EPIC Report On International Cryptography
kalifa writes: "The EPIC (Electronic Privacy Information Center) has just published its annual report on international cryptography. It is available here.
It's pretty informative, and I hope it will help change many false misconceptions (and, by the way, put an end to the same good old francophobic stuff, which is obviously unjustified after the study of this report)."
As an old-time reader of comp.org.eff.talk back when the Clipper chip was first introduced, my favorite quote from the beginning of the article is:
"There is little international support today for key escrow encryption. It has been abandoned by most countries and is no longer enforced in the few countries where laws requiring its use still remain."
Does anyone else out there remember David Sternlight, the guy on c.o.e.t back in 1994 who ferociously defended Clipper as a Good Thing? What happened to him, anyway?
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
And what part of the economy would that be? Is that the all-too-crucial overblown speculative-bubble part? I haven't heard of any e-companies that are in the black yet. How many points did Nasdaq drop when Microsoft's stock crashed? Have I made my point yet?
The US likes other countries to take risky action first. That way we can see if it works and then implement it ourselves. We avoided socialized medicine and related fiascoes that way. If we have an interesting idea ourselves we try it out on the state level. Again, there's less risk of a major fiasco.
The US is always more worried about national security because it still believes it's the bastion of democracy. Also, most of Europe didn't have to worry about national security too much because they had large numbers of American troops on military bases on their soil. It shocked me to find out that many European countries (like Germany) don't have professional standing armies, but it's true.
Also most European countries are the size of American STATES. France is the size of Texas. Shouldn't they be capable of moving faster on things than the US?
So far I've gotten all my Karma from telling people they are wrong... :)
Publicly available crypto is very strong. Anything based on an RSA public key scheme is extremely hard to crack (that includes SSL (secure web transactions), PGP (for your email) and SSH (for telnet)). Keep in mind that while it's possible that the government could figure out efficient ways of factoring numbers on the order of 10^350, I seriously doubt it. (Why would the feds have harassed Phil Zimmermann so much if they could crack PGP?) Anyway, properly encrypted stuff is certainly safe from nefarious evildoers or terrorists. If you start doing credit card transactions online, keep in mind that the information is only as safe as the business establishment and the credit card companies keep it - just like using your credit card in meatspace.
I'm sure that there are plenty of Credit Card thieves out there who would be overjoyed to hear this attitude from their victims... er, clients.
I don't know about you, but I would be just as happy if certain information is not publicly available for anyone who wants to view it.
Gonzo
The threat isn't that your card will get compromised en route (today), but rather that the company you are buying from will be storing your credit card number on a publicly reachable server running an insecure service.
If you'd like to learn more about how crypto works, and keep up to date on it, I'd recommend checking out www.counterpane.com (where Bruce Schneier will tell you to buy Applied Cryptography (which is a good read, and makes a good armrest, too)).
Information wants to be free
So what? Guns want to kill, but we have laws against that.
From the section of the report concerning the state of US law, the following notable paragraph illustrates a trend:
If they can't get the laws they want, just make sure that the dominant OS has backdoors in it. I feel so secure.
With the web, I don't think it is very difficult to get a copy of the US edition of PGP anyway - doesn't really matter where you are. Get real! How can you restrict someone in the US from emailing a US version of some encryption software to someone in another country? I think the recent relaxation of export control legitimizes this export as successfully as the Netherlands legitimized the sale of drugs.
Ok, I'm a relative newbie at Slashdot. I haven't even been actively posting here for a year yet. I can't talk about the golden age of slashdot or any of that crap. I moderate when I'm chosen. I try to do a good job and sometimes I screw up. Sorry.
As for the "sold-out" comments, that's pretty much crap. I don't see any instances of /. censoring the articles it posts. I haven't seen any articles on how great Andover and VA are. I haven't seen any on how they suck. For the most part it's a non-issue. /. is owned by a big corporation to pay overhead. Deal with it. If anything Taco is probably so sensitive about the whole thing that he's avoiding all related issues for fear that he isn't objective.
As for your comments about the signal to noise ratio and moderation, they seem to contradict.
You don't seem to share the group opinion on what constitutes noise. Grits posts aren't noise but Portman posts are? Who's to say? You mister "censorship is wrong"?
I like moderation in many ways; if I don't have enough time to read a lot of posts I can read at 3 and get the "good" ones. The noise drops out almost entirely. If I read at -1, then I get a whole hell of a lot of noise. What's your solution? Stop moderation but let every post through? That won't take care of the noise problem. Only let certain people post? Well, that's the same as the censorship you were criticizing, isn't it?
Now on to my slashdot rant:
At the core of a website that supposedly champions the rights of the individual, we have the moderation system. The moderation system has one great flaw. It systematically allows for oppression of the minority. Have you ever posted a reply which went against the /. group ethic? Were you surprised when it languished at 1 while all the party-liners got 2s or more from replying to it? Were you even more surprised when you realized that their posts weren't even well written when you took an hour to compose yours?
Moderators are only able to be checked and balanced by other moderators. For all intents and purposes there is no community conscience or objective party to rein them in. Moderators for the majority party-line will moderate up posts they like and moderate down posts they don't. It happens even though it shouldn't. Minority moderators don't have enough points to moderate party-line posts down and they lack the numbers to moderate their own good posts up against the wishes of the majority.
In short, there is a glass ceiling that all but the best minority opinion posts can't break. Sure moderators should be objective, but they aren't. It shouldn't be a conflict like this, but it is.
I unfortunately do not share the average /. readers views on many social issues. And my karma suffers for it. This combined with what seems to be an increasing percentage of YRO stories is killing me. Oh well, I'll suck it up and deal. I honestly can't come up with anything better than the moderation system, except possibly making it easier to refer abuses to Taco, etc. for summary judgement.
So far I've gotten all my Karma from telling people they are wrong... :)
The really paranoid answer would be: "To give us a false sense of security". Or, to apply Hanlon's Razor, because the fact that a law might have been broken triggered a reflexive response in the hard-wired brains of some particularly clueless federal droids.
Remember that public-key crypto is based on the unproven assumption that there is no efficient method to factor the product of two large prime numbers. A good indicator of how secure NSA thinks public-key crypto is would be to find out if they use it for really sensitive communications. (Somehow, I doubt that they do)
My gut feeling is that NSA can crack 128-bit encryption if they want to, but not for large volumes of traffic. Given the fact that the EFF cracked DES in 4 days with 100k in hardware and a few weeks' worth of engineering, I'd wager a week's paycheck that NSA can crack mountains of 56-bit DES traffic in real time after ~48 years of research and countless billions in hardware.
The question isn't really "Can NSA crack strong crypto?", but rather "How long does it take NSA to crack a strongly encrypted message?" and "How many strongly encrypted messages can NSA crack simultaneously?"
"The axiom 'An honest man has nothing to fear from the police'
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
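The two posts above make the same underlying point from different sides: RSA's strength rests on the difficulty of factoring n = p*q, and a symmetric key's strength rests on the size of the keyspace a brute-force search has to cover. The following is an added example, not from the Slashdot thread or the EPIC report, that makes both concrete: a toy RSA keypair built from small primes (constructed values, chosen so the point is visible), a round-trip through the public key, a trial-division factoring of the toy modulus that recovers the private exponent (which is exactly what becomes infeasible at real key sizes), and a scaling function that extrapolates the "2^56 keys in about 4 days" figure quoted above to other key lengths. The reference hardware figure is the one the post states; the extrapolation assumes the search cost simply doubles per extra key bit.

```python
"""Added illustration: RSA security reduces to factoring, and symmetric
brute force scales as 2^k.  Toy sizes only; nothing here is a real key."""
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial-division primality check, fine for the small constructed primes here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, isqrt(n) + 1))


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes p and q.

    Returns (public, private) as ((n, e), (n, d)).  The private exponent d
    is the inverse of e modulo phi(n) = (p-1)(q-1); anyone who can factor n
    can compute phi(n) and therefore d, which is the whole security argument.
    """
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_trial(n: int):
    """Recover p and q from n by trial division.

    This is only feasible because the toy modulus is ~27 bits.  For a
    modulus on the order of 10^350 (what the post above refers to) there is
    no known efficient method, which is the unproven assumption RSA rests on.
    """
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def recover_private_key(pub):
    """Derive the private key from the public key alone, given n factored."""
    n, e = pub
    factors = factor_trial(n)
    if factors is None:
        raise ValueError("modulus did not factor by trial division")
    p, q = factors
    return n, pow(e, -1, (p - 1) * (q - 1))


def brute_force_seconds(bits: int, ref_bits: int = 56, ref_seconds: float = 4 * 86400) -> float:
    """Extrapolate a known brute-force effort to another key length.

    Reference point (from the post above): 56-bit DES in about 4 days.
    Assumption: cost doubles per additional key bit, same hardware.
    """
    return ref_seconds * 2 ** (bits - ref_bits)


# Constructed demo values: two small primes, a small message.
PUB, PRIV = rsa_keygen(10007, 10009)

if __name__ == "__main__":
    m = 123456
    c = encrypt(PUB, m)
    print("round trip ok:", decrypt(PRIV, c) == m)
    print("private exponent recovered by factoring:", recover_private_key(PUB) == PRIV)
    years = brute_force_seconds(128) / (365.25 * 86400)
    print(f"128-bit search at the quoted DES rate: ~{years:.3e} years")
```

The recovery step is the whole lesson: the public key is enough to reconstruct the private one as soon as n factors cheaply, so RSA key size is chosen purely to keep that step out of reach. The scaling function shows why the 56-bit DES figure says nothing reassuring about 128-bit ciphers: every extra bit doubles the search, so the gap is a factor of 2^72, not a matter of buying more of the same hardware.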
Encryption, shmencryption I say. It's a known fact that information wants to be free, and encryption is only one of many ways to stifle this freedom. When you encrypt something, whether it's your email or your grocery list, you are taking away that information's "freedom", and what's more, other people's rights to that information. In an era when Free Software flourishes, it is only fit and proper that Free Information takes a similar path. Much as you must work to make sure that your software stays Free, you must work to keep your information Free.
Encryption is akin to copyright, and thus censorship, in this regard: you are creating a privileged class of people who have the "right" to obtain your information. This system is the antithesis of what we in the Free Software Movement have worked for for years: open access to everything, at all times. If Free Software is the only moral software, then it follows that Free Information is the only moral information.
Just as in a state in which there is only Free Software there is no software hoarding, in a place with only Free Information, there will be no secrets, no plots, no jealousy. There will only be a new era of Freedom and Learning. Imagine if you were able to peer into the collective knowledge of millions: what you could learn, what you could discover. Encryption is a form of censorship which is directly opposed to Freedom. You don't need it.
But what about state secrets and military information, you ask? Without them, there is no need for the military: all nations will know what each other is planning, and all will be too afraid to act without the element of surprise. With no military, the government which it exists to back will disintegrate. All nations will work together without the poison of nationalism to infect them. Only with Free Information can this be achieved.
Just keep in mind that the only choice for Freedom is Free Information.
Well, that's the story for the US. By the looks of things, all things considered, they should be a "green light" in about 2 years. For crypto. The rest of our privacy laws are woefully lacking. In this respect, I consider the EU and its member nations to be making substantial progress - more so than the US. For a country that prides itself on technical and economic superiority, it comes as a mild shock that we haven't been quicker to adopt EU-like specifications to encourage e-commerce on a wider scale.
I guess though there are some parts of our government which are more interested in "national security" than economic prosperity. All in all, an excellent paper, and one I'll definitely be referring to when I set my web server(s) up in the near future.
I gave up moderation on this entire news story to post this reply in this thread.
Who is a moderator? A moderator is any random /. user. I am just some guy like you that wants to read news about technology. Every two weeks or so, I notice that I am a moderator, and I take advantage of it. It is important to note that I do agree with much of your letter to Cmdr Taco, however on the topic of moderation, I disagree.
Moderation cannot be censorship because it is performed by a cross-section of the registered users on Slashdot. If you are not registered (which is free) then you do not have the rights that you may desire. Take a website that did not have accounts, yet had open posting without moderation: www.segfault.org
This tech-linux-humor site was great until the Natalie Portman epidemic broke out. Sure, the trolls were listened to, but did they stop? No.
Segfault is now a humor site that is dying (just about dead). It is dying because it no longer allows posting by the users, and it is lacking the traffic as a result.
How does a site remain free (as in speech) while getting rid of all the trolls? Simply have the users LOG IN! I have my threshold at 1, and it helps out a ton!
Moderation can be abused by the moderators (moderating down anti-linux stuff) but as long as there are registered users reading /., there will be moderators. And if you are a moderator and you do not agree with moderation done, you simply change it accordingly.
Moderation works, my advice to all that are bothered with moderation is to set up an account and log in when you read Slashdot. You will be heard. Furthermore, if you notice that you have moderator access, USE IT!
It is a very important tool to the success/demise of this site. If you want to enjoy what you read, use your moderation rights!
You claim that moderation is not censorship but merely a filter that relevant information must pass through. Frankly, that is bullshit. Many on-topic posts are moderated down simply because they disagree with open source dogma or are critical of Linux and VA. In many cases, if the downward moderated post were to say the exact same thing about another company (Microsoft), they would be moderated up.
OK, let's first of all drag out the obvious points.
1) You are only liable for $50 if your credit card is used fraudulently, i.e. if someone steals the number and uses it without your permission.
2) Every time you hand a wait(er/ress) your card in a restaurant, they can steal the number REALLY easily. Same with every other shop that you use your card in. Anytime, anywhere.
Given those, I wouldn't worry much about the security of online transactions.
Regardless, the publicly available encryption is FAR more than secure enough to protect your card, especially with its tiny limit. (No offense--I just doubt you have a $10M limit, which might make it worthwhile.)
On the other hand, do the browsers use particularly secure encryption? Not great, and outside the US, not good at all. Also, lots of sites are badly written or designed, are full of security holes, etc. There's no guarantee of safety no matter how good the encryption is, because as often as not, the encryption can be bypassed.
But go back to #1 for a second. That $50 limit is pretty reassuring, and you can only be held liable for that under certain circumstances. If there's a massive and documented theft of a thousand numbers, then you probably won't be liable.
So relax, but don't be stupid about giving out your card #. In other words, buy from companies you trust--after all, the easiest way to defraud people is to actually run an 'ecommerce' website where people will send you cards!
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban