Firewall Wizards mailing list archives
Foreign Ownership, Control, and Influence (was RE: Apology - not necessary)
From: "Loomis, Rip" <rloomis () python ideas com>
Date: Sat, 26 Sep 1998 11:44:03 -0400
On Saturday, September 26, 1998 12:57 AM, Marcus J. Ranum [SMTP:mjr () nfr net] wrote:
> Since his posting I've made a number of enquiries of unquotable nonexistent sources. None of them have pointed to a single substantive "smoking gun." Clearly the DOD may have problems with Israelis...
>
> [[S N I P]]
>
> While Frank's points about national security make sense (especially in the light of Crypto AG and related tales) this is about squashing mud-slinging attempts, not security.
Marcus (and everyone)

First, a disclosure. From 1995-1997, I was a Navy officer stationed at NSA, and the company I work for (SAIC) does some work for NSA and other parts of the government. At the same time, I do not now nor have I ever spoken on behalf of either organization about FW-1 (or in fact much else). I only <delurk> to try to enhance understanding and reduce FUD. Hopefully I don't bore anyone with this...

In the Communications Security (COMSEC) world (which includes NSA cryptography), there are certain rules about doing work with FOCI companies--that is, companies that have Foreign Ownership, Control, or Influence. From that point of view, CheckPoint is a FOCI company and would not normally be granted permission to fabricate or be involved with NSA cryptographic equipment that uses strong classified (Type I) algorithms. (This should not come as a huge surprise to anyone.)

In the COMPUSEC world, the concepts that led to the FOCI rules do still apply--but I believe that NSA is finding it harder and harder to apply the rules even in the COMSEC world. I believe (although I have no special insight) that one of the driving reasons for allowing the FORTEZZA/CAPSTONE/SKIPJACK algorithms to be declassified was not only to allow software implementations, but also to allow hardware fabrication in offshore facilities. I know that for the military GPS receivers (the Precise Positioning Service requires NSA keying material), the requirement to do all chip fabrication in US-controlled facilities has a noticeable impact on prices and technology.

The biggest problem here is, in fact, FUD. With changes to the procurement regulations, it is difficult to justify purchasing "US ONLY" products if foreign products are competitive--and it's getting more and more difficult to tell the difference. NAI's "CyberCop Scanner" is a product from a US company, but the original product/company (Ballista, from SNI) was Canadian with modules written all over the world (e.g. CORE SDA, in South America).

In May, I was at a Sun presentation for US Government personnel and contractors, during which the FW-1 question was specifically raised--and even though Sun (as a major reseller) had source code access, all that anyone was able to say was, "We hear that NSA has a problem with it."

In the end, as with many things, there may be individual people within NSA and other parts of the government who believe that DoD should not use FW-1 and other products that are not free of FOCI concerns. Those people are not misguided or stupid; they may raise valid concerns--see Frank's original message for a really good summary of those. I *do* agree with Frank's statement that "Any prudent DoD or Corporate Network/Information Security Officer should look at all of the factors involved before using *any* given product and choose the product which offers the highest security, and poses the least potential risk."

But the bottom line is that I sincerely doubt that there is a directly exploitable back-door in FW-1. I also doubt that anyone at the policy-making levels of NSA, DISA, or other such organizations is going to go on record as saying "FW-1 is prohibited". That does *not* mean that NSA is going to rush out and buy it, though. *Many* factors get involved in any government purchasing decision...

If anyone has a hard spot with anything I said, or wants clarification, please e-mail me privately at home <rip () clark net>, since I think this is *real* close to being off-topic for PyroWiz already. And now back to our regularly scheduled SPF vs AG vs Shrinkwrapped tools vs M$ evils vs.....hey, has anyone tried putting together an FAQ yet? We're starting to need it....

--Rip Loomis (speaking as a private citizen)
Security Engineer, SAIC
Gilbert.R.Loomis () cpmx saic com
rip () clark net

P.S. Looked around for a copy of the FOCI regs on the web, and couldn't find them. I suspect (can't find my printed copy) that that means the regs are For Official Use Only, so I can't disseminate them.