Possibly compromised account

[David Farber <farber () central cis upenn edu>]

Date: Thu, 24 Feb 94 13:08:50 -0500
From: shap () viper cis upenn edu (Jonathan Shapiro)
To: farber () central cis upenn edu
Cc: interesting-people () eff org
Subject: Possibly compromised account


This is to alert you to the possibility that Dorothy Denning's login
may have been compromised.


In a recent mailing to the "interesting people" list, a party alleging
to be Dorothy Denning made a number of statements in support of the
SkipJack initiative that were erroneous or deliberately misleading.
The suspect in question makes remarkably subtle use of misdirection to
twist the facts of the case.  This is not consistent with the sort of
integrity one expects from Dorothy's statements.


In order that you will be able to spot future mailings from this
unknown party, I will point them out.


   [Suspect]


   I expect their [the NSA's] concern is that if a product with a very
   strong algorithm such as SKIPJACK were to be manufactured without keys
   being escrowed, then such products would be very attractive on the
   foreign black market (presumably, such products would not be
   exportable) where they could interfere with foreign intelligence.


Note the subtle misdirection embedded in the words "I suspect."  The
author wishes you to believe that the stated position is the NSA
position, and is distracting attention from the fact that they are
supporting the opinion by promulgating it.


The position described is ludicrous.  It says that the focus market
for SkipJack-derived systems is characterized as follows:


        1) Customer is a criminal or terrorist.


        2) Customer trusts the NSA, and all organizations that
           NSA collaborates with, either officially or covertly,
           legally or otherwise.


        3) Aside from the fact that they are a criminal or a
           terrorist, customer is basically law abiding, and
           therefore will not use some other encryption
           algorithm as a substitute or layered on top of SkipJack.


        4) Customer is smarter than your average turnip, which
           is why we need to tap their phones in order to catch them.


No question that I'ld choose SkipJack for all of my illegal and/or
terrorist activities.  I'll hop right out and buy one.


   > An FBI legislative proposal now under consideration at the White
   > House would mandate a Clipper-like scheme.  That proposal is
   > backed by fines up to $10,000 per day and jail time.


   [Suspect]


   Everything I've seen has said Clipper is voluntary.  Quoting from
   the standard: "This standard does not mandate the use of escrowed
   encryption devices by Federal government agencies, the private
   sector or other levels of government."


Note that the suspect has not responded to the issue at hand.
Standards are not legally binding, so it would hardly matter if the
NIST standard mandated SkipJack.  FBI legislative proposals, on the
other hand, stand a disturbing chance of becoming law.


   [Suspect]


   Before I supported Clipper, I already knew quite a bit about how the
   whole system was going to be structured, so I felt confident that the
   goal of high security would be achieved.  Nothing I have seen so far
   has changed my assessment.


I encourage you all to take a few minutes to browse the CPSR and/or
EFF FTP archives.  It has some fascinating material obtained from the
allegedly secure contractor whose job is to produce the keys.


Dorothy Denning's reputation is one of integrity.  Clearly, the
comments above could not have originated with her.


It's an interesting question, however, to ask who is employing the
suspect.




Jonathan




SkipJack.  Because We're Not Listening.