Slashdot Mirror


User: Tomin8tor

Tomin8tor's activity in the archive.

Stories: 0
Comments: 32

Comments · 32

  1. Re:PGP is not the answer on FBI E-Mail Wiretaps - The Carnivore System · · Score: 1


    > 1. The NSA cannot crack PGP on anything near a
    > realtime basis, the FBI probably couldn't even
    > uudecode...

    Well, you're probably right about the FBI, they do have a bit of a record of being screw ups from time to time. And I wouldn't suggest that even the NSA can crack PGP on a real-time basis (or at least, that would be a surprise).

    > 2. The NSA was 2-10 years ahead but that was
    > decades ago. The NSA most certainly lost
    > their "lead" due to the sheer numbers of
    > mathematicians working in academia and the
    > private sector. Combine this with the more
    > talented cryptographers avoiding the NSA for
    > moral and monetary reasons.

    I agree there are a number of mathematicians working in academia and the civilian world. And I do believe the gap has narrowed. However, I also know that the NSA funds quite a few research projects in academia (some obviously, others less so) and has a lot of data that the outside world has just never seen. And they also have a pretty horrendous amount of money to play with. And a lot of compute power. I think all that adds up to them still having a lead, though it may be measured in months rather than years now in some areas.

    Of course, unless they opened up their archives and let us see the stuff they know, some parts of this discussion will always be problematic and hypothetical.

    > 3. Dumpster diving / social engineering are not applicable here.

    Correct, except insofar as the cry made about the parsing of communications being a call for strong crypto. The truth is, if any of these agencies want to know about you (which admittedly is differentiated from them noticing you by trolling all the data streams), they can certainly find it out by easier methods than cracking your crypto.

    As for 1024 or 512 key crypto being uncrackable, just keep believing that. It's probably fairly secure (it would take a fair bit of compute power or some sophisticated routines to crack) but how many times throughout history have unbreakable codes been broken? Lessee....quite a few. How many times throughout history has the government been steps ahead of what anyone thought? A fair few.

    I can't prove that PGP is crackable or has been compromised already. I wouldn't think that if I were a government agency who could do so, I'd want it known publicly. I'd probably restrict the number of people who knew about it and tie them down with surveillance and various security agreements.

    This (and the process that selects people to work for such bureaux) would serve to effectively prevent comment so the public will probably never really know what a well funded government agency can actually accomplish, and the agencies like it that way.

    And of course, everyone that believes in unbreakable crypto or a lack of government capability in decryption no doubt pleases the powers that be to no end...

    As usual, you can think what you like. Until the government perfects its brain wave scanners, anyway. ;)

  2. Code Mines beat Coal Mines on Is Technology Killing Leisure Time? · · Score: 3

    My Grandad on my mother's side used to work double and triple shifts in a Scottish coal mine. Often the second or third shift was unpaid. If it was paid, you might get (as he received one time) a cabbage (literally). And my Grandma was glad of getting that!

    The Code Mines are a nasty place to work - RSI, stress, headaches, tendonitis, bad eyes, etc. but the Coal Mines were worse - cave ins, coal dust in your lungs, cancer, naptha fumes, suffocation, never being clean.

    And whereas he gets paid in cabbage, I get paid a lot of money to do what I do. I can afford to take a month long LOA. I can afford to take a flight somewhere warm. I can throw the Palm in a drawer, the cell on my dresser, the laptop in my cupboard and bug out.

    The modern work world will eat your time IF YOU LET IT. If you decide you are going to work 11 months a year, then you can set that up. Career management. That is the key. Let people know your limits, and live with it. Yes it may impact your success, but that is the decision you have to make. If you feel you need that extra $10K enough to sacrifice your weekends for 5 months, then do it. If family, social life, and health pursuits are more important, then you'll accept that and get on with it.

    The old world never was a nice place. Those who think it was wonderful to live in the period of knights and chivalry were idiots. Diseases ran rampant, pogroms massacred minorities, and life expectancy was short. Plumbing was outdoor. Ignorance was the state of affairs.

    Similarly, those who cling to the "good old days" like say the 1950's, are clinging to an idea of a period that wasn't. The beginning of the cold war and real nuclear tensions were in existence. People were overconsuming and living in a faux utopia of excess that helped lead us to the sorry state we're in today.

    Today isn't the best of times and yesterday wasn't either. Give or take a bit, things are different but pretty much life isn't terribly better or terribly worse. It is different. The threats are different, as are the benefits and boons.

    So let's stop crying about the modern world. I have friends who wouldn't be alive without modern medicine. I myself wouldn't be so happy or well employed. And I wouldn't be able to have made so many friends around the world on the Internet.

    :) Tomb

  3. PGP is not the answer on FBI E-Mail Wiretaps - The Carnivore System · · Score: 2

    PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.

    Keep in mind, the largest employer of mathematicians in the world is the NSA and that they are one of the largest computer buyers.

    They have sealed documents written by Alan Turing way back around WWII and the suspicion is they are 2-10 years ahead of anyone in the "normal world" of encryption/decryption.

    And as far as crypto goes, strong crypto is nice. But if you've ever read books on information security that covered the whole field, you'd realize a very small chapter would be devoted to crypto, and a very large chapter to organizational security because social engineering and dumpster diving are both far easier than cracking crypto in most cases. It's easier to pay a secretary $10K than to spend $100K cracking some crypto. And probably more effective to boot.

    Frankly, I don't really care if CSE, CSIS, FBI, NSA, CIA, KKK, FSB, - whoever - reads my mail. They'll find the effort not worthwhile. That's the ultimate secret - just be slightly odd and mostly boring... ;)

    Tomb

  4. Is eBusiness any different? on Hacking Insurance For Net Businesses · · Score: 1

    From an insurance point of view, business is business. Threats exist, are catalogued, and defended against. Part of the defence is insurance to help limit loss if a threat manifests itself. An important form of liability insurance that may come into vogue is insurance that protects company A from suits from downstream companies in the event that A is compromised by a cracker. A's own internal losses may pale in comparison to suits mounted by other companies affected via A's site/connection/hardware. This would seem to be the equivalent of Internet Tenant Insurance. And I wouldn't worry about insurance fraud - insurance companies like to make money. They also like to catch frauds. Bet that this is no less true on the Net. There will be fraud (smart guys get away with stuff), but that's always been the case and slightly impacts premiums. It is the cost of insurance. But the insurance companies (because it hurts their bottom line) and their insured (because higher premiums hurt them) will both have an incentive to drive better security forward. So all in all, this is likely to be a good thing. T.

  5. Big Brother has been here for a while on "They Are Watching Everyone" · · Score: 1

    Perhaps the vast mass of people in the US and other G8 countries only have the conspiracy theorists' viewpoints on how or what the government is up to because almost anybody who is cleared to work on the actual technologies involved in signal intercept, decryption, wiretapping, etc. is totally forbidden to utter one word about what they do and who they do it for (part of some nasty government legislation). I've known people at work who've described their work as being for "the client" (who can't be named), the project name couldn't be named, and who couldn't talk about what they were doing. But a perusal of the web reveals sites like DARPA and others where one gets a glimmering of the kinds of technology they are working towards - like technology to detect and scan underground bunker complexes, technology (from publicly posted RFP/Functional Specs) to intercept and process/parse hundreds of thousands or millions of cellphone calls simultaneously, etc. Plus plenty of legislation has been put in place to make the various Exchange Carriers and Backbone Carriers provide facilities for law-enforcement taps that are seamless and undetectable. There is little doubt that the US, the UK, and even Canada can currently process and study large volumes of communication in real-time and that information is stored in databases. There was just a major scandal in Canada about the data collected in one place by one of our government agencies (HRDC) - and that isn't even a classified database held by CSE, CSIS, or the Solicitor General. And those, no doubt, pale beside their US counterparts. And as for crypto... can you disguise which keys you hit on your keyboard? There are technologies to pick this up from orbiting planes, nanomikes implanted in the areas you are operating in, etc. as well as the ability for lasers to pick this up off of any nearby glass. They can get it from the unencrypted signals down your keyboard wire (wonderful antenna) or from the keyclicks.

    Simply put, if the gov't wants to know what you are up to, they'll find out. On the one hand, there are concerns about how this data is used or abused. On the other hand, it helps the gov't catch the *actual* bad guys, and it probably helps explain why places like Canada are as (relatively) safe as they are. Besides, it isn't likely to change :)

  6. Silicon North: Geek Gal Metropolis on Girls Don't Want To Be Geeks · · Score: 1

    Apparently Ottawa is the haven for many so called geek gals. In the companies I've worked at, 15-20% of the staff have been very competent geek gals. I'd go so far as to say they combined the best of the technical and non technical (interpersonal) skillsets. As it turns out, today in high tech, geeks (as in people who have to live in closets, get fed through slots, and live to code) are more rare. In a world where the coder is being replaced by the designer, team interactions are becoming even more vital and many women work very well in teams, something a lot of guys have to learn to do. But as it turns out, information technology and computer engineering professionals (regardless of sex/gender) are learning that the soft skills are what makes the industry (especially consulting or contract software development) work and are what translates into those $$$. I'm quite happy to say I've met some awesome gals in high tech - smart, pretty, good in teams, and technically competent. And most of the guys I've worked with have been very happy to see them there, very respectful of their contributions, and more than happy to make a place for them. There are still a few dinosaurs with age-old bias and patriarchal natures, but quite frankly, these beasts will be dead and gone in another decade. For now, gals still run across the occasional sexist obstruction in the hierarchy. But from what I've seen, most of them are more than capable of dealing well with any such temporary problem. Some have observed there aren't a lot of women CEOs... I say "wait for it". The day is coming. I don't know if we'll ever have a 50-50 balance, because many women want families too and rising to CEO ranks takes time and focus that often precludes that, but things are improving.

    And any gal that wants to meet nice guys, work in a field that harnesses creativity and where brute strength and testosterone aren't an asset, and who wants to make a good wage, give serious thought to some branch of the computer field. The hours are sometimes long, the commitment sometimes high, but the payoffs are large both in terms of $$$ and satisfaction of having built something and exerted creativity and imagination. Thomas. -- Aut Augere Au Mori! :)

  7. Re:Except many on slashdot do on What Computers Really Can't Do · · Score: 1

    Strange. I know 20 or 30 slashdot readers (maybe more), all of whom are in the age group 25-45, all of whom are working computer professionals scattered across probably 20 companies in Ottawa. I don't know anyone under 19 who reads it. And I don't know non-programmers who read it (well, if you include a few fringe types like DBAs, Web guys, and such).

    Perhaps Taco ought to have one of his infamous polls get us some demographic info about the slashdot audience. I suspect you'll find more mature, professional people than you would otherwise suspect.
    Pleasure in the job puts perfection in the work.
    There was never a genius without a tincture of madness.