IP: Re: -RE: GOVNET? Not the brightest idea.

[David Farber <dave () farber net>]

> From: "Jonathan S. Shapiro" <shap () eros-os org>
>
>
> A minor correction on one of Perry Metzger's comments...
>
> > > >I will now say something politically incorrect in the extreme. The
> > > >reason we face horrible security problems these days on the net is to
> > > >a large extent (although by no means solely) because we've developed
> > > >an operating system software monoculture on the internet, with a
> > > >single supplier being responsible for the overwhelming bulk of
> > > >software installs.... This supplier is about as incompetent as you
> > > >can possibly imagine at handling security issues
>
> I am no defender of Microsoft, but the statement above is unfair in the
> extreme. Microsoft is indeed incompetent at security, but they haven't yet
> achieved a monopoly on incompetence. The fact that we have no secure
> commodity operating system is a direct result of fifteen years of Federal
> policy.
>
> Years ago (I don't know when this passed, but I'm guessing somewhere around
> 1986, because the legislation makes reference to the 1985 TCSEC standard),
> secure operating system technology was placed on the munitions list. Items
> on the munitions list are not exportable without special licenses. The goal
> was to stop secure operating system technology from proliferating to other
> nations. This policy originated within one of the computer security
> technical groups at the NSA. The NSA technologists very quickly realized
> their mistake, and have tried repeatedly to get this policy changed, but the
> policy developed a life of its own. Not until 2000 was it effectively
> changed, and even now the change is incomplete.
>
> If you tell a commercial business "you cannot export X", the business simply
> won't produce X at all. We live in a global market, and businesses cannot
> affort to give up foreign markets unless they are somehow subsidized. The
> government chose not to subsidize secure operating systems.
>
> A direct result is that several operating system products that came near to
> obtaining high assurance were withdrawn or cancelled when it became clear
> that they could not be exported. In fact, *every* operating system that got
> close to being secure was withdrawn. There weren't many. Secure operating
> systems are extremely difficult and expensive to build, and the companies
> who had the ability to build one decided that there wasn't any money in
> producing them. In defense of Perry I'll add that Microsoft has never been
> in any danger of ever shipping a securable operating system, so this was
> never a problem for them.
>
> This policy is not just a problem for you and me. The U.S. military
> services, which rely on the commercial sector for such software, cannot get
> acceptably secure systems either. Many of our critical military command and
> control functions run on Windows. They get viruses, just like you and I do.
> Ultimately, this is why GOVNET won't work.
>
> Things have gotten better. Now that it is far too late for a new operating
> system to establish market share on the desktop, it is legal once again to
> export a secure operating system. Ironically, this came about because of a
> lawsuit against the government concerning PGP, which is now for sale. In
> this case, Phil Zimmerman -- viewed by some as a privacy extremist, though
> unfairly so -- argued that code is speech, and that control of software is
> prior restraint of speech and unlawful under the U.S. First Ammendment. The
> case did not decide all of these issues, but it did force secure software
> off of the munitions list.
>
> So consider this as you ponder the results of the recent vote on the PATRIOT
> legislation. It's not your government who has been working to ensure your
> computer security. It's the privacy nuts. The government has done everything
> possible to delay and derail the introduction of secure information
> processing technology to the general public.
>
>
> Jonathan S. Shapiro, Ph.D.
> Johns Hopkins University Information Security Institute


For archives see: http://lists.elistx.com/archives/interesting-people/