Official Anonymizing
Greg Broiles
gbroiles at well.com
Wed Sep 5 12:46:01 PDT 2001
At 02:37 PM 9/5/2001 -0400, Faustine wrote:
> >And, in the spirit of full disclosure, I'll mention that at C2Net we did
> >sell our software to the government/intelligence agencies who wanted it -
> >they paid the same prices as any other customers, signed the same sales
> >contracts (we'd negotiate some on warranty terms for big purchases), and
> >otherwise got what everyone else got - not more, not less.
>
>Your honesty is admirable--and unlike certain other cases, I don't have any
>real reason to doubt what you say. But are you sure you have adequate
>security and counter-economic espionage measures in place? Have you had
>anyone do penetration testing lately? How much do you trust the people you
>work with?
Everything I've mentioned about C2Net is now several years old - I left the
company in the last few months of 1998, and they've since been acquired and
swallowed up by Red Hat (RHAT), and (almost?) everyone who worked there
when I was there has also left. If I weren't confident that I'm talking
about history, not current events, I wouldn't be saying anything. (... and
there are some parts of the C2Net history which I'll likely never be in a
position to disclose, ethically speaking, because of the nature of my
relationship (general counsel) with the organization. Caveat emptor.)
We did take an active interest in the security of our systems and codebase
- I don't think we were perfect, with respect to physical or electronic
security, but we were pretty paranoid, perhaps at some cost to the personal
lives of the principals involved.
But your points about insider risks are well taken - especially given that
most security incidents have an inside, not outside, source. I believe that
the software we published was free of intentional holes or errors, and was
built as carefully as we knew how; that belief is based on my familiarity
with the build environment, and my knowledge over several years of the
people involved in the development process, and my impressions of their
competence and integrity.
Still, people's expectations and faith in other people can be misplaced -
cf. Aldrich Ames, Robert Hanssen (a personal friend of James [Puzzle
Palace, Body of Secrets] Bamford, who never suspected), and Brian Regan - I
don't know of any method or practice which can prevent hidden betrayal, for
love or money or boredom or personal animus. And Ken Thompson's
"Reflections on Trusting Trust" <http://www.acm.org/classics/sep95/> serves
as a reminder of how subtle a betrayal or compromise can be, yet remain
active and dangerous.
A big part of our counter-economic-coercion resistance was ideological - if
people really believe that they're working to protect and defend freedom
and privacy, it's hard to tempt them with money, at least not just a little
money. On the other hand, it's easier to tempt them with ideological
arguments, which are cheaper; or for them to become so entranced with each
other's political correctness that they lose sight of basic personal
integrity and decency. (We didn't have trouble with that at C2Net, but it's
historically been a problem inside ideologically-motivated organizations or
groups.)
>With a lot of
>young tech companies having spent the last few years feeling fat, happy,
>and oh-so-much smarter than those fusty old feds, you've got a potentially
>massive disaster in the making.
Pride goeth before destruction; and a haughty spirit before a fall.
--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids