Interesting People mailing list archives
Re: In an Era of Russian Hacks, the US Is Still Installing Russian Software on Government Systems
From: "Dave Farber" <dave () farber net>
Date: Fri, 16 Jun 2017 07:28:45 +0000
---------- Forwarded message ---------
From: John Gilmore <gnu () toad com>
Date: Fri, Jun 16, 2017 at 2:16 AM
Subject: Re: [IP] Re: In an Era of Russian Hacks, the US Is Still Installing Russian Software on Government Systems
To: <dave () farber net>
Cc: ip <ip () listbox com>

Do you remember the export controls on crypto? You might've thought that the whole idea was to stop good crypto getting out of the country. But that's the side effect. The MAIN effect was to require anybody selling proprietary crypto software to provide the FULL SOURCE CODE to NSA for their review, long before doing any exporting, as part of the highly discretionary licensing process. So of course they could take their time looking through it for zero-days and other weaknesses.

The Bernstein and Junger court decisions modified this regime somewhat, but I believe it is still in effect for proprietary "non-mass-market" crypto software, and for all software for cryptanalysis.

I believe the NSA has plenty of ways to legally get the source code for Microsoft Windows, Apple iOS, and other major operating systems, by negotiation. The DoD alone purchases hundreds of millions, or billions, of dollars worth of such software every year, plus support contracts and etc. When I was at Sun, certainly such a large customer could get copies of their source code. All it took was the desire, a relatively nominal fee, and signing a simple license that they'd only use it in-house, not release it, and not compete with us.

The point? If it's a major OS or major product -- or an American product covered by the export controls -- NSA has the source code. NSA knows as much about the weaknesses of that product as NSA cares to know.

One of the lessons we're learning is that you don't have to embed security holes in software, they're already there if all you do is look. NSA does a lot of looking, and listening.
;-/ John