http://www.ejovi.net/archives/2004/11/japanese_govern.html

November 12, 2004

[JUKI net is Japan's national ID system. Ejovi performed a security audit of the system for Nagano Prefecture one year ago]

It's been a long day. I am greatly disappointed that Soumushou, the Japanese government that maintains JUKI net, prevented me from speaking today at the PacSec security conference. Soumushou prevented my talk by threatening the Japanese event who currently are seeking contracts from the government.

The Japanese government gave me two options.

1) Do not talk
2) Drastically change your slides to say what they want me to.

When I offered to not use slides at all and give my own opinion they told me that I would not be permitted to speak AT ALL.

It is obvious to me that they did not have an issue with my slides or presentation. They were afraid that I would draw attention to problems in JUKI net. Soumushou thinks that they can hide from the issues. They think that if they keep people from speaking about the issues, it will go away. I thought I would be immune from such Japanese government pressures; however, I underestimated Soumushou's ability to manipulate those around me.

Soumushou's reason for forbidding me to speak was this: "Since we are endorsing the convention we have the right to tell you not to speak". If this is the case, the Japanese government needs only sponsor or endorse ANY event which they don't agree with and force the organizers to change the content. If this is the case Japan will never make any progress towards a safer environment.

What is most upsetting to me is the fact that I HAD NO PLANS TO CRITICIZE the Japanese government. My talk was going to be extremely fair and balanced, addressing the issues raised by both sides. In fact I invited Soumushou to meet with me directly so that I can address any issues they may have. I told them this on the telephone and by email. Instead they chose to pressure the Japanese representatives of the conference.

They never attempted to talk with me directly. Why is this? If they had issues with something I may say, why not ask me about it? Why pressure a company that relies on government contracts? Is this fair?

The purpose of my talk was to present both sides of JUKI net security systems. I have no vested interest in seeing it fail or in seeing it succeed. I only wanted to recommend how best to make it safer, how best to improve the system. But Soumushou believed that my recommendations on how to improve its security alone would mean that JUKI net has problems and they refused to admit this. I'm sorry to tell them but it does have security problems.

The good news is that the technical issues can be easily resolved. However the greatest problem with JUKI net is not technical but Soumushou's inability to even acknowledge that they exist! How can a system become secure if the Japanese government is not willing to listen to someone who points out issues?

Today was a sad day for Japan and a frustrating day for me.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'