Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
Hmmm. Thanks, Ethan! Maybe I'm wrong? Maybe the NSA was always allowed to pass criminal evidence across to the civilian police forces. It's a very strange world. iang On 1/07/13 06:12 AM, Ethan Heilman wrote: The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably. The NSA became demilitarised that is, involved in civilian law enforcement, when it stopped being the AFSA (Armed Forces Security Agency) and the NSA was created in 1952. But even prior to that in it's earlier form as the AFSA, ASA, and etc, the NSA did some civil law enforcement work with the FBI. For example Project Shamrock which started in 1945 (seven years before the AFSA became the NSA) involved: Intercepted messages were disseminated to the FBI, CIA, Secret Service, Bureau of Narcotics and Dangerous Drugs (BNDD), and the Department of Defense. Earlier forms of the NSA were also involved in cryptanalysis of pirate radio stations and prohibition era booze barons. The case of their abuses was Project MINARET 1967-1975 which spied on US citizens that suspected of being dissidents or involved in drug smuggling. This information was passed on to the FBI and local law enforcement. Project MINARET that uses “watch lists” to electronically and physically spy on “subversive” activities by civil rights and antiwar leaders such as Dr. Martin Luther King, Jr, Jane Fonda, Malcolm X, Dr. Benjamin Spock, and Joan Baez—all members of Richard Nixon’s infamous “enemies list.” The NSA has been a civil law enforcement organisation in practice if not always in principal since before it's inception (its charter broadened its role beyond its previous role as a military support organisation). ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: So then - what do you suggest to someone who wants to leak a document to a press agency that has a GlobaLeaks interface? I would suggest: don't use GlobalLeaks, use anonymous remailers. Bottom line: Tor is weak against powerful adversaries because it is low latency. High latency mixes are a lot safer. GlobalLeaks should have an email API, IMO. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: I would like to see a tor configuration flag that sacrifices speed for anonymity. You're the first person, perhaps ever, to make that feature request without it being in a mocking tone. At least, I think you're not mocking! :) Let me add a second vote for that. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
if ever we managed to provide an interface where users successfully managed their own keys without screwing up. The only answer is to take key management out of the users' hands. And do it automatically as part of the work flow. Guido. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 1 July 2013 05:04, Ben Laurie b...@links.org wrote: On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: So then - what do you suggest to someone who wants to leak a document to a press agency that has a GlobaLeaks interface? I would suggest: don't use GlobalLeaks, use anonymous remailers. Bottom line: Tor is weak against powerful adversaries because it is low latency. High latency mixes are a lot safer. GlobalLeaks should have an email API, IMO. Having looked a lot at the current remailer network, and a bit at GlobaLeaks - I'm going to wade in and disagree here. (Although this thread has gotten woefully off topic after I've bumped it. =/) Ben: I love mix networks. I've been learning everything I can about them, and have been researching them voraciously for a couple years.[0] But IMO the theoretical gains of high latency *today* are weaker than the actual gains of low latency *today*. Virtually all remailer use is Mixmaster, not Mixminion. If you want to use anything but a CLI on Linux - you're talking Mixmaster. So I'm assuming you mean that. Mixmaster uses a very, very recognizable SMTP envelope, that often goes out with no TLS, let alone no PFS. There's also precious few people actually using it. And finally, if you look at the public attacks on remailers (the unfortunate bombing threats of last summer) and Tor (the Jeremy Hammond case) - you see that Feds are willing to go on fishing expeditions for remailers, but less so Tor. Tor was traffic confirmation, Remailers was fishing.[1] Compare to GlobaLeaks. Tor Hidden Service, Tor network. The two biggest threats are Traffic Correlation and the recent attacks on Hidden Services. Assume a Globally Passive Adversary logging all SMTP envelopes (because... they are. So don't assume, know.). Now assume a leak arrives over email. Light up all the nodes who sent a message via Mixmaster within a couple days, and you'll get at most, a couple hundred. Now dim all the lights who've never sent a mixmaster message before. You'll get a couple. That's enough to investigate them all using traditional methods. Now you *do* have to assume a GPA who's logging all Tor traffic. It's possible. Some would even say it's probable. But we've seen no evidence. Do the same light-up. You get a hundreds if not thousands of nodes. Too many to investigate traditionally. And to do