May 15, 2003

The beauty of bias

We all have pet theories, and a side effect of these is that we often read information in such a way that it can be made to fit our preconceived ideas. This is simply called bias, and it is the bane of scientific experiments: scientists go to great lengths to design experiments which reduce the possible bias to a minimum.

Security is not immune from it either, as the latest issue of Crypto-Gram seems to indicate.

While reading the section on wiretaps and encryption, I thought that something was not quite right.

If you read it carefully you will notice that there are fundamentally two points being made:

1) Only about 1% of wiretapped phone lines used encryption,
2) The quality of the encryption was so bad that it did not pose a problem.

At first glance that is perfectly correct, but as a matter of fact it carries the author's bias. Quite rightly, Bruce Schneier thinks that one of the banes of modern security is snake-oil encryption, and "closed" products like encryption devices for phones are part of this category.

The problem with the above is that it does not follow that the trivially wiretapped encrypted phone lines had anything to do with encryption devices for phones.

If we consider mobile phones, in particular GSM phones, their transmissions are encrypted while in transit over the airwaves. The algorithm itself, A5, is not particularly secure (attacks on it have been published), but it is still a worthy challenge. There is one small catch: the encryption covers only the radio link between the handset and the base station. The moment the call reaches a base station it is decrypted, and from there on it is no longer encrypted.

So strictly speaking a GSM mobile phone call is encrypted and might well fall in the 1% of calls which carried encryption. At the same time you don't actually wiretap the airwaves: you stick your tap at the base station, or further into the network, where the traffic has already been decrypted for you.
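The point about where the tap lands is easier to see in code. The following is an added illustration, not from the original post and not from any GSM implementation: it models one voice frame travelling handset A to base station A to the core network to base station B to handset B, with link encryption on each radio hop and, optionally, end-to-end encryption under a key the network never holds. The "radio cipher" is a stand-in stream cipher built from HMAC-SHA256 in counter mode (not A5), and the key and nonce names are invented for the example; GSM key agreement is not modelled.

```python
import hashlib
import hmac

# Constructed keys and nonces for the illustration (not derived from any real
# GSM key agreement; A3/A8 and Kc are not modelled).
LINK_KEY_A = b"link-key-handset-A-to-its-base-station"
LINK_KEY_B = b"link-key-handset-B-to-its-base-station"
E2E_KEY_AB = b"end-to-end-key-shared-by-A-and-B-only"
NONCE_A = b"frame-counter-A"
NONCE_B = b"frame-counter-B"
NONCE_E2E = b"session-nonce-AB"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream generator: HMAC-SHA256 in counter mode.

    A placeholder for the radio-link cipher (A5/x in GSM), here only so the
    example runs without any telecom code.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def call(plaintext: bytes, end_to_end: bool) -> dict:
    """Carry one voice frame from handset A to handset B and record what a
    tap would see on the air, at A's base station, and at the far handset.

    Link encryption protects handset <-> base station only: each base station
    strips it, hands the frame to the core network, and the next base station
    re-encrypts for its own radio hop.  With end_to_end set, the handsets
    first encrypt under E2E_KEY_AB, which no base station holds.
    """
    payload = stream_xor(E2E_KEY_AB, NONCE_E2E, plaintext) if end_to_end else plaintext

    on_air_a = stream_xor(LINK_KEY_A, NONCE_A, payload)           # radio hop A
    at_base_station = stream_xor(LINK_KEY_A, NONCE_A, on_air_a)   # BTS A strips link cipher
    on_air_b = stream_xor(LINK_KEY_B, NONCE_B, at_base_station)   # BTS B re-encrypts
    at_handset_b = stream_xor(LINK_KEY_B, NONCE_B, on_air_b)      # handset B strips link cipher

    delivered = stream_xor(E2E_KEY_AB, NONCE_E2E, at_handset_b) if end_to_end else at_handset_b
    return {"on_air": on_air_a, "at_base_station": at_base_station, "delivered": delivered}


def tap_reads_plaintext(plaintext: bytes, end_to_end: bool) -> bool:
    """True if a tap placed at the base station recovers the spoken frame."""
    return call(plaintext, end_to_end)["at_base_station"] == plaintext


if __name__ == "__main__":
    frame = b"meet me at the usual place at nine"  # constructed sample frame
    for e2e in (False, True):
        r = call(frame, e2e)
        print("end-to-end" if e2e else "link-only ",
              "| air tap sees plaintext:", r["on_air"] == frame,
              "| base-station tap sees plaintext:", r["at_base_station"] == frame,
              "| delivered intact:", r["delivered"] == frame)
```

In the link-only case the frame is unreadable on the air but arrives at the base station in the clear, so a tap there needs no cryptanalysis at all; only the end-to-end layer leaves the base station with ciphertext. That is the whole of the argument: the call "carried encryption", and the tap still worked, without any snake oil involved.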

By applying a more skeptical bias we have actually found a situation in which it is not snake-oil encryption that is to blame but the lack of end-to-end encryption that makes wiretapping easy.

Both explanations fit the information presented, but the GSM mobile phone theory does not fit the "all encryption products are snake oil" rant.

Posted by arrigo at May 15, 2003 05:15 PM