[liberationtech] FW: The security and ethics

Jacob Appelbaum jacob at appelbaum.net
Wed Feb 9 18:22:39 PST 2011


On 02/09/2011 05:59 PM, Graham Webster wrote:
> 
> On Feb 9, 2011, at 4:36 PM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
> 
>> On 02/09/2011 11:24 AM, Graham Webster wrote:
>>> Apologies for the fast follow-up. I did not mean to say there
>>> were _no_ certification mechanisms (obviously RSA does
>>> certification, as I assume do other entities), but rather that
>>> the knowledge about whom to trust is not widely distributed, as
>>> it is with lawyers or doctors. Perhaps a key difference is that
>>> huge numbers of people _know_ how lawyers and doctors are held
>>> accountable, whereas knowing what qualification would be
>>> appropriate for an individual or organization's needs is not a
>>> common thing. -gw
>>> 
>> 
>> What good is certification of people? Are my criticisms of Skype
>> more or less valid when I have a CISSP or some piece of paper from
>> RSA?
>> 
>> Certification of software such as FIPS ratings are *interesting*
>> but there are lots of problems involved.
> 
> Certification is good if people don't have the resources to evaluate
> on their own the reputation of an individual but do have the
> resources to evaluate the reputation of a certifying authority. In my
> example of a lawyer, we know the court system in the United States is
> pretty decent for all its follies, and that lawyers have to perform
> within acceptable parameters (no negligence please; confidentiality
> guaranteed under most circumstances). So bar membership and standing
> before the court use the reputation of the government to communicate
> minimal standards that we can't very well study up to ourselves.
> 

I guess?

That says almost nothing of their performance, reputation, or abilities.
I don't pick a lawyer based on knowing that they have bar membership
alone. I pick a lawyer based on their previous case history, our ability
to have a personal/professional relationship, and the seriousness of the
risks when I've made a bad choice.

> So, if my imaginary NGO wants to secure its communications with
> potentially vulnerable individuals, the preceding discussion suggests
> that we should probably consult experts rather than configuring our
> own communication system and secure storage. Unfortunately, the
> security world is a black box to most social actors. A trusted and
> trustworthy reputation management scheme would let non-experts figure
> out who has the skills to help. Judging whether they are acting in
> good faith would have to depend on intuition, contract law, etc.
> 

This is pretty much the core problem. Managers without a clue relating
to the things they manage. That's a bad combo.

> So, your critiques of Skype are just as good one way or another, but
> if there existed a reputation-based accountability mechanism such as
> a certification regime, I wouldn't have to look up your background as
> thoroughly before trusting that I can or cannot safely use the
> technology for my purposes.
> 

There are certification systems and I reject basically all of them. I
know that I am not alone. I have no interest in chasing the paper
tiger or being certified by anyone; many good security people feel
similarly. If someone can't be bothered to do their homework, I can't
imagine that it would be a joy to work with them. I mean that in the
nicest possible way - really, there is no substitute for having a clue.

Having a CISSP isn't an indicator that someone provides good advice or
would know anything about Skype.

> This is why I didn't initially think to include RSA, because outside
> of certain corporate contexts, such a certification has little
> meaning to potential clients. I for one have one of those two-factor
> authentication dongles on my keychain but don't know whether I can
> trust that the rest of the system is secure enough to make this
> little artifact useful.

It's fine to not include RSA - it's basically meaningless.

> 
> As for certifying software, my sense is you still need someone
> competent to run a reasonably secure server, which is nontrivial for
> non-experts.

Yes, of course. I'd argue that it's probably the same for every other
step along the way too.

All the best,
Jacob
