.  Only then
can some frustrated dev look at the borked system and
spend ten or twenty months designing a better one so he/she
doesn't have to care about whether that guy in the sunglasses
is a spook or not.

If you're smart but not compassionate, then think in terms of
bug reports.  "I installed a program that I think uses an unstable
library that may be making the operating system unstable,"
isn't a proper bug report.  I'm sure you know what you'd say
in response to that.  It is even more pressing in the domain of
human affairs that we demand the same care and attention.

-Jonathan


Same thing applies to package signing secrets of Debian.
Unfortunately, we can no longer afford to be negligent there.



-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.