1998-08-12 - Re: Internet is rickety

Header Data

From: mgraffam@mhv.net
To: “Vladimir Z. Nuri” <vznuri@netcom.com>
Message Hash: a7f44f36b5d8c5fc110005d81da7a37da2fdc9a18e4d96f5d6c082e4e26cc852
Message ID: <Pine.LNX.3.96.980811192209.10796A-100000@albert>
Reply To: <199808112327.QAA21344@netcom13.netcom.com>
UTC Datetime: 1998-08-12 00:15:47 UTC
Raw Date: Tue, 11 Aug 1998 17:15:47 -0700 (PDT)

Raw message

From: mgraffam@mhv.net
Date: Tue, 11 Aug 1998 17:15:47 -0700 (PDT)
To: "Vladimir Z. Nuri" <vznuri@netcom.com>
Subject: Re: Internet is rickety
In-Reply-To: <199808112327.QAA21344@netcom13.netcom.com>
Message-ID: <Pine.LNX.3.96.980811192209.10796A-100000@albert>
MIME-Version: 1.0
Content-Type: text/plain

On Tue, 11 Aug 1998, Vladimir Z. Nuri wrote:

> you will find most people here will disagree with you.
> cyberspace is very, very weak without crypto. when you
> think about it, 98% of cyberspace is the "stuff between
> the wires". the other 2% are the people on each end.
> now, crypto protects the 98%, but agreed, the 2% is
> still vulnerable.

I never said that the internet would be great without crypto. Crypto
is needed. As long as we are quoting percentages, "87% of statistics is
made up on the fly." 

Seriously, protecting the internet entails more than securing data
transmission, as you imply. 

Explain to me the difference between having a broken web browser that
is vunerable to a buffer overflow attack, and a broken browser that
implements snake-oil crypto?

In both cases we need better programs on the user's end. The ends of
the communication link define the communication itself. You can't
protect the middle without modifying the ends.

> >Certainly, good crypto would plug up some holes but general internet
> >technology is full of cracks. All the crypto in the universe won't
> >stop a buffer overflow in your mail program, or 1000's of nested tags
> >from crashing your browser in a DoS. 
> this is nothing anyone cares about in the cyberspatial world.

You're right about that.. and that is _exactly_ the problem. As I see
it, the primary function of the internet is to communicate, to exchange
information. As such, any security we talk about is going to be
information security. A secure information system not only keeps
unauthorized users out, but it must insure that authorized users can
get to the information when they need it. This means that DoS attacks
are part of our security concerns, just as much as crypto is in keeping
the transmission secret, and authorization is to keep unwanted people
out of the loop. 

> these are thing that happen outside of cyberspace.

I'm not exactly sure what 'cyberspace' is, anyhow.. so I'm just going
to ignore this. It sounds like you mean to tell me that the internet
is just a bunch of wires.. that the only security issues the internet
faces is in the area data transmission. This is false. 

Encryption prevents eavesdropping, yes. This is the only area that
NSA regulates. In reality, the internet faces other, more fundamental
problems as well. The idea of using crypto to fix a problem such a
TCP/IP hijacking is bizarre to me. This is not the optimal solution,
and everyone knows it. It _is_ however, the best practical solution.
Pure encryption is (ie, confidentiality) is not needed for this. A MAC
will suffice.

Internet security runs far deeper than confidentiality.

> the bigtime issue is internet
> commerce, security of your mail. how about if someone reads your
> mail to steal your money?

In my opinion commerce over the internet is insane. Period. Let me
say it again: commerce over the internet is insane. Even if Uncle
Sam let us use any crypto we like with any key size, it is still insane.
There are too many problems with the fundamental network structure.
Confidentiality doesn't help us here. 

Lets be factual: NSA doesn't regulate authentication technology and
most of what we need to fix these problems is secure authentication,
not confidentiality. 

You brought up email. We have secure email: PGP. So does the rest
of the world. Confidential email is available. Does NSA like it?
They certainly don't like the theory. They probably don't like us
using the algorithms. 

If, by "strong crypto" you mean any cryptographic technology used
for authentication, confidentiality, or otherwise then I must
agree with you. But no one regulates this.. they only regulate
a subset of this. It happens to be a subset that I like, but it
is not _the_ most vital thing needed for securing the internet.

It is not necessarily even the most important thing for e-commerce. 

> p.s.-- can you quote to me how many billions go to the nsa every
> year? and would you care to calculate how much of your own
> salary  from your paycheck is sent to them?  and you think
> you are getting your money's worth? rather than paying someone
> to hold you down?

This is irrelevent for me: I don't pay income tax. Even if I did,
I can't say whether or not I am getting my money's worth, because
I do not know what NSA is capable of. If NSA can factor 2048 bit
numbers easily or other such things, then yes.. I would say I am
getting my money's worth. 

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"..subordination of one sex to the other is wrong in itself, and now
one of the chief hindrances to human improvement.." John Stuart Mill
"The Subjection of Women"