Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On 2014-01-17 01:28, John Young wrote:
> Civil engineers never say a dam is infallible, they say it will fail, watch for well-known weak spots, prepare to patch and maintain continuously, and never forget the disasters of over-confidence, limited construction budgets, cut backs in maintenance, and water policy exploiters.

The relevant analogy is not that a dam might fail, but that the builders were paid ten million dollars to make sure it failed when the town's enemies wanted it to fail by planting dynamite in the dam.

This is not business as usual. We will not continue in this path. We will not continue to use dam builders who put dynamite in their dams. People are not going to accept RSA solutions, and they are not going to accept IETF solutions.

You cannot just say that shit happens, and continue business as normal. That is not going to fly.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
James, you protest too much, not that there's anything wrong with it. There is much to be revealed about the indignation and outrage racket driving security marketing flim-flam from natsec to comsec.

Tip: Dig deeper into the origins of RSA, as in Addison Fischer (and business partners), and you'll arrive at the real shady dealmakers. I know, I was his neighbor for quite a while. At the time Jim Bidzos was a fairly unimportant creature, and Burt Kaliski and Art Coviello weren't even heard of.

-

At 04:57 AM 1/17/2014, you wrote:
> On 2014-01-17 01:28, John Young wrote:
>> Civil engineers never say a dam is infallible, they say it will fail, watch for well-known weak spots, prepare to patch and maintain continuously, and never forget the disasters of over-confidence, limited construction budgets, cut backs in maintenance, and water policy exploiters.
>
> The relevant analogy is not that a dam might fail, but that the builders were paid ten million dollars to make sure it failed when the town's enemies wanted it to fail by planting dynamite in the dam.
>
> This is not business as usual. We will not continue in this path. We will not continue to use dam builders who put dynamite in their dams. People are not going to accept RSA solutions, and they are not going to accept IETF solutions.
>
> You cannot just say that shit happens, and continue business as normal. That is not going to fly.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On Wed, Jan 15, 2014 at 5:38 PM, arne renkema-padmos arne.renkema-pad...@cased.de wrote:
> ...
> Also, I would like to have doctors fixing things like intestinal ruptures, not some kid with their parent's sewing kit :P

i think you misunderstand some of my intent: to be a competent developer, you must be expert in myriad technologies, systems, protocols, etc. however, this would be par for the course - a standard requirement - the lowest common denominator.

this might imply that you apprentice, red team, blue team, triage, bug fix, and otherwise work on software systems for decades before becoming competent enough to be a developer. i've been at this far too long and still not capable enough for solid dev! ;)

>> 2) Educational Support Everywhere
>> Establish lock picking, computing, and hacking curriculum in pre school through grade school with subsidized access to technical resources including mobile, tablet, laptop test equipment, grid/cloud computing on-demand, software defined radios with full receive/transmit, and gigabit internet service or faster.
>
> If we already have problems trying to keep religion out of schools, how are you going to get HackEd into school? ;)

i tried a hackers for jesus approach in my local sunday school teaching 5 year olds squeak... but it was as well received as my lock pickers for the lord trial at the baptist day care...

please advise of greater successes you encounter!

"Hell is other people." - Sartre
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On 16/01/14 11:34, coderman wrote:
> On Wed, Jan 15, 2014 at 5:38 PM, arne renkema-padmos arne.renkema-pad...@cased.de wrote:
>> ...
>> Also, I would like to have doctors fixing things like intestinal ruptures, not some kid with their parent's sewing kit :P
>
> i think you misunderstand some of my intent: to be a competent developer, you must be expert in myriad technologies, systems, protocols, etc. however, this would be par for the course - a standard requirement - the lowest common denominator.
>
> this might imply that you apprentice, red team, blue team, triage, bug fix, and otherwise work on software systems for decades before becoming competent enough to be a developer. i've been at this far too long and still not capable enough for solid dev! ;)

If you only let these mythical omnipotent developers of yours near any IT system then the economy will grind to a halt. I think a better alternative is to look not just at usability of cryptosystems for users, but also to look at the usability of cryptosystems for implementers, because these are the two spots where most mistakes are likely to be made. The latter hasn't had as much focus AFAIK, but from what I've seen there's a growing focus on the problem of dev-proofing in addition to user-proofing.

