Routing all mail through comcast

Chris Devers cdevers at pobox.com
Thu Oct 23 11:53:47 EDT 2003


On Thu, 23 Oct 2003, eric wrote:

> i don't know about this.  "encryption will do no good with big brother".
> do you mean that uncle sam can crack my encryption or that he will use
> another method to get the my key (key logger, informant, club to head,
> etc.)?  if you mean that the possibility exists that he can crack it
> (time, resources) then ok.  if you mean that an algorithm exist that can
> crack my GPG like my nephew with a candy wrapper, i must ask, how do you
> know?

It's doubtful that he *knows* this, but it's a widely held, and presumably
safe, assumption that various three letter agencies have access to
cryptographic techniques that are much better than anything available to
the general public. How much better? Who knows.

The default assumption should be that, at a minimum, they have access to
everything that the public does, and the likelihood that they have
anything better (either marginally or significantly better, it doesn't
matter here) is pretty good.

By way of anecdotal example -- that unfortunately I can't provide a
citation for at the moment -- the NSA suggested that various subtle
changes be made to the DES algorithm over the years, with hints that
there were certain crackable defects in the technique. In 1998, the EFF
built a "cheap" ($220k) machine that could brute-force DES encrypted data
in 4.5 days (adjust prices & speeds to imagine what's possible now, six
years later), and I seem to remember research that found problems with the
algorithm itself -- verifying the NSA's hints -- in recent years. The
latter point is the part I can't find a citation for at the moment, but
the EFF demonstration is widely documented, e.g. by Bruce Schneier, here:

    <http://www.schneier.com/crypto-gram-9808.html>

Again, that was with a cheap, cobbled together machine, done by civil
liberties advocates, not cryptographers. It seems safe to assume that what
the EFF demonstrated in public in 1998 was already being done in secret
with more advanced equipment years earlier.

Granted, DES is getting to be an archaic algorithm now, but I for one
think it's prudent to assume that more modern algorithms have similar
issues today.

There are different levels of people one may want to protect data against:
casual, opportunistic intruders; skilled & dedicated professionals; and
governments with presumably vast resources. Figuring out how much effort
you want to put into protecting your data is a matter of evaluating which
of those you want to protect against, and how much effort you are able to
put into protecting it. Keeping out casual intruders is pretty easy;
keeping out the professionals takes more work (PGP/GPG may or may not be
enough at this level); but it should be assumed that if you want to
protect against the government level intruders, they will always have the
advantage, and if you want to keep your data from them, it probably
shouldn't be in some kind of electronic format to begin with.



-- 
Chris Devers
really liked _Secrets & Lies_,
now plans to read _Beyond Fear_



More information about the Discuss mailing list