IP: A Pentagon gift to the terrorists.

[David Farber <dfarber () earthlink net>]

-----Original Message-----
From: "David P. Reed" <dpreed () reed com>
Date: Thu, 23 May 2002 06:48:01 
To: farber () cis upenn edu, ip <ip-sub-1 () majordomo pobox com>
Subject: A Pentagon gift to the terrorists.

This little paragraph (and the "prohibition" it refers to) indicate that 25 
years of computer security research has had zero impact where it matters.

At 03:44 AM 5/23/2002 -0400, Dave Farber wrote:
> Stenbit said the debate is academic and that what matters is how
> secure a given piece of software is. To that end, the Defense
> Department is now prohibited from purchasing any software that has not
> undergone security testing by the NSA. Stenbit said he is unaware of
> any open-source software that has been tested.

To presume that "security testing" of software has any benefit at all, one 
would have to presume that the NSA would be aware of exactly how the 
software is used - exactly where it fits in the systems environment.   For 
example, exactly how is Microsoft Word tested by NSA?   Or for that matter, 
Windows XP?

The bulk of the security problems relate to the interconnection of software 
components in a human system.   You cannot "approve" a software component 
as secure in and of itself.

For example, suppose Microsoft Word is indeed certified to be perfectly 
secure by a team of NSA mathematical analysts (and NSA really does have 
some of the smartest people in government).

Does that prevent a spy from saving a document to a floppy disk and walking 
off with it?

Or take Windows XP.  Does certifying its "security" prevent a stolen 
password from being used to sabotage critical files?

Of course not.   Any "purchasing department" definition of "security" on a 
product basis has no meaning at all - because to be useful, secure systems 
must be evaluated in terms of their specific use, with a use context.

So all we have created here is another case where our government regulatory 
process has handed out market monopolies to a few companies rich enough to 
play the game.

And in this case, in the name of "security" has HARMED the DoD's mission 
and security, by preventing effective software from being developed or 
deployed that might fit the mission better.  And creating essentially a 
monoculture of software that can be systematically attacked across the 
government.  What a great gift to the terrorists.

Security is hard enough to achieve without rules like this one that 
effectively define "security" as equivalent to "market dominance".

For archives see:
http://www.interesting-people.org/archives/interesting-people/