[Sussex] NSA and Microsoft
Nico Kadel-Garcia
nkadel at gmail.com
Sat Jan 13 12:31:23 UTC 2007
Andrew Guard wrote:
> Well it looks like NSA has worked with Microsoft to get product out.
>
> It is worth noting past history here.
>
> http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm
> http://www.boycott-riaa.com/article/21113
>
> Also it looks like SUSE Linux has also been looked at