On Mon, Sep 16, 2013 at 5:17 PM, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote: > http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301 > Right now, whistle blowers are vilified in the US. Just ask Jesselyn Radack, Thomas Drake, William Binney, Bradley Manning, et al. The irony is the US recognized the usefulness of whistle blowing hundreds of years ago during colonial times: https://en.wikipedia.org/wiki/Qui_tam. (Thanks CB).
I'm all for monetization of whistle blowing to encourage the behavior. But that would take a proverbial 'paradigm shift', because the sneaky assholes who need to be uncovered are the same assholes who hold the power and control popular thinking. From the article: > ... that calls on authorities in that country and the United States to > conduct an investigation to determine which security products, > protocols and standards have been deliberately weakened by the > countries’ intelligence services. I think MQV and Dual_EC_DRBG events are kind of rare, and I'm not sure about this. Does an intelligence agency need to backdoor code when: (1) architectural and design defects are incumbent; and (2) shitty code is regularly checked-in? I think the agency's best course of action is to do nothing and wait for the defects to become widely available through normal channels. Given the above, an agency probably benefitted by doing nothing with, for example, MQV and Dual_EC_DRBG. In this case, would the panel of scientists be asking to investigate lack of agency action? I think that's going to be pretty tenuous. Jeff _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
