[nycbug-talk] Elliptic Curve Backdoor? [was] RSA/DSA for encryption: has its time come?

Okan Demirmen okan at demirmen.com
Tue Sep 17 09:45:22 EDT 2013


On Fri, Sep 13, 2013 at 2:52 PM, George Rosamond
<george at ceetonetechnology.com> wrote:
> Pete Wright:
>> On 09/13/2013 07:58 AM, Okan Demirmen wrote:
>>
>>>> So throwing it back to list...
>>>>
>>>> What have you changed?
>>>>
>>>> What changes have taken place in your organization, whether or not
>>>> influenced by you?
>>>
>>> Zero.
>>
>> same here - although the incompetent IT department at my day-job is not
>> insisting on not allowing encrypted IM's because..."compliance".  so
>> that's awesome.
>
> I have some technical clients who are very conscious of the fact that
> there has been a shift for non-technical people.
>
> The argument that privacy has to be designed, as opposed to being
> promises or policy has reasserted itself.  If a provider *can* access
> data of its clients, then there isn't privacy.

I'm curious to see what sort of shift is real and what is just talk.
Users (mostly non-technical, who happen to be the vast majority)
willingly give up privacy for convenience.  Why do financial
institutions have online presences when they are so expensive to
build, maintain and protect - for the consumer who has shown the
willingness to drop the bar - financials later win since they can now
save money on the physical side, yet haven't applied any of those
concepts to the virtual - why should they when the public barely asks
for it; the only protections they take are ones for themselves.
Nothing wrong with that.

Take a survey of your non-technical friends and families - what's
really different?  They expect their favorite online shoe store to
suddenly not have the ability to do what exactly?

We talk about "tools" and "technology" fixes; one example: we still
have mysterious sources of SPAM, no?  Don't we have a mail spec that
allows one to trace the origin of an email address being "sold" or
"leaked"?  Yes, we certainly have had that for ages - super duper
simple "tech" fix for an end user....how many times have your friends
and/or family members used it?  Heck, how many online providers even
allow for such email addresses? - why would they want to protect the
user's address if it will bite them in the ass later on???

How many non-tech users read the fine print?  Of course, I barely read
the fine print when I crack open a bottle of soda, but at least I know
what I'm getting into.

I am not saying things will never change, I'm just saying the vast
majority of the internet, which is now a business, doesn't entirely
care.  Users at large are not demanding it; they might want someone
else (ie the service provider they are using) to make changes -
somehow, sometime, but they will not walk away if the provider does
nothing.

Signed,
Mr Negativity

> Can't find them ATM, but this is a great spot to see useful articles on
> the topic, including a lot of stuff on the changes in people's thinking
> recently:
>
> https://twitter.com/liberationtech
>
> And LibTech's list is a central place for discussions around this stuff
> today.
>
> (hi again Jan!)
>
>>
>>>
>>>> Factors of authentication, keys used, additional encryption added,
>>>> office or home Tor, pgp/gpg....
>>>
>>> Nothing new.
>>>
>>
>> same here, i think being a practical paranoid has prepped me for this
>> inevitable day where it's known that telecommunications is an inherently
>> unsafe communication medium.  as is anything that requires 3rd party trust.
>
> Very much the case for me also.  But I am convinced more of our 'tools'
> will start accounting for the 'new world' and I'm keeping tabs on that.
>
> Thanks for being relevant Pete.  I shifted this thread for a reason.
>
> g
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
