TRENDS IN COMPUTING
SECURITY - PAST VS PRESENT CONDITION
For years, many of us have been fighting the Government's desire
to restrict cryptography, endlessly warning them that the inability
to use strong encryption (or in some places any) weakens the
security of the electronic world. Yet endlessly we have seen
attempts to control the use of cryptography or so weaken it as to
be ineffective. Our cell phones are insecure, our email is
insecure and worse our internet is painfully insecure. Our
computer systems and their software are so insecure as to be
laughable. I only hope Clarke can change that attitude but I doubt
it. The position of law enforcement has been and will, I suspect
remain, that strong encryption and secure systems makes it hard to
catch crooks so we will all continue to live in cyber-houses
without locks and suffer.
Dave
------ Forwarded Message
From: "David P. Reed"
Date: Sat, 03 Aug 2002
Subject: Security Czar Points Finger of Blame
Since the NSA itself, in 1976-77, blocked a fully worked out
end-to-end encryption approach created at MIT for TCP, we might
want to point the finger elsewhere.
Perhaps at the government itself.
Quite a number of us who participated in the early Internet protocol design were from the computer security research side, and did our best to make the Internet architecture secure from the start. But the NSA (I am told) told DARPA that any attempt to introduce security mechanisms into TCP/IP's architecture would be viewed very negatively. (This happened at about the same time that Rivest, et al. received a mysterious threatening letter from a senior military official claiming that their work on the RSA cipher must be stopped immediately).
Despite this, the TCP and IP designers ensured that the architecture of TCP and IP was such that end-to-end encryption and other crucial protections, along the lines of the banned proposals, could be introduced at any point.
And in fact, IPSEC does this. But part of the difficulty with implementing IPSEC is that it is too late - popular fads such as NAT and stateful inspection firewalls have been deployed too widely. Firewalls (which provide faux security at best) make real security much harder to deploy.
Later, when my friend Ray Ozzie wanted to put end-to-end RSA encryption in Lotus Notes, again the government required that the civilian users get a weakened form of encryption. And the government blocked PGP. And more recently, the government called for Lotus to introduce security holes in Lotus Notes that would weaken users' protection.
In one respect I agree with Mr. Clarke - it is important to have good security in the Internet. But as a representative of the gov't security community, he should stop pointing fingers, because the real finger needs to be pointed back at himself.
Many, many of the folks who worked on secure systems architectures in the '70's foresaw these vulnerabilities in the so-called "civilian sector" and called them to the attention of policymakers, and also proposed solutions.
It makes me more than a little angry to see a public figure who works for the government implicitly blaming the very people who pointed out the problem.
The reason I don't work in the security field (despite my recognition of its importance, and my own early work in secure protocols) is that the government of the US made it impossible to do good work. I'm sure that others who might have made contributions, or did make contributions, made the same career decisions.
At 06:15 PM 8/2/2002 -0400, Dave Farber wrote:
>Speaking at the Black Hat Security conference in Las Vegas, White House cyber
>security advisor Richard Clarke cited five groups responsible for the
>vulnerability of the Internet: ISPs, software makers, wireless network makers
>and users, the ...
Herb's comments are well taken. But I will still hold that we
would be much better prepared if the governments (and note not
just the USA) took a more long view on security in the 90s. Many
of us testified as to the dangers and many were roundly ignored.
Dave
------ Forwarded Message
From: "Herb Lin"
Date: Sat, 3 Aug 2002 11:13:46 -0400
Subject: Re: IP: Security Czar Points Finger of Blame (should be at Governments)
I think the invective being directed at Richard Clarke and the
government here is misplaced, though I do understand the
sentiments being expressed. The connection between the crypto that
the government tried to restrict with its 40-bit encryption-key
export limitations and today's state of system and network
security seems quite tenuous. Consider:
-- WiFi (802.11b) has a capability to support 128 bit encryption.
Was 128 bit encryption a solution to the security problems of
WiFi?
-- Has any documented security flaw in existing software ever been traced to the cryptographic inadequacy of a 40 bit key (as opposed to larger keys)?
I think any serious look at these questions has to result in a "no" to both of them - and if that analysis is right, then it is very hard to argue that attempts to restrict encryption key length have or had anything at all to do with the flaws we see today.
Readers might also do well to consider that the state of world affairs and technology deployment is very different now than in the early 1980s and 1990s. Specifically, it's much clearer today that good encryption is relevant to a much wider range of applications and services than it was then. Rather than being the subject of criticism, Clarke should be praised for understanding the importance of security.
None of this is intended to deny the point that there are elements within the law enforcement and national security communities that would much prefer no encryption at all. But the bottom line from my perspective is that the encryption strength is mostly (but not completely) orthogonal to the security problems that plague us today.
Herb Lin
Senior Scientist
(and study director of the 1996 NRC report on cryptography)
CSTB
www.cstb.org
From: "the terminal of Geoff Goodfellow"
Date: Sat, 3 Aug 2002 17:55:16 +0200
Subject: Cell Phone insecurity -- RE: Security Czar Points Finger of Blame (should be at Governments)
Re: Cell phone insecurity (vs. email, the internet, etc.)
i can speak from ground zero regarding the history and lack of cell phone insecurity. i was there, in the early 80's, in a non-smoke filled room at the EIA headquarters in Washington DC, trying to fix the problem before it became one.
I will never forget that day. I was on the TR-45.2 committee
dealing with "back end" issues such as automatic roaming at the
time. I was told (in)security issues needed to be addressed by the
TR-45.1 air interface "front end" committee. So, on the day of
presentation of the insecurity issues to the TR-45.1 group, I'll
never forget how i was told (along with colleague Bob Jesse) or
rather scolded, by the AT&T's rep (Jerry Baker if i recall
correctly) that it was not to be a problem! The rep from Ericsson
suggested we should re-arrange (scramble) the digits around to
make it more difficult!! Use strong encryption? Naaaaah. Forget
it!
The TR-45.1 committee just didn't see security as being a problem or an issue worth trifling with -- thinking that the IS-3 CELLULAR SYSTEM MOBILE STATION - LAND STATION COMPATIBILITY SPECIFICATION as it was known at the time -- was just fine with its Electronic Serial Number (ESN) security and the spec surely didn't need to be changed for the sake of "better security".
Astute colleagues Robert Jesse and Andrew Lamothe and I were just flabbergasted by the naivete and just plain uncaring attitude of The Big Equipment Vendors who were committed to burden their customers, the cellular carriers, with future multi-zillion dollar loss exposure from FRAUD!
As a result of the total disinterest on the part of EIA TR-45.1 Big Vendors, we 3 set about to do what just about anyone does when their logic and reasoning is ignored in private -- you go public! As a result, we co-authored the first article on the lack of cell phone security -- November 1985 -- which i just found via Google:
THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'? 'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS
It looks at the history of the lack of security in mobile
telephony and, how we predicted, when it was written in 1985, that
cellular would be no more secure than its predecessors.
Furthermore, we proposed what Should Be Done to nip the coming
problem in the proverbial bud. I'm sad to say it fell on deaf ears or
went right over the heads of the industry at the time. No one did
anything and the rest, as they say, is history!
=-=-=-=-=-=-=-=-=-=-=-=-=-
geoff.goodfellow at iconia.com * Prague - CZ * telephone +420 603 706 558
"success is getting what you want & happiness is wanting what you get"
http://www.nytimes.com/library/tech/99/01/biztech/articles/17drop.html
http://www.tapsns.com/members-bio/geoff-goodfellow.shtml