Debian is using it, Arch is using it
Just a minor point, but "providing" and "using" are not the same thing. Both imply legitimacy, but the latter much more so.
I mostly agree with your points and share your concerns. Given what I currently know about Speck, I wouldn't trust it and I would gladly see it removed (at least by default). Nevertheless, for better or worse, Arch doesn't take a stance on such issues and provides packages "as-is". That seems unlikely to change in the foreseeable future so efforts would be better spent trying to convince the kernel devs to reconsider the inclusion of Speck. Rescinding it there would have a far greater impact.
Regarding point 2, the truly paranoid don't even trust themselves and they're not wrong. That rabbit hole leads to solipsism and epistemological doubt.
The political aspect of all this is "why do we need to worry?".
The people who ask such questions often cannot conceive of how someone more intelligent, knowledgeable and/or insidious than themselves could abuse the system. It's like trying to explain to a small child to keep their hands away from hot surfaces. Without experiencing the pain or understanding burns, the danger will not be apparent.
Incidentally, the same limitation prevents authors from creating characters that are smarter than they are, which is why so many alleged geniuses in stories do relatively stupid things.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
I just wanted to chime in and thank everyone for the discussion. My hope in posting my question was to do exactly that, even if I did have an agenda to an extent. But I should add that it's only to an extent; in the grand scheme of things, I don't expect this to make a tremendous difference, at least for anyone using Arch.
Nevertheless, for better or worse, Arch doesn't take a stance on such issues and provides packages "as-is". That seems unlikely to change in the foreseeable future so efforts would be better spent trying to convince the kernel devs to reconsider the inclusion of Speck. Rescinding it there would have a far greater impact.
That makes plenty of sense to me, and I certainly understand that it's all but impossible to unring that bell (i.e. if Arch takes a stand on one thing, it becomes much harder not to take a stand on other things).
The summary of the story, since now graywulf is referring to this page for instructions on how to blacklist the module, nobody came out and gave specific instructions on how to do so.
So unless everyone is ignoring linux upgrades (which eventually become impossible as packages are built requiring linux GE => 4.17) unconsciously they are allowing the use of cryptography that the NSA can easily decode,
I think this should be a different issue than what you describe as Arch having to take a stand, and warn users of this specific backdoor to their systems. Linus is endorsing it, Arch is endorsing it, and now Linux-ck is endorsing it.
So it must be OK then? Right? Right!
Should we make a list of those that don't?
anti-X - artix - obarun - Void - systemD Free Space
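The post above notes that nobody in the thread gave specific instructions for blacklisting the module. As an added example (not written by any participant in this thread), the following shell check reports whether Speck algorithms are registered with the kernel crypto API and whether modprobe configuration blocks the module. The module name `speck`, the helper function names and the sample data are assumptions, and the approach only applies where Speck is built as a loadable module rather than into the kernel image.

```shell
#!/bin/sh
# Added example: audit whether Speck is registered and whether loading is blocked.
# Assumed names: module "speck"; /proc/crypto algorithm names containing "speck".

# List Speck algorithms registered in a /proc/crypto-format file.
speck_algs() {
    awk -F': *' '$1 ~ /^name *$/ && $2 ~ /speck/ { print $2 }' \
        "${1:-/proc/crypto}" | sort -u
}

# Report modprobe.d state. "blacklist" only suppresses alias-triggered
# autoloading; an "install ... /bin/false" line also defeats explicit modprobe.
speck_block_state() {
    dir="${1:-/etc/modprobe.d}"; bl=no; inst=no
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+speck[[:space:]]*$' "$f"; then bl=yes; fi
        if grep -Eq '^[[:space:]]*install[[:space:]]+speck[[:space:]]+/bin/(false|true)' "$f"; then inst=yes; fi
    done
    echo "blacklist=$bl install=$inst"
}

# Constructed sample data (not taken from a real system).
make_sample() {
    mkdir -p "$1/modprobe.d"
    cat > "$1/proc_crypto" <<'EOF'
name         : speck128
driver       : speck128-generic
module       : speck
type         : cipher

name         : aes
driver       : aes-generic
module       : kernel
type         : cipher
EOF
    printf 'blacklist speck\ninstall speck /bin/false\n' > "$1/modprobe.d/speck.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "registered: $(speck_algs "$demo/proc_crypto")"
echo "config: $(speck_block_state "$demo/modprobe.d")"
rm -rf "$demo"
```

Called without arguments, both functions read the live `/proc/crypto` and `/etc/modprobe.d`; confirm the module name on the running kernel with `modinfo` before relying on the result.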
...They are allowing the use of cryptography that the NSA can easily decode,
It may be good to assume that assertion, but you cannot prove it.
And, as I have noted, the US Government may not use it as it is not approved by FIPS-140-2.
But, lost in this discussion, is the purpose of Speck. Speck is an algorithm with the stated intention of providing ultra-low power systems a means of providing encryption services that have a low energy overhead. One of the greatest concerns for the Internet right now is the utter lack of security on IoT systems. Many of these systems simply do not have the power to use AES or TDES. Rather than sending non-sensitive stuff in the clear where it can be sniffed and exploited, Speck was intended to provide encryption of data in transit without everyone in the world being able to read it. Okay -- assume that NSA can see how you are setting your thermostat; fine. I prefer that to my busy-body neighbor knowing, or the power company, or the burglar who is casing my home. Yeah, I am not going to use it for proprietary information, or with banking credentials.
As IoT manufacturers get their act together, some of them are going to use Speck. I want the ability to use my Linux box to communicate with them. It is up to the individual to perform their own risk analysis. Anyone using cryptography without doing so is a fool.
I do not want other well-intentioned, often wrong, individuals who think they understand all of the complex issues to assume they have the right to make decisions for me against my will. (Note that this is a general statement, not necessarily aimed at you.)
Last edited by ewaller (2018-06-28 20:43:33)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
vuudochile wrote: ...They are allowing the use of cryptography that the NSA can easily decode,
It may be good to assume that assertion, but you cannot prove it.
And, as I have noted, the US Government may not use it as it is not approved by FIPS-140-2.
Duuhh... nobody who doesn't have the key can prove it, unless by some chance someone runs into it and publishes the key to the door. Naive would be one that would think that the NSA would bother to recommend something that would effectively block them. I would have chosen to "not" get involved unless I had a specific interest to recommend "this" over the "others". PGP? Not GP enough and definitely not pretty.
Law? Have you ever heard of Snowden? You think something changed?
- The law says that the information decoded by them can not be used in court ... Duhhh,... if they have it then they can get what is missing, like the hardware and its owner who is doing the decryption of the data and anything that relates to it. "Accidentally" they may run into it!
- The law applies to what the NSA can legally do inside the US border. Arch is based in Canada and all those people outside of Canada have no protection against NSA and "its affiliates". Does the UK have such a law? What prevents the MI5 from using what the NSA supplies them, etc etc..... I shouldn't have to go into detail, but if the NSA can't do it then the Mossad can for the sake of the NSA, right? It is a never ending circle, but what is important is the shortage of memory people have on the importance of the Snowden revelations. He really just verified the validity of what previously was all summed up as conspiracy theories.
Again I will ask, provider X is using Speck encryption to collect and feed mail messages to their clients. Be especially wary of those that have android apps for such service (as you say it is Speck's selling point). Is anyone really inquiring which algorithm is their provider using? A flea in a haystack is checking on it, can you hear the flea screaming about it?
When you say low power hardware, what exactly do you mean?
Last I remember Arch and many others abandoned x86-32 (which was high powered) and it was no biggy.
Now all of a sudden we are so sentimental about "low powered" hardware! Hello!!! So we mean android devices, and this is what Linux is catering to?
I understand you are the devil's advocate with your arguments but you must do a better job, or the devil may pick a public attorney instead.
Shame on Arch and all of its concerns on "security issues" ....
Why don't they just close all the open tickets and say "we said yes to speck" .... "what security issues?"!
anti-X - artix - obarun - Void - systemD Free Space
Shame on Arch and all of its concerns on "security issues" ....
Why don't they just close all the open tickets and say "we said yes to speck" .... "what security issues?"!
I was giving you the benefit of the doubt up until this point, but it is clear now that you are concern trolling. Rather than wasting everyone's time here, why not just build your own kernel, if it really matters that much to you.
https://wiki.archlinux.org/index.php/Co … o_trolling
Closing -- but not deleting lest the tinfoil hat brigade start whining about a conspiracy to silence.
they are allowing the use of cryptography that the NSA can easily decode,
Arch "allows" its users to do just about anything with their own computer. You could use an Arch system to purchase illicit goods on black markets with cryptocurrencies, post all of your bank details to 4chan with scans of your fingerprints or torrent 1 TB of furry porn. It's understandable that a system that doesn't impose a DE, a browser or even a terminal emulator, doesn't impose cryptographic ciphers either. As with all other aspects of their system and its use, Arch users are expected to make rational decisions by and for themselves without having their hand held.
Linus is endorsing it, Arch is endorsing it, and now Linux-ck is endorsing it.
You make it sound as though Linus, Arch and Linux-ck are running infomercials to sell Speck. Linux added it to the kernel's toolbox, everyone else ships the toolbox as-is. Over-emphasising this inclusion as active endorsement is hyperbolic and undermines your argument.
So it must be OK then? Right? Right!
Should we make a list of those that don't?
Again, more hyperbole. You can buy 99 ¢ padlocks in plenty of stores and yet somehow people still manage to realize that they're not appropriate for safeguarding all valuables. The analogy here would be a set of padlocks ranging in quality from a very high security rating to an unrated one of poor quality. If you pick the latter to secure your valuables in an environment where they are at risk, just because it was included in the set, that's an unwise decision on your part. I doubt that many people who care about their valuables would do that in that scenario.
By the manufacturer's decision, the set now includes the weaker padlock, which may have some rational uses in certain scenarios. Implying that everyone is going to stop using all the other padlocks just because that one is in the box is not a convincing argument, but rather unnecessarily hyperbolic and alarmist.
edit
Sorry, posted before I saw that the thread had been closed.
Last edited by Xyne (2018-06-28 21:31:52)
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Have you ever heard of Snowden?
Oh, yes.
Be especially wary of those that have android apps for such service (as you say it is Speck's selling point).
Nowhere have I ever said such a thing. Nor did I say ARM. (Well, I did say thermostat; it is probably MIPS or ARM)
When you say low power hardware, what exactly do you mean?
Now we are getting somewhere. https://ieeexplore.ieee.org/document/4802199/ (edit) or https://en.wikipedia.org/wiki/Wireless_sensor_network (end edit)
In general, things that power themselves for years using a coin cell battery or using energy harvesting https://en.wikipedia.org/wiki/Energy_harvesting and use ultra-low power backhauls https://en.wikipedia.org/wiki/Ultra-wideband
Now all of a sudden we are so sentimental about "low powered" hardware! Hello!!! So we mean android devices, and this is what Linux is catering to?
Um, no. You are talking about Android. That is not what Speck was for.
I understand you are the devil's advocate with your arguments but you must do a better job, or the devil may pick a public attorney instead.
Yep. But, I must state, IANAL. But I do make a living designing embedded systems. And there are alternatives that are coming available.
Edit: This was closed while I was posting. Probably for the better. But do look at the type of system of which I am talking.
Edit 2: Added sensor network article
Last edited by ewaller (2018-06-28 23:06:00)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way