1995-09-19 - NSA and Netscape Crack (Re: NYT on Netscape Crack)

Header Data

From: tcmay@got.net (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: 6884ab8152f816585a4e7a4fe9c14e07a06288e7846da4b2fd62604f1d6efaa0
Message ID: <ac8391c012021004b6fc@[205.199.118.202]>
Reply To: N/A
UTC Datetime: 1995-09-19 04:23:36 UTC
Raw Date: Mon, 18 Sep 95 21:23:36 PDT

Raw message

From: tcmay@got.net (Timothy C. May)
Date: Mon, 18 Sep 95 21:23:36 PDT
To: cypherpunks@toad.com
Subject: NSA and Netscape Crack (Re: NYT on Netscape Crack)
Message-ID: <ac8391c012021004b6fc@[205.199.118.202]>
MIME-Version: 1.0
Content-Type: text/plain


At 3:00 AM 9/19/95, John Young wrote:
>   The New York Times, September 19, 1995, pp. A1, D21.
>
>
>   Security Flaw Is Discovered In Software Used in Shopping
>
>   By John Markoff

>   The discovery is the second reported security weakness in
>   the Netscape program to be posted on the Cypherpunks list
>   in the last month. In August, Damien Doligez, a student at

Seriously, where's the NSA when you really need 'em?

If the "flaws" are being found by our group, as John notes, just what is
the NSA doing in the _second_ role it is supposed to have, its "COMSEC,"
or communications security, role?

(Note: As outlined by Bamford, and others, the Agency has a dual role:
penetrating communications it is chartered to penetrate, and helping to
secure communications it is chartered to help secure. Traditionally, the
penetrating side is called SIGINT or COMINT, and the securing side is
called COMSEC. The names may have changed by now.)

Personally, I don't actually _want_ them vetting the work of others, but I
think this whole series of events with Netscape makes it abundantly clear
that the supposed "dual role" of the NSA in both breaking ciphers and in
ensuring higher security is a farce.

If the NSA had not found the flaws our two Berkeley grad students found,
we've grossly overestimated them as a threat. And if they found the flaws
but said nothing, what does this say about their claimed COMSEC benefits to
American interests? (Granted, not all of us are Americans, but I think you
understand my point about the NSA claiming it has a role, then doing
nothing concrete, and even being misleading in its plans and programs.)

If the NSA _really_ wants to really help secure communications against
fraud, eavesdroppers, and foreign intelligence agencies, it can do so by
immediately relaxing the restrictions on crypto export. While this may not
stop things like weak random number generators, it moves us to an era of
"strong" crypto and away from the "toy" crypto the NSA seems to want us to
have.

I think, however, it's clear by now that they have little interest in
helping to secure communications and that weak "toy" systems are their
preference.

--Tim May

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."






