[148642] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [Cryptography] RSA is dead.

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Mon Dec 23 18:15:41 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131223183441.3CBA92280CB@palinka.tinho.net>
Date: Mon, 23 Dec 2013 17:42:31 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "dan@geer.org" <dan@geer.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

--===============6534720219313545463==
Content-Type: multipart/alternative; boundary=001a11c36e1cddb6c004ee3b5793

--001a11c36e1cddb6c004ee3b5793
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Dec 23, 2013 at 1:34 PM, <dan@geer.org> wrote:

>
>  > What the recent revelations really show is that the NSA is abjectly
>  > incompetent at its real job which is making America safe. They have
>  > failed to protect the confidentiality of US government secrets.
>  > They were pwned by a 29 year old contractor.
>
> It is said that the most important legacy for an executive
> is what did not happen on their watch.  In a complexifying
> world, the list of things that did not happen (the numerator)
> becomes as inestimable as the list of things that could
> have happened (the denominator), thus reducing  conversations
> on a given legacy to the listing of anecdotes.
>
> In the meantime, what do you think of the Russians going
> back to typewriters?  To be crisp, on a scale from paranoid
> fantasy (0) to unshakeable genius (100), where would you
> place the mark?
>

I think they miss the real risks even worse than our own generals.

Disclosure is not the risk to worry about. The problem is integrity
attacks. Specifically the fact that we are all operating pre-cryptographic
critical infrastructures.

My bank just called to tell me that my bank card spending limit is reduced
to $200 and they are sending me a card because another vendor (not target)
has been compromised. We have known how to block card present fraud
completely for two decades and Europe has had Chip and Pin for getting on
for a decade.


Cyber is not a new and exciting domain for warfare any more than terrorism
was in the 1970s. Cyber-attack is terrorism. Stuxnet was terrorism.

Cyber-attack has a low barrier to entry and is inherently unattributable.
The risk of misattribution or a false flag attack are inescapable. The
likely impact of a cyber attack is low but the fear factor is very high.

Cyber lowers the threshold for deciding to use force. This encourages the
use of force in place of diplomacy. The alternative to Stuxnet was not war,
it was to make a serious effort at finding a diplomatic solution. Olympic
games were politically expedient in that they were much cheaper politically
than the diplomatic route. But the cost is that the US has set a precedent
in which civil nuclear facilities under IAEA inspection are fair game for
cyber attack.


Every major power should have as its primary foreign policy objectives to
avoid the use of nuclear weapons or any major conflict between the great
powers. The risk of a war between the US and Russia or China is negligible.
But the risk of a war between Russia and China is quite significant. Russia
has a weak, corrupt government with a loss of empire complex. China is
emerging as a successful, confident economic power. Between the two
countries lies a half dozen failed states with corrupt, unstable
governments and large ethnic Russian and Han populations.

Breshinsky calls the area the global Balkans because of the risk of a war
in or between the states in the region leading to a Russian/Chinese war.
Scenarios in which the Russians attempt a pre-emptive attack on the Chinese
cyber infrastructure to keep them busy while they invade seem quite
plausible to me. Since 1979 Russia has had an unbroken record of backing
the losing side in every major international conflict in which they have
taken a stand.


Security is not the zero sum game Hayden and Alexander believe it to be. It
is in the UK and US interest to ensure that every country has a solid and
trustworthy critical infrastructure.

I think it is possible to go further and argue for mutual assistance in
putting diplomatic and government communications beyond attack but that is
a longer argument.

Going to typewriters is not going to help much, there were acoustic attacks
against typewriters in the 1970s. And any modern process that is based on
typewriters is also going to have a lot of photocopiers involved. And those
all have CPUs these days and many have hard drives and all are hideously
insecure.



