Interesting People mailing list archives
IP: Security Czar Points Finger of Blame (should be at Governments)
From: Dave Farber <dave () farber net>
Date: Sat, 03 Aug 2002 10:09:38 -0400
For years, many of us have been fighting the GovernmentS desire to restrict cryptography, endlessly warning them that the inability to use strong encryption (or in some places any) weakens the security of the electronic world. Yet endlessly we have seen attempts to control the use of cryptography or so weaken it as to be ineffective. Our cell phones are insecure, our email is insecure and, worse, our internet is painfully insecure. Our computer systems and their software are so insecure as to be laughable.

I only hope Clarke can change that attitude but I doubt it. The position of law enforcement has been and will, I suspect, remain that strong encryption and secure systems make it hard to catch crooks, so we will all continue to live in cyber-houses without locks and suffer.

Dave

------ Forwarded Message
From: "David P. Reed" <dpreed () reed com>
Date: Sat, 03 Aug 2002 07:50:46 -0400
To: farber () cis upenn edu, ip <ip-sub-1 () majordomo pobox com>
Subject: Re: IP: Security Czar Points Finger of Blame

Since the NSA itself, in 1976-77, blocked a fully worked out end-to-end encryption approach created at MIT for TCP, we might want to point the finger elsewhere. Perhaps at the government itself.

Quite a number of us who participated in the early Internet protocol design were from the computer security research side, and did our best to make the Internet architecture secure from the start. But the NSA (I am told) told DARPA that any attempt to introduce security mechanisms into TCP/IP's architecture would be viewed very negatively. (This happened at about the same time that Rivest, et al. received a mysterious threatening letter from a senior military official claiming that their work on the RSA cipher must be stopped immediately).

Despite this, the TCP and IP designers ensured that the architecture of TCP and IP were such that end-to-end encryption and other crucial protections, along the lines of the banned proposals, could be introduced at any point.
And in fact, IPSEC does this. But part of the difficulty with implementing IPSEC is that it is too late - popular fads such as NAT and stateful inspection firewalls have been deployed too widely. Firewalls (which provide faux security at best) make real security much harder to deploy.

Later, when my friend Ray Ozzie wanted to put end-to-end RSA encryption in Lotus Notes, again the government required that the civilian users get a weakened form of encryption. And the government blocked PGP. And more recently, the government called for Lotus to introduce security holes in Lotus Notes that would weaken users' protection.

In one respect I agree with Mr. Clarke - it is important to have good security in the Internet. But as a representative of the gov't security community, he should stop pointing fingers, because the real finger needs to be pointed back at himself.

Many, many of the folks who worked on secure systems architectures in the '70's foresaw these vulnerabilities in the so-called "civilian sector" and called them to the attention of policymakers, and also proposed solutions. It makes me more than a little angry to see a public figure who works for the government implicitly blaming the very people who pointed out the problem.

The reason I don't work in the security field (despite my recognition of its importance, and my own early work in secure protocols) is that the government of the US made it impossible to do good work. I'm sure that others who might have made contributions, or did make contributions, made the same career decisions.

At 06:15 PM 8/2/2002 -0400, Dave Farber wrote:
Speaking at the Black Hat Security conference in Las Vegas, White House cyber security advisor Richard Clarke cited five groups responsible for the vulnerability of the Internet: ISPs, software makers, wireless network makers and users, the ...
<http://www.acm.org/technews/articles/2002-4/0802f.html#item7>

For archives see: http://www.interesting-people.org/archives/interesting-people/
------ End of Forwarded Message