At 02:37 PM 9/5/2001 -0400, Faustine wrote:

...

And, in the spirit of full disclosure, I'll mention that at C2Net we did sell our software to the government/intelligence agencies who wanted it - they paid the same prices as any other customers, signed the same sales contracts (we'd negotiate some on warranty terms for big purchases), and otherwise got what everyone else got - not more, not less.

Your honesty is admirable--and unlike certain other cases, I don't have any real reason to doubt what you say. But are you sure you have adequate security and counter-economic espionage measures in place? Have you had anyone do penetration testing lately? How much do you trust the people you work with?

Everything I've mentioned about C2Net is now several years old - I left the company in the last few months of 1998, and they've since been acquired and swallowed-up by Red Hat (RHAT), and (almost?) everyone who worked there when I was there has also left. If I weren't confident that I'm talking about history, not current events, I wouldn't be saying anything. (.. and there are some parts of the C2Net history which I'll likely never be in a position to disclose, ethically speaking, because of the nature of my relationship (general counsel) with the organization. Caveat emptor.) We did take an active interest in the security of our systems and codebase - I don't think we were perfect, with respect to physical or electronic security, but we were pretty paranoid, perhaps at some cost to the personal lives of the principals involved. But your points about insider risks are well taken - especially given that most security incidents have an inside, not outside, source. I believe that the software we published was free of intentional holes or errors, and was built as carefully as we knew how; that belief is based on my familiarity with the build environment, and my knowledge over several years of the people involved in the development process, and my impressions of their competence and integrity. Still, people's expectations and faith in other people can be misplaced - c.f. Aldrich Ames, Robert Hanssen (a personal friend of James [Puzzle Palace, Body of Secrets] Bamford, who never suspected), and Brian Regan - I don't know of any method or practice which can prevent hidden betrayal, for love or money or boredom or personal animus. And Ken Thompson's "Reflections on Trusting Trust" <http://www.acm.org/classics/sep95/> serves as a reminder of how subtle a betrayal or compromise can be, yet remain active and dangerous. A big part of our counter-economic-coercion resistance was ideological - if people really believe that they're working to protect and defend freedom and privacy, it's hard to tempt them with money, at least not just a little money. On the other hand, it's easier to tempt them with ideological arguments, which are cheaper; or for them to become so entranced with each other's political correctness that they lose sight of basic personal integrity and decency. (We didn't have trouble with that at C2Net, but it's historically been a problem inside ideologically-motivated organizations or groups.)

With a lot of young tech companies having spent the last few years feeling fat, happy, and oh-so-much smarter than those fusty old feds, you've got a potentially massive disaster in the making.

Pride goeth before destruction; and a haughty spirit before a fall. -- Greg Broiles gbroiles@well.com "We have found and closed the thing you watch us with." -- New Delhi street kids