On Mar 10, 2017, at 9:02 PM, Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:
I don't think your optimistic conclusion here follows, for two
reasons. Firstly, we've seen that the adversary here is not
driven by economic concerns and will attack not just a weakest
link, but all possible targets they can afford given their very
very large budgets. [...]
And while I do think that the actions that many people in the
Internet community and in the IETF have taken have probably
made pervasive monitoring harder and/or more costly, I do not
think that's really that relevant to this particular leak. In
this case, I think the much more interesting thing is that
this is yet another demonstration that attack code that is
intended to be used for attacks (as opposed to demonstration)
is in the end hugely counter-productive. (And immoral too IMO,
but I'd not claim that we all need to agree with that last;-)
True OTOH, there's a good editorial in the NY Times recently that speaks to
the points you've raised:
https://www.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html
<https://www.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html>
I think the main thing is that yes, of course, a state actor with unlimited
resources can hack every hackable device indiscriminately. But widespread
encryption means that they have to do that. And doing that is _much_ harder
than intercepting passively, and more importantly, it's more detectable. I am
surprised that you find my response optimistic. I feel pretty cynical about
the situation. I just believe that we have done some things that have
improved matters, and that's worth mentioning.