[nycbug-talk] Elliptic Curve Backdoor? [was] RSA/DSA for encryption: has it's time come?

George Rosamond george at ceetonetechnology.com
Tue Sep 17 21:31:55 EDT 2013


Okan Demirmen:
> On Fri, Sep 13, 2013 at 2:52 PM, George Rosamond
> <george at ceetonetechnology.com> wrote:
>> Pete Wright:
>>> On 09/13/2013 07:58 AM, Okan Demirmen wrote:
>>>
>>>>> So throwing it back to list...
>>>>>
>>>>> What have you changed?
>>>>>
>>>>> What changes have taken place in your organization, whether or not
>>>>> influenced by you?
>>>>
>>>> Zero.
>>>
>>> same here - although the incompetent IT department at my day-job is not
>>> insisting on not allowing encrypted IMs because..."compliance".  So
>>> that's awesome.
>>
>> I have some technical clients who are very conscious of the fact that
>> there has been a shift for non-technical people.
>>
>> The argument that privacy has to be designed, as opposed to being
>> promises or policy, has reasserted itself.  If a provider *can* access
>> data of its clients, then there isn't privacy.
> 
> I'm curious to see what sort of shift is real and what is just talk.
> Users (mostly non-technical, who happen to be the vast majority)
> willingly give up privacy for convenience.  Why do financial
> institutions have online presences when they are so expensive to
> build, maintain and protect - for the consumer who has shown the
> willingness to drop the bar - financials later win since they can now
> save money on the physical side, yet haven't applied any of those
> concepts to the virtual - why should they when the public barely asks
> for it; the only protections they take are ones for themselves.
> Nothing wrong with that.

I took some time to reply to this email... you're hitting the core of
the question: what *is* the net effect, at the end of the day.

End users?  Do some web searching... the articles are out there.  Some
are surveys (vague, shallow polling, really) which point to habit and
perception changes.

But you can't ignore the larger 'policy' shifts... whether governments
or organizations.

There have been some significant rifts in Congress.  No, I don't follow
it closely, and don't find it meaningful, but I will say, such a series
of harsh votes reflects something larger in society.

Brazil's initiatives are enormous, plus the obvious geo-political
push-backs from lots of governments, whether they actually mean it or
not.  I mean, if the Mexican government goes ballistic about some of the
Snowden disclosures, you don't think it has an impact on the population
there?

And then we have some vendors, who, while not uber-popular, are certainly
known by a layer of the population: Lavabit's shutdown, and Silent
Circle's cessation of their email service.

Look at the fear in the US cloud space from non-US entities.  You don't
think that's a shift?

> 
> Take a survey of your non-technical friends and families - what's
> really different?  They expect their favorite online shoe store to
> suddenly not have the ability to do what exactly?
> 

Well, while I love using a mom-o-meter, anecdotes aren't the full picture.

I do note, conversation-wise, I've had some revealing discussions.  Many
in technology weren't surprised by many of the earlier disclosures.  We
knew that level of surveillance *could* happen, and when there's a way,
well, a large 3-letter government agency will find a way.  Then we know
Echelon, Carnivore, the impact of the USA Patriot Act on online service
providers, etc.

But before the disclosures, how far did you actually get in discussing
these things, without sounding creepy?

Now the most non-technical people around have this embedded in their
consciousness.  It's there.  Scratch and you'll find it.

> We talk about "tools" and "technology" fixes; one example: we still
> have mysterious sources of SPAM, no?  Don't we have a mail spec that
> allows one to trace the origin of an email address being "sold" or
> "leaked"?  Yes, we certainly have had that for ages - super duper
> simple "tech" fix for an end user....how many times have your friends
> and/or family members used it?  Heck, how many online providers even
> allow for such email addresses? - why would they want to protect the
> user's address if it will bite them in the ass later on???

Oh, yes, the market.  Well, that's the direction that goes into.  The
reality is that online service providers will not face a brick wall with
privacy-concerned consumers, but there may very well be some online
service providers that start doing things differently.  The recent
Google Voice auth changes, despite the obvious irony.

I will bet that in the next few months, it won't be about a wave of
principled shutdowns a la Lavabit, as much as authentication changes in
many online systems that were considered hindrances before.

There is a significant shift in privacy enhancing tools.  The number of
Tor relays has gone through the ceiling over the past few months.  It's
huge.  Look at metrics.torproject.org.

> 
> How many non-tech users read the fine print?  Of course, I barely read
> the fine print when I crack open a bottle of soda, but at least I know
> what I'm getting into.

No one does.  Look for that Carnegie Mellon study on the years it would
take someone to read all the convoluted and frankly irrelevant privacy
policies they encounter on a daily basis.

> 
> I am not saying things will never change, I'm just saying the vast
> majority of the internet, which is now a business, doesn't entirely
> care.  Users at large are not demanding it; they might want someone
> else (ie the service provider they are using) to make changes -
> somehow, sometime, but they will not walk away if the provider does
> nothing.
> 

Well, I argued pretty hard how they had changed above, and we've had the
discussion offline a bit too.

But I am convinced that there will be increasing shifts in how online
service providers do things, more messiness in the clouds, and some
vendors will begin to brag about their privacy measures.

Go ask people at Duck Duck Go about their dramatic usage stat changes.
I am not arguing they are a valid solution, but it certainly does
reflect something very real.

> Signed,
> Mr Negativity

It's fine to be critical and even pessimistic.  But if you add blind to
it by not seeing the streams of articles in policy-focused web sites
(say, Foreign Policy), the uncomfortable rationalization of the
marketing people (yeah, stop the NSA... but *we're* different), etc.,
then you're missing the larger trends.

<snip>

g and his $0.03
