Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: Garrett D'Amore <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 04/10/2006 22:22:09

On Mon, 10 Apr 2006 14:35:51 -0700, "Garrett D'Amore" wrote:
> They may or may not be contributing funding. DHS wants the Internet to
> be more, not less, secure. In any case, who cares who pays for it if
> the end result is positive?

I can second that. I regularly work with DHS on cybersecurity issues --
most recently this afternoon. I have *never* heard a suggestion from them
on the subject that was in any way improper, nor any suggestion that we
(for any value of "we") do anything that would in any way weaken security,
to the very best of my technical judgment. The areas where I've seen them
do the most -- DNS and routing security -- are straight from a National
Research Council study I helped write; in fact, those two areas were from
a chapter where I was the primary author. (If you're curious, it's
Chapter 2 of "Trust in Cyberspace", National Academies Press, 1999,
http://www.nap.edu/readingroom/books/trust/ .) I've also never heard them
say anything about, say, hindering crypto.

A lot of the Internet depends on open source. DHS knows this, and wants
to help improve it. The open source community as a whole can't afford the
$250,000,000 that Microsoft is spending on its security issues.

Yes, some of DHS does, shall we say, dubious things. This isn't one of
those parts. As best I can tell, their hands are completely clean here.

Disclaimer: It's not connected in any way with the cybersecurity stuff
I've seen at DHS, but I was a member of their Science and Technology
Advisory Committee until its statutory authority expired.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb