From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 87c94f58a7da832ce4b258c8b1cdfec16381325f0a39d0633919d33d7fbdf02e
Message ID: <1.5.4.32.19970810000911.00697704@pop.pipeline.com>
Reply To: N/A
UTC Datetime: 1997-08-10 00:49:53 UTC
Raw Date: Sun, 10 Aug 1997 08:49:53 +0800
Subject: HOPE Not

Comments on two of the many HOPE sessions: those of
L0pht and Bruce Schneier:

L0pht summarized their current campaign to test
security on behalf of the consumer, having found
that corporations refuse to publicize or correct
holes L0pht reported in confidence.

L0pht cited, among others, the Mac security features
and products coming to market, which they think have
been too hastily readied for grafting onto other
programs and are vulnerable due to inadequate
design, integration and testing. Like too many MS
flood-the-market programs.

Bruce outlined the principal elements of the security
challenge and the role of cryptography among those
of people, hardware, facilities, law and policy. He
warned of the weakness of relying on crypto in the overall
security matrix and cautioned that crypto is not the
main answer to the security problem, which is primarily
one of human frailty and criminal behavior, and that
it will take a combination of solutions involving:

   Strong and efficient encryption -- key length is
   not critical

   Tamper resistant hardware -- software can be protected
   by math

   Trust management -- reliable authentication and
   certification; GAK is too complicated to ever work

   Jurisdiction -- criminals must not be able to operate
   from the most obliging state

   Law -- punishment for criminal acts

He emphasized that mathematics and software are not the
problem of insecure systems, it is humans and the impossibility
of predictable interface with machines. Every system is vulnerable
to attack, not at its strongest but at its weakest. Brute force
is not an attack worth worrying about, although it gets most
of the publicity. What's worrisome is the out of the way fault
in the fortress, the one nobody expects, the one the enemy
ever seeks by hook, crook, bribe and trick. (HOPE's agenda?)

It was a provocative, informative, many-faceted presentation,
and could become an article, maybe a book, surely an
effective business lure.

He closed by citing "Those who think cryptography is the answer
to security do not understand the problem and do not understand
cryptography."

Bruce did not provide paper copy of the slides but said he
will send it upon e-mail request to:

   schneier@counterpane.com

Coda:

Most surprising about HOPE was that everyone, M/F, was dressed in
brass-button blazers, oxford whites, rep ties and gray flannels;
spit-shined caps, Shasti barbered, smelled of Camay; murmured
"well said" to the eloquent speakers, softly sniffed for salient
points, chatted at tea, "swell show, don't you think."

None of the ripe rank of cavities and pits, dreadlocks and skulls,
vulgar tees and shreds, toilet squalor and slime, chest-caving
music, vile hoots and whistles of "phreak Ma B, crack Mr. Softie,"
crazed eyeballs assaulting gameboxes, deformed bods struggling
to get in against those escaping Bedlam, none of that at Beyond
Hope, not at all, that was outside in the gutters of Manhattan,
defiling a tux and gown wedding party upstairs at Puck.