At 11:17 AM -0500 5/25/2000, Rick Smith wrote:
>
>As usual with such discussions, lots of traffic hides substantial amounts
>of agreement with touches of disagreement.

Agreed.  Let me summarize what I am trying to say.  Then maybe it is 
time to move on.

1. I think citizen access to strong cryptography is an important 
counter to a growing, seemingly unstoppable trend toward a 
surveillance society.

2. My central point was that commercial operating systems do not and 
will not protect the average user against a directed attack by a high 
resource attacker like NSA.

3. I am not suggesting that the NSA is out of control or exceeding 
its authority. If they do plant backdoors in commercial products, I 
believe they will have gotten the blessings of the executive branch and 
the intelligence committees of the Congress. I suspect the latter 
have been pressuring NSA to do more in this area.

4. I am not addressing the domestic/foreign jurisdiction issues in 
the US intelligence community. When I say NSA I am also encompassing 
the FBI, the "Technical Advisory Center" and whomever else in the US 
government is in on this game.

5. Given the sorry state of Microsoft software security, it is 
entirely possible that NSA has not had to alter a single bit in any 
Microsoft product to accomplish its ends.  Or they may find firmware 
and processor chip designs a more lucrative target. My point is that 
commercial operating systems are a major target for them and they 
will do what they need to do to acquire means to attack them.

6. I am not suggesting that NSA has infiltrated covert agents into 
Microsoft. I am saying they could. It's more likely they would just 
vet selected Microsoft employees (with Microsoft's knowledge) and 
that this would suffice for security.  The undercover programmer/spy 
you seem to find unbelievable probably does exist, but is working 
overseas.  The intelligence community can handle whatever level of 
training is needed to pull this off.

7. I agree that NSA has to worry that any backdoor it plants will be 
used against US government and industry. There is always a risk that 
your weapons will be used against you. NSA will try to minimize those 
risks, develop protections for mission critical government computers, 
and find ways to deploy backdoors selectively. In the end, they will 
weigh the risks against the likelihood that their stream of signals 
intelligence will dry up if they don't act.

8. Usually in discussions about what intelligence agencies might do, 
one is limited to citing what is possible and then saying "that's 
what I'd do if I were in charge." But in this case there is evidence 
of the US government's intentions:

o There have been many leaks indicating NSA's concerns about falling 
behind due to Internet technology.  (e.g. the Hersh New Yorker 
article about NSA's concerns over the impact of PCs and the 
Internet).  Leaks like these are often intended to prepare the public 
and Congress for remedial proposals.

o The US government has not been shy about meeting with senior 
computer executives to discuss law enforcement's problems with 
encryption and announcing that they had received assurances of 
cooperation. This happened right around the time they announced 
liberalized crypto export rules.

o There is the proposed legislation I cited earlier to protect these 
methods from being revealed in court.  These are not aimed at news 
reports (that would never get past the Supreme Court), but would 
allow backdoors to be used for routine prosecutions without fear of 
revealing their existence.

o The Clinton administration is requesting a large budget for a new 
"Technical Assistance Center" as part of a counter terrorism act.


Arnold Reinhold
