Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] email privacy/security

On 08/05/2013 11:30 AM, Richard Pieri wrote:
> S/MIME is that it depends on a certificate authority to issue X.509 
> certificates. 

And we know that they can't be trusted.  But, a big realization I had 
recently is that even flawed crypto is valuable.

Okay, maybe ROT-13 isn't worth much.  But ROT-12, being a bit more 
obscure, starts to be useful.  And something that requires a 
man-in-the-middle attack, is very valuable.

Why?  Because it is expensive to mount an active crypto attack--at least 
when their apparent goal is to snoop on *everything*.  And even 
something that yields immediately to a trained human requires drawing on 
the limited supply of trained humans.

Snooping on everything is expensive and technically challenging to begin 
with.  Mounting separate active MitM attacks is orders of magnitude more 
difficult.  Making a human pay look at specific instances screws their 
automated vacuum cleaner entirely.

Good cryptography is great. Flawed cryptography--even just using obscure 
non-standard compression and binary data formats--makes your foes work 
for it.  And active MitM attacks completely changed the economics.  
Don't give them plaintext for the price of a tap and a data path back to 
their servers.  Make them work for it.  Make them wonder whether the 
work will even be worth it (because maybe you are using good 
cryptography with a good key).  Send pure high-quality random data if 
you are so inclined, just to worry them.


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /