1996-07-19 - Re: Gorelick testifies before Senate, unveils new executive order

Header Data

From: Jeff Barber <jeffb@issl.atl.hp.com>
To: david@sternlight.com (David Sternlight)
Message Hash: a64c19aab0d0728a6401f0fa861606be2a5686aa18fd42bfd2ea5877d22a2fcc
Message ID: <199607191255.IAA00550@jafar.issl.atl.hp.com>
Reply To: <v03007601ae14f5fa1d3d@[]>
UTC Datetime: 1996-07-19 17:36:22 UTC
Raw Date: Sat, 20 Jul 1996 01:36:22 +0800

Raw message

From: Jeff Barber <jeffb@issl.atl.hp.com>
Date: Sat, 20 Jul 1996 01:36:22 +0800
To: david@sternlight.com (David Sternlight)
Subject: Re: Gorelick testifies before Senate, unveils new executive order
In-Reply-To: <v03007601ae14f5fa1d3d@[]>
Message-ID: <199607191255.IAA00550@jafar.issl.atl.hp.com>
MIME-Version: 1.0
Content-Type: text/plain

David Sternlight writes:
> At 8:04 PM -0700 7/18/96, Jeff Barber wrote:

> >> Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's,
> >> or AT&T's domestic computer networks has little to do with crypto export
> >> policy.
> >
> >Big companies like IBM, AT&T, etc. have *international* networks.  Hence,
> >the connection to the crypto export policy, which prevents comprehensive
> >security programs from being deployed.  As a "senior technical executive"
> >(oxymoron alert) to Fortune 50 companies, I assume you know that and are
> >simply choosing to ignore it for the sake of your current argument.
> There are exceptions to ITAR for this purpose (overseas offices of US
> companies). In addition, like the argument that we shouldn't jail anyone
> until all social evils are cured, your argument fails. IBM can secure their
> domestic network (at least) without having to secure their global network.
> As for your suggestion that I am special pleading, that's just unsupported
> defamation. I suppressed nothing--it is you who are omitting the facts I
> mention just above. Only a fool would accuse another of special pleading
> when the possibility the accuser doesn't understand the argument, or have
> all the data exists. If you have any integrity you'll apologize.

Yeah, right.  You clearly chose not to address the requirements of
international company networks in your argument.  You admit that such
companies have international networks, and that you knew it.  It was
obviously relevant and you could have and should have addressed it.
The fact that you chose not to speaks to your own lack of integrity.
To gain the upper hand in the argument is clearly your supreme objective;
any point that doesn't fit the argument is simply not addressed.

> >> >Putting the government in charge of fixing security problems is likely
> >> >to result in an infrastructure optimized for surveillance, as we've seen
> >> >with other government-sponsored initiatives (Clipper, Digital Telephony,
> >> >etc.).
> >>
> >> The subject matter of the Commission's inquiry has more to do with
> >> authentication than message encryption, and more to do with infrastructure
> >> and network security. And as it happens there is no problem getting export
> >> licenses for authentication-only software with as secure a key as you like
> >> and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page
> >> as this issue.
> >
> >There is more to security than authentication, as I'm sure you also know
> >but are choosing to ignore.
> Another attempt to accuse, read minds, and impute motives. We're talking
> about securing networks such as communications, transportation, and power,
> against hacker attacks. Authentication is the core, not encryption. A main
> problem is the spoofer instructing the network to self-destruct. Long-key
> authentication can address this when coupled with the safeguarding of keys,
> and some system precautions not related to encryption.

In the last round, you mentioned financial networks.  You conveniently
left those out here.  I argue that these as well as others require
encryption.  Again, the fact that you fail to exclude any "inconvenient"
scenarios in whatever happens to be the matter under discussion destroys
your credibility (well, it would have, if you had any amongst the members
of this list).

> > Authentication alone may suffice in some
> >situations but clearly not all.
> So what? What part of "more to do with....than" don't you understand? I
> never said "all"--that's a straw man to try to shift the ground of the
> discussion rather than attempting a direct refutation.

On the contrary, you are the one who responds to each objection by 
pointing out that there is at least one situation where the current
regulations do not completely rule out solutions.  As one who has dealt
with security problems in the trenches, I have been involved in numerous
attempts to tiptoe through the mine-field of crypto regulations in search
of solutions.  I would prefer not to have to do so as it's a huge waste
of my time, and my (and everyone else's) money and other resources.

> >> Again, you are trying to fight a different battle in the wrong arena.
> >> This isn't about your ability to encrypt your traffic. It's about securing
> >> the domestic infrastructure against information warfare. I know this is
> >> beginning to sound tiresome, but you'd better do your homework.

> >  This isn't a different battle, though; it's all interwoven.
> So what? Everything is connected to everything else.

Ouch, David, stop it.  Once again, I'm skewered by your rapier wit.

> >I don't want the government responsible for "securing the domestic
> >infrastructure..." for the same reason that I don't want them telling
> >me where or to whom I can sell crypto.

> >  They haven't any right to, IMO,
> Read the Constitution.

I have.  News flash for David: not everyone agrees on the meaning of
various clauses in the Constitution.  Believe it or not, reasonable
people hold opinions that differ from the gospel-according-to-Sternlight.
The constitution means whatever the Supreme Court says it means and
that changes from time to time even though the constitution generally
does not.

> >and besides, I don't trust them to look out for my interests.
> At least some of one's interests we might both agree. There's the old joke
> "I'm from Washington and I'm here to help you."

Unfortunately, you seem to believe them most of the time, and want us
to believe them too in this case, while I choose to believe them rarely
if ever.

As this debate has now deteriorated to the "Sternlight claims
defamation, demands apology" point, and the substantive content is
quickly approaching zero, I'll try to make this my last post.  (List
breathes collective sigh of relief.)

-- Jeff