At 02:43 PM 8/31/2001 -0400, Fausting wrote:
>Tim wrote:
> >But, as with Kerckhoffs's point, the attacker is going to get the design
> >eventually.
>If getting the design "eventually" were good enough, why the keen interest
>in putting in a large order for the beta? There's a reason.

What's the reason?

If the goal was disassembly and analysis, it wouldn't be necessary to buy
more than one copy - and even buying one copy is mostly a formality, though
it's probably a lot cheaper and faster than any of the other ways people
might get it. Still, it wouldn't exactly be a big problem for them to buy a
single copy (or a few copies) with more-or-less untraceable addresses and
credit cards. If they disclosed their identity, they already had what they
needed, or were sure they could get it one way or another.

The beta was available - I've forgotten the exact timing, by now - to
anybody with a credit card and an Internet connection, and CD-ROM copies of
the beta were handed out at web/internet-oriented conferences.

ZKS was not (nor is anyone else with distribution on any interesting scale)
faced with the choice "Shall I let the various three-letter-agencies have a
copy of my software?". ZKS was faced with the choice "Would we like to get
a lot, a little, or no money from the NSA?", and it's hard to blame them
for taking the cash. Further, they've been open (since late 1999/early
2000, at least) about wanting to encourage and facilitate law enforcement
and intelligence community use of their system, so that those groups come
to see ZKS/Freedom as a system which has good and bad aspects, instead of
just bad ones .. in hopes that a more nuanced (or conflicted) view of
Freedom's utility would slow down or stop regulatory activity aimed at ZKS.

>Maybe in the long run, it's right to view any objections as being little
>more than irrelevant, moralistic hand-waving. But I don't find the "they're
>going to compromise it anyway so why not make a buck when we can" line of
>reasoning particularly satisfying.

Well, no, it's not especially elegant or poetic, but it's simple economics,
which are at the heart of both successful business and successful
cryptography. If ZKS refused to sell to NSA, what would have changed,
except for their ability to crow "We told NSA to fuck off!" ..?

>All place-in-the-pecking-order issues aside, roughly how long do you think
>it's going to take before "dissident-grade untraceability" becomes a
>reality? If anyone deigns to show me why the prospects are better
>than "bleak", I'd love to be proven wrong.

"Dissident-grade untraceability" (DGU) is an elusive goal - if you look at
what's theoretically possible, we've got it now (and have had it for ~ 20
years, albeit with an unfriendly UI). If you look at what's deployed, we'll
probably never get there, because it's a multi-layered problem, where holes
appear in layers far beyond the control of any individual or organization.
Maybe ZKS can give me really great privacy within the 7-layer stack, but
they can't do anything about someone torturing me until I confess to crimes
I did (or didn't) commit, or undercover agents who pretend to be fellow
dissidents but are actually secret policemen, or snoopy busybodies who
notice that every time I use the computer at the local cybercafe, a few
hours later a new issue of The Squealing Rodent hits Usenet full of
irresponsible rumors about the Administration .. or that during the months
I was on "vacation" in solitary confinement, no new issues were published.

DGU is just like other kinds of security - it's not a product or service
you can buy from someone, even if you're really careful to pick the right
vendor. Maybe you can pick a vendor who does a good job within their area
of responsibility - and maybe you can pick a vendor who'll tell you really
clearly which problems they solve and which problems they don't - but it's
silly to expect anyone (be it ZKS or SafeWeb or anonymous remailers or
anyone else) to provide perfect untraceability on a silver platter, such
that users don't need to pay any attention themselves. You'll never get
real-world perfect untraceability if you've got human beings at the ends of
the "anonymous" communication pipes.

--
Greg Broiles
[EMAIL PROTECTED]
"We have found and closed the thing you watch us with." -- New Delhi street kids