Traffic Confirmation, you need to identify the Hidden Service. And there's the issue that it's not trivial to do traffic confirmation. Oh and there's also the little problem of sending anything over 10,236 bytes via Mixmaster splits the message into multiple messages that all emanate from your machine which makes it wildly probable some won't arrive, and also drastically makes you stand out the crazy person who's trying to send anything other than text through Mixmaster. I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current remailer network is wildly unsafe. (Now what I think about fixing it... that's a whole other story, for a whole other time.) -tom [1] https://crypto.is/blog http://defcon.org/html/defcon-21/dc-21-speakers.html#Ritter [1] If you don't like my last argument, fine, ignore it, and work with the others. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
On Sun, Jun 30, 2013 at 07:09:57PM -0700, Yosem Companys wrote: Speaking of which... If you had an extra $2-3K to give to a liberationtech or crypto project, who do you think would benefit the most? A BTNS implementation. There aren't any. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
Ben Laurie: On 1 July 2013 12:32, Tom Ritter t...@ritter.vg wrote: On 1 July 2013 05:04, Ben Laurie b...@links.org wrote: On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: So then - what do you suggest to someone who wants to leak a document to a press agency that has a GlobaLeaks interface? I would suggest: don't use GlobalLeaks, use anonymous remailers. Bottom line: Tor is weak against powerful adversaries because it is low latency. High latency mixes are a lot safer. GlobalLeaks should have an email API, IMO. Having looked a lot at the current remailer network, and a bit at GlobaLeaks - I'm going to wade in and disagree here. (Although this thread has gotten woefully off topic after I've bumped it. =/) Ben: I love mix networks. I've been learning everything I can about them, and have been researching them voraciously for a couple years.[0] But IMO the theoretical gains of high latency *today* are weaker than the actual gains of low latency *today*. Virtually all remailer use is Mixmaster, not Mixminion. If you want to use anything but a CLI on Linux - you're talking Mixmaster. So I'm assuming you mean that. Mixmaster uses a very, very recognizable SMTP envelope, that often goes out with no TLS, let alone no PFS. There's also precious few people actually using it. And finally, if you look at the public attacks on remailers (the unfortunate bombing threats of last summer) and Tor (the Jeremy Hammond case) - you see that Feds are willing to go on fishing expeditions for remailers, but less so Tor. Tor was traffic confirmation, Remailers was fishing.[1] Compare to GlobaLeaks. Tor Hidden Service, Tor network. The two biggest threats are Traffic Correlation and the recent attacks on Hidden Services. Assume a Globally Passive Adversary logging all SMTP envelopes (because... they are. So don't assume, know.). Now assume a leak arrives over email. Light up all the nodes who sent a message via Mixmaster within a couple days, and you'll get at most, a couple hundred. Now dim all the lights who've never sent a mixmaster message before. You'll get a couple. That's enough to investigate them all using traditional methods. Now you *do* have to assume a GPA who's logging all Tor traffic. It's possible. Some would even say it's probable. But we've seen no evidence. Do the same light-up. You get a hundreds if not thousands of nodes. Too many to investigate traditionally. And to do Traffic Confirmation, you need to identify the Hidden Service. And there's the issue that it's not trivial to do traffic confirmation. Oh and there's also the little problem of sending anything over 10,236 bytes via Mixmaster splits the message into multiple messages that all emanate from your machine which makes it wildly probable some won't arrive, and also drastically makes you stand out the crazy person who's trying to send anything other than text through Mixmaster. I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current remailer network is wildly unsafe. (Now what I think about fixing it... that's a whole other story, for a whole other time.) The above argument is one I have had more than a few times - I think Tom really did a fantastic job. You are probably right - remailers are not what they used to be. The thing is - I'm not sure they were ever what they used to be - if we look at the disclosures from Snowden, we should assume a kind of GPA - the level of traffic from remailers is just too small. There isn't enough traffic because the desire for one very specific application (email) is extremely small. The more interesting point is high vs low latency. I really like the idea of having a high-latency option in Tor. It would still need to have a lot of users to actually be useful, though. But it seems there are various protocols that would be ore high-latency-friendly than HTTP - SMTP, of course, and XMPP spring to mind. I think if Tor had an arbitrary queue with store and forward as a high