1997-09-30 - RE: sounds just like the snitch you are [was]RE: engineering infowar disasters

Header Data

From: Phillip Hallam-Baker <hallam@ai.mit.edu>
To: “‘Adam Back’” <aba@dcs.ex.ac.uk>
Message Hash: 5ec2b0b9f886d1f3b6c685de90567a69a98fb0882f1816a2836a0211b69ca012
Message ID: <01BCCDB5.14FC1250.hallam@ai.mit.edu>
Reply To: N/A
UTC Datetime: 1997-09-30 19:54:17 UTC
Raw Date: Wed, 1 Oct 1997 03:54:17 +0800

Raw message

From: Phillip Hallam-Baker <hallam@ai.mit.edu>
Date: Wed, 1 Oct 1997 03:54:17 +0800
To: "'Adam Back'" <aba@dcs.ex.ac.uk>
Subject: RE: sounds just like the snitch you are [was]RE: engineering infowar disasters
Message-ID: <01BCCDB5.14FC1250.hallam@ai.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain




>Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
>> Attila T Hun <attila@primenet.com> writes:
>> 
>> I never promised any sabateur that I would keep any secret of theirs. I
>> have worked with law enforcement and the security services for many
>> years. If I catch someone damaging my property or property I am 
>> responsible for I call the authorities.

>You know, Phill, life is not black and white.

>Let's say for the sake of argument that you are admin for a system
>which is based on the security of MD4.  Then along comes Boesslaers
>and co, and trashes it.  You going to call for him to be locked up?

>How about if someone then uses this new cryptanalysis to write some
>code which demonstrates the weakness... do you figure they should be
>locked up for demonstrating the flaw.  (Note they haven't gone within
>a mile of your precious systems).

>How about if some cypherpunks used this code to demonstrate that they
>could decrypt something which was encrypted by a webserver running on
>a machine you are admin for.  Should these cypherpunks also be locked
>up?

This is not what was proposed at all however.

Demonstrating security flaws is one thing,  exploiting the flaws for malice
is quite another.

It is the difference between Ralph Nader demonstrating that the pinto is
"unsafe at any speed" and buying one for your elderly aunt who has promised
you that inheritance.

>I can assure you that kerckhoffs principle applies doubly to infowar
>attacks, a hostile foreign government is hardly going to be cowed by
>your suggestion that you will call the feds if anyone breaks anything
>you've got anything to do with.  I can see it now, Sadam Hussien's
>hired system-crackers, his inforwar attack team, will really be
>quaking in their boots, "better not trash US internet infrastructure
>-- that brit Phill Hallam-Barker guy will narc us out".

That is a deliberate misrepresentation of what I said.

I was pointing out that *anybody* on the list who is responsible for a 
system is going to want a conviction if they are attacked. 

>> I believe that people who do bad things should go to prison.

>Personally I would rather see murderers and rapists locked up than
>teenage recreational crackers who go around breaking into poorly
>maintained systems for the challenge, but break nothing.

I believe the opposite.

So would you if you had had my experience. Even if you know that 
the system is secure and you have the perp under 24 hour 
surveillence by top people you are going to worry like hell. 

One of the people I advised during an incident likened it to rape. I
don't think this is too far fetched. There are many hackers who
see their machine as an extension of the self. 

The anonymity of the net cuts both ways. You don't know whether
its Sadam's storm troopers or teenage shit unless and until you
get a collar.


>I'm kind of wondering if _you_ as the security person who was
>responsible for security at the site, feel no responsibility to secure
>your systems.  ("Oh don't worry about security, if anyone breaks in
>we'll call the feds").

I'm interested in security at every level, including severe reprisals.


>I would hardly describe a bit of cryptanalysis of infowar risks as the
>work of `anarchist thugs'.

Neither did I. Discovering weaknesses is OK. Exploiting them is NOT.

>Applying said cryptanalysis to in practice take out root DNS might not
>be such a friendly thing though.  But hey, if someone does it, the
>real people to blame are Freeh and co for hindering use of crypto
>techniques to protect the infrastructure.

Not in that case. DNS security is taking time to adopt because that 
sort of thing just does. That is an authentication problem and there
has not been a problem. Heck the NSA even published the DSS.

Be exact, not every security problem can be blamed on the Feds.

If you arn't carefull you will end up like Kitty Kelly who when I spoke
with her yesterday began with the lie that truth is not a defense in
british libel law (wasn't in 1776, has been an absolute defense since 
1850 or so) then mixed up Australia and Argentina. Like you have to
make sure the points are accurate.


>> People depend on infrastructure. Lives depend on it. 

>If people are depending on the internet for mission critical
>information, of the sort where people will die quickly if information
>isn't getting through, they need their heads examining.  If they have
>been advised to use the internet for this kind of information they
>need to get better advice.

The assumption that the Internet and the telephone system are 
somehow entirely disjoint when it comes to Infowar is a somewhat
naive one. The fact is that the telephone system is just as prone
to attack, much more likely to use security through obscurity 
and so on than the Internet.


>> If people screw it up someone is likely to be killed. Freeh will
>> have a party. Indeed its the sort of thing Nixon might have done on
>> purpose to take advantage of the backlash.

>Uhh... could you explain the logic there a bit please?

Don't think for a moment that if Joe Cypherpunk screws up the 
national power grid that that means cryptography rights for all. All
it means is that Freeh is going to demand and get a blank cheque
to eliminate crypto to match the blank cheque to eliminate drugs.

One of the strategies Nixon's plumbers used was to deliberately
sabotage their own rallies so that they could claim the violence
came from the anti-war movement.

Don't imagine that because something makes no sense US politicians
won't insist on it. They voted for prohibition, they spend $40billion
on failed drug interdiction policies and they won't stop at giving
Freeh $5 billion to supress crypto.

The symbol of the US government should be changed to a B2 bomber,
hugely expensive ($1.5 billion and counting), with no remaining 
strategic role (Pentagon, RAND, Air Force Chief of Staff statements),
can't be used in the rain (CNN reports) and visible on Marconi-UK
build radar. US congress is insisting on building 20 more despite
statements from DoD they just don't want them.

		Phill






Thread