While delivering the usual and useless anarchist rants, Cryptome does a good job of distributing information. In one case, 2014-0214.pdf, one sees hints of something Ive feared for a while.
So family member disclosed something that concerned me. It turns out that certain militaries are using software-certs, on the (military, but SBU-class) PCs. Apparnetly, despite spending millions on fortezza cards and then 727C atmel common access cards, software certs are used in favour of the hardware solution.
Now I grew up with certain design rules; that only hardware crypto had ANY value. Given ANY articulable risk, you use (a hardware) smartcard, say. And SBU is an articulable risk. Especially in military/civilian liason and preparedness, which is where my family member happens to work. There is lots of “sensitive” stuff about the plan for the local city buses to be commandeered – when the asteroid hits… etc. Obviously, its sensitivity is that it SHOULD WORK (when the X contingency happens); and a little discretion will help in that.
Now, typically , the US disclosures lie – in the sense that they spin a bad story as best they can into a story that doesn’t make it sound like the policy is what it is: billions of hardware crypto dollars designed to protect actual secrets were wasted, by allowing in software crypto (“PKI certs”) to be used “because its easier” to adopt by the high-school dropouts i.e. half educated and most self-educed folks employed by NSA.
The whole point about the PIV smartcard was the mixture of physical access control with logical access control role made it REALLY hard to share the “PKI certificate” on the card (since you cannot get through the next door, if you don’t hold onto it physically). Thus any risk of compromise is limited, to you being present (and presumably half aware).
As a said in the Manning issue, I’d hang the General (not Manning) for turning off the computer controls. Here, Id hang the NSA general too (for doing software certs). Both made errors of judgments that have cost lives (so they pay, personally).
Now, Id also hang the general for lying about the quality of the software OS used by the likes of Snowden on their PCs, used apparently for the likes of collecting a pin using a spoofed login prompt. NSA knows how to solve this, and train folks how to assume the computer is compromised and thus able to see when a it is loading uncertified programs that can, then, spoof a Pin collection prompt. This is 40 year old knowhow…
Ok. we see to be back to exceptionalism as the core problem. There is more belief in it, than reality. There seems to be more value placed in imposing the dogma that delivering it. Perhaps, folks were relying on the benefits of cheating by spying on others achievements… to make up for the reality/dogma gap.