RE: CDR: Re: Lions and Tigers and Backdoors, oh, my...
----------
From: Ray Dillinger[SMTP:bear@sonic.net]
Sent: Wednesday, September 27, 2000 4:39 PM
To: Trei, Peter
Cc: cypherpunks@cyberpass.net
Subject: RE: CDR: Re: Lions and Tigers and Backdoors, oh, my...
On Wed, 27 Sep 2000, Trei, Peter wrote:
Can you document this claim of the existence of 'help fields' in Netscape?
Not directly I can't, at least not without betraying someone. In retrospect, I should've used a nym to make the statement to keep him out of trouble.
I don't accept this. You should be able to: generate traffic dumps pointing to the 'help field', and showing where it fits within the SSL specifications. This is hardly rocket science. There is no need to compromise anyone whatsoever. Put forward the evidence, so we can independently confirm it.
This sort of thing happens every year or two on this list. Someone makes a claim which, if true, has interesting and/or important implications. However, the nature of the claim is one which is quite capable of verification. The onus is placed on the claimant to 'put up or shut up'. Usually, they shut up. Examples of such claims include:
* PGP has a secret backdoor. (OK: Here's the source: Where is it?)
* gcc is hacked to stick secret backdoors into PGP. (OK: Here's the source: Where is it?)
* All gcc binaries will stick the PGP hacking code into gcc when compiling gcc. (Here's a dump: show us.)
* Emily Dickinson hid her boyfriend's initials in her poems. (Here's some statistical tests you need to run: Show us).
So I call upon you: Put up or Shut up.
I am (to put it mildly) astonished by this claim, and more than a little skeptical. I was aware of the Workfactor Reduction field in the export 'aka International' version of Lotus Notes (which this 'help field' seems identical to), but was not aware of it being included in any other application.
Okay, let's forget what I know from people I don't want to drag into the fire and go through it from the "circumstantial" angle.
What does it mean when Lotus Notes has to put a work reduction field in their product in order to get export approval status, and then doesn't talk about it? But lots of other companies who also don't talk about it, with stronger-seeming crypto get export approval status? <you brought it up, you document it...>
Huh? "Doesn't talk about it"? It was announced with fanfare at the RSA Data Security conference a few years ago. There were press releases. It was widely discussed on this list. I invented the term 'espionage enabled' to describe this kind of application. Lotus got a lot of flak about it, but persisted. Some customers even bought it, notably the Swedish government (See Risks Digest http://catless.ncl.ac.uk/Risks/19.52.html#subj1).
What does it mean when banks refuse to work with earlier versions of Netscape claiming it's because the security certs are expired -- but when new security certs are downloaded and installed, they still refuse to work with earlier versions of netscape and refuse to tell you why? (This, btw, was what made me suspicious in the first place and why I started digging...) <http://banking.wellsfargo.com/>
Well, it could mean that they want to use Web features available in later versions but not in earlier ones. Or maybe there are known security holes in earlier editions. Wells Fargo has actually been ahead of the curve at times: they were one of the first sites to require 128 bit encryption.
What does it mean when Lew Giles, even after the rules change to the BXA-controlled system, made a living going around convincing engineers working for american companies to compromise their products' security? With or without knowledge of the companies' execs? <http://www.counterpane.com/crypto-gram-9902.html#backdoors>
Is it after BXA? Bruce notes that the stories are all at least two years old, which would place them in very early 1997 at latest. I can't remember when the switch took place. Of course, if LG was doing this (and I have no real doubt that the NSA might try), it's execrable, but what is the relevance to products today? He can no longer seriously threaten to hold up export.
What does it mean when PGP has a "flaw" introduced into its Additional Decryption Keys at the same time NAI is seeking export approval for it? And NAI gets export approval, and then nobody notices the flaw for several years after, and then they go oops, it was just a mistake? <in light of recent news, I don't figure I have to document this one>
What does it mean when a CEO who actually can and does review code, so subverted engineers can't seem to get one past him, in a meeting with NSA officials refuses to compromise -- and one of the spooks loses his cool and offers to run the guy over in the parking lot? I'll explain this one to you... it means that spook _HAD_NEVER_SEEN_ anyone refuse to compromise, and had no fucking clue what to do. That's if you buy the "he just lost his cool" story. On the other hand, death threats may be policy and this was just the first time they were needed. And on the gripping hand, maybe it's just the first time it was *reported*. Not very many execs would talk about something like that, and I figure most who've experienced it probably just shut up and gave the spooks whatever they wanted.
<Considering your address, I figure you know about this one, so I'm not going to bother documenting it. >
Lew Giles and its ilk had to have some kind of bargaining position, and if export approval was forthcoming without subverting security in some way, would have had none. The only way a spook could lose his cool and offer Bidzos a death threat would be if that spook were totally unfamiliar with people not compromising.