>>> 2) Educational Support Everywhere
>>> Establish lock picking, computing, and hacking curriculum in pre school through grade school with subsidized access to technical resources including mobile, tablet, laptop test equipment, grid/cloud computing on-demand, software defined radios with full receive/transmit, and gigabit internet service or faster.
>>
>> If we already have problems trying to keep religion out of schools, how are you going to get HackEd into school? ;)
>
> i tried a hackers for jesus approach in my local sunday school teaching 5 year olds squeak... but it was as well received as my lock pickers for the lord trial at the baptist day care...

That is a noble cause, and I applaud your efforts.

--
Arne Renkema-Padmos
@hcisec, secuso.org
Doctoral researcher
CASED, TU Darmstadt
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
With a $67B security market heading to $87B by 2016 why would any security firm settle for RSA piddling racketeering?

http://www.nytimes.com/2014/01/15/technology/upstarts-challenge-old-timers-in-lucrative-computer-security-field.html

Not saying the RSA bashers are diverting attention from their venality, that would be contrary to industry ethics to hide and be hidden, by that I mean journalism and advertising, publicity and campaign bribery, donations to computer education and conferences, dark web sales to rogues and spies, plagiarism and huffy indignation, sabotage and thievery, copyright and DMCA takedowns, well, why preach in this smoky chapel to the stogie-sucking porkies, don't they pay minimum taxes to betray the privacy of ordinary taxpayers who pay the most.

FatSec Preacher bellows: Is there any industry more corrupt than the fatuous security industry?

FatSec Believers yell back: Nope, and newcomers are flocking in.

And so, the sated toads toddle out to fancy chariots stashing drunken investor bedmates, croaking, And we bloated firms are getting much fatter on hackers, and we pay them shady bitcoins to boost the flab.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On Wed, Jan 15, 2014 at 10:31 AM, John Young j...@pipeline.com wrote:
> With a $67B security market heading to $87B by 2016 why would any security firm settle for RSA piddling racketeering?
> ...
> Not saying the RSA bashers are diverting attention from their venality, that would be contrary to industry ethics to hide and be hidden, by that I mean journalism and advertising, publicity and campaign bribery, donations to computer education and conferences, dark web sales to rogues and spies, plagiarism and huffy indignation, sabotage and thievery, copyright and DMCA takedowns, well, why preach in this smoky chapel to the stogie-sucking porkies, don't they pay minimum taxes to betray the privacy of ordinary taxpayers who pay the most.

information security as a discipline or specialization should not exist. that systems, code, protocols, *, are built without security priorities, and without end-user privacy and availability paramount, is the dereliction of basic duty.

we could try a different approach as complementary: security by self evident existence.[0]

> FatSec Preacher bellows: Is there any industry more corrupt than the fatuous security industry?
>
> FatSec Believers yell back: Nope, and newcomers are flocking in.
>
> And so, the sated toads toddle out to fancy chariots stashing drunken investor bedmates, croaking, And we bloated firms are getting much fatter on hackers, and we pay them shady bitcoins to boost the flab.

bloated [.. and] fatter [...] hackers [paid in] shady bitcoins [...] to boost the flab [and excesses] - sounds exactly like DEF CON 21 point in fact! :P

