On 08/11/17 09:16, Brian Trammell (IETF) wrote:
> Indeed, I've been disappointed and perplexed that so much of the
> rhetoric around encryption post-Snowden (as epitomized by 7258) has
> focused exclusively on a nation-state

Ahem:-) 7258 says:

"The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals."

I think we got that right. I agree that there has been too little focus put on the non-state actor cases.

> or co-opted/evil
> large-network-operator attacker model, which is certainly a point of
> concern but not really where the biggest threat to collective privacy
> lies these days. I'm concerned that in our drive to Encrypt All The
> Things, absolutely the correct response when your only concern is a
> nation-state on the wire, we risk making it difficult to understand
> and defend against (what I'll call) the corporate-data-hoarding
> attacker model. To date, most of the evil toys phoning home and other
> such nastiness that I've heard of has been discoverable in part
> because said evil toys were using circumventable, crap, or no
> crypto.

Yea, a different thread. I agree with Ted though, our job is partly to ensure that the bits on the wire don't give the game away in all cases.

I'd also note that those exfiltrating data have plenty of standard and non-standard tools available to try to hide their actions, so us making standards such that exfiltration seems easier to spot doesn't change the problem much for the exfiltrator. So I don't agree that the tension here is between standard crypto protocols and spotting exfiltration, as the latter can be done via stego or covert channels or other non-crypto ways of hiding data. The following may well work regardless of crypto: "I'll send you the marketing slides, in one of which will be an image that you can zoom until you can read the paper the actor is holding and on that you'll find the secret formula":-)

I do however think it could be worthwhile someone documenting the myriad ways in which exfiltration can be done or has been done (esp. from home/enterprise networks) but I don't recall one of those. Anyone know of a good survey that is not aiming to sell some specific product/service?

But yes,
S.