Official Anonymizing

Greg Broiles gbroiles at well.com
Wed Sep 5 12:46:01 PDT 2001


At 02:37 PM 9/5/2001 -0400, Faustine wrote:

> >And, in the spirit of full disclosure, I'll mention that at C2Net we did
> >sell our software to the government/intelligence agencies who wanted it -
> >they paid the same prices as any other customers, signed the same sales
> >contracts (we'd negotiate some on warranty terms for big purchases), and
> >otherwise got what everyone else got - not more, not less.
>
>Your honesty is admirable--and unlike certain other cases, I don't have any
>real reason to doubt what you say. But are you sure you have adequate
>security and counter-economic espionage measures in place? Have you had
>anyone do penetration testing lately? How much do you trust the people you
>work with?

Everything I've mentioned about C2Net is now several years old - I left the 
company in the last few months of 1998, and they've since been acquired and 
swallowed up by Red Hat (RHAT), and (almost?) everyone who worked there 
when I was there has also left. If I weren't confident that I'm talking 
about history, not current events, I wouldn't be saying anything. (... and 
there are some parts of the C2Net history which I'll likely never be in a 
position to disclose, ethically speaking, because of the nature of my 
relationship (general counsel) with the organization. Caveat emptor.)

We did take an active interest in the security of our systems and codebase 
- I don't think we were perfect, with respect to physical or electronic 
security, but we were pretty paranoid, perhaps at some cost to the personal 
lives of the principals involved.

But your points about insider risks are well taken - especially given that 
most security incidents have an inside, not outside, source. I believe that 
the software we published was free of intentional holes or errors, and was 
built as carefully as we knew how; that belief is based on my familiarity 
with the build environment, and my knowledge over several years of the 
people involved in the development process, and my impressions of their 
competence and integrity.

Still, people's expectations and faith in other people can be misplaced - 
cf. Aldrich Ames, Robert Hanssen (a personal friend of James [Puzzle 
Palace, Body of Secrets] Bamford, who never suspected), and Brian Regan - I 
don't know of any method or practice which can prevent hidden betrayal, for 
love or money or boredom or personal animus. And Ken Thompson's 
"Reflections on Trusting Trust" <http://www.acm.org/classics/sep95/> serves 
as a reminder of how subtle a betrayal or compromise can be, yet remain 
active and dangerous.

A big part of our counter-economic-coercion resistance was ideological - if 
people really believe that they're working to protect and defend freedom 
and privacy, it's hard to tempt them with money, at least not just a little 
money. On the other hand, it's easier to tempt them with ideological 
arguments, which are cheaper; or for them to become so entranced with each 
other's political correctness that they lose sight of basic personal 
integrity and decency. (We didn't have trouble with that at C2Net, but it's 
historically been a problem inside ideologically-motivated organizations or 
groups.)

>With a lot of
>young tech companies having spent the last few years feeling fat, happy,
>and oh-so-much smarter than those fusty old feds, you've got a potentially
>massive disaster in the making.

Pride goeth before destruction; and a haughty spirit before a fall.

--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids