1997-09-30 - Re: sounds just like the snitch you are [was]RE: engineering infowar disasters

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: hallam@ai.mit.edu
Message Hash: 735503cbe8e15c629f2bd5de2dd085371bcb63bc6127c131e6fc97f0c8bfc59f
Message ID: <199709301836.TAA00939@server.test.net>
Reply To: <01BCCD99.5C581CA0.hallam@ai.mit.edu>
UTC Datetime: 1997-09-30 19:10:04 UTC
Raw Date: Wed, 1 Oct 1997 03:10:04 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Wed, 1 Oct 1997 03:10:04 +0800
To: hallam@ai.mit.edu
Subject: Re: sounds just like the snitch you are [was]RE: engineering infowar disasters
In-Reply-To: <01BCCD99.5C581CA0.hallam@ai.mit.edu>
Message-ID: <199709301836.TAA00939@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
> Attila T Hun <attila@primenet.com> writes:
> 
> I never promised any saboteur that I would keep any secret of theirs. I
> have worked with law enforcement and the security services for many
> years. If I catch someone damaging my property or property I am 
> responsible for I call the authorities.

You know, Phill, life is not black and white.

Let's say for the sake of argument that you are admin for a system
which is based on the security of MD4.  Then along comes Bosselaers
and co, and trashes it.  You going to call for him to be locked up?

How about if someone then uses this new cryptanalysis to write some
code which demonstrates the weakness... do you figure they should be
locked up for demonstrating the flaw.  (Note they haven't gone within
a mile of your precious systems).

How about if some cypherpunks used this code to demonstrate that they
could decrypt something which was encrypted by a webserver running on
a machine you are admin for.  Should these cypherpunks also be locked
up?

Perhaps those of us who spent some time a couple of years back
trashing Netscape's browser and server security in various ways should
be grateful that the people at Netscape were a lot less closed
minded than yourself.  Let me guess .. your response to the
demonstration code showing how to exploit the RNG seed flaw Goldberg &
Wagner found in Netscape's browser would be ... "lock them up?"

Jeeze ever heard of "Kerckhoffs' principle?"

I can assure you that Kerckhoffs' principle applies doubly to infowar
attacks, a hostile foreign government is hardly going to be cowed by
your suggestion that you will call the feds if anyone breaks anything
you've got anything to do with.  I can see it now, Saddam Hussein's
hired system-crackers, his infowar attack team, will really be
quaking in their boots, "better not trash US internet infrastructure
-- that brit Phill Hallam-Barker guy will narc us out".

> If someone is breaking into a bank and someone recognises the thief
> that's not a snitch, that's a hero.

Uh, ok.

> I believe that people who do bad things should go to prison.

Personally I would rather see murderers and rapists locked up than
teenage recreational crackers who go around breaking into poorly
maintained systems for the challenge, but break nothing.

Malicious hacking (breaking and rm -rf'ing the disk) is poor form.
The correct method of informing people of flaws you happen across is
to tell them.  People involved in system cracking do so at their own
risk, but don't over-react man.

I'm kind of wondering if _you_ as the security person who was
responsible for security at the site, feel no responsibility to secure
your systems.  ("Oh don't worry about security, if anyone breaks in
we'll call the feds").

> I completely reject your pseudonymous attempt to posit that there 
> is a 'them and us' and that I somehow have a responsibility towards
> anarchist thugs. When you grow up a bit you will learn that the real
> world is not like your high school.

I would hardly describe a bit of cryptanalysis of infowar risks as the
work of `anarchist thugs'.

Applying said cryptanalysis to in practice take out root DNS might not
be such a friendly thing though.  But hey, if someone does it, the
real people to blame are Freeh and co for hindering use of crypto
techniques to protect the infrastructure.

> People depend on infrastructure. Lives depend on it. 

If people are depending on the internet for mission critical
information, of the sort where people will die quickly if information
isn't getting through, they need their heads examining.  If they have
been advised to use the internet for this kind of information they
need to get better advice.

> If people screw it up someone is likely to be killed. Freeh will
> have a party. Indeed it's the sort of thing Nixon might have done on
> purpose to take advantage of the backlash.

Uhh... could you explain the logic there a bit please?

Someone demonstrates that there is a flaw in some internet protocols.
The flaw in the protocols is that there is no cryptographic protection
against DoS attacks.

Freeh will use this to show what?  That they need laws to ban domestic
use of crypto meaning even less protection against DoS attacks?

I would kind of hope that the military folks into infowar would speak
up and say that more crypto must be used to protect against this type
of attack.

Adam
-- 
Now officially an EAR violation...
Have *you* violated EAR today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
