The NSA engages in sabotage, much of it against American
companies and products. One campaign apparently occurred at about the time
when the most serious vulnerability in PGP [Pretty Good Privacy encryption software]
was added. To understand the whole story requires some background. In Bruce
Schneier's newsletter, Crypto-Gram, he told us last year about Lew
Giles, said to be an NSA saboteur wrecking American privacy products
in 1997.
Schneier says that according to several sources Giles went from company
to company, asking them to destroy the security of their own products, and
arranging cover stories to protect them. According to Crypto-Gram, sometimes
Giles worked directly with engineers, with no managers around. The sabotage
was always supposed to look like a mistake. At about the same time, PGP
introduced "key recovery" with the hidden flaw recently covered
worldwide, including Schneier's own clear description in Slashdot. Other
serious vulnerabilities have been found in the PGP versions released then.
For example, just last May, PGP was found to generate weak keys on Linux
and OpenBSD. The original report in BugTraq says the bug was introduced
in version 5.0, released in 1997.
Undoubtedly most security bugs are just bugs. But it's also
very possible that some are backdoors. CNN and Network World detailed how
the NSA openly strong-arms companies, "leaning on software, switch
and router vendors" to make them "add a government-approved back
door into network gear." Companies working with the NSA, however unwillingly,
include Netscape, Sun, and Microsoft.
Chris Tolles of Sun says, "Everyone in Silicon Valley,
including us, has to have specific staff -- highly paid experts -- to deal
with them." If everyone's dealing with them, are any products secure?
Taher Elgamal, who wrote Netscape's so-called "data-recovery plan"
as demanded by the spooks, said they didn't have a choice. Exports are about
half the income for these businesses. In practice companies need NSA's permission
to export security products, except for "export grade" junk. NSA
only gives permission if the security is crippled in some way.
Duncan Campbell reported in Interception
Capabilities 2000 that NSA succeeded in compromising browsers from both
Microsoft and Netscape, as well as Lotus Notes. The browsers' security was
openly gutted by NSA's insistence on reducing key sizes to whatever the
NSA can easily crack at the time. In the case of Lotus Notes the keys appeared
to be longer, but just enough of each key was secretly given to the NSA.
According to Network World, the NSA "forced MasterCard International,
Inc. to dumb down the Secure Electronic Transaction (SET) credit-card encryption
standard."
NSA insisted that most of every transaction not be encrypted
at all. When someone steals a lot of money using SET we'll know why. Sabotaging
friends and foes isn't new for the NSA. It's lifelong behavior. In Crypto
AG: The NSA's Trojan Whore you'll find the intriguing but very disturbing
story of how 50 years ago NSA rigged the crypto systems sold by Crypto AG
so that NSA could read the supposedly secret messages. Customers of Crypto
AG include embassies, military, banks, and rogue nations such as the Vatican.
We can stop this sabotage if we're willing to do the work.
There are some obvious steps. First, we can continue to insist on open source.
We all know similar vulnerabilities are in closed source products, but they
are almost never found. Would anyone have found these flaws in PGP without
reading the code? Second, we have to do security reviews of the code. With
PGP most of us believed -- or hoped -- someone else had carefully studied
the code. Almost no one has. Third, we need code review support services,
extending what Sourceforge gives us. Finally -- and this will be very tough
for those of us who write code -- we have to give good security reviewers
the same kind of credit open source coders get. We can do the security reviews,
or we can settle for NSA trojans. I'm going to go read some Freenet code.