1995-10-16 - Re: The NSA Visits Compendium

Header Data

From: “Vladimir Z. Nuri” <vznuri@netcom.com>
To: tcmay@got.net (Timothy C. May)
Message Hash: 0fa77146a88384a453333de38e78b819576af297aa5fddcd523ce2784a65fd6a
Message ID: <199510162105.OAA05055@netcom23.netcom.com>
Reply To: <aca7dbbd26021004fefd@[205.199.118.202]>
UTC Datetime: 1995-10-16 21:40:45 UTC
Raw Date: Mon, 16 Oct 95 14:40:45 PDT

Raw message

From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Mon, 16 Oct 95 14:40:45 PDT
To: tcmay@got.net (Timothy C. May)
Subject: Re: The NSA Visits Compendium
In-Reply-To: <aca7dbbd26021004fefd@[205.199.118.202]>
Message-ID: <199510162105.OAA05055@netcom23.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



re: "Men In Black Study"

I think this is a really excellent project, for the main reason that
the NSA lives and dies by a "nobody is noticing" modus operandii (relative
congressmen, the public, companies, foreign governments, etc.). it
is a sort of "security through obscurity" that can be defeated.  this
has been a topic that has long fascinated me.

I suggest however that the scope of the survey be expanded to the FBI.
there are reports the FBI visited Lotus a long time ago to ask them
to put in a "back door" into their encryption software, because it
was too strong. it seems to me this is very similar to the survey
questions. also keep in mind that the NSA loves to use "front agencies"
like NIST to do their dirty work. so it might be hard to detect an
"NSA visit".

however the NSA like all intelligence agencies is really brilliant in
intimidation. I think one would find that these situations are going
to go "unreported" because the NSA may be leaving the impression that
"not following our suggestion" is one sin, but that "screaming about
this in the public" is going to be another liability. that is the coercion
tactics that they are legendary for, IMHO. "you must do this, but we
can't tell you why. you can't ask anyone else about this, either".

I suspect that the entire crypto industry has been sabotaged in a lot
of subtle ways by the NSA doing this, and nobody is the wiser. I hope
people realize that by not reporting this, you contribute to the problem,
not the solution. as Thomas Paine said, roughly, "the power of tyranny
lies solely in the fear of rebellion".

a study on this would be very significant. (from what I understand, the NSA
tried to do this with public key crypto, i.e. suppress it at the
publication stage. a professor gave a lecture on this in one of my
classes and said that it was even covered in the NYT at the time.
unfortunately I lost the date. I believe it was a long time ago
(maybe the 80's or even the 70's). hopefully someone else has an
encyclopedic brain.

in fact, we might be able to get Levy or Markoff to write on this subject
if we can get any significant results.  that would be *hot*. they could
put a great spin on it, like "the netscape bugs are a problem, but an
even more horrifying and unimaginable thing going on is..."  if the NSA
has visited Netscape, that's virtually an article right there!!

>* Does the NSA really visit companies planning to include crypto modules
>and ask them to weaken or remove the crypto modules?

a rumor was floating around that they visited Mosaic designers.

>* What pressures are brought to bear on companies to induce them to weaken
>crypto, even for domestic-only use, or to remove hooks?

probably just the insinuation that they may be liable. you know the lovely
intimidation tactic, "what you are doing may have LIABILITY". of course
everyone does all kinds of ridiculous things, because, after all, one
might be LIABLE after doing them.

>* Is there concrete evidence of these things?

it is in the NSA's interest to cover up any evidence, and furthermore to
suggest that their program, if it exists, is totally ineffective. I think
otherwise. I think it is prime dirty secret of the NSA and a major
public relations liability that ought to be exploited to the utter,
full extent by cypherpunks.

[Blaze etc.]
> They confirmed that such a panel _does_ exist, but that it is
>fairly ineffectual. Apparently many people publish without approval.

however it may be more effective with commercial companies worried about
liability. sometimes the slightest whiff of liability sends a company
screaming for cover and not touch an entire area with a ten foot pole.
I wonder if cellular phone encryption in the US 
has been delayed for this reason.

>NSA Actions: Visits on a regular basis by two NSA representatives ("always
>two"). Pressured them to drop plans for a strong domestic crypto module.
>
>Source: Personally told to me by programmer at the company, 1995-10-14. He
>wishes the company not to be named.

unfortunately, whenever someone says, "don't name my company", it loses
effectiveness. I would like to point out that people are directly contributing
to their erosion of rights by this behavior that suggests that they
doing something lawbreaking that they are ashamed of.

well, good luck with the study. I'll do what I can to publicize it <g>







Thread