latency module of sorts, we'd really be onto something. Then there would be tons of traffic on the Tor relays for all kinds of reasons - high and low latency - only to all be wrapped in TLS and then in the Tor protocol. It would actually be rather straight forward to add a new cell type that did something interesting like the above. It would also be dead simple to use torsocks to torify MixMinion or mixmaster. I've done it and the main problem was that none of the remailer networks really work very well for other properties - other than anonymity, I mean. Using Tor with mixmaster at least augments the forward secrecy problem a bit - that is Tor adds what mixmaster is missing. I think having Mixmaster and MixMinion support in Tails and run over Tor would be a good way to start. I also agree that GlobaLeaks should have an interface for receiving leaks via either of those networks - though I sometimes wonder if GL wouldn't be
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On Mon, Jul 01, 2013 at 01:31:51PM +0200, Guido Witmond wrote: The only answer is to take key management out of the users' hands. And do it automatically as part of the work flow. You need at least a Big Fat Warning when the new fingerprint differs from the cached one, and it's not just expired. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] crypto breakage in SALT
The comment thread is interesting for the level of I'm not a cryptographer but I know X is true -- oh wait, now I'm not so sure. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 1 July 2013 14:33, Jacob Appelbaum ja...@appelbaum.net wrote: I think having Mixmaster and MixMinion support in Tails and run over Tor would be a good way to start. I also agree that GlobaLeaks should have an interface for receiving leaks via either of those networks - though I sometimes wonder if GL wouldn't be better off with only type-III remailer support? Forward secrecy seems absolutely critical. While we're shooting the high-latency breeze, I should mention Minx, which was designed to be more robust against active attacks (the original had a slight flaw, so I am pointing to the fix for that): http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.140.9884. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 01.07.2013 15:33, Jacob Appelbaum wrote: I think if Tor had an arbitrary queue with store and forward as a high latency module of sorts, we'd really be onto something. Isn't that what Roger proposed as Alpha Mixing? http://freehaven.net/anonbib/#alpha-mixing:pet2006 It could be valuable if someone with enough knowledge of Tor's code sketched the required code and spec changes, no? --Mo ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 3:37 AM, ianG i...@iang.org wrote: Hmmm. Thanks, Ethan! Maybe I'm wrong? Maybe the NSA was always allowed to pass criminal evidence across to the civilian police forces. It's a very strange world. No, the doctrine of the fruit of the poisoned tree makes it non-trivial to avoid the requirements of the 4th Amendment regarding search and seizure. The non-triviality is this: LEA must somehow hide the warrant-less wiretapping (search) and produce a plausible path (and chronology) for how they came to the probably cause that they eventually will bring to a judge. This is non-trivial, but not *that* hard either, and in some cases it may well be trivial. And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). But when the *NSA* does this the risk of method information leaking to the public is very large, which is one reason to prefer that PRISM-type projects, if they exist at all, be and remain forever secret -- their own secrecy is the best and strongest (though even then, not fail-safe) guaranty of non-use for criminal investigations. Ironic, no? We should almost wish we'd never found out. Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On Mon, Jul 1, 2013 at 9:05 AM, Eugen Leitl eu...@leitl.org wrote: On Mon, Jul 01, 2013 at 01:31:51PM +0200, Guido Witmond wrote: The only answer is to take key management out of the users' hands. And do it automatically as part of the work flow. You need at least a Big Fat Warning when the new fingerprint differs from the cached one, and it's not just expired. OTR's model should suffice. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 2013-07-01 9:50 PM, Ben Laurie wrote: On 1 July 2013 12:32, Tom Ritter t...@ritter.vg wrote: On 1 July 2013 05:04, Ben Laurie b...@links.org wrote: On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: So then - what do you suggest to someone who wants to leak a document to a press agency that has a GlobaLeaks interface? I would suggest: don't use GlobalLeaks, use anonymous remailers. Bottom line: Tor is weak against powerful adversaries because it is low latency. High latency mixes are a lot safer. GlobalLeaks should have an email API, IMO. Having looked a lot at the current remailer network, and a bit at GlobaLeaks - I'm going to wade in and disagree here. (Although this thread has gotten woefully off topic after I've bumped it. =/) Ben: I love mix networks. I've been learning everything I can about them, and have been researching them voraciously for a couple years.