Friday, December 05, 2008

imaginary munitions

I've been thinking a lot about the weaponizing of code in its various forms. Exploit frameworks, web malware, and spyware come to mind. It's been a while since the notion of computer code as a weapon / munition has been discussed outside private circles. My concern is that bad crypto and bad code are being passed off as useful to the general public. Well, maybe not bad code, but certainly incomplete code.

It was not too long ago that strong crypto was considered a munition. The Clinton-era Clipper chip fiasco seemed to be the last overt attempt at controlling crypto and crypto key management.

Fast forward to 2008 and this seems almost a laughable proposition: the idea that a law could prevent free movement of ideas and, moreover, that in a democracy a totalitarian cryptographic infrastructure could exist. These were the days when PKI was solving world hunger, and the NIST bridge certificate authorities would broker all secure transactions globally. Cool stuff at the time.

While we don't have government key management, we have seen in practice the ability for the government to access any information it needs, encrypted or not. This is all based on Bruce's comments from long ago that the crypto itself is the easy part; the implementation and use of crypto is very difficult to get right. So forensics teams can either find keys, or break a specific implementation to get to the data, rather than rely on some elaborate key escrow capability.
