[146468] in cryptography@c2.net mail archive

Re: [Cryptography] Separating concerns

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Thu Aug 29 16:39:23 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <521F060F.5030609@iang.org>
Date: Thu, 29 Aug 2013 16:31:57 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, Aug 29, 2013 at 4:27 AM, ianG <iang@iang.org> wrote:

> Hi Phill,
>
>
> On 28/08/13 21:31 PM, Phill wrote:
>
>> And for a company it is almost certain that 'secure against intercept by
>> any government other than the US' is an acceptable solution.
>>
>
>
> I think that was acceptable in general up until recently.  But, I believe
> the threat scenario has changed, and for the worse.
>
> The firewall between national intelligence and all-of-government has been
> breached.  It is way beyond leaks, it is now a documented firehose with
> pipelines so well laid that the downstream departments have promulgated
> their deception plans.
>

Quite, I had a conversation with a government type this morning. His
question, 'what if the intercepts are shared with the IRS?'

Moreover Snowden has proved that the internal controls in the NSA are lax.
If a low level grunt working for a contractor has such access to the NSA's
own crown jewels it is idiotic to imagine that they keep the confidential
secrets of IBM or Microsoft or GE with greater care.


> And, they told us so.  In the comments made by the NSA, they have very
> clearly stated that if there is evidence of a crime, they will keep the
> data.  The statement they made is a seismic shift;  the NSA is now a
> domestic & criminal intelligence agency.  I suspect the penny has not
> dropped on this shift as yet, but they have said it is so.
>

They will keep the data anyway. They will query it if there is evidence of
a crime but otherwise they are keeping everything.

And worse, they are creating fake stories to explain how the data was
collected. So they have perjured themselves in numerous criminal
prosecutions that are likely to be found unsafe when the full extent of the
scheme emerges.


This is not a stable situation. It is easy to see why Obama was infatuated
with the intelligence community and thus willing to give them carte
blanche. He came into office with the US losing two wars and a military in
which every staff officer who had had the courage to tell Rumsfeld his
plans were insane was dismissed. The intelligence services were the only
part of the military Obama could trust to provide an exit strategy.

But the next President is not going to be beholden to the intel services in
quite the same way. Even Obama appears to be starting to ask questions
about how the intelligence results are being achieved.




> In threat & risk terms, it is now reasonable to consider that the USA
> government will provide national intelligence to back up a criminal
> investigation against a large company.  And, it is not unreasonable to
> assume that they will launch a criminal investigation in order to force
> some other result, nor is it unreasonable for a competitor to USA
> commercial interests to be facing a USA supplier backed by leaks.
>
> E.g., Airbus or Huawei or Samsung ...  Or any company that is engaged in a
> lawsuit against the US government.  Or any wall street bank being
> investigated by the DoJ for mortgage fraud, or any international bank with
> ops in the USA.  Or any company in Iran, Iraq, Syria, Afghanistan,
> Pakistan, India, Palestine, ....  or gambling companies in the Caribbean,
> Gibraltar, Australia, Britain.  Or any arms deal or energy deal.
>
> (Yes, that makes the task harder.)


Not necessarily.

We have lots of technology. This is not a technology problem, it is a
deployment problem. The greater the level of concern, the easier deployment
becomes.

-- 
Website: http://hallambaker.com/
