[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] A pocket guide to NSA sabotage
- To: debate@fitug.de
- Subject: [FYI] A pocket guide to NSA sabotage
- From: "Axel H Horns" <horns@ipjur.com>
- Date: Sat, 2 Sep 2000 19:52:46 +0200
- CC: krypto@thur.de
- Comment: This message comes from the debate mailing list.
- Organization: NONE
- Sender: owner-debate@fitug.de
http://cryptome.org/nsa-sabotage.htm
------------------------------- CUT -------------------------------
2 September 2000
September 1, 2000
A pocket guide to NSA sabotage
Doug Porter
The NSA engages in sabotage, much of it against American companies
and products. One campaign apparently occurred at about the time when
PGP's most serious vulnerability was added.
To understand the whole story requires some background.
In Bruce Schneier's newsletter Crypto-Gram he told us last year about
Lew Giles, said to be an NSA saboteur wrecking American privacy
products in 1997. Schneier says that according to several sources
Giles went from company to company, asking them to destroy the
security of their own products, and arranging cover stories to
protect them. According to Crypto-Gram sometimes Giles worked
directly with engineers, with no managers around. The sabotage was
always supposed to look like a mistake.
At about the same time, PGP introduced "key recovery" with the hidden
flaw recently covered worldwide, including Schneier's own clear
description in Slashdot. Other serious vulnerabilities have been
found in the PGP versions released then. For example, just last May
PGP was found to generate weak keys on Linux and OpenBSD. The
original report in BugTraq says the bug was introduced in version
5.0, released in 1997.
Undoubtedly most security bugs are just bugs. But it's also very
possible that some are backdoors.
CNN and Network World detailed how the NSA openly strong arms
companies, "leaning on software, switch and router vendors" to make
them "add a government-approved back door into network gear."
Companies working with the NSA, however unwillingly, include
Netscape, Sun, and Microsoft. Chris Tolles of Sun says, "Everyone in
Silicon Valley, including us, has to have specific staff -- highly
paid experts -- to deal with them." If everyone's dealing with them,
are any products secure?
[...]
------------------------------- CUT -------------------------------