CDR: Re: Lions and Tigers and Backdoors, oh, my...

Ray Dillinger bear at sonic.net
Wed Sep 27 13:47:49 PDT 2000

On Wed, 27 Sep 2000, Trei, Peter wrote:

>Can you document this claim of the existence of 'help fields' in
>Netscape? 

Not directly I can't, at least not without betraying someone.
In retrospect, I should've used a nym to make the statement 
to keep him out of trouble.

>I am (to put it mildly) astonished by this claim, and
>more than a little skeptical. I was aware of the Workfactor
>Reduction field in the export 'aka International' version of Lotus Notes
>(which this 'help field' seems identical to), but was not aware
>of it being included in any other application.

Okay, let's forget what I know from people I don't want to drag 
into the fire and go through it from the "circumstantial" angle.

What does it mean when Lotus Notes has to put a work reduction field 
in their product in order to get export approval status, and then 
doesn't talk about it?  But lots of other companies who also don't 
talk about it, with stronger-seeming crypto get export approval 
status? 
       <you brought it up, you document it...>

What does it mean when banks refuse to work with earlier versions 
of Netscape claiming it's because the security certs are expired -- 
but when new security certs are downloaded and installed, they 
still refuse to work with earlier versions of Netscape and refuse 
to tell you why? (This, btw, was what made me suspicious in the 
first place and why I started digging...)
	<http://banking.wellsfargo.com/>

What does it mean when Lew Giles, even after the rules change to the 
BXA-controlled system, made a living going around convincing 
engineers working for American companies to compromise their products'  
security? With or without knowledge of the companies' execs?
        <http://www.counterpane.com/crypto-gram-9902.html#backdoors>

What does it mean when PGP has a "flaw" introduced into its 
Additional Decryption Keys at the same time NAI is seeking 
export approval for it?  And NAI gets export approval, and 
then nobody notices the flaw for several years after, and 
then they go oops, it was just a mistake?
	<in light of recent news, I don't figure I have 
	to document this one>

What does it mean when a CEO who actually can and does review 
code, so subverted engineers can't seem to get one past him, in 
a meeting with NSA officials refuses to compromise -- and one of 
the spooks loses his cool and offers to run the guy over in the 
parking lot?  I'll explain this one to you...  it means that spook 
_HAD_NEVER_SEEN_ anyone refuse to compromise, and had no fucking 
clue what to do.  That's if you buy the "he just lost his cool" 
story.  On the other hand, death threats may be policy and this 
was just the first time they were needed.  And on the gripping 
hand, maybe it's just the first time it was *reported*.  Not very 
many execs would talk about something like that, and I figure most 
who've experienced it probably just shut up and gave the spooks 
whatever they wanted.

<Considering your address, I figure you know about this one, 
 so I'm not going to bother documenting it. >

Lew Giles and its ilk had to have some kind of bargaining position, 
and if export approval was forthcoming without subverting security 
in some way, would have had none.  The only way a spook could lose 
his cool and offer Bidzos a death threat would be if that spook were 
totally unfamiliar with people not compromising.  

You may consider me paranoid, but I'm telling you that the case of 
Lotus Notes was just the one that people found out about.  If Lotus 
had to do that to get export approval from the BXA, then so did 
everybody else. I do not buy the story that what happened to PGP 
was an accident; on the contrary, it was just NAI doing what they 
had to do to get approval to put it up for international downloads, 
the same as Lotus just did what it had to do.  And, I'm telling 
you now, the same as AOL and Microsoft did what they had to do with 
the browsers.

				Ray