Re: Blacknet & Lotus Notes
At 19:13 01.18.1996 -0500, Adam Shostack wrote:
So, lets buy the espionage enabling secret key. Its an obvious target, not just for cypherpunks, but for the KGB, Mossad, Toshiba, IBM, and anyone else who wants to read their competitors correspondance. Lets face it, this key will get out there, and be available to all the big players; lets make it available to everyone!
I think people are missing the point... even if we assume the absolute worst case, that the private key is broken and becomes publicly available, international Notes users are no worse off than before. That said, it shouldn't happen soon. One of the things Ray said in his announcement was that the government agreed to both generate and then guard this key with the same diligence with which they guard their most important secrets (he specifically mentioned nuclear missile controls). While it makes for a nice sound bite, I'm comfortable that there's probably also a lot of truth to it. Herb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter (herbs@connobj.com) Connected Object Solutions 2228 Urwin - Suite 102 voice 416-618-0184 http://www.connobj.com/ Oakville ON Canada L6L 2T2 fax 905-847-6019
Herb Sutter wrote: | At 19:13 01.18.1996 -0500, Adam Shostack wrote: | > So, lets buy the espionage enabling secret key. Its an | >obvious target, not just for cypherpunks, but for the KGB, Mossad, | >Toshiba, IBM, and anyone else who wants to read their competitors | >correspondance. Lets face it, this key will get out there, and be | >available to all the big players; lets make it available to everyone! | | I think people are missing the point... even if we assume the absolute worst | case, that the private key is broken and becomes publicly available, | international Notes users are no worse off than before. I don't give a damn about 'international Notes' users; they're (IMHO) screwed coming and going. What I do care about is the ability of American firms to compete with secure products in the international market. That, fundamentally, is what the ITARs are about. The US Government removing the ability of American firms to compete becuase of some idiotic notion that no one else can implement DES, 3des or IDEA. Can IBM/Lotus compete with Intranets now being created, based on HTTP with 128 bit rc4, or IDEA encryption? Theres a large body of evidence that people are dumping Notes for the Web; the lack of security in notes could well be a part of that. It can't help. These regulations cost American business up to $60billion per year. Those businesses are no worse off after sending hundereds of people to Washington to tell the Department of Commerce and NIST that they need the ITARs changed. They're not much better off either. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
I think people are missing the point... even if we assume the absolute worst case, that the private key is broken and becomes publicly available, international Notes users are no worse off than before.
This sentiment is why this is such a clever move on the part of the government. There are a number of problems with the Lotus plan. First of all, 40 bits isn't secure. That's what international users have, not 64 bits, and it's just not good enough. International Notes customers know it, we know it, Lotus knows it, and the government knows it. Second of all, any restriction on algorithms and key lengths is unacceptable. People and businesses have the right to protect their privacy. American software companies have to be able to deliver privacy if they want to remain competitive in the global market. It's essential that the government acknowledge these facts. Finally, this agreement sets a very dangerous precdent. The government is holding keys and compelling people to "trust" them. This is real, live gak. You're right -- in a sense no one's any worse off than they would be with 40 bit keys. But in another sense, there's a slippery slope problem here. Gak is absolutely unacceptable in any way, shape, or form. It's completely beyond the scope of what the government ought to be doing. If we sit by idly while they set up the comparatively toothless gak, it will make things that much easier for them when more ambitious gaks come down the pike. We need to do whatever we can to convince international customers that Notes isn't secure. And we need to make Lotus understand why this deal isn't in anyone's interest.
On Tue, 23 Jan 1996 09:06:45 -0500, Herb Sutter <herbs@connobj.com> wrote: <quoted material deleted>
I think people are missing the point... even if we assume the absolute worst case, that the private key is broken and becomes publicly available, international Notes users are no worse off than before.
True, but they aren't any better off either. 40-bits is not secure, neither is 64-bits.
That said, it shouldn't happen soon. One of the things Ray said in his announcement was that the government agreed to both generate and then guard this key with the same diligence with which they guard their most important secrets (he specifically mentioned nuclear missile controls). While it makes for a nice sound bite, I'm comfortable that there's probably also a lot of truth to it.
That just means that it will be classified Top Secret and only those with a "need to know" will have access. The government can set the need to know at any level they want. Even if they truly try to restrict access to their key, this does not even imply that they will not allow it to be freely used. If I want a message read and am not cleared for access to the key, I just send it to someone that does. I have seen nothing from the government saying that they agree to only use it if they have a warrant or even any reason to believe that the message contains data that is important to national interests. They are free to decode messages and give the information they obtain to a competing company. IBM made the deal to help provide an illusion of greater security, at least before the insecurity of 40 bits was well known. They are actually doing a diservice to their customers by trying to make them believe that their communitcations are actually secure using just Notes. Does the packaging indicate that the U.S. government has access to more than a third of the key? Dan Weinstein djw@vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche
participants (4)
-
Adam Shostack -
Alex Strasheim -
djw@vplus.com -
Herb Sutter