[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Gorelick testifies before Senate, unveils new executive order



At 8:04 PM -0700 7/18/96, Jeff Barber wrote:

>
>> Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's,
>> or AT&T's domestic computer networks has little to do with crypto export
>> policy.
>
>Big companies like IBM, AT&T, etc. have *international* networks.  Hence,
>the connection to the crypto export policy, which prevents comprehensive
>security programs from being deployed.  As a "senior techinical executive"
>(oxymoron alert) to Fortune 50 companies, I assume you know that and are
>simply choosing to ignore it for the sake of your current argument.

There are exceptions to ITAR for this purpose (overseas offices of US
companies). In addition, like the argument that we shouldn't jail anyone
until all social evils are cured, your argument fails. IBM can secure their
domestic network (at least) without having to secure their global network.
As for your suggestion that I am special pleading, that's just unsupported
defamation. I suppressed nothing--it is you who are omitting the facts I
mention just above. Only a fool would accuse another of special pleading
when the possibility the accuser doesn't understand the argument, or have
all the data exists. If you have any integrity you'll apologize.

>
>
>> >Putting the government in charge of fixing security problems is likely
>> >to result in an infrastructure optimized for surveillance, as we've seen
>> >with other government-sponsored initiatives (Clipper, DigitalTelephony,
>> >etc.).
>>
>> The subject matter of the Commission's inquiry has more to do with
>> authentication than message encryption, and more to do with infrastructure
>> and network security. And as it happens there is no problem getting export
>> licenses for authentication-only software with as secure a key as you like
>> and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page
>> as this issue.
>
>There is more to security than authentication, as I'm sure you also know
>but are choosing to ignore.

Another attempt to accuse, read minds, and impute motives. We're talking
about securing networks such as communications, transportation, and power,
against hacker attacks. Authentication is the core, not encryption. A main
problem is the spoofer instructing the network to self-destruct. Long-key
authentication can address this when coupled with the safeguarding of keys.
and some system precautions not related to encryption.

> Authentication alone may suffice in some
>situations but clearly not all.

So what? What part of "more to do with....than" don't you understand? I
never said "all"--that's a straw man to try to shift the ground of the
discussion rather than attempting a direct refutation.


>
>> Again, you are trying to fight a different battle in the wrong arena.
>> This isn't about your ability to encrypt your traffic. It's about securing
>> the domestic infrastructure against information warfare. I know this is
>> beginning to sound tiresome, but you'd better do your homework.
>
>Indeed.

So do it.

>  This isn't a different battle, though; it's all interwoven.

So what? Everything is connected to everything else.


>I don't want the government responsible for "securing the domestic
>infrastructure..." for the same reason that I don't want them telling
>me where or to whom I can sell crypto.

Fair comment--you're certainly entitled to your opinion.

>  They haven't any right to, IMO,

Read the Constitution.

>and besides, I don't trust them to look out for my interests.

At least some of one's interests we might both agree. There's the old joke
"I'm from Washington and I'm here to help you."

David