Secret Stuff in COTS

Bernard Robertson-Dunn brd@dynamite.com.au
Mon, 03 Aug 1998 10:13:32 +1000 

<brd>
It's not only Easter Egss that can hide in COTS (Commercial Off The
Shelf - not Casualties of Telstra) software.

The potential for all sorts of skullduggery is immense once commodity
software starts to implement back-doors and unknown/undocumented
features.

The following item discusses the "US government access to citizens'
encrypted communications". What worries me is the combination of rogue
COTS software doctored by the vendor at the behest of a US Governemnt
Agency.

Example: a word processing system recognises certain key-words and then
emails a message to Big Brother USA containing the document, details of
the user, the machine's address and the contents of the user's
directory.

I know there are Word macro viruses that can do this already but at
least you can see macros and do something about them. Code embedded in
an application is a lot more difficult to deal with.

I wonder what the level of awareness is amongst Non-USA governments and
in the commercial sector?

Am I getting paranoid in my old age? After all, we do have our
democratic government to protect us don't we? Don't we? 

</brd>

from 
Coalition for Constitutional Liberties
Weekly Update for 7/31/98
Volume I, Number 24

Brought to you by the Center for Technology Policy
of the Free Congress Foundation

Lisa S. Dean, Director (mailto:lsdean@fcref.org)
Patrick S. Poole, Deputy Director (mailto:ppoole@fcref.org)
Oliver Black, Research Associate (mailto:oblack@fcref.org)
phone: 202-546-3000
fax: 202-544-2819
http://www.freecongress.org/

For a Web version of this update go to:
http://www.freecongress.org/cfcl/latest.htm

NSA Working Hard for Computer Back Doors

Recovering from the days of complete secrecy regarding their mission,
the National Security Agency is beginning to be well known for their
heavy-handed tactics in getting software and switch and router vendors
to re-tool their products. The agency's goal: to ensure that the
government has access to citizens' encrypted communications.

The computer industry is facing a year-end deadline to add a
government-approved back door into network gear. Vendors that don't
comply face losing export privileges. The pressure seems to be working.

Industry insiders are reporting that It's gotten to the point where no
vendor hip to the NSA's power will even start building products without
checking in with Fort Meade first. This includes even that supposed
ruler of the software universe, Microsoft Corp. "It's inevitable that
you design products with specific [encryption] algorithms and key
lengths in mind," said Ira Rubenstein, Microsoft attorney and a top
lieutenant to Bill Gates. By his own account, Rubenstein acts as a
"filter" between the NSA and Microsoft's design teams in Redmond, Wash.
"Any time that you're developing a new product, you will be working
closely with the NSA," he noted.

In addition, some companies are discovering that dealing with the
Commerce Department for a KMI license means more involvement with the
NSA. The Bureau of Export Control is actually just a front for the NSA,
said Alison Giacomelli, director of export compliance at VPNet
Technologies, Inc., a San Jose, Calif.-based vendor of IP-based
encryption gateways. "The NSA has sign-off authority on these KMI
licenses," Giacomelli said. In return for the KMI license, VPNet opened
itself up for an NSA audit. 

"They've already come out once, and they'll be coming out again,"
Giacomelli said. VPNet remains committed to meeting the deadline for
adding key-recovery to its product but has one major problem:
uncertainty about what the NSA really wants. The confusion means
"there's a lot of risk . . . in terms of engineering and resources,"
Giacomelli said.

But in its attempt to gain access to citizens' electronic data, the NSA
also has urged companies to weaken their commercial encryption programs
to speed their access. In one instance, the spy agency forced MasterCard
to dumb down the Secure Electronic Transaction (SET) credit-card
encryption standard.

When MasterCard first thought of creating SET for credit-card
encryption, "we ran over to the government to tell them what we wanted
to do," said John Wankmuller, MasterCard's principal in charge of
electronic commerce. However, the NSA quickly threw a damper on the
company's enthusiasm. "They told us what we wouldn't do," Wankmuller
said.

The NSA nixed the idea that SET should be able to encrypt the customer's
entire purchase information, limiting the encrypted fields to the
account number, amount and the expiring date, Wankmuller said. "In the
end, it's a very small amount of data that gets encrypted."

Read "The Long, Strong Arm of the NSA":
http://www.cnn.com/TECH/computing/9807/27/security.idg/

-- 
That which does not crash your system only makes it slower.
-- Cameron Heide 

Regards
brd
+-------------------------+
|Bernard Robertson-Dunn   |
|Canberra Australia       |
|brd@dynamite.com.au      |
+-------------------------+