[0] But IMO the theoretical gains of high latency *today* are weaker than the actual gains of low latency *today*. Virtually all remailer use is Mixmaster, not Mixminion. If you want to use anything but a CLI on Linux - you're talking Mixmaster. So I'm assuming you mean that. Mixmaster uses a very, very recognizable SMTP envelope, that often goes out with no TLS, let alone no PFS. There's also precious few people actually using it. And finally, if you look at the public attacks on remailers (the unfortunate bombing threats of last summer) and Tor (the Jeremy Hammond case) - you see that Feds are willing to go on fishing expeditions for remailers, but less so Tor. Tor was traffic confirmation, Remailers was fishing.[1] Compare to GlobaLeaks. Tor Hidden Service, Tor network. The two biggest threats are Traffic Correlation and the recent attacks on Hidden Services. Assume a Globally Passive Adversary logging all SMTP envelopes (because... they are. So don't assume, know.). Now assume a leak arrives over email. Light up all the nodes who sent a message via Mixmaster within a couple days, and you'll get at most, a couple hundred. Now dim all the lights who've never sent a mixmaster message before. You'll get a couple. That's enough to investigate them all using traditional methods. Now you *do* have to assume a GPA who's logging all Tor traffic. It's possible. Some would even say it's probable. But we've seen no evidence. Do the same light-up. You get a hundreds if not thousands of nodes. Too many to investigate traditionally. And to do Traffic Confirmation, you need to identify the Hidden Service. And there's the issue that it's not trivial to do traffic confirmation. Oh and there's also the little problem of sending anything over 10,236 bytes via Mixmaster splits the message into multiple messages that all emanate from your machine which makes it wildly probable some won't arrive, and also drastically makes you stand out the crazy person who's trying to send anything other than text through Mixmaster. I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current remailer network is wildly unsafe. (Now what I think about fixing it... that's a whole other story, for a whole other time.) You are probably right - remailers are not what they used to be. The more interesting point is high vs low latency. I really like the idea of having a high-latency option in Tor. It would still need to have a lot of users to actually be useful, though. But it seems there are various protocols that would be ore high-latency-friendly than HTTP - SMTP, of course, and XMPP spring to mind. One solution would be to have an anonymizing remailer inside tor as a hidden service. You send emails to that service. A random time later, they are sent to their destination. -tom [1] https://crypto.is/blog http://defcon.org/html/defcon-21/dc-21-speakers.html#Ritter [1] If you don't like my last argument, fine, ignore it, and work with the others. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. their own secrecy is the best and strongest (though even then, not fail-safe) guaranty of non-use for criminal investigations. Didn't the requisite construction of plausible paths from tainted seed just get covered. So, No! The only guaranty against secret taint is transparency. Try removing the 'non-' next time. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
I think if Tor had an arbitrary queue with store and forward as a high latency module of sorts, we'd really be onto something. Then there would be tons of traffic on the Tor relays for all kinds of reasons - high and low latency - only to all be wrapped in TLS and then in the Tor protocol. That would work for things you're able to 'encapsulate' within some compatible form of transmission. Email is essentially a single message in one direction. Various stackable modules could be apply to certain compatible things... random delay, storage at some prescribed levels of redundancy, add/remove padding, etc. Also of issue is if, when or where you're required to interact with clearnet. TCP and websites do not like any of these modules. They'll timeout or break. And you'd need a huge application specific volunteer army writing clearnet interface modules for each BBS, website app, etc. Which few would use since they need access tokens and exits can't be trusted (though see below if you would so choose to). But if you're able to throw out old models, things are possible, particularly over/within your own transports... for example, I2P-Bote. There may even come a time where you can view these overlays as your own implicitly trusted execution platform into which you launch a command packet/agent whose parameters will be followed according to various rules on your behalf. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] 100 Gbps line rate encryption
