1995-09-14 - Re: NSA on GAK

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: patrick@Verity.COM (Patrick Horgan)
Message Hash: ae7dcb2888ecc81b0fc82c0efd15ef1c7e75a9fec83971da1667a98194533fae
Message ID: <199509141601.MAA06167@calloway.bwh.harvard.edu>
Reply To: <9509141525.AA21098@cantina.verity.com>
UTC Datetime: 1995-09-14 16:12:58 UTC
Raw Date: Thu, 14 Sep 95 09:12:58 PDT

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Thu, 14 Sep 95 09:12:58 PDT
To: patrick@Verity.COM (Patrick Horgan)
Subject: Re: NSA on GAK
In-Reply-To: <9509141525.AA21098@cantina.verity.com>
Message-ID: <199509141601.MAA06167@calloway.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


| 
|           Senate Subcommittee on Technology and the Law
|  Hearing on the Administration's Key Escrow Encryption Standard
| 
|         Written Questions for Vice Admiral McConnell, NSA

| *Questions from Senator Murray:
| 
| Q:    In my office in the Hart building this February, I downloaded
| from the Internet an Austrian program that uses DES encryption.
[...]

| With at least 20 million people hooked up to the
| Internet, how do U.S. export controls actually prevent criminals,
| terrorists, or whoever from obtaining DES encryption software?
| 
| Answer:  Serious users of encryption do not entrust their
| security to software distributed via networks or bulletin boards.
| There is simply too much risk that viruses, Trojan Horses,
| programming errors, and other security flaws may exist in such
| software which could not be detected by the user.  Serious users of
| encryption, those who depend on encryption to protect valuable data
| and cannot afford to take such chances, instead turn to other
| sources in which they can have greater confidence.  Such serious
| users include not only entities which may threaten U.S. national
| security interests, but also businesses and other major consumers
| of encryption products.  Encryption software distribution via
| Internet, bulletin board, or modem does not undermine the
| effectiveness of encryption export controls.   

	"Help me understand here.  You say that serious users of
encryption don't use software distributed via network.  In that case,
you would have no objection to PGP being exported, as serious users of
encryption don't use it?"










