[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH

Brian Cully bcully at gmail.com
Mon Jun 17 02:09:21 EDT 2013


On Jun 16, 2013, at 22:33 , George Rosamond <george at ceetonetechnology.com> wrote:
> Isaac (.ike) Levy:
>> Agreed, and frustrating. (It's always a last-mile problem - perhaps
>> the true nature of understanding scale is found in the last-mile
>> problems.)
> 
> Or, as it should be called, the "Schneier's pole issue."  The best
> encryption is only part of a security equation.  Often it's like having
> a pole 200' in the air in front of a host/home/whatever that takes a lot
> of effort to get over.  However, it's usually much simpler to walk
> *around* that pole.

	IOW, "rubber hose cryptanalysis." There's not much you can do about it short of avoiding detection in the first place, which is why I'm such a big proponent of end-to-end crypto everywhere. For a long time it's been the case that the best way to your secrets is to employ meat-space tactics, from the aforementioned rubber hose to more quotidian social engineering.

	Why crack a password when you can crack a human being?

	Good password policy and encryption are useful for keeping out a subsection of Reddit and Anonymous, but at the end of the day this is a political issue (politics, defined as human-to-human interaction). Security only exists in trust, and as your trust networks get larger your security gets weaker. It's a hard problem to scale security because it's ultimately a political issue.

-bjc


