Ex BibliothecaThe life and times of Zack Weinberg.
Sunday, 29 December 2002# 10:05 PMunsuccessful experimentYou ever read one of those novels in which someone steams open an envelope so that the recipient won't know it's been tampered with? Such as Bagthorpes Abroad (if my hazy twelve-years-ago memory is accurate)? I'm here to tell you it doesn't work. Or anyway it doesn't work with modern envelope glue and very little care taken over the operation. The full story goes, I wrote out this month's rent check early and put it in an envelope to be mailed at the end of the month. Then I got a note stuck under my door saying "please deduct $30 from your rent this month, as compensation for interest earned on your deposit." So I had to change it somehow. Rather than just destroy the envelope and make out a new one I thought I'd steam it open and put a new check in. The steam did indeed soften the glue -- but only in the center of the envelope, where it also softened the paper to the point where it tore at a touch. Meantime, water condensed on the edges of the envelope where it was touching the pot, ruining it. After some thought, I did the sensible thing, which was to make out a new check and envelope, cut the stamp off the old envelope, and glue it on the new one. weather musingIn Seattle, the weather was consistently in the low forties. Here, the weather is consistently in the low fifties. Yet I am much colder in this apartment than I was in my aunt's house. I suspect the apartment's lack of central heating and insulation has something to do with this. political tangentOn some blog or other, I read an entry which points out that Clinton's "Clipper chip" proposal, if implemented, would have provided us all with more privacy than we do now; it would have made all network traffic secure against eavesdropping by anyone other than law enforcement officials with legitimate warrants. The status quo is that almost all network traffic is cleartext and can be eavesdropped upon with relative ease by anyone. This is true on the face of it, but misses three points: one technical, one sociological, one political. The technical point is simply that the chip would not have become universal, because that would have required revisions to every protocol and every operating system in use today. Right now, when you fill in your credit card number on that secure web page, no one can read the dialogue between your browser and the remote server, but there's a decent chance your transaction will be lumped with a whole bunch of others and emailed somewhere in cleartext. And it's actually easier to intercept that message than the original. The sociological point is that the crypto is never the weakest link in a security perimeter. It is always easier to steal information by social engineering tactics: for instance, call up the helpdesk and claim to be someone with access to the data you want, who has forgotten their password. This attack has been successfully carried out in the wild; and it can be made a lot more subtle. Consult your friendly local con man for ideas. Or read Secrets and Lies. And the political point is that it wasn't just a Republican smear job that sent Clipper down in flames. The people in the computer security community who would have needed to approve of it, for it to go anywhere, tend to be of the opinion that the presence of a back door — any back door at all — in a cryptosystem renders it totally worthless. Furthermore, they generally have a deep-seated, considered distrust of government proposals, and the Clinton administration did two things which ruined its credibility on the issue. The design and implementation of the chip was classified, so it could not be reviewed. Contrast the process leading to the promulgation of the AES cipher, which was open to the public; that algorithm is now in wide use. Also, at the same time that the government was pushing Clipper, it was stifling development of secure protocols by preventing the code from being exported from the USA or even discussed with researchers outside the country. (This policy has now been relaxed but there are still awkward bureaucratic hoops to jump through, and active court cases challenging what remains.) So I don't think it's correct to blame Republican dirty politics for the failure of Clipper, and I don't think it would have been as helpful as the blog-author suggests. (If anyone knows which author and which post I am responding to, please tell me.) |