-- 
Website: http://hallambaker.com/

--001a11c36e1cddb6c004ee3b5793
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Mon, Dec 23, 2013 at 1:34 PM,  <span dir=3D"ltr">&lt;<a href=3D"=
mailto:dan@geer.org" target=3D"_blank">dan@geer.org</a>&gt;</span> wrote:<b=
r><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:=
1px #ccc solid;padding-left:1ex">
<div class=3D"im"><br>
=A0&gt; What the recent revelations really show is that the NSA is abjectly=
<br>
=A0&gt; incompetent at its real job which is making America safe. They have=
<br>
=A0&gt; failed to protect the confidentiality of US government secrets.<br>
=A0&gt; They were pwned by a 29 year old contractor.<br>
<br>
</div>It is said that the most important legacy for an executive<br>
is what did not happen on their watch. =A0In a complexifying<br>
world, the list of things that did not happen (the numerator)<br>
becomes as inestimable as the list of things that could<br>
have happened (the denominator), thus reducing =A0conversations<br>
on a given legacy to the listing of anecdotes.<br>
<br>
In the meantime, what do you think of the Russians going<br>
back to typewriters? =A0To be crisp, on a scale from paranoid<br>
fantasy (0) to unshakeable genius (100), where would you<br>
place the mark?<br></blockquote><div><br></div><div>I think they miss the r=
eal risks even worse than our own generals.</div><div><br></div><div>Disclo=
sure is not the risk to worry about. The problem is integrity attacks. Spec=
ifically the fact that we are all operating pre-cryptographic critical infr=
astructures.</div>
<div><br></div><div>My bank just called to tell me that my bank card spendi=
ng limit is reduced to $200 and they are sending me a card because another =
vendor (not target) has been compromised. We have known how to block card p=
resent fraud completely for two decades and Europe has had Chip and Pin for=
 getting on for a decade.</div>
<div><br></div><div><br></div><div>Cyber is not a new and exciting domain f=
or warfare any more than terrorism was in the 1970s. Cyber-attack is terror=
ism. Stuxnet was terrorism.</div><div><br></div><div>Cyber-attack has a low=
 barrier to entry and is inherently unattributable. The risk of misattribut=
ion or a false flag attack are inescapable. The likely impact of a cyber at=
tack is low but the fear factor is very high.=A0</div>
<div><br></div><div>Cyber lowers the threshold for deciding to use force. T=
his encourages the use of force in place of diplomacy. The alternative to S=
tuxnet was not war, it was to make a serious effort at finding a diplomatic=
 solution. Olympic games were politically expedient in that they were much =
cheaper politically than the diplomatic route. But the cost is that the US =
has set a precedent in which civil nuclear facilities under IAEA inspection=
 are fair game for cyber attack.</div>
<div><br></div><div><br></div><div>Every major power should have as its pri=
mary foreign policy objectives to avoid the use of nuclear weapons or any m=
ajor conflict between the great powers. The risk of a war between the US an=
d Russia or China is negligible. But the risk of a war between Russia and C=
hina is quite significant. Russia has a weak, corrupt government with a los=
s of empire complex. China is emerging as a successful, confident economic =
power. Between the two countries lies a half dozen failed states with corru=
pt, unstable governments and large ethnic Russian and Han populations.</div=
>
<div><br></div><div>Breshinsky calls the area the global Balkans because of=
 the risk of a war in or between the states in the region leading to a Russ=
ian/Chinese war. Scenarios in which the Russians attempt a pre-emptive atta=
ck on the Chinese cyber infrastructure to keep them busy while they invade =
seem quite plausible to me. Since 1979 Russia has had an unbroken record of=
 backing the losing side in every major international conflict in which the=
y have taken a stand.</div>
<div>=A0</div></div><br clear=3D"all"><div>Security is not the zero sum gam=
e Hayden and Alexander believe it to be. It is in the UK and US interest to=
 ensure that every country has a solid and trustworthy critical infrastruct=
ure.</div>
<div><br></div><div>I think it is possible to go further and argue for mutu=
al assistance in putting diplomatic and government communications beyond at=
tack but that is a longer argument.</div><div><br></div><div>Going to typew=
riters is not going to help much, there were acoustic attacks against typew=
riters in the 1970s. And any modern process that is based on typewriters is=
 also going to have a lot of photocopiers involved. And those all have CPUs=
 these days and many have hard drives and all are hideously insecure.</div>
<div><br></div><div><br></div><div><br></div>-- <br>Website: <a href=3D"htt=
p://hallambaker.com/">http://hallambaker.com/</a><br>
</div></div>

--001a11c36e1cddb6c004ee3b5793--

--===============6534720219313545463==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============6534720219313545463==--

home help back first fref pref prev next nref lref last post