Re: [Cryptography] Separating concerns
Hi Phill,

On 28/08/13 21:31 PM, Phill wrote:

> And for a company it is almost certain that 'secure against intercept by any government other than the US' is an acceptable solution.

I think that was acceptable in general up until recently. But, I believe the threat scenario has changed, and for the worse.

The firewall between national intelligence and all-of-government has been breached. It is way beyond leaks, it is now a documented firehose with pipelines so well laid that the downstream departments have promulgated their deception plans.

And, they told us so. In the comments made by the NSA, they have very clearly stated that if there is evidence of a crime, they will keep the data. The statement they made is a seismic shift; the NSA is now a domestic criminal intelligence agency. I suspect the penny has not dropped on this shift as yet, but they have said it is so.

In threat risk terms, it is now reasonable to consider that the USA government will provide national intelligence to back up a criminal investigation against a large company. And, it is not unreasonable to assume that they will launch a criminal investigation in order to force some other result, nor is it unreasonable for a competitor to USA commercial interests to be facing a USA supplier backed by leaks.

E.g., Airbus or Huawei or Samsung ... Or any company that is engaged in a lawsuit against the US government. Or any Wall Street bank being investigated by the DoJ for mortgage fraud, or any international bank with ops in the USA. Or any company in Iran, Iraq, Syria, Afghanistan, Pakistan, India, Palestine, or gambling companies in the Caribbean, Gibraltar, Australia, Britain. Or any arms deal or energy deal.

(Yes, that makes the task harder.)

iang
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Separating concerns
On Aug 28, 2013, at 2:04 PM, Faré wrote:

>> My target audience, like Perry's is people who simply can't cope with anything more complex than an email address. For me secure mail has to look feel and smell exactly the same as current mail. The only difference being that sometimes the secure mailer will say 'I can't contact that person securely right now because…'
>
> I agree with Perry and Phill that email experience should be essentially undisturbed in the normal case, though it's OK to add an additional authorization step.
>
> One thing that irks me, though, is the problem of the robust, secure terminal: if everything is encrypted, how does one survive the loss/theft/destruction of a computer or hard drive? I'm no ignoramus, yet I have, several times, lost data I cared about due to hardware failure or theft combined with improper backup. How is a total newbie to do?

This is a broader problem, actually. If you've ever had to take care of someone's estate, you'll know that one of the problems is contacting all the banks, other financial institutions, service providers, and other such parties they dealt with in life. My experience dealing with my father's estate - a fairly simple one - was that having the *paper* statements was the essential starting point. (Even so, finding his safe deposit box - I had the unlabeled keys - could have been a real pain if my sister didn't remember which bank it was at.) Had he been getting email statements, just finding his mail accounts - and getting access to them - could have been a major undertaking. Which is one reason I refuse to sign up for email statements ... just send me the paper, thank you. (This is getting harder all the time. I expect to start getting charged for paper statements any time now.)

Today at least, my executor can, in principle, work with the mail provider to get access. But for truly secure mail, my keys presumably die with me, and it's all gone.

You don't even have to consider the ultimate loss situation. If I'm temporarily disabled and can't provide my keys - how can someone take care of my bills for me?

We can't design a system that can handle every variation and eventuality, but if we're going to design one that we intend to be broadly used, we have to include a way to handle the perfectly predictable, if unpleasant to think about, aspects of day to day life. Absolute security *creates* new problems as it solves old ones. There may well be aspects to my life I *don't* want revealed after I'm gone. But there are many things I *do* want to be easily revealed; my heirs will have enough to do to clean up after me and move on as it is.

So, yes, we have to make sure we have backup mechanisms - as well as key escrow systems, much as the term key escrow was tainted by the Clipper experience.

-- Jerry
Re: [Cryptography] Separating concerns
On Thu, Aug 29, 2013 at 7:15 AM, Jerry Leichter leich...@lrw.com wrote:

> On Aug 28, 2013, at 2:04 PM, Faré wrote:
>
>>> My target audience, like Perry's is people who simply can't cope with anything more complex than an email address. For me secure mail has to look feel and smell exactly the same as current mail. The only difference being that sometimes the secure mailer will say 'I can't contact that person securely right now because…'
>>
>> I agree with Perry and Phill that email experience should be essentially undisturbed in the normal case, though it's OK to add an additional authorization step.
>>
>> One thing that irks me, though, is the problem of the robust, secure terminal: if everything is encrypted, how does one survive the loss/theft/destruction of a computer or hard drive? I'm no ignoramus, yet I have, several times, lost data I cared about due to hardware failure or theft combined with improper backup. How is a total newbie to do?
>
> This is a broader problem, actually. If you've ever had to take care of someone's estate, you'll know that one of the problems is contacting all the banks, other financial institutions, service providers, and other such parties they dealt with in life. My experience dealing with my father's estate - a fairly simple one - was that having the *paper* statements was the essential starting point. (Even so, finding his safe deposit box - I had the unlabeled keys - could have been a real pain if my sister didn't remember which bank it was at.) Had he been getting email statements, just finding his mail accounts - and getting access to them - could have been a major undertaking. Which is one reason I refuse to sign up for email statements ... just send me the paper, thank you. (This is getting harder all the time. I expect to start getting charged for paper statements any time now.)
>
> Today at least, my executor can, in principle, work with the mail provider to get access. But for truly secure mail, my keys presumably die with me, and it's all gone.
>
> You don't even have to consider the ultimate loss situation. If I'm temporarily disabled and can't provide my keys - how can someone take care of my bills for me?
>
> We can't design a system that can handle every variation and eventuality, but if we're going to design one that we intend to be broadly used, we have to include a way to handle the perfectly predictable, if unpleasant to think about, aspects of day to day life. Absolute security *creates* new problems as it solves old ones. There may well be aspects to my life I *don't* want revealed after I'm gone. But there are many things I *do* want to be easily revealed; my heirs will have enough to do to clean up after me and move on as it is.
>
> So, yes, we have to make sure we have backup mechanisms - as well as key escrow systems, much as the term key escrow was tainted by the Clipper experience.

Systems do need to be usable in practice and too much security can be a bad thing.

I am thinking about 'PRISM Proof' as a hierarchy of needs:

  0 No confidentiality requirement
  1 Content Confidentiality Passive intercept (met by STARTTLS)
  2 Content Confidentiality Active Intercept (met by STARTTLS + validated recipient server cert)
  3 Content Confidentiality Coercion or compromise of Mail service provider
  4 Content Confidentiality Coercion or compromise of Trusted Third Party
  5 MetaData Confidentiality
  6 Traffic Analysis Confidentiality

At present we only have a widely deployed solution for level 1.

The constituency that has a requirement for level 6 is probably very small. Certainly none of us would benefit. Is it a hard goal or a stretch goal? It is certainly a desirable goal for people like journalists but the cost of meeting the requirement may not be acceptable.

At any rate, I think that starting by trying to build something to level 4 would be a good start and provide an essential basis for getting through to levels 5 and 6. It might be that to get from level 4 to level 6 the solution is as simple as 'use a German ISP'.

Since we are talking about Snowden and Greenwald, folk might be amused to learn that I was the other party who contacted Baghdad Boylan, General Petraeus's spokesperson who sent Greenwald a bizarre email which he then lied about having sent (to me, Greenwald and Petraeus), apparently unaware that while an email message can indeed be faked, it is improbable that these particular message headers are faked.

Further, had any such attempted impersonation of Boylan taken place it would have been a very serious matter requiring urgent investigation. Since I was never contacted it is clear that no investigation took place which can only mean that Boylan did send the emails and then lied about sending them.

http://www.salon.com/2007/10/28/boylan/

If a UK military officer had sent a similar email he would be cashiered. But then again, in the British army Colonels are not minted by the thousand as in the US.

--
Re: [Cryptography] Separating concerns
On Aug 28, 2013, at 2:04 PM, Faré fah...@gmail.com wrote:

> On Wed, Aug 28, 2013 at 4:15 PM, Phill hal...@gmail.com wrote:
>
>> My target audience, like Perry's is people who simply can't cope with anything more complex than an email address. For me secure mail has to look feel and smell exactly the same as current mail. The only difference being that sometimes the secure mailer will say 'I can't contact that person securely right now because…'
>
> I agree with Perry and Phill that email experience should be essentially undisturbed in the normal case, though it's OK to add an additional authorization step.
>
> One thing that irks me, though, is the problem of the robust, secure terminal: if everything is encrypted, how does one survive the loss/theft/destruction of a computer or hard drive? I'm no ignoramus, yet I have, several times, lost data I cared about due to hardware failure or theft combined with improper backup. How is a total newbie to do?

