On 08/05/2013 11:30 AM, Richard Pieri wrote:
> S/MIME is that it depends on a certificate authority to issue X.509
> certificates. And we know that they can't be trusted.

But, a big realization I had recently is that even flawed crypto is valuable. Okay, maybe ROT-13 isn't worth much. But ROT-12, being a bit more obscure, starts to be useful. And something that requires a man-in-the-middle attack is very valuable.

Why? Because it is expensive to mount an active crypto attack--at least when their apparent goal is to snoop on *everything*. And even something that yields immediately to a trained human requires drawing on the limited supply of trained humans.

Snooping on everything is expensive and technically challenging to begin with. Mounting separate active MitM attacks is orders of magnitude more difficult. Making a human look at specific instances screws their automated vacuum cleaner entirely.

Good cryptography is great. Flawed cryptography--even just using obscure non-standard compression and binary data formats--makes your foes work for it. And active MitM attacks completely change the economics.

Don't give them plaintext for the price of a tap and a data path back to their servers. Make them work for it. Make them wonder whether the work will even be worth it (because maybe you are using good cryptography with a good key). Send pure high-quality random data if you are so inclined, just to worry them.

-kb