Interesting People mailing list archives

IP: Security Czar Points Finger of Blame (should be at Governments)


From: Dave Farber <dave () farber net>
Date: Sat, 03 Aug 2002 10:09:38 -0400

For years, many of us have been fighting the Governments' desire to restrict
cryptography, endlessly warning them that the inability to use strong
encryption (or in some places any) weakens the security of the electronic
world.  Yet endlessly we have seen attempts to control the use of
cryptography or so weaken it as to be ineffective.  Our cell phones are
insecure, our email is insecure and, worse, our internet is painfully
insecure. Our computer systems and their software are so insecure as to be
laughable.

I only hope Clarke can change that attitude, but I doubt it. The position of
law enforcement has been and will, I suspect, remain that strong encryption
and secure systems make it hard to catch crooks, so we will all continue to
live in cyber-houses without locks and suffer.

Dave

------ Forwarded Message
From: "David P. Reed" <dpreed () reed com>
Date: Sat, 03 Aug 2002 07:50:46 -0400
To: farber () cis upenn edu, ip <ip-sub-1 () majordomo pobox com>
Subject: Re: IP: Security Czar Points Finger of Blame

Since the NSA itself, in 1976-77, blocked a fully worked out end-to-end
encryption approach created at MIT for TCP, we might want to point the
finger elsewhere.

Perhaps at the government itself.

Quite a number of us who participated in the early Internet protocol design
were from the computer security research side, and did our best to make the
Internet architecture secure from the start.  But the NSA (I am told) told
DARPA that any attempt to introduce security mechanisms into TCP/IP's
architecture would be viewed very negatively.   (This happened at about the
same time that Rivest, et al. received a mysterious threatening letter from
a senior military official claiming that their work on the RSA cipher must
be stopped immediately).

Despite this, the TCP and IP designers ensured that the architecture of TCP
and IP was such that end-to-end encryption and other crucial protections,
along the lines of the banned proposals, could be introduced at any point.

And in fact, IPSEC does this.   But part of the difficulty with
implementing IPSEC is that it is too late - popular fads such as NAT and
stateful inspection firewalls have been deployed too widely.   Firewalls
(which provide faux security at best) make real security much harder to
deploy.

Later, when my friend Ray Ozzie wanted to put end-to-end RSA encryption in
Lotus Notes, again the government required that the civilian users get a
weakened form of encryption.   And the government blocked PGP.  And more
recently, the government called for Lotus to introduce security holes in
Lotus Notes that would weaken users' protection.

In one respect I agree with Mr. Clarke - it is important to have good
security in the Internet.   But as a representative of the gov't security
community, he should stop pointing fingers, because the real finger needs
to be pointed back at himself.

Many, many of the folks who worked on secure systems architectures in the
'70's foresaw these vulnerabilities in the so-called "civilian sector" and
called them to the attention of policymakers, and also proposed solutions.

It makes me more than a little angry to see a public figure who works for
the government implicitly blaming the very people who pointed out the
problem.

The reason I don't work in the security field (despite my recognition of
its importance, and my own early work in secure protocols) is that the
government of the US made it impossible to do good work.   I'm sure that
others who might have made contributions, or did make contributions, made
the same career decisions.


At 06:15 PM 8/2/2002 -0400, Dave Farber wrote:

Speaking at the Black Hat Security conference in Las Vegas, White
House cyber security advisor Richard Clarke cited five groups
responsible for the vulnerability of the Internet:  ISPs,
software makers, wireless network makers and users, the ...

<http://www.acm.org/technews/articles/2002-4/0802f.html#item7>

For archives see:
http://www.interesting-people.org/archives/interesting-people/


------ End of Forwarded Message
