Return-Path: <sentto-279987-5271-1030586384-fc=all.net@returns.groups.yahoo.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 28 Aug 2002 19:10:08 -0700 (PDT) Received: (qmail 27344 invoked by uid 510); 29 Aug 2002 02:06:52 -0000 Received: from n25.grp.scd.yahoo.com (66.218.66.81) by all.net with SMTP; 29 Aug 2002 02:06:52 -0000 X-eGroups-Return: sentto-279987-5271-1030586384-fc=all.net@returns.groups.yahoo.com Received: from [66.218.67.192] by n25.grp.scd.yahoo.com with NNFMP; 29 Aug 2002 01:59:44 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_1_0_1); 29 Aug 2002 01:59:44 -0000 Received: (qmail 27384 invoked from network); 29 Aug 2002 01:59:43 -0000 Received: from unknown (66.218.66.216) by m10.grp.scd.yahoo.com with QMQP; 29 Aug 2002 01:59:43 -0000 Received: from unknown (HELO red.all.net) (12.232.72.152) by mta1.grp.scd.yahoo.com with SMTP; 29 Aug 2002 01:59:40 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g7T20Es06800 for iwar@onelist.com; Wed, 28 Aug 2002 19:00:14 -0700 Message-Id: <200208290200.g7T20Es06800@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Wed, 28 Aug 2002 19:00:14 -0700 (PDT) Subject: [iwar] [fc:Lobbying.for.Insecurity] Reply-To: iwar@yahoogroups.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Lobbying for Insecurity The NSA's Linux security project was so good it almost made up for that whole Echelon thing. Then politics entered the picture. By Jon Lasser Aug 28, 2002 The U.S. National Security Agency's contribution to open-source security, Security-Enhanced Linux, found broad approval and support in geek forums from Wired News to Slashdot that are typically suspicious of the government. It's not surprising that it couldn't last, however, and a recent CNET article suggests that the NSA may not make further contributions to software released under the GNU General Public License, and perhaps other open-source licenses. What prompted this decision? Not abuse of their code by script kiddies, nor the ungrateful trolling of the hordes, but lobbying by the U.S. software industry against the government giving away something that could compete with products sold commercially. Microsoft in particular allegedly conducted intense lobbying to block further open-source development by the NSA, according to CNET. The most secure software in the world doesn't improve security if nobody runs it, or if it's incompatible with what the vast majority of people run. We already knew that security is less a technical problem than a human problem. If true, Microsoft's alleged NSA coup demonstrates that it's a political one as well. Anything which encourages the use or development of proprietary systems that are difficult to certify for even the most basic levels of security creates additional risk to computer systems; reducing government support for security development for any widely-available and widely-used operating system creates additional risk; and suppressing the development of a competitor's secure software on the basis of market concerns creates a security risk for your customers as well as your competitor's customers. None of which is to say that Microsoft is doing anything wrong. They're a business, and they are doing what they need to do to win in the marketplace. What's wrong is the rest of the industry allowing them to get away with it. So what can be done about it? I believe that developing code that runs securely is a good first step, as News.com columnist Declan McCullagh suggests in a recent opinion piece. However, it's hardly a complete solution. No, what we need to do now is something we haven't been very good at. We have to start playing politics. The most secure software in the world doesn't improve security if nobody runs it, or if it's incompatible with what the vast majority of people run. Standard is better than better. VINES networks might be more secure than TCP/IP but it does little to secure the Internet as a whole. MD5 password hashing was always more secure than old Unix crypt password hashes, but until vendors started shipping the code, and integrating it via Pluggable Authentication Modules, it made little difference. Politics is an essential element in the success of any given technology. The quality matters some, as do other factors, but the people and organizations with a knack for the for political are the ones who get to the finish line first. I'm using the term "politics" broadly here: it includes standards-setting, personal relationships between major personalities, and marketing. We've seen politics at work in our own community. Quite a number of people feel that Linux is technically inferior to FreeBSD, OpenBSD, or even NetBSD. That makes Linux's success in the marketplace the quintessential triumph of politics: Linux succeeded by being in the right place at the right time, having a unified front in public (if not behind-the-scenes), having a recognizable name and logo, and a number of popular, well-liked people to provide a public face for the effort. The security community, and the open-source security community in particular, can use that as a roadmap to ensuring that secure open-source solutions aren't buried by proprietary competitors. There's no harm in writing your Senator or the President; it might help to submit comments to the FTC. But it takes a lot of money and a lot of power to influence the NSA. We should focus our main efforts, instead, on battles that we can win. These are the battles within standards organizations and within our workplaces. Convince the W3C to reject patent-encumbered standards. Make it a policy to rely on open, documented protocols instead of proprietary monstrosities. If we don't want to lose future market share, if we don't want Microsoft to dictate its terms to the security community, if we don't want to be stuck with whatever they choose to offer the marketplace, we have to play politics. The only alternative is to let Microsoft dominate the marketplace and dictate future standards. I can't imagine how ------------------------ Yahoo! Groups Sponsor ---------------------~--> 4 DVDs Free +s&p Join Now http://us.click.yahoo.com/pt6YBB/NXiEAA/MVfIAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT