Monday, February 01, 2016


The NSA admitted to recording phone metadata on a vast number of people. Not the phone calls themselves--that would be a gigantic heap to try to filter--but the "who contacted who" and when. That can give an outline of a network, and if one person in that network is of interest you can identify others in that subnet that are also of interest. Then you can drill down and try to tap the phones.

One pundit brought up the old problem that security and encryption have generally been add-on afterthoughts, and opined that from now on encryption should be the default. OK, cool--though there might be a few gotchas with unpacking things later if the file undergoes a little bit rot. At least in theory it should be possible to ship email around with public key encryption, handle payments with the same key, and generally be able to identify yourself with the same password everywhere. It makes life a little simpler, no?

At some point the secret part of the key has to be validated. There are ways to manage chains of trusted keys. But I wonder about the round-trip for validating a password. What sort of metadata can you collect? Financial transaction information wouldn't be part of the query, only who you were dealing with.
