RE: NSA and competence
An anonymous author comments on my comments...
>> I think that this message betrays a serious misconception that a number of
>> people likely share, and that has to do with the levels of security offered by
>> commercial versus military methods.
>I think that this reply betrays a serious lack of reading competence. The
>breakthroughs cited were the most important breakthroughs in the
>science of cryptography, period. There are no branches of mathematics
>called "military" and "commercial". The techniques have both
>military and commercial application. There is no evidence that the NSA
>knows about _any_ fundamental technique that has not been published
>in the literature. Nor is there any evidence (save the hearsay about
>S-boxes, which were actually developed at IBM) that they have made
>any major contribution to the science of cryptography, despite the
>massive resources they throw into it. But they do want to preserve their
>jobs, so they would like you to think they do. Their ability to drop
>hints here and there without having to demonstrate they actually know
>anything, to make people believe that Skipjack is an "advanced" algorithm
>without having to actually publish it, in general their ability
>to use their top secret status for the purpose of selective
>revelation, is perfectly suited to this kind of PR.
I always love it when they try to get a personal attack in first; be that as it
may, I prefer to think my reading competence is quite adequate, thank you. As
for there not being any branches of mathematics that differentiate between
application, you make a serious error when you fall into the standard academic
'if they didn't publish it, they didn't do it' mentality. Unlike corporations
such as AT&T with the old Bell System Technical Journal or IBM with their
internal publication of their own filed patents (and technical papers designed
to act as prior art to prevent *others* from filing patents), NSA and the others
who make advances do not publish, but build systems that stay in the defense
sector and remain classified. If you want an interesting clue as to what sort
of things they will leak into the commercial domain every so often, research the
creation of relational databases and the involvement of CIA; it is quite
educational.
As for their making advances, they have done it on a number of occasions, and I
think you would benefit by reading a good primer on the history of the topic and
organizations. Kahn or Bamford would do nicely. As for rumours... I am
uncertain of which rock you have been hiding under, but until recently, they
weren't even officially recognized, and capabilities that we know about are
known more from leaks or defectors. NSA is a military organization and is run
as one; the snake pit that the anonymous author works in may operate on rumour,
but these people do not.
>Thus they can claim to "contribute to American competitiveness" by
>releasing Skipjack, an algorithm for which there is _not even
>any evidence that it is stronger than DES_, much less state of
>the art algorithms like IDEA. This has the actual effect
>of shooting the American computer security industry in the balls,
>while making Congress believe they are helping it.
Actually, the argument they are truly using is one of 'the child down the street
can listen to your portable and cell phone conversations, and this will stop
that.' What Skipjack and Clipper provide is a higher floor for the average
person; it also, incidentally, kills the viability of the marketplace for
alternate solutions. No money, no advances. Life gets simpler for them. I
have pointed this out in my two earlier posts, which you in fact are commenting
on.
>Note that I am _not_ accusing the NSA of political incompetence.
>Any organization that can get a Congressional intelligence committee
>to vote its way 13-0, that can keep pushing a warmed-over DES
>crippled with a last-minute Rube Goldberg version of key escrow,
>in the face of 70% public opposition (and nearly unanimous and quite
>vocal opposition in the hi-tech industries) is no political slouch.
>Any organization that can increase their budget after their mission
>has gone away, knows the ropes in D.C. They are simply much better
>lobbyists than cryptographers.
NSA didn't get anyone to do anything; the situation is status quo--crypto wasn't
liberalized for export, which is what Cypherpunks want, and would have
constituted a change. NSA has a very real function, which I would like to
remind you of--they are responsible for the introduction of technology security
into the Defense Department. Based on track record, from 'spy birds' capable of
picking up a conversation on the ground, to creating the first evaluation rigor
of computer security (even though Orange was out of date when instituted), they
have been doing it. As for political ability, of course they are no slouch;
they view it much as I do, a form of warfare, which they are very good at. Has
their mission gone away? Not in the least; they are still the watchdog of the
airwaves. People who think that NSA and CIA have no remaining mission are
people who have no understanding of what they do.
>> integration style 'one shot' systems for military use created a number of
>> companies, such as the Honeywell Secure Computing Technology Center, as well as
>> a number of DARPA funded groups such as Cray and Thinking Machines.
>Of course with their budget, they can buy lots of slick hardware.
>That doesn't mean they know how to use it well.
>Let's face it, our awe of NSA stems entirely from their budget
>and their ability to stamp their incompetence top secret.
I don't think you know *how* they use the gear they have, so I recommend you
don't make comments that you are not informed to make. My awe of NSA comes from
viewing them as a powerful opponent with incredible resources, but as one who is
limited by their own tradecraft; a healthy respect, but we hold our own.
You do raise an interesting point, and that is the ability of groups such as NSA
to abuse their Classification privilege. They do. Everyone in the
intelligence community does. Far too much material is considered classified.
The hazards of professional intelligence organizations stem from classification;
they aren't open to outside review, analyses can end up driven by political
agendas rather than available facts (see Casey and his positions vis a vis
terrorism and State sponsorship by the Sovs and Libyans, neither of which is
accurate), and sometimes gross errors are covered by the same cloak of secrecy.
Do not, however, assume that they do not know and perform their job to the best
of their abilities, or you will be in the position of the mark talking to a
cardsharp: 'I'm not any good at cards, but I sure do like to play for money.'
Michael Wilson
Managing Director, The Nemesis Group
[The Maryland Procurement Office, which was the shell used to purchase budgeted
items of a 'black' nature by the intelligence community, actually published (by
accident) their complete records during the hottest part of the Cold War. You
can find them if you look in the right place, and see what it was that NSA, CIA,
etc. were spending their money on. Capability is augmented by resource,
including such hardware, and so this gives vital clues as to the lines they were
developing themselves along.]