On 9/09/13 03:48 AM, James A. Donald wrote:
On 2013-09-09 6:08 AM, John Kelsey wrote:
a.  Things that just barely work, like standards groups, must in general be 
easier to sabotage in subtle ways than things that click along with great 
efficiency.  But they are also things that often fail with no help at all from 
anyone, so it's hard to tell.

b.  There really are tradeoffs between security and almost everything else.  If 
you start suspecting conspiracy every time someone is reluctant to make that 
tradeoff in the direction you prefer, you are going to spend your career 
suspecting everyone everywhere of being anti-security.  This is likely to be 
about as productive as going around suspecting everyone of being a secret 
communist or racist or something.

Part of the problem is that we are trained to label ideas that we find uncomfortable as conspiracy theories. And, when they are shown to be true, we aren't ready to apologise for our slapping down of those wretches so labelled.

It's far better to talk in risk terms. Yes, the NSA could have hacked the RNG in Intel's chips. But what is the likelihood? Low? Medium? High? Everyone can choose, and now the desire to slap down is detuned.

Same with NSA infiltrating the IETF.  Yes, we can agree it is a risk.

But what steps has the IETF taken to mitigate it? It is an open forum, we can check the bona fides of all players, we can read their comments forever, etc etc. We can therefore all (personally) decide on whether the risk is adequately mitigated. And whether to do more mitigation at the individual level.

Poor analogy.

Everyone is a racist, and most people lie about it.

Everyone is a communist in the sense of being unduly influenced by
Marxist ideas, and those few of us that know it have to make a conscious
effort to see the world straight, to recollect that some of our supposed
knowledge of the world has been contaminated by widespread falsehood.

The Climategate files revealed that official science /is/ in large part
a big conspiracy against the truth.

And Snowden's files seem to indicate that all relevant groups are
infiltrated by people hostile to security.

I think we can just about comfortably put our own professional difficulties into risk analysis, and agree to differing levels of risk. But once we get into non-security issues such as racism, politics, etc, our ability to be objective rapidly diminishes.

(I don't disagree with what is said above, I just agree we can't talk productively at that level...)

The cryptography mailing list