At 06:31 PM 8/20/96 -0500, Frank Stuart wrote:

Since we don't know how the intruders broke in, we can only speculate. I can think of several scenarios where cryptographic techniques could help. I can also think of several where they wouldn't. When you've only got 20 seconds to explain to a non-technical audience, I don't think it's dishonest to say that it might have prevented it.

Off the top of my head, here are a couple examples:

1. It's possible that a DOJ employee logged in from a remote site while the intruders were snooping somewhere along the way. If the link had been encrypted, that would have made things much more difficult or impossible for the attackers.

2. Perhpas the intruders used IP spoofing and .rhosts to break in. If machines had to be cryptographically authenticated, a rsh from the wrong machine wouldn't work.

One of the best comments I have seen (from another list) was: "These are the people who want us to escrow our encryption keys with them and yet they can't protect their own web site." I think this can be used as a very valid example as to why they are untrustworthy to be in charge of keeping anything private and/or protected, let alone private encryption keys. --- | "Remember: You can't have BSDM without BSD. - alan@ctrl-alt-del.com "| |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano@teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano@teleport.com |