P.S. i have discovered a chain of black ops infowar payments to JYA as proxy pressure against corporate players not sufficiently kowtowing to powers as deemed fit.
the list of disclosures on cryptome.org a persistent store of targeted retaliation as paid for by covert coin wallets https://blockchain.info/address/1P11b3Xkgagzex3fYusVcJ3ZTVsNwwnrBZ 0.0666 BTC from 1JM2M2n246Ug3niz4X1YxTsivM8JxuXahJ, 1NEwWKEYtewMYmUzSc11CTUEUj4XSUhoGy 0.1 BTC from mix 13cgGBPRzdoBLWdkcjkBufeKJkS7t7EMmt,1JdHacTEKzKNu22thGkR3QoAqJEgixs9xD,1LxrugsC8hRWbAoNDU3QJAmUbwUGovnDB3,1NoJRdptNeQ7xB16p4kV1hXk1sKqfv1qs4,1LybLfgmtp2nC2toY8kR3vmSzBzQsxyreR,1ALfEcdd6Sdr77shtjAynia98orGrZEkN5,1BtFpAnqqaYBxy4CJG8NZkygz5YkQ8rnTa,16zeB2RLRV7BR1pjG4K1cNptDaUwTzDRm4,1CjAT7be3uhq5FXphJr1bZQ9TCe8hN18yr,1Bcsf8AWvhb8k3dsa52f9wEfdGq4JFC7cB,1LwwzPvcJC28JTitvAQ76PzukEZzTc4Hr2,155cq3FNNDyr3inrrKKFR2z2dEQHs1UARY,1HpJ54pzy36rredY6ArSzmK4HLADgN4yBi,1HAZzEeawHNyy9vtKrTz1iuVYiDAN8JXYw,1Nb8N1BMANUStTz3k2ajcjyW2g17FHCnXq,115WXPRm3o4gE3wnKWPQGC4i6f5XGM2sJY,1J6jEAUQtnCd4mJpuBkXRy4KH1rKuP42ze,12Tuo695poGwkzCpPnTctt2kVC6NkG3iyG,17WeGSpZBRuJ1FbU9CDj2dvZuf4nsFGasY,1HUsEBRFnMgi77KATEdtJhUhPp8D1K1dm2,1K2Try6bipWvin517XaP3eHTQkKD7vRdRA,16kx8bvc9bmSaLGraUbp5verErFz8EoWGw,147A9ysb1MKY75ECGj3XiiiDKpomJgzZs1,1KyXSwxFjdjCc4gRdTJu2kora3Li2suWdx,14xjUyxRkH1Fa55UGUXf3RzgjbpbVsGfPn 0.10101 from mix 
1DktVLeDwuQNBR5GhCDyZGcS4hBVLdiV7Y,1HMXV3RbWvkqT348yci7AEF57GYRZrPEwf,1A5sHDrGtEvyMPC51pcCKN2VcCyj6PpKfA,18E6VwKbHTcns5tzB8VFTei8RDG4f12DsN,1BxRMpZmjrBcDKvccgLbAa8CYrmNZSzP8v,1MCTZnt9ZC8wmFtRcfxFzGikAqdsUu1NXi,1HehKV16aioxoDFmRypVFbHt7Nj4yE21K6,18yxEFyKWU7k4SN8H6SA7cxey3f6CrDJd3,1AFuP17AaGnn7EukjKYQoKf8qHqcut4jEA,19DNCpRYZLvmvBRHFH9CQoeArgaXXaXqP6,12TiNxaaF12nJR9pKyYZk4X7HCKuVCh1FM,1dXS2dwDsT29h7gvRnUyjHK2ViWArcDfH,1HYXCHgACh9cat2tHJsFAUHTYkqtU6SPj7,15XsYmWSb2tk2BbFsusyqodQTmWzdU1SBx,1NCCrGZTvECaxPVsJW8FG2k3ez1FJrHFcv,16qYQB4mKBvN5w7pB4NnPR7AXUMG4wLA7H,19XRN2CeiRK4xn2B5bcHBjWkXdjTHKXoNr,18XKyXcMfLcsPyspx1M5TLfzvv7QuoNi12,1ADJRNQkJg2fiYTWAuupBqrP1LXFLzeBy7,17c7qx7pektRmKp83XtZhc4yiRYGzzY8Cj,1E9uKJLW1D5iK9mHwDuasYCqUYhR2NfQ9x,13JfZ5Pm2UMKV6jRvFyjkSGsyGqio6mSZF,1KpjyYK4NNLGn1wMSUfpK4xY5emr72zJGX,1KS8XumTUcZE5oALLevpDMAQASfWX1gZJb,189QUKAQhTRkrrRGsKHBxTVbLGtSz7rXYH,1Ph79b99rHtkE1p5KV2LXGPaPdgunMR8Bq 0.1 from mix 1JJ5zWzRjr88BFKHPnvbWqxD5vtbWFbKja,1PBEb8KeBQpjPAyXwQAABu67cLufLEWFC4,1AsL2Y76BBZxHjQdpY5w3hdXSW5VeCLSPi,1KKHz4VWNu2xvK1VMHmUTrasuUkN1aUkZt,1KuWiFj4fdHSf8VwYP7P2aJosBsMM6UvZx,1AKqBPYULbJoVwv2bU3JJ9BNAaxmp4MQNQ,1AjkkN7Xd4mdzMYJDWK16h7WmgYVQkY9RE,1CDusW53zzxYjEXqjiDoECnHAJkmke46R8,18hCUt5TjKVepJsHBryupGfFtjte6bqsqV,1B7DhKYBUTThdsw4y9RqXY1yUokcFCj5xS,1VVRw4BJKxMF6yTrGCusfjo7NgFwGFiTH,12CN4CfHg31LkpdhiYpQZMmgaxWevmL7wC,12ufG6NpEM3p4SJgTGB1YMUuzTaVyfmkzn,15NhfgGSrgLCMQK4Q3skX39fZn9H1jJauh,19DZwxTUFtDgxZGZNNomSzUfdtuENaqZ3J,14syscfppLQ3NpCV16HudsABHW4U1J3pnb,1249NaoLoQ9jrqpUtb3FuMRmp8eT5ud5sy,1JdytQhBfvbMb2138SqwT8msuykYwu4jts,1CmTgm9tH7FuhYxNGGkWHkK8umWBxTqBaL,1BWjgmPpjSGaeWFPL3eXKTuYttYvGCYo3V,1NH9nTXUCNfA3LnzcjWkQLKnEK3FX33uB7,1DFTLTPgTtMwog6u5B6dW36T4HAmCEHrMn,1FRcgEgqGvcQPbjejD6rZtv6k4coKReAsm,198EdZ8oGTqHVPbDqofTBecXVXj6vsYXK5,13TvfH7y619ZvefN6yxWBcZUmHUy1qzjMs 0.037 from mix
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On 16/01/14 01:08, coderman wrote:
> information security as a discipline or specialization should not exist. that systems, code, protocols, *, are built without security priorities, and without end-user privacy and availability paramount, is the dereliction of basic duty.

Not if the idea of duty for many is an eye to the bottom line.

Also, I would like to have doctors fixing things like intestinal ruptures, not some kid with their parent's sewing kit :P

> 2) Educational Support Everywhere
> Establish lock picking, computing, and hacking curriculum in pre school through grade school with subsidized access to technical resources including mobile, tablet, laptop test equipment, grid/cloud computing on-demand, software defined radios with full receive/transmit, and gigabit internet service or faster.

If we already have problems trying to keep religion out of schools, how are you going to get HackEd into school? ;)

Cheers,
arne

--
Arne Renkema-Padmos
@hcisec, secuso.org
Doctoral researcher
CASED, TU Darmstadt
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
Shirley Jackson, The Lottery, sacrificing a victim purges guilt of the guilty.

Does anyone really believe RSA is alone in this betrayal? And that making an example of RSA will stop the industry practice of forked-tonguedness about working both sides of the imaginary fence of dual-use, dual-hat, duplicity of comsec?

Industry standards were invented and are sustained for this purpose. No matter NSA, RSA, IETF, NIST, this breast-beating list of the guilty cryptographers pretending they did not know what their best customers and employers are doing.

Boing Boing is being played like the crypto promotional wargame is played.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
Well said.

In perhaps-related ethics news: RSA Conference is a separate entity from RSA, and (I believe) not a subsidiary or profit center for either RSA or EMC. At this point, they're just unlucky enough to have hitched their branding to the most recognized name in the industry.

If it's wrong for RSA to take $10M to set a bad default in BSAFE, is it not MORE wrong to sell the federal government a 0day for a fraction of that price? On that score, black/gray hats boycotting RSA are like H dealers who cry foul because their neighbors let their kids run with scissors.

By boycotting the show, one is essentially depriving others the opportunity to hear one's nuanced, well-informed ranting about crypto ethics in its preferred venue i.e. the various bars and seafood restaurants of SF.

As always, focusing inward is indicated all around.

/j

On Jan 14, 2014, at 11:12 AM, John Young j...@pipeline.com wrote:
> Shirley Jackson, The Lottery, sacrificing a victim purges guilt of the guilty.
>
> Does anyone really believe RSA is alone in this betrayal? And that making an example of RSA will stop the industry practice of forked-tonguedness about working both sides of the imaginary fence of dual-use, dual-hat, duplicity of comsec?
>
> Industry standards were invented and are sustained for this purpose. No matter NSA, RSA, IETF, NIST, this breast-beating list of the guilty cryptographers pretending they did not know what their best customers and employers are doing.
>
> Boing Boing is being played like the crypto promotional wargame is played.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On Tue, Jan 14, 2014 at 8:34 AM, Jared Hunter feralch...@gmail.com wrote:
> ...
> If it's wrong for RSA to take $10M to set a bad default in BSAFE, is it not MORE wrong to sell the federal government a 0day for a fraction of that price?

collusion to weaken RNGs enables pervasive insecurity and global passive interception. 0day is unilateral, targeted, and active (not passive) by comparison.

we can argue ethics, however these are two different classes of compromise...