Are you assuming a single core? I ran 'openssl speed' on an 8-core 2.9 GHz Intel Xeon E5-2690 with hyperthreading enabled, which gives it 16 logical cores. It's an artificial benchmark, but openssl is able to encrypt using AES-XTS with 128-bit keys at 28 gigabytes / second for 8KB blocks, which is 225.2 gigabits per second. This may not be relevant to the whichever platforms the original post was thinking of. On the x86 platform I tested this on, memory bandwidth would be the bottleneck before the crypto. Edited output: $ uname -a Linux [hostname] 3.2.0-41-generic #66-Ubuntu SMP Thu Apr 25 03:27:11 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux $ openssl speed -multi 16 -evp aes-128-xts OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 15 15:27:18 UTC 2013 [some build output omitted] The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes evp3994884.76k 11902064.66k 21140865.02k 26338644.65k 28151824.38k On Sun, Jun 30, 2013 at 2:13 PM, aort...@alu.itba.edu.ar wrote: Oops, miscalculation. That should be a 6.5 Ghz clock for 100 Gbps. ((100 Gbps/8)/2) . Anyway I don't think anybody has hardware that fast except maybe for IBM with the Power8. The fastest hardware implementation of RC4 that I know is 2 bytes/clock. I personally programmed a 1 byte/clock RC4 in a FPGA, it's quite simple. At 2 bytes/clock you still need a clock of 10 gigahertz to encrypt 100 Gbps. That's unfeasible, the way it's done is using paralelism, then you can use any algorithm you want as long as you have silicon available. Consider there are 400 Gbps systems coming online. Using a PC for that kind of workload is a waste of money and power. FPGAs are not that expensive nowadays. Just as a data point, on x86 processors with AESNI you can encrypt AES in, say, XTS mode with about 0.75 cycles / byte on each core. On an Intel Xeon E5-2690 'openssl speed -multi 4 -evp aes-128-xts' tops out at 13.5 GB/s for 8k blocks, which is 108 Gbps. That's only using half the physical cores and no hyperthreading. However, that's unlikely a realistic benchmark for whatever context the original question was referring to. On Sat, Jun 22, 2013 at 5:25 PM, Peter Maxwell pe...@allicient.co.ukwrote: On 22 June 2013 23:31, James A. Donald jam...@echeque.com wrote: On 2013-06-23 6:47 AM, Peter Maxwell wrote: I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough). I would be surprised if it is faster. Given the 100Gbps spec, I can only presume it's hardware that's being talked about, which is well outwith my knowledge. We also don't know whether there is to be only one keystream allowed or not. However, just to give an idea of performance: from a cursory search on Google, once can seemingly find Salsa20/12 being implemented recently on GPU with performance around 43Gbps without memory transfer (2.7Gbps with) - http://link.springer.com/chapter/10.1007%2F978-3-642-38553-7_11 ) - unfortunately I don't have access to the paper. On a decent 64-bit processor, the full Salsa20/20 is coming in around 3-4cpb - http://bench.cr.yp.to/results-stream.html - and while cpb isn't a great measurement, it at least gives a feel for things. Going on a very naive approach, I would imagine the standard RC4 will suffer due to being byte-orientated and not particularly open to parallelism. Salsa20 operates on 32-bit words and from a cursory inspection of the spec seems to offer at least some options to do operations in parallel. If I were putting money on it, I suspect one could optimise at least Salsa20/12 to be faster than RC4 on modern platforms; whether this has been done is another story. Fairly sure Salsa20/8 was faster than RC4 out-of-the-box. As with anything though, I stand to be corrected. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. their own secrecy is the best and strongest (though even then, not fail-safe) guaranty of non-use for criminal investigations. Didn't the requisite construction of plausible paths from tainted seed just get covered. So, No! The only guaranty against secret taint is transparency. Try removing the 'non-' next time. Sometimes it's easy to cover up, sometimes it's not. If you look at how the Allies used their cryptanalytic breaks in WWII you'll see that they made sparing use of their sigint obtained that way -- they had to be very careful when to act and when not to act on it, and when they did they had to take extra steps to make the enemy to believe other avenues to be plausible. Transparency is nice, but the thing is: I don't think you can keep a PRISM-like system secure from being abused by analysts and sysadmins, much less by political appointees, and I think it's harder still to pull that off if its existence is public knowledge. Whereas the incentive to keep the secret from spilling is so strong that it should act as a moderator on its operators. That incentive is lost once the program is public, and then transparency isn't enough: there's always going to be ways to game the controls, and those controls will never be as strong as the need to keep the program secret had been. I could be wrong though. It might well be that in practice there's no difference between abuse potential when the program was secret vs. now that it's public, in which case it's clearly better that it be known to the public. But my instinct tells me otherwise, and that's not a defense of the program, just... paradoxical, ironic. Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
