Originally published at: https://boingboing.net/2018/09/04/illegal-math.html
…
Hey - enough of the language in the headlines. These things show up in other places (newsfeeds, etc). I’m sure you can get your point across without lowering yourself to f-bombs.
I am beginning to believe that people go into politics because they are bad with science and never got math. Welp, that cuts off those high-paying STEM jobs, doesn’t it?
Not on my to-do list. Share and Enjoy!
Let me try to put this into phraseology our betters might understand:
You break crypto, all your money go bye-bye. Crypto make bank work. Bank good.
Given the cavalier attitude to mathematics they’ve adopted, it’s only a matter of time before they solve the energy crisis by demanding that scientists stop with this ‘conservation of energy’ nonsense.
Hello new user… are you fucking disappointed with BoingBoing?
It is kind of a nitpick, but this is wrong:
You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.
Bad crypto will keep your neighbor’s kid out of it. Or some guy who finds your laptop at the airport.
And probably Russian credit card fraudsters that target you as an individual.
Just not (say) the Chinese government.
A chink in the armor does not mean anyone is able to get through–just the more sophisticated and determined attackers. If you are a bank, this is going to be a much higher proportion of attackers than if you are an individual.
Bad crypto is still bad, and we should not accept it.
Also does everyone remember when BB recommended running your wireless AP open?
Those were simpler, friendlier times, friend.
Yes and no. If the encryption is broken it takes only so much time for this to leak, and then only a bit longer for someone to write a tool that exploits this. At that point anyone with the tool can make full use of the vulnerability.
If it is merely a sabotaged bit of crypto that’s much easier to brute-force than expected, then you are correct, and it’s only anyone with a given level of technical sophistication and sufficient resources that can break it with the caveat that this amount of resources will fall with time.
However, knowing the insatiable cravings of the state security apparat, they’ll want to read all the messages, not just have the option of breaking one in human-comprehensible timescales. The end game is AI-driven total surveillance used for algorithmic (in)justice, after all. Therefore I suspect they’ll want a backdoor that can be exploited instantly, which means they’ll want it fully broken.
True enough. There’s also the case of a secret, master key. Which, if it leaks, everything is horribly compromised.
And that totally has happened with Sony and Microsoft IIRC.
Yup. Admittedly, Sony also used really bad crypto, if memory serves. The algorithm was sound but they implemented it with a reused IV, which you really shouldn’t do. It was like skywriting the data.
Nah, fuck that.
BB has a long tradition of NSFW content - if you don’t like that, well then I dunno what to say…
There’s a saying in the industry - bad crypto is far worse than no crypto.
With no crypto, at least you know your data isn’t safe. With bad crypto you think your data is safe but it actually isn’t.
Welcome to BoingBoing!
(The cursing is far less of an issue compared to the pot smoking supplies posts)
I was looking into some fiddly SSL problems (I guess it wants Server Name Indication) and came across this:
Can you imagine trying to protect online banking and similar activities using encryption with the stopping power of soap suds?
When factoring threats, keep in mind that anything in the “nation state actors only” threat box is probably now in range of anyone with a serious cryptocoin farm. (They might not have the knowledge and expertise, but they can rent their hardware to someone who does.)
I remember back when cryptography was considered a munition and software needed to have special “export ready” versions with weakened/no encryption.
If I never have to hear about ECCNs again it will be too soon.
Indeed.
In this disturbing day and age, “Oh, for fuck’s sake; not this fucking bullshit again!” is a sentiment that I express aloud regularly, pretty much verbatim.
Even walled gardens such as iOS don’t really work to prevent installation of crypto. Sure, you can ban such apps on a country basis. And then a developer licence that lets you run whatever code you’d like is $99. Even with the everything-must-be-a-walled-garden model you would also have to somehow severely restrict access to development licences, which runs counter to all business models for these companies, which count on a relatively low barrier to entry for app developers.
And which part of this do you think would be of meaningful concern to security services/politicians who have already repeatedly committed to this level of stupidity/wilful ignorance?