> By boycotting the show, one is essentially depriving others the opportunity to hear one's nuanced, well-informed ranting about crypto ethics in its preferred venue i.e. the various bars and seafood restaurants of SF.

a few people have mentioned having an un-conference at the same time / location to provide for a more authentic exchange of actual crypto geekery. i support this effort!

best regards,
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On Jan 14, 2014, at 1:53 PM, cryptography-requ...@randombit.net wrote:
> Does anyone really believe RSA is alone in this betrayal? And that making an example of RSA will stop the industry practice of forked-tonguedness about working both sides of the imaginary fence of dual-use, dual-hat, duplicity of comsec?

First, “Almost everything you do will seem insignificant, but it is important that you do it”.

Second, boycotting an e. coli-laden meat packer is not for the effect on that packer, but for the effect on the other packers. It serves as a warning and as a demonstration of damage that accrues to bad behaviors. Brands take notice of such things. It serves the public good.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
If courageous, Rivest, Shamir and Adleman can be burnt in effigy. Their initials once were rightly world famous, and to smear these distinguished gentlemen by vulgar opportunistic protest instigated by noobs with less than zero comprehension of cryptography should be condemned not debated.

James Bidzos raped the three once, twice, thrice, then hid his corporatorizing crime under skirts of EMC. Don't ravage his victims. Protest, sure, but demonstrate what to protest for effectiveness, not idiotic sloganeering of a logo.

Hell, long-time duplicitous IBM deserves deeper anger than RSA. DES and much more. Go big and really bold. Protest the Wassenaar Arrangement, the greatest rigging of the dual-use technology market ever, and the world's greatest gang of cheaters, bribers, underhanded dealers of contraband, most of it lethal, far deadlier than crypto.

Greenwald blogs there are cryptographers and comsec experts reviewing Snowden's material for future releases. Presumably the highly ethical reviewers have a clear shot at avoiding release of their own names and firms. They will cheat, that's certain.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On 2014-01-15 02:12, John Young wrote:
> Shirley Jackson, The Lottery, sacrificing a victim purges guilt of the guilty.
>
> Does anyone really believe RSA is alone in this betrayal? And that making an example of RSA will stop the industry practice of forked-tonguedness about working both sides of the imaginary fence of dual-use, dual-hat, duplicity of comsec?

Yeah, it will. Open source the cryptographic part of your product, and don't use RSA, IETF, or NIST standards.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On Tue, Jan 14, 2014 at 10:34 AM, Jared Hunter feralch...@gmail.com wrote:
> RSA Conference is a separate entity from RSA, and (I believe) not a subsidiary or profit center for either RSA or EMC. At this point, they're just unlucky enough to have hitched their branding to the most recognized name in the industry.

This is incorrect. From http://www.rsaconference.com/about :

> RSA developed RSA Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, RSA Conference and related RSA Conference branded activities are still managed by RSA, with the support of the industry. RSA Conference event programming is judged and developed by information security practitioners and other related professionals.

Also, the footer on all rsaconference.com pages specifically claims copyright by EMC, and both the Legal Notices and Privacy Policy links go to pages on emc.com.

--
@kylemaxwell
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
But open source is compromised as well, for the same reasons and by the same parties. Some claim open source was born of and is powned by the spies.

No problema, overcoming compromises of parentage has forever been the fundamental, albeit futile, crypto challenge. Even precious OTP is compromised, the gold standard of industry pure-blooded progeny. No matter, cryptologists are dogged and faithful as rutting canines. One or two mad but considered geniuses, placed on virtual pedestals, then back to wild-rut cheating, lying, stealing and high-selling to evildoers.

This is a thumbnail of The Codebreakers. Come to think of all security volumes. Ross Anderson has amusing comments on this onanist bazaar in Security Engineering, which, book-rich Schneier, no slouch at unfettered self-rutting, moans 'It's beautiful. This is the best book on the topic there is.'

At 05:58 PM 1/14/2014, James Donald wrote:
> Yeah, it will. Open source the cryptographic part of your product, and don't use RSA, IETF, or NIST standards.
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
On 2014-01-15 10:48, John Young wrote:
> But open source is compromised as well, for the same reasons and by the same parties. Some claim open source was born of and is powned by the spies.

We can audit open source. Of course that costs serious money, but some people have adequate incentive to do so.