On Sat, May 18, 2013 at 5:26 PM, Jonathan Thornburg
<[email protected]> wrote:
> On Sat, 18 May 2013, Adam Back wrote:
>> Would you expect microsoft IIS web server to contain an SSL backdoor?  Or
>> microsoft VPN client?  Or cisco?
>
> Of course they contain backdoors.  It's clear from the US political
> and Congressional reaction to the revelations of large-scale NSA domestic
> spying that the US political system strongly supports having such backdoors.
> The fact that various wiretap laws may appear to forbid using backdoors
> to snoop (or maybe even putting in the backdoors in the first place, I'm
> not sure) doesn't seem to have landed any AT&T executives in jail yet
> (to put it mildly).
>
> ...
>> A lot of businesses and individuals are
>> relying on these things to do what is advertised.  Not doing what is
>> advertised can itself get companies in trouble, in many jurisdictions.
>> Skype has/had as a differentiator that it was end2end encrypted, it is my
>> impression that a number of people used it for that purpose.
>
> Yes, many people are foolish enough to believe advertising.  The contrast
> between what the advertising says and what (little) the EULA shrink-wrap
> license text actually promises is IMHO quite instructive...
Well, I'm not sure how foolish someone is being (no disrespect
intended). Most users don't have the expert knowledge of folks in this
group; nor the expert knowledge of a lawyer to wade through the fine
print. Users are just being users, and both Gutmann and Anderson have
a lot to say about them in their books.

In New York, Attorney General Schneiderman is questioning why the cell
phones are promoting "safety and security by design", yet have no (or
limited) recovery capabilities [1]. The AG claims this is promoting or
facilitating "Apple Picking" or cell phone theft, and he is
investigating if it's a deceptive trade practice.

I think the same applies to a lot of technologies. If the technology
is advertised as "secure" or it ensures "privacy", that's what people
expect. These companies are *not* advertising "partially secure,"
"partially encrypted," or "partially private" conversations.

Would you laugh if Harley Davidson began advertising its bikes as
"safe"? Or would you feel deceived if Volvo advertised its cars as
"safe" but only had two rear wheel brakes, no seatbelts, and no
airbags? I think the same applies to technology and use of the words
"secure," "encrypted," and "privacy."

Sorry to drift off-topic.

Jeff

[1] http://www.informationweek.com/security/mobile/smartphone-theft-what-is-best-defense/240155038
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
