Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Garrett D'Amore <email@example.com>
Date: 04/10/2006 20:44:30

Steven M. Bellovin wrote:
> On Mon, 10 Apr 2006 14:35:51 -0700, "Garrett D'Amore"
> <firstname.lastname@example.org> wrote:
The other thing I'll point out is that history bears this out with the
US government too. There was much wringing of hands over NSA's
modifications of the S-boxes with DES, many folks fearing that NSA was
adding a secret back door. In retrospect, it appears that all they did
was strengthen the algorithm against cryptanalysis techniques that they
had in their repertoire. (And the reason they didn't make this known
was that they were regularly using techniques to crack Russian crypto,
There are forces for good within even organizations like the DHS and
NSA, I think. :-)
>> They may or may not be contributing funding. DHS wants the Internet to
>> be more, not less, secure. In any case, who cares who pays for it if
>> the end result is positive?
> I can second that. I regularly work with DHS on cybersecurity issues --
> most recently this afternoon. I have *never* heard a suggestion from them
> on the subject that was in any way improper, nor any suggestion that we
> (for any value of "we") do anything that would in any way weaken security,
> to the very best of my technical judgment. The areas where I've seen them
> do the most -- DNS and routing security -- are straight from a National
> Research Council study I helped write; in fact, those two areas were from
> a chapter where I was the primary author. (If you're curious, it's
> Chapter 2 of "Trust in Cyberspace", National Academies Press, 1999,
> http://www.nap.edu/readingroom/books/trust/ .) I've also never heard them
> say anything about, say, hindering crypto.
> A lot of the Internet depends on open source. DHS knows this, and wants
> to help improve it. The open source community as a whole can't afford the
> $250,000,000 that Microsoft is spending on its security issues.
> Yes, some of DHS does, shall we say, dubious things. This isn't one of
> those parts. As best I can tell, their hands are completely clean here.
> Disclaimer: It's not connected in any way with the cybersecurity stuff
> I've seen at DHS, but I was a member of their Science and Technology
> Advisory Committee until its statutory authority expired.
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
Phone: 951 325-2134 Fax: 951 325-2191