Re: NSA enhancing Linux security?

From: Christopher Browne (cbbrowne_at_acm.org)
Date: 03/05/04


Date: 5 Mar 2004 02:48:49 GMT

Centuries ago, Nostradamus foresaw when Jeff Nothing <BashingShrub@EveryChance.gov> would write:
> On Sun, 29 Feb 2004 03:42:16 +0000, Christopher Browne wrote:
>
>> The latter might actually be possible for a _different_ reason, namely
>> the NSA's other traditional function, namely signals interceptions.
> <snip>
>> Putting it another way, why spend a billion dollars on a building of
>> code-cracking computers if you can instead spend $2500 to bribe a
>> minimum wage security guard?
>
> Now I know I may get "blasted" by the conspiracy hacks out there, but I am
> one person who takes NSA at their word in this matter. SE Linux has been
> an ongoing program for some time now. I have known about it for about 2
> years now. So to see all these people get "oh the NSA wants to see my
> system", it is a bit funny.
>
> Without going into detail, the NSA is thousands of times better than
> the FBI or CIA. If people think the NSA is "out to get you" then
> replace those three letters with the FBI and the politically
> motivated head of it. It is quite obvious most hacks have a clue
> about who and what the NSA is all about.

Well, it seems to me that there's room for some paranoia alongside the
reasonable expectation that they are doing some things that do not
deserve to attract such suspicion.

It is well known and understood that the NSA is in the "business" of
managing the security of US communications, including a few specific
things:

 - Intercepting foreign communications (which certainly has some
   "spooky" elements).

   This is the clearly spooky part.

 - Designing/evaluating communications systems for US government use
   for applications requiring private communications.

   This is the clearly _non-spooky_ part. It is in their interests to
   provide secure systems where they are clearly needed.

 - Evaluating and certifying communications and computer systems for
   private use.

   Here come in programs like TPEP and DES and AES. There may be
   reason for them to want technologies to be somewhat, but not TOO,
   secure, but there is BIG danger in them doing anything TOO massive
   to make OTC systems less secure in that they are not the only
   agency in the world capable of doing these sorts of analysis.

Canada has an equivalent agency as part of the Department of National
Defence that is known as the Communications Security Establishment. A
lot of the work is likely relatively mundane, albeit highly
classified.

It is also known that there have been some "hidden spooks" working at
CSE; in the '70s, they fielded agents operating in the Soviet Union.

Between things like that and "politicized" things like COCOM,
Skipjack, and the lawsuit against Phil Zimmermann, it is pretty evident
that these agencies engage in some activities that people are wise to
be suspicious of.

But it seems clear to me that these agencies are large enough to have
room for both suspicious and non-suspicious activity. Being paranoid
of _everything_ isn't particularly useful.

-- 
(format nil "~S@~S" "cbbrowne" "cbbrowne.com")
http://www.ntlug.org/~cbbrowne/security.html
"How much more helpful could I be than to provide you with the
appropriate e-mail address? I could engrave it on a clue-by-four and
deliver it to you in Chicago, I suppose." -- Seen on Slashdot...