+1. This, totally. On Mon, Jul 1, 2013 at 6:52 AM, Eugen Leitl eu...@leitl.org wrote: On Sun, Jun 30, 2013 at 07:09:57PM -0700, Yosem Companys wrote: Speaking of which... If you had an extra $2-3K to give to a liberationtech or crypto project, who do you think would benefit the most? A BTNS implementation. There aren't any. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography -- Taral tar...@gmail.com Please let me know if there's any further trouble I can give you. -- Unknown ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On 2013-07-02 8:47 AM, Nico Williams wrote: On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. Until 1930 or so, in California, pretty much all criminal prosecutions were by the public. I would suppose the laws are still in place, just not applied. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote: On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. Sparta, one of the first democracies, would put the public officials on trial at the end of their term. It was part of the process. I imagine their Spartan was sufficiently different so that folks like Ted Kennedy (liar, cheat, murderer) would not have been able to serve the class. Sorry for the OT chatter. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
as a spartan of sorts, and one thats shared laphroig with both a plank member of the nsa and the creator of fbi's hrt, id like to say these fellas are decent men and not petty. On Jul 2, 2013 12:55 AM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote: On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. Sparta, one of the first democracies, would put the public officials on trial at the end of their term. It was part of the process. I imagine their Spartan was sufficiently different so that folks like Ted Kennedy (liar, cheat, murderer) would not have been able to serve the class. Sorry for the OT chatter. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 8:33 PM, mtm marctmil...@gmail.com wrote: as a spartan of sorts, and one thats shared laphroig with both a plank member of the nsa and the creator of fbi's hrt, id like to say these fellas are decent men and not petty. Then they would have nothing to fear if put on trial for potential crimes they've committed. (At least, that's what they tell us - if you don't do anything wrong, then you don't have anything to worry about). On Jul 2, 2013 12:55 AM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote: On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. Sparta, one of the first democracies, would put the public officials on trial at the end of their term. It was part of the process. I imagine their Spartan was sufficiently different so that folks like Ted Kennedy (liar, cheat, murderer) would not have been able to serve the class. Sorry for the OT chatter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
Whereas the incentive to keep the secret from spilling is so strong that it should act as a moderator on its operators. ... against use outside of its original scope/parties. I can see that. Time and history tends to expose everything though. And in the present, not knowing what we don't know makes these models hard to evaluate. Sorry for the OT chatter. Similarly, guilty here as well. Off like a Spartan to Cali :) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
id like to say these fellas are decent men True for sure. Yet sometimes when you assemble large systems of even the best of men, those systems may drift from or not always retain the fine character of its components. A weakness of humanity perhaps. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
enlisted guys and trigger job attys arent worried about being put on trial...as much as it pains me to say it.. if youre doing nothing wrong.. On Jul 2, 2013 1:42 AM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Jul 1, 2013 at 8:33 PM, mtm marctmil...@gmail.com wrote: as a spartan of sorts, and one thats shared laphroig with both a plank member of the nsa and the creator of fbi's hrt, id like to say these fellas are decent men and not petty. Then they would have nothing to fear if put on trial for potential crimes they've committed. (At least, that's what they tell us - if you don't do anything wrong, then you don't have anything to worry about). On Jul 2, 2013 12:55 AM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote: On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote: And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example). It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same. I'd love to see proposals for how to criminal prosecutions by the public would work. Sparta, one of the first democracies, would put the public officials on trial at the end of their term. It was part of the process. I imagine their Spartan was sufficiently different so that folks like Ted Kennedy (liar, cheat, murderer) would not have been able to serve the class. Sorry for the OT chatter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography