Re: [Cfrg] Requesting removal of CFRG co-chair

Adam Back <adam@cypherspace.org> Mon, 23 December 2013 10:02 UTC

Return-Path: <adam@cypherspace.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 444121ADE7C for <cfrg@ietfa.amsl.com>; Mon, 23 Dec 2013 02:02:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQO9wBdIlzFz for <cfrg@ietfa.amsl.com>; Mon, 23 Dec 2013 02:02:28 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 17A391A1F56 for <cfrg@irtf.org>; Mon, 23 Dec 2013 02:02:28 -0800 (PST)
Received: from netbook (c107-70.i07-27.onvol.net [92.251.107.70]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0M5uD3-1VXKWX0aU5-00yK8w; Mon, 23 Dec 2013 05:02:13 -0500
Received: by netbook (Postfix, from userid 1000) id 766032E283A; Mon, 23 Dec 2013 11:02:05 +0100 (CET)
Received: by flare (hashcash-sendmail, from uid 1000); Mon, 23 Dec 2013 11:02:04 +0100
Date: Mon, 23 Dec 2013 11:02:03 +0100
From: Adam Back <adam@cypherspace.org>
To: Dan Harkins <dharkins@lounge.org>
Message-ID: <20131223100203.GA9389@netbook.cypherspace.org>
References: <201312212237.rBLMbo5i016331@sylvester.rhmr.com> <5FA05FD6-59A5-40EC-A3F6-A542E37C3224@taoeffect.com> <31D844CE-CCC8-4A4A-90A1-064D7B205E13@taoeffect.com> <CEDB64D7.2B148%paul@marvell.com> <CACsn0ckpB+9GHHb37xJ6BrpK3SL1aPe2-_nPwbDZKMAjMFg0Sg@mail.gmail.com> <8ac4396af38c4be34935361ed36ca5f6.squirrel@www.trepanning.net> <CACsn0c=96TPU5+WbkU=k3=S2r14Oho+frMVJ8zcZoEjXpYS9KA@mail.gmail.com> <e48e9ab7885ad9bd9c35def72ad429d7.squirrel@www.trepanning.net> <52B7E1EF.80808@akr.io> <1f646e2f7cad7ec0156536dfcfb6ff2d.squirrel@www.trepanning.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Disposition: inline
In-Reply-To: <1f646e2f7cad7ec0156536dfcfb6ff2d.squirrel@www.trepanning.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Hashcash: 1:20:131223:dharkins@lounge.org::TTlEk4ciz39t9PGW:000000000000000000 0000000000000000000000000Yiz
X-Hashcash: 1:20:131223:akr@akr.io::yLj4k2bAjp9MeQQk:000000058Qw
X-Hashcash: 1:20:131223:cfrg@irtf.org::U4p9BPHvBcsEypb+:00001VPq
X-Hashcash: 1:20:131223:adam@cypherspace.org::ZYGe+aTxWFEzqnOJ:00000000000000000 0000000000000000000000001+kV
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V02:K0:t2RMHmYOw5puVDuFmfhkLQCiKB1jprxEdamxPCtNBeU fozC1WT7oJBpAG5IQbLuJlGCdvMAIY/avy09PeQqVSqt/+FAbo NHCd4YGfdzv5aTDEz6Iqg4OnfmfzLhkHPWVprXtmKJCPSumWpO uiZWrzJ9gWg4fVDcV+p4gYn59BB+jVNKp9x3BDPPOZ0JwcU9JQ LznMBUSwC3rhZnuSaHF585lxbvZSlc5E6HA7SuqejfwoGZoaMS srXUBrVw/cGAawdpvofgzTrvdL6SG1K21oYWaYy+MmuYp/YW4+ FxtjJvkouD41UtBMtF2PDoTTGpIO28OSTHRZh8mMF2XXX2d3Fm kkN88Vyrh86smo90Y9IkcG26sfdVvmQChwO4CdURY
Cc: Adam Back <adam@cypherspace.org>, cfrg@irtf.org
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2013 10:02:30 -0000

Dan perhaps this last round is overly focussing on details of how Alyssa
Rowan expressed the post.  Probably modulo the wording you agree at
principle leve, if I had to guess.  I'm more interested to see an
articulation of principle (from you and others).

As I said in my comments this is completely impartial.  It has nothing to do
with Kevin Igoe.  Its his employer the NSA, and the egregious, sustained
well funded, systemic full-spectrum APT attack on societal security. 
Society is the victim, NSA is the outed criminal organization.

Lets make an analogy: 

   Its like you had a massive electronic bank robbery where many ordinary
   people lost their retirement funds, never recovered, to the level of
   affecting US national budget and business reputation globally, and it was
   discovered that it was an insider job, one of the technical consultants
   slipped a backdoor into the security system.  For plea bargaining reasons
   he escaped prosecution (flipped a higher up player) but guilt is
   completely not in doubt.

   Ok now you have a standards body for open peer reviewed design of banking
   security sytems.  Do you invite this guy to chair the group?  Or one of
   his co-consipirators already is co-chair, do you remove him given his
   criminal association.  Lets say despite criminal record these people are
   exceedinly well qualified and clever, so there is real possibility with
   careful closed planning and bribes, hidden contracts etc that they might
   systematically succed in outwitting the public, or gaining some non-zero
   advantage in soft-sabotage/brittleness/disruption of robust architecture
   in plausibly deniable ways.

This is basically what happened.

But now the game is up, should we invite a new chair who was explicitly NSA? 
I think it would be a resounding NO.  

If we would not, why would we sit by inactive while an NSA employee is in
such a position for historical reasons.  What cold considered logical motive
could there be to defend him staying?

The public interest and security of society is much bigger than emotive
attachment to being nice to an individual.  An individual for whatever
reason who chose to align himself with NSA.  Sorry for him, but he made the
choice, informed or not, thats the luck of anyone who worked at NSA and now
faces the employment record implications.  And companies that were outed as
collaborating or taking or falling for bribes.  There are many victims of
this criminal organization, including their technical employees.

But the open standards process, the biggest victim, has the clear obligation
to clean house and avoid any association.  Even as participants everything
an NSA contributor says will be viewed with extreme caution and scepticism. 

To have an NSA personnel as the co-chair is clearly absolutely untennable in
this new reality.

Adam

ps Whether or not something untoward happened with Dragonfly isnt really the
principle, often there will be plausible deniability, soft-sabotage, unknown
collaborators, duped participants etc and there are specific allegations and
academic cryptanalysis as I see you are aware (and various papers).

http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/

But lets please put that detail to one side.  Its not personal to dragonfly
either, nor to you.

On Mon, Dec 23, 2013 at 12:44:14AM -0800, Dan Harkins wrote:
>
>On Sun, December 22, 2013 11:10 pm, Alyssa Rowan wrote:
>>
>> Documented fact: Kevin belongs to an agency with a "SIGINT Enabling
>> Project". Their job is to "enable" [backdoor and/or disrupt] strong
>> cryptography so the NSA can exploit it.
>>
>> That makes his advice untrustworthy. For all we know, it's *literally*
>> his job to lie to us, and mislead us.
>
>  "For all we know…", translation, "What I'm saying is complete
>conjecture…."
>
>> And if he is responsible, as co-chair, for relaying the CFRG's advice
>> to WGs, he is in the perfect position to do just that. The net effect
>> is to taint that advice with the NSA's proven untrustworthiness.
>>
>> That's the central problem here.
>>
>> The only fix is for him to step down as co-chair. (It wouldn't hurt
>> for him to resign from the NSA, or speak out, either; that he hasn't,
>> as Daniel raised, can only be reasonably interpreted as indicative of
>> his approval of the agency's actions.)
>
>  This is another example of the argumentum ad hominem fallacy.
>You're saying that you will judge his statements based on some
>aspect of him and not on their fundamental truth (or falsehood!).
>
>> Do you agree?
>>
>> If not, Dan, why do you wish Kevin to remain co-chair: despite the
>> profound concerns raised, and the fundamental conflict-of-interest
>> between his duties here, and the NSA's mission?
>>
>> Kindly explain your reason. I'm keenly interested to hear it.
>
>  No, I don't' agree. Because I:
>
>  1. don't believe in guilt by association and have no truck with
>      ad hominem attacks; and,
>  2. think that a dangerous precedent would be set if a social media
>      fueled campaign to influence an SDO was successful.
>
>> I mean, what I've heard from you so far is... just look at this gem:
>>
>> On Thu 12 Dec 2013 16:06, on TLS WG, Trevor Perrin wrote:
>>>> The consequences of adopting a protocol we think is secure that
>>>> isn't: dead people.
>>
>> (Correct security engineering thinking, backed up by decades of proven
>>  history, and still just as true today, as Jacob Applebaum or Moxie
>>  would be able to confirm.)
>>
>> On Fri 13 Dec 2013 08:35, on TLS WG, Dan Harkins wrote this reply:
>>> You obviously read too much fiction and have too little practical
>>> experience. Dragonfly is not a threat to human life. Get a grip.
>>
>> (...and well, I think that speaks for itself, doesn't it?)
>
>  Let's stick to the topic, shall we? There will be plenty of opportunity
>in the future to extract sentences from my numerous posts to various
>lists and to bring up irrelevance like death by protocol ("it's true, just
>ask these people who have not been killed by a protocol!"). The topic
>right now is the subject of this email.
>
>  Dan.
>
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg