Interesting People mailing list archives
IP: Re: -RE: GOVNET? Not the brightest idea.
From: David Farber <dave () farber net>
Date: Sat, 13 Oct 2001 12:07:18 -0400
From: "Jonathan S. Shapiro" <shap () eros-os org>

A minor correction on one of Perry Metzger's comments...

> > >I will now say something politically incorrect in the extreme. The
> > >reason we face horrible security problems these days on the net is to
> > >a large extent (although by no means solely) because we've developed
> > >an operating system software monoculture on the internet, with a
> > >single supplier being responsible for the overwhelming bulk of
> > >software installs.... This supplier is about as incompetent as you
> > >can possibly imagine at handling security issues

I am no defender of Microsoft, but the statement above is unfair in the extreme. Microsoft is indeed incompetent at security, but they haven't yet achieved a monopoly on incompetence.

The fact that we have no secure commodity operating system is a direct result of fifteen years of Federal policy. Years ago (I don't know when this passed, but I'm guessing somewhere around 1986, because the legislation makes reference to the 1985 TCSEC standard), secure operating system technology was placed on the munitions list. Items on the munitions list are not exportable without special licenses. The goal was to stop secure operating system technology from proliferating to other nations.

This policy originated within one of the computer security technical groups at the NSA. The NSA technologists very quickly realized their mistake, and have tried repeatedly to get this policy changed, but the policy developed a life of its own. Not until 2000 was it effectively changed, and even now the change is incomplete.

If you tell a commercial business "you cannot export X", the business simply won't produce X at all. We live in a global market, and businesses cannot afford to give up foreign markets unless they are somehow subsidized. The government chose not to subsidize secure operating systems.

A direct result is that several operating system products that came near to obtaining high assurance were withdrawn or cancelled when it became clear that they could not be exported. In fact, *every* operating system that got close to being secure was withdrawn. There weren't many. Secure operating systems are extremely difficult and expensive to build, and the companies who had the ability to build one decided that there wasn't any money in producing them.

In defense of Perry I'll add that Microsoft has never been in any danger of ever shipping a securable operating system, so this was never a problem for them.

This policy is not just a problem for you and me. The U.S. military services, which rely on the commercial sector for such software, cannot get acceptably secure systems either. Many of our critical military command and control functions run on Windows. They get viruses, just like you and I do. Ultimately, this is why GOVNET won't work.

Things have gotten better. Now that it is far too late for a new operating system to establish market share on the desktop, it is legal once again to export a secure operating system. Ironically, this came about because of a lawsuit against the government concerning PGP, which is now for sale. In this case, Phil Zimmermann -- viewed by some as a privacy extremist, though unfairly so -- argued that code is speech, and that control of software is prior restraint of speech and unlawful under the U.S. First Amendment. The case did not decide all of these issues, but it did force secure software off of the munitions list.

So consider this as you ponder the results of the recent vote on the PATRIOT legislation. It's not your government who has been working to ensure your computer security. It's the privacy nuts. The government has done everything possible to delay and derail the introduction of secure information processing technology to the general public.

Jonathan S. Shapiro, Ph.D.
Johns Hopkins University Information Security Institute
For archives see: http://lists.elistx.com/archives/interesting-people/