[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Shimomura on BPF, NSA, Crypto
Shimomura on BPF, NSA and Crypto:
One of the tools I modified for my work was a sophisticated
piece of software called the Berkeley Packet Filter. ...
Unlike the original BPF, my version was designed to bury
itself inside the operating system of a computer and watch
for certain information as it flowed through the computer
from the Internet. When a packet from a certain address, or
for that matter any other desired piece of information
designated by the user flashed by, BPF would grab it and
place it in a file where it could be kept for later
viewing.
I had developed my initial version of the faster BPF in the
expectation that I would receive additional research
funding for the work from the National Security Agency. The
Agency had begun supporting my work under a Los Alamos
National Labs research grant in 1991, and had promised to
extend their support for my work, but the funding was never
forthcoming. I developed the tool, but after I completed
the work, in early 1994, the bureaucrats in the agency
reneged on funding.
The idea of working with the NSA is controversial in the
community of security professionals and civil libertarians,
many of whom regard the NSA as a high-tech castle of
darkness.
Libertarian by inclination or by the influence of their
colleagues, the nation's best computer hackers tend to
possess a remarkable sensitivity to even the slightest hint
of a civil liberties violation. They view with deep
distrust the work of the National Security Agency, which
has the twin missions of electronic spying around the globe
and protecting the government's computer data. This
distrust extends to anyone who works with the agency. Am I
contaminated because I accepted research funding from the
NSA? The situation reminds me of the scene in the movie Dr.
Strangelove where General Jack D. Ripper is obsessed by the
idea of his bodily fluids being contaminated. I think the
idea of guilt by association is absurd.
My view is very different. First of all, I don't believe in
classified research and so I don't do it. The work I was
undertaking on packet-filtering tools was supposed to be
funded by the agency for public release. The tools were to
be made widely available to everyone, to use against the
bad guys who were already using similar tools to invade
people's privacy and compromise the security of machines on
the Internet.
But even more to the point, I believe that the agency,
rather than inherently evil, is essentially inept. Many
people are frightened of the NSA, not realizing that it is
like any other bureaucracy, with all of a bureaucracy's
attendant failings. Because the NSA staff lives in a
classified world, the government's normal system of checks
and balances doesn't apply. But that doesn't mean that
their technology outpaces the open computer world; it just
means they're out of touch and ponderous.
In any case, I feel strongly that tools like BPF are
absolutely essential if the Internet is to have real
security, and if we are to have the ability to trace
vandals through the Net. If people are concerned that
individual privacy is at stake, they should probably worry
less about who should have the right to monitor the
networks, and instead focus their efforts on making
cryptographic software widely available. If information is
encrypted it doesn't matter who sees it if they can't read
the code. Cryptography is another example of my point that
a tool is just a tool. It was, after all, used primarily by
kings, generals, and spies until only two decades ago. Then
work done by scientists at Stanford, MIT, and UCLA, coupled
with the advent of the inexpensive personal computer, made
encryption software available to anyone. As a result, the
balance of power is dramatically shifting away from the NSA
back toward the individual, and toward protecting our civil
liberties.
["Takedown," pp. 102-04]