Faustine: I think it's dangerous and entirely to your disadvantage to dismiss everyone doing government work in computer security as a donut-chomping incompetent Barney-Fife-clone imbecile. Anyone can laugh at the department heads on C-SPAN, but did you ever stop to think about who's really doing the hardcore research for the NSA at Ft. Meade--and elsewhere?

James A. Donald: To judge by their most recent crypto ballsup, some donut-chomping incompetents.

Faustine: That's just as inaccurate as condemning everyone who ever worked for Microsoft as clueless because of their corporate propensity for security lapses. You wouldn't go that far, would you?

James A. Donald: Microsoft, as a whole, is incompetent at security. All supposedly secure software coming out of Microsoft varies from poor to worthless. Does anyone doubt it? They take standard well-known methods and make well-known bungles in applying and customizing them.
Faustine: Sure, but that doesn't mean the individual people working there are incompetent. It's an institutional problem.
James A. Donald: We do not get to see much of the spook output. What we have seen in recent years is not good.
Faustine: That's not by accident--they have zero incentive to show their true hand and every reason to hide it. For example, if someone from the NSA were to crack PGP, do you think they'd public-mindedly post the vulnerability on Bugtraq and have a big IRC coffee klatch to work on a fix? Hell no. There's no telling how many vulnerabilities in common software government security analysts found and kept secret. And the lousy thing is we all know it only takes one. Another one of their advantages is a fairly straightforward intelligence asymmetry: you have no clue as to who these people are and what they can do, whereas they can go over everything about you with a fine-tooth comb at their leisure. People help them and don't even know it: the easiest way to get free security testing is to declare a government system secure, honeypot and fishbowl it to Kingdom Come, and wait for the free data to come rolling in from the too-smart-for-their-own-good suckers who can't wait to broadcast to the world in excruciating detail exactly how they "r00ted the Fedz". Everyone laughs and gloats at how insecure government systems are, but they didn't gain a thing, since all the truly interesting data was far, far away. And the veritable icing on the cake is that the feds turn around and use the very intrusions they invited as a tool to scare the Solid Citizens in Congress into allocating even more money and resources "to protect national security". Depressing.
James A. Donald: During World War II the government sucked up all the best people from the open sector and put them to work in the secret sector. For example, most of the world's greatest scientists wound up hand-making nuclear weapons. However, one would expect, with the passage of time, that people who work in secret would suffer from Parkinson's law, and this appears to be happening.
Faustine: Maybe. But some of those very same people are still around and sharper than ever. Never underestimate the old guys.
James A. Donald: Microsoft produces crap security because most of their customers do not know any better. Therefore NSA will produce crap security because their customers are forbidden to know any better.
Well, I'm not ruling that out. But since none of us knows the first thing about what's happening behind the Silicon Curtain, that remains to be seen. ~Faustine.