Interesting People mailing list archives
IP: A Pentagon gift to the terrorists.
From: David Farber <dfarber () earthlink net>
Date: Thu, 23 May 2002 07:56:49 -0400
-----Original Message----- From: "David P. Reed" <dpreed () reed com> Date: Thu, 23 May 2002 06:48:01 To: farber () cis upenn edu, ip <ip-sub-1 () majordomo pobox com> Subject: A Pentagon gift to the terrorists. This little paragraph (and the "prohibition" it refers to) indicate that 25 years of computer security research has had zero impact where it matters. At 03:44 AM 5/23/2002 -0400, Dave Farber wrote:
Stenbit said the debate is academic and that what matters is how secure a given piece of software is. To that end, the Defense Department is now prohibited from purchasing any software that has not undergone security testing by the NSA. Stenbit said he is unaware of any open-source software that has been tested.
To presume that "security testing" of software has any benefit at all, one would have to presume that the NSA would be aware of exactly how the software is used - exactly where it fits in the systems environment. For example, exactly how is Microsoft Word tested by NSA? Or for that matter, Windows XP? The bulk of the security problems relate to the interconnection of software components in a human system. You cannot "approve" a software component as secure in and of itself. For example, suppose Microsoft Word is indeed certified to be perfectly secure by a team of NSA mathematical analysts (and NSA really does have some of the smartest people in government). Does that prevent a spy from saving a document to a floppy disk and walking off with it? Or take Windows XP. Does certifying its "security" prevent a stolen password from being used to sabotage critical files? Of course not. Any "purchasing department" definition of "security" on a product basis has no meaning at all - because to be useful, secure systems must be evaluated in terms of their specific use, with a use context. So all we have created here is another case where our government regulatory process has handed out market monopolies to a few companies rich enough to play the game. And in this case, in the name of "security" has HARMED the DoD's mission and security, by preventing effective software from being developed or deployed that might fit the mission better. And creating essentially a monoculture of software that can be systematically attacked across the government. What a great gift to the terrorists. Security is hard enough to achieve without rules like this one that effectively define "security" as equivalent to "market dominance". For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: A Pentagon gift to the terrorists. David Farber (May 23)