You have to have key backup to address that security goal. And that will necessarily mean that you increase your coercion risk. And which security goal you choose to satisfy is likely to depend on your situation.

One solution would be to back up your private key and put the shares in one or more bank safes. But then you are vulnerable to a coercion attack on your bank. Which you can address by putting the shares in a tamper evident bag but only if you go to the bank regularly to audit it.

One of the features of this problem is that if you make absolute security a requirement you are going to go absolutely potty trying to solve every element. Fortunately we can still do a lot of good by providing a system that prevents wholesale abuses.

I am not a crypto-absolutist. I don't particularly want to be giving crypto to terrorists. When I was 18 I woke up to hear that the IRA had attempted to murder my cousin. However I don't want to be giving intercept power to Putin who murders people with poisoned teapots on the streets of London either. And I certainly don't trust the NSA and GCHQ with the wholesale intercept capability revealed by Snowden.

> Most newbies rely on things surviving despite their lack of explicit caution. Currently, they do it by basically trusting Google or some other company with their mail. Whichever way you do things to make them responsible for keys will lead to either (1) failure because it's technically too hard, and/or (2) automated attacks on the weak point that handles things for them.

And for a company it is almost certain that 'secure against intercept by any government other than the US' is an acceptable solution.

> That's a lot of yak to shave to provide end-users (or even average geeks) with seamless secure email.

I am currently working on a podcast history of the web to publicize my expert witness practice. Which had me looking at the reason Tim Berners Lee succeeded where Ted failed.

The thing that distinguished their efforts was not the problems they solved. Ted had 120% of the Web ten years before Tim started. The difference was that Tim realized that some of the problems were very hard and could be punted on for a first draft. Then after the Web took off it built out infrastructure that made it possible for others to fill in the gaps.

So Ted had search built in. Tim had a hole which was filled by others.
Re: [Cryptography] Separating concerns
On Wed, Aug 28, 2013 at 4:15 PM, Phill hal...@gmail.com wrote:

> My target audience, like Perry's is people who simply can't cope with anything more complex than an email address. For me secure mail has to look feel and smell exactly the same as current mail. The only difference being that sometimes the secure mailer will say 'I can't contact that person securely right now because…'

I agree with Perry and Phill that email experience should be essentially undisturbed in the normal case, though it's OK to add an additional authorization step.

One thing that irks me, though, is the problem of the robust, secure terminal: if everything is encrypted, how does one survive the loss/theft/destruction of a computer or hard drive? I'm no ignoramus, yet I have, several times, lost data I cared about due to hardware failure or theft combined with improper backup. How is a total newbie to do?

Most newbies rely on things surviving despite their lack of explicit caution. Currently, they do it by basically trusting Google or some other company with their mail. Whichever way you do things to make them responsible for keys will lead to either (1) failure because it's technically too hard, and/or (2) automated attacks on the weak point that handles things for them.

For instance, you have a program that automatically recovers keys from the escrow modulo a few questions. Then, either few questions are too hard and he actually loses the keys, or they are easy enough that the attacker can find answers and recover the key.

Or, you have standardized key management and backup policies. Then the attacker can look at the standardized location for the precious keys, and modulo extraction of some master key, can automatically steal everyone's wallet.

And then, to prevent automatic extraction of security data, you find that you need not just an appropriate distributed infrastructure (which is more painful to fund if you can't sell the data and require an explicit transaction from the user), but also secure terminals — which implies a secure OS, and hardware that you actually control, rather than big corporations that bend over for big governments.

That's a lot of yak to shave to provide end-users (or even average geeks) with seamless secure email.

—♯ƒ • François-René ÐVB Rideau •ReflectionCybernethics• http://fare.tunes.org
Being generous is inborn; being altruistic is a learned perversity. No resemblance — — Robert Heinlein, Time Enough For Love