Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

On Thu, Sep 5, 2013 at 9:36 PM, Brian E Carpenter <brian.e.carpenter@xxxxxxxxx> wrote:
> I'm sorry, I don't detect the emergency.
>
> I'm not saying there's no issue or no work to do, but what's new about
> any of this?
>
> Was PRISM a surprise to anyone who knew that the Five Eyes sigint
> organisations have been cooperating since about 1942 (and using
> intercontinental data links since 1944)? Was Xkeyscore a surprise
> to anyone who's been observing the whole Big Data scene? Is any
> ISP or router vendor actually unaware of the security issues in
> routers? Aren't most of them o/s implementation issues in any case?
> Hasn't the IETF been working on BGP4 security for quite a while now?
>
> I'm very glad we did RFC 1984 and RFC 2804 when we did, but it's
> probably more important that we did RFC 3552. We certainly need
> to apply it.
>
> I am against any panic response to the hype. If someone can identify
> any specific, new, protocol-based threats in the recent media stories,
> that would be worth an I-D and appropriate IETF action.
>
> Regards
>    Brian Carpenter


As I have suggested to several people, we can turn lemons into lemonade.

The NSA has conspicuously failed to keep the state secrets of the US secret. Clapper should be forced to resign or be sacked. The NSA is too big to keep secrets. 

But they have also failed on the technical mission to develop and deploy technology to protect secrets. They have harassed people trying to deploy strong crypto, myself included. I don't think it is exactly a coincidence I had my car searched three times on a round trip between Geneva and London when I started working on security. Or that the harassment suddenly stopped after I used my family connections to make a complaint. 


I knew that the CERN hub was compromised when I was at CERN. I have known that the System-X telephone system in the UK is expressly designed to allow any telephone handset in the UK to be turned into a passive room bug. But until the Snowden materials were released I have found it difficult to convince other people of the extent of those capabilities or the risks that they pose.

The CIA has finally admitted that they were behind the Operation Ajax coup that replaced democracy in Iran with a convenient dictator. At least until the rabble rouser the US embassy hired to set up the riots that brought the government down toppled the convenient despot in the 1979 revolution. What has not yet come out is that the coup was only possible because the NSA had cracked the Iranian ciphers and that is how the CIA knew which army officers might be sympathetic. 

So I don't think that the unrestricted ability to read other gentlemen's mail is quite the boon that some imagine.

Now I also have known for over twenty years that when some of us were trying to bring the East German government down because the communist system was a disgrace to humanity my own Prime Minister was meeting with Gorbachev begging him to send in the tanks and stop the regime collapsing. 

There are many things that I know and have known but I don't generally mention because mentioning such things without the ability to prove them tends to make you look like a bloody fool. Thanks to Snowden I can now confirm that HEPNET was tapped at CERN without looking a bloody fool. 


S/MIME is almost what we need to secure email. What is missing is an effective key discovery scheme. We could add that and add Ben Laurie's Certificate Transparency and have a pretty good start on a PRISM Proof email scheme.

What we lack is not the technology, it is demand for deployment. Snowden supplies that demand in two ways. First by revealing the extent of NSA and GCHQ surveillance, second by exposing the fact that the agency is badly, sloppily run and likely riddled with Snowdens from Russia, China and goodness knows where else.


At this point the closure of PRISM and BULLRUN and the rest is inevitable. Likely not under this President but the next won't owe the same debts. Clapper has to go and so has Alexander. Heads have to roll when there is a security breach caused by such abject incompetence and a failure of the NSA mission to protect US government secrets, especially their own.

What we can achieve instead is to secure the Internet. I don't care what bogeyman it is that motivates people to do what is necessary provided that they do it. We have to lock down the nuclear power stations that have control systems based on MODBUS and no authentication controls whatsoever. We have to lock down electricity, water, gas.


The mission here is to make our countries safe. Making our countries unsafe to protect the ability of idiots to play wargames is not the act of a patriot, it is the act of a traitor.


--
Website: http://hallambaker.com/
