ietf

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-05 22:11:37
On Thu, Sep 5, 2013 at 9:36 PM, Brian E Carpenter <
brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com> wrote:

I'm sorry, I don't detect the emergency.

I'm not saying there's no issue or no work to do, but what's new about
any of this?

Was PRISM a surprise to anyone who knew that the Five Eyes sigint
organisations have been cooperating since about 1942 and using
intercontinental data links since 1944? Was Xkeyscore a surprise
to anyone who's been observing the whole Big Data scene? Is any
ISP or router vendor actually unaware of the security issues in
routers? Aren't most of them o/s implementation issues in any case?
Hasn't the IETF been working on BGP4 security for quite a while now?

I'm very glad we did RFC 1984 and RFC 2804 when we did, but it's
probably more important that we did RFC 3552. We certainly need
to apply it.

I am against any panic response to the hype. If someone can identify
any specific, new, protocol-based threats in the recent media stories,
that would be worth an I-D and appropriate IETF action.

Regards
   Brian Carpenter



As I have suggested to several people, we can turn lemons into lemonade.

The NSA has conspicuously failed to keep the state secrets of the US
secret. Clapper should be forced to resign or be sacked. The NSA is too big
to keep secrets.

But they have also failed on the technical mission to develop and deploy
technology to protect secrets. They have harassed people trying to deploy
strong crypto, myself included. I don't think it is exactly a coincidence I
had my car searched three times on a round trip between Geneva and London
when I started working on security. Or that the harassment suddenly stopped
after I used my family connections to make a complaint.


I knew that the CERN hub was compromised when I was at CERN. I have known
that the System-X telephone system in the UK is expressly designed to allow
any telephone handset in the UK to be turned into a passive room bug. But
until the Snowden materials were released I have found it difficult to
convince other people of the extent of those capabilities or the risks that
they pose.

The CIA has finally admitted that they were behind the Operation Ajax coup
that replaced democracy in Iran with a convenient dictator. At least until
the rabble rouser the US embassy hired to set up the riots that brought the
government down toppled the convenient despot in the 1979 revolution. What
has not yet come out is that the coup was only possible because the NSA had
cracked the Iranian ciphers and that is how the CIA knew which army
officers might be sympathetic.

So I don't think that the unrestricted ability to read other gentlemen's
mail is quite the boon that some imagine.

Now I also have known for over twenty years that when some of us were
trying to bring the East German government down because the communist
system was a disgrace to humanity my own Prime Minister was meeting with
Gorbachev begging him to send in the tanks and stop the regime collapsing.

There are many things that I know and have known but I don't generally
mention because mentioning such things without the ability to prove them
tends to make you look like a bloody fool. Thanks to Snowden I can now
confirm that HEPNET was tapped at CERN without looking a bloody fool.


S/MIME is almost what we need to secure email. What is missing is an
effective key discovery scheme. We could add that and add Ben Laurie's
Certificate Transparency and have a pretty good start on a PRISM Proof
email scheme.

What we lack is not the technology, it is demand for deployment. Snowden
supplies that demand in two ways. First by revealing the extent of NSA and
GCHQ surveillance, second by exposing the fact that the agency is badly,
sloppily run and likely riddled with Snowdens from Russia, China and
goodness knows where else.


At this point the closure of PRISM and BULLRUN and the rest is
inevitable. Likely not under this President but the next won't owe the
same debts. Clapper has to go and so has Alexander. Heads have to roll when
there is a security breach caused by such abject incompetence and a failure
of the NSA mission to protect US government secrets, especially their own.

What we can achieve instead is to secure the Internet. I don't care what
bogeyman it is that motivates people to do what is necessary provided that
they do it. We have to lock down the nuclear power stations that have
control systems based on MODBUS and no authentication controls whatsoever.
We have to lock down electricity, water, gas.


The mission here is to make our countries safe. Making our countries unsafe
to protect the ability of idiots to play wargames is not the act of a
patriot, it is the act of a traitor.


-- 
Website: http://hallambaker.com/