On 9/09/13 03:48 AM, James A. Donald wrote:
On 2013-09-09 6:08 AM, John Kelsey wrote:
a. Things that just barely work, like standards groups, must in general be
easier to sabotage in subtle ways than things that click along with great
efficiency. But they are also things that often fail with no help at all from
anyone, so it's hard to tell.
b. There really are tradeoffs between security and almost everything else. If
you start suspecting conspiracy every time someone is reluctant to make that
tradeoff in the direction you prefer, you are going to spend your career
suspecting everyone everywhere of being ant-security. This is likely to be
about as productive as going around suspecting everyone of being a secret
communist or racist or something.
Part of the problem is that we are trained to label ideas that we find
uncomfortable as conspiracy theories. And, when they are shown to be
true, we aren't ready to apologise for our slapping down of those
wretches so labelled.
It's far better to talk in risk terms. Yes, the NSA could have hacked
the RNG in intel's chips. But what is the likelhood? Low? Medium?
High? Everyone can choose, and now the desire to slap down is detuned.
Same with NSA infiltrating the IETF. Yes, we can agree it is a risk.
But what steps has the IETF taken to mitigate it? It is an open forum,
we can check the bona fides of all players, we can read their comments
forever, etc etc. We can therefore all (personally) decide on whether
the risk is adequately mitigated. And whether to do more mitigation at
the individual level.
Everyone is a racist, and most people lie about it.
Everyone is a communist in the sense of being unduly influenced by
Marxist ideas, and those few of us that know it have to make a conscious
effort to see the world straight, to recollect that some of our supposed
knowledge of the world has been contaminated by widespread falsehood.
The Climategate files revealed that official science /is/ in large part
a big conspiracy against the truth.
And Snowden's files seem to indicate that all relevant groups are
infiltrated by people hostile to security.
I think we can just about comfortably put our own professional
difficulties into risk analysis, and agree to differing levels of risk.
But once we get into non-security issues such as racism, politics,
etc, our ability to be objective rapidly diminishes.
(I don't disagree with what is said above, I just agree we can't talk
productively at that level...)
The cryptography mailing list