Interesting People mailing list archives

Re: In an Era of Russian Hacks, the US Is Still Installing Russian Software on Government Systems


From: "Dave Farber" <dave () farber net>
Date: Fri, 16 Jun 2017 07:28:45 +0000

---------- Forwarded message ---------
From: John Gilmore <gnu () toad com>
Date: Fri, Jun 16, 2017 at 2:16 AM
Subject: Re: [IP] Re: In an Era of Russian Hacks, the US Is Still
Installing Russian Software on Government Systems
To: <dave () farber net>
Cc: ip <ip () listbox com>


Do you remember the export controls on crypto?  You might've thought
that the whole idea was to stop good crypto getting out of the country.
But that's the side effect.

The MAIN effect was to require anybody selling proprietary crypto
software to provide the FULL SOURCE CODE to NSA for their review, long
before doing any exporting, as part of the highly discretionary
licensing process.

So of course they could take their time looking through it for
zero-days and other weaknesses.

The Bernstein and Junger court decisions modified this regime
somewhat, but I believe it is still in effect for proprietary
"non-mass-market" crypto software, and for all software for
cryptanalysis.

I believe the NSA has plenty of ways to legally get the source code
for Microsoft Windows, Apple iOS, and other major operating systems,
by negotiation.  The DoD alone purchases hundreds of millions, or
billions, of dollars' worth of such software every year, plus support
contracts, etc.  When I was at Sun, certainly such a large customer
could get copies of their source code.  All it took was the desire, a
relatively nominal fee, and signing a simple license that they'd
only use it in-house, not release it, and not compete with us.

The point?  If it's a major OS or major product -- or an American
product covered by the export controls -- NSA has the source code.
NSA knows as much about the weaknesses of that product as NSA cares to
know.  One of the lessons we're learning is that you don't have to
embed security holes in software, they're already there if all you do
is look.  NSA does a lot of looking, and listening.  ;-/

        John