Actually, I know of at least one other case where a major exec at a crypto company threw NSA people out on their ears after they offered to write some software to help with a project. I think you're confusing two different types of subversion.
1. Company policy based subversion.
This is the type where word comes down from above to put in 'helper fields', etc. I can't see this happening in any company which was not simply a LEA front (such as Crypto-AG). The liability would be simply too great, the exposure too likely. This would require a large number of employees and former employees to know, yet keep their mouths shut. When exposed, the officers of the company would be subject to criminal fraud and conspiracy charges, as well as a variety of civil suits. It's simply a non-starter. Lew Giles can make as many pleas as he wishes; but I don't think he'll get many results.
2. Individual treachery.
This type involves corrupting one or more engineers, whether via money, threats, or misplaced appeals to patriotism. This is more likely to succeed in the short term than type 1, but is very fragile for several reasons familiar to anyone who has done commercial software development.
* Peer code reviews mean that many eyes look at the code.
* Employee turnover in the field is high - 30-50% a year. Thus, bugs inserted by earlier compromised employees are unlikely to last through many release cycles, as new employees come in and say 'Oops - Joe forgot to init the PRNG properly - let's fix that!'
* Source code management systems make it very difficult for a single actor to monkey with code secretly, and even harder to cover his tracks.
You may consider me paranoid, but I'm telling you that the case of Lotus Notes was just the one that people found out about. If Lotus had to do that to get export approval from the BXA, then so did everybody else. I do not buy the story that what happened to PGP was an accident; on the contrary, it was just NAI doing what they had to do to get approval to put it up for international downloads, the same as Lotus just did what it had to do. And, I'm telling you now, the same as AOL and Microsoft did what they had to do with the browsers.
Ray
Actually, it's pretty clear what happened with most of those cases where companies were allowed to ship strong crypto overseas before most of the restrictions were lifted. They all involved products where at least one party of the communications was a large organization or company which was subject to, and could be counted on complying with, subpoenas and court orders. Thus the authorities had another route by which to acquire content in which they were interested.
I have little doubt that government organizations have attempted to subvert commercial crypto at various times in various ways. However, the 'help fields' you describe are simply implausible in open protocols such as SSL.
Again, I ask you to point to the evidence. I and others have already run the searches you suggested and come up dry. Where are the URLs? As it stands, you are spreading FUD.
Peter Trei
"Trei, Peter" wrote: <<NSA et al inducing a company to write bad crypto software>>
2. Individual treachery.
This type involves corrupting one or more engineers, whether via money, threats, or misplaced appeals to patriotism. This is more likely to succeed in the short term than type 1, but is very fragile for several reasons familiar to anyone who has done commercial software development.
* Peer code reviews mean that many eyes look at the code.
* Employee turnover in the field is high - 30-50% a year. Thus, bugs inserted by earlier compromised employees are unlikely to last through many release cycles, as new employees come in and say 'Oops - Joe forgot to init the PRNG properly - let's fix that!'
* Source code management systems make it very difficult for a single actor to monkey with code secretly, and even harder to cover his tracks.
I'm less sanguine. What follows is mainly based on my experience as a consulting or contract programmer, but it matches the comments of other programmers. I've never worked at a company which made privacy software, though several companies rolled their own crypto for their products.
- Code review? What's that? We can't waste time having programmers look over each other's work. Besides, we don't want to make it look like we don't trust them. Even in shops which did have code reviews, they usually consisted of Johnny-on-the-spot explaining in broad terms what a function did and going over a piece of which he was particularly proud while everyone else nodded sagely while thinking about their kid's soccer practice. I wouldn't want to testify that any of the "reviewers" had even read the code before or during the meeting.
- Depending on the shop, code which is difficult to understand may remain untouched for years. So long as it does what it's supposed to do, or its shortcomings can be compensated for at lower immediate cost than rewriting the blob, many places just leave it be. The code chunk might well be looked at by many eyes, but they'll all roll up before making much headway. So the moral for the subverted programmer is to write his poison pill very badly and don't explain how it works.
- Many places I've worked have been too cheap to buy a version control license for every developer, so everyone just logs in as PVCS and checks in changes. And hardly anyone looks at the comments, except to scan for comments like "Fixed bug #521".
Now, I think your general point is right, that it would be somewhat difficult for a subverted programmer to insert deliberately broken crypto, and a very bet to expect it to stay in for any length of time. However, if the privacy software companies operate anything like the companies I've worked for or consulted at, it could well happen.
Disgustedly,
SRF
--
Steve Furlong, Computer Condottiere     Have GNU, will travel
518-374-4720     sfurlong@acmenet.net
Steven Furlong wrote:
Now, I think your general point is right, that it would be somewhat difficult for a subverted programmer to insert deliberately broken crypto, and a very bet to expect it to stay in for any length of time. ^--- However, if the privacy software companies operate anything like the companies I've worked for or consulted at, it could well happen.
Duh, that's supposed to be "very bad bet".
Also, I should note that an ISO-900x shop will have procedures that should be followed for all aspects of development. The procedures aren't a cure-all, but they do make surreptitious bad behavior much less likely. Alas, not many software shops have ISO-900x certification.
--
Steve Furlong, Computer Condottiere     Have GNU, will travel
518-374-4720     sfurlong@acmenet.net
On Thu, 28 Sep 2000, Steve Furlong wrote:
Also, I should note that an ISO-900x shop will have procedures that should be followed for all aspects of development. The procedures aren't a cure-all, but they do make surreptitious bad behavior much less likely. Alas, not many software shops have ISO-900x certification.
The trick would be to subvert the code management system and the build shop. That would generally require higher access than the programmers have. Not that it couldn't be hacked, but you'd have a lot of logs (and if they're using a journaling filesystem that adds yet another layer) to wipe. That means time. Such a hack would take a planned extended effort. It generally wouldn't be spur of the moment.
Then again, code reviews on future releases of that code base and the patch shop roaming around would provide post facto mechanisms for finding such kludges.
____________________________________________________________________
He is able who thinks he is able.
Buddha
   The Armadillo Group       ,::////;::-.          James Choate
   Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
   www.ssz.com            .',  ||||    `/( e\      512-451-7087
                       -====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
At 09:06 PM 28/09/00 -0500, Jim Choate wrote:
On Thu, 28 Sep 2000, Steve Furlong wrote:
Also, I should note that an ISO-900x shop will have procedures that should be followed for all aspects of development. The procedures aren't a cure-all, but they do make surreptitious bad behavior much less likely. Alas, not many software shops have ISO-900x certification.
The trick would be to subvert the code management system and the build
of a system that inserts "CDR"'s would it not? so we could avoid subject lines like "Re: CDR: Re:" in the subject line??? What? Speak louder, use English too. traffic analysis? For WHAT? why do you need to anal-ize the traffic? who's your daddy? who's paying the bill? or is there a sword of Damocles dangling not far from you? Bad Coding Practices, heh. You're busted, big time pal,,,
shop. That would generally require higher access than the programmers have. Not that it couldn't be hacked, but you'd have a lot of logs (and if they're using a journaling filesystem that adds yet another layer) to wipe. That means time. Such a hack would take a planned extended effort. It generally wouldn't be spur of the moment.
Then again, code reviews on future releases of that code base and the patch shop roaming around would provide post facto mechanisms for finding such kludges.
____________________________________________________________________
He is able who thinks he is able.
Buddha
   The Armadillo Group       ,::////;::-.          James Choate
   Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
   www.ssz.com            .',  ||||    `/( e\      512-451-7087
                       -====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
At 09:00 PM 9/28/00 -0400, Steven Furlong wrote:
"Trei, Peter" wrote:
<<NSA et al inducing a company to write bad crypto software>>
2. Individual treachery.
This type involves corrupting one or more engineers, whether via money, threats, or misplaced appeals to patriotism. This is more likely to succeed in the short term than type 1, but is very fragile for several reasons familiar to anyone who has done commercial software development.
On the flip side: In yesterday's news the FAA was getting abuse for hiring lots of furriner-contractors with lapsed clearances to do y2k and other work. The feds fear the same subversion that citizens fear of the NSA.
David Honig wrote:
In yesterday's news the FAA was getting abuse for hiring lots of furriner-contractors with lapsed clearances to do y2k and other work. The feds fear the same subversion that citizens fear of the NSA.
I didn't see yesterday's news, but I've been watching this little would-be drama for a year. Late last year it came to the attention of the newsies that furriners were hired for a lot of the Y2K remediation coding. Oh, no! They're probably deliberately breaking it so the US will come crumbling down and they can take over! Well, Jan 1 came and went and the light didn't even flicker. Maybe six months ago the panic-mongers announced that the furriners might have been putting in back doors all along.
I don't know whether the mongering comes from newsies anxious to sell copy or from crats wanting to increase their budgets. Unspoken collusion, most likely.
Speaking from my own experience in working with a _lot_ of foreign contract programmers, most of them are as capable and conscientious as a randomly chosen selection of American programmers. A very large fraction, 3/4 or more, want to stay here indefinitely.
Ta,
SRF
--
Steve Furlong, Computer Condottiere     Have GNU, will travel
518-374-4720     sfurlong@acmenet.net
participants (6)
- David Honig
- Jim Choate
- Reese
- Steve Furlong
- Steven Furlong
- Trei, Peter