[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NSA and competence



An anonymous author comments on my comments...

>> I think that this message betrays a serious misconception that a number of
>> people likely share, and that has to do with the levels of security offered 
by
>> commercial versus military methods.

>I think that this reply betrays a serious lack of reading competence.  The
>breakthroughs cited were the most important  breakthroughs in the 
>science of cryptography, period.  There are no branches of mathematics
>called "military" and "commercial".  The techniques have both
>military and commercial application.  There is no evidence that the NSA 
>knows about _any_ fundamental technique that has not been published 
>in the literature.  Nor is there any evidence (save the hearsay about
>S-boxes, which were actually developed at IBM) that they have made
>any major contribution to the science of cryptography, despite the
>massive resources they throw into it.  But they do want to preserve their 
>jobs, so they would like you to think they do.  Their ability to drop 
>hints here and there without having to demonstrate they actually know 
>anything, to make people believe that Skipjack is an "advanced" algorithm 
>without having to actually publish it, in general their ability
>to use their top secret status for the purpose of selective
>revelation, is perfectly suited to this kind of PR. 

I always love it when they try to get a personal attack in first; be that as it 
may, I prefer to think my reading competence is quite adequate, thank you.  As 
for there not being any branches of mathematics that differentiate between 
application, you make a serious error when you fall into the standard academic 
'if they didn't publish it, they didn't do it' mentality.  Unlike corporations 
such as AT&T with the old Bell System Technical Journal or IBM with their 
internal publication of their own filed patents (and technical papers designed 
to act as prior art to prevent *others* from filing patents), NSA and the others
who make advances do not publish, but build systems that stay in the defense 
sector and remain classified.  If you want an interesting clue as to what sort 
of things they will leak into the commercial domain every so often, research the
creation of relational databases and the involvement of CIA; it is quite 
educational.

As for their making advances, they have done it on a number of occassions, and I
think you would benefit by reading a good primer on the history of the topic and
organizations.  Kahn or Bamford would do nicely.  As for rumours...  I am 
uncertain of which rock you have been hiding under, but until recently, they 
weren't even officially recognized, and capabilities that we know about are 
known more from leaks or defectors.  NSA is a military organization and is run 
as one; the snake pit that the anonymous author works in may operate on rumour, 
but these people do not.

>Thus they can claim to "contribute to American competitiveness" by
>releasing Skipjack, an algorithm for which there is _not even
>any evidence that it is stronger than DES_, much less state of
>the art algorithms like IDEA.  This has the actual efffect
>of shooting the American computer security industry in the balls,
>while making Congress believe they are helping it.

Actually, the argument they are truly using is one of 'the child down the street
can listen to your portable and cell phone conversations, and this will stop 
that.'  What Skipjack and Clipper provide is a higher floor for the average 
person; it also, incidentally, kills the viability of the marketplace for 
alternate solutions.  No money, no advances.  Life gets simpler for them.  I 
have pointed this out in my two earlier posts, which you in fact are commenting 
on.

>Note that I am _not_ accusing the NSA of political incompetence.
>Any organization that can get a Congressional intelligence committee
>to vote its way 13-0, that can keep pushing a warmed-over DES
>crippled with a last-minute Rube Goldberg version of key escrow,
>in the face of 70% public opposition (and nearly unanimous and quite
>vocal opposition in the hi-tech industries) is no political slouch.  
>Any organization that can increase their budget after their mission
>has gone away, knows the ropes in D.C.  They are simply much better 
>lobbyists than cryptographers.

NSA didn't get anyone to do anything; the situation is status quo--crypto wasn't
liberalized for export, which is what Cypherpunks want, and would have 
constituted a change.  NSA has a very real function, which I would like to 
remind you of--they are responsible for the introduction of technology security 
into the Defense Department.  Based on track record, from 'spy birds' capable of
picking up a conversation on the ground, to creating the first evaluation rigor 
of computer security (even though Orange was out of date when instituted), they 
have been doing it.  As for political ability, of course they are no slouch; 
they view it much as I do, a form or warfare, which they are very good at.  Has 
their mission gone away?  Not in the least; they are still the watchdog of the 
airwaves.  People who think that NSA and CIA have no remaining mission are 
people who have no understanding of what they do.

>> integration style 'one shot' systems for military use created a number of 
>> companies, such as the Honeywell Secure Computing Technology Center, as well 
as 
>> a number of DARPA funded groups such as Cray and Thinking Machines.

>Of course with their budget, they can buy lots of slick hardware.  
>That doesn't mean they know how to use it well.

>Let's face it, our awe of NSA stems entirely from their budget
>and their ability to stamps their incompetence top secret.  

I don't think you know *how* they use the gear they have, so I recommend you 
don't make comments that you are not informed to make.  My awe of NSA comes from
viewing them as a powerful opponent with incredible resources, but as one who is
limited by their own tradecraft; a healthy respect, but we hold our own.

You do raise an interesting point, and that is the ability of groups such as NSA
to abuse their Classification priviledge.  They do.  Everyone in the 
intelligence community does.  Far too much material is considered classified.  
The hazards of professional intelligence organizations stem from classification;
they aren't open to outside review, analyses can end up driven by political 
agendas rather than available facts (see Casey and his positions vis a vis 
terrorism and State sponsorship by the Sovs and Libyans, neither of which is 
accurate), and sometimes gross errors are covered by the same cloak of secrecy. 
Do not, however, assume that they do not know and perform their job to the best 
of their abilities, or you will be in the position of the mark talking to a 
cardsharp:  'I'm not any good at cards, but I sure do like to play for money.'

Michael Wilson
Managing Director, The Nemesis Group

[The Maryland Procurement Office, which was the shell used to purchase budgeted 
items of a 'black' nature by the intelligence community, actually published (by 
accident) their complete records during the hottest part of the Cold War.  You 
can find them if you look in the right place, and see what it was that NSA, CIA,
etc. were spending their money on.  Capability is augmented by resource, 
including such hardware, and so this gives vital clues as to the lines they were
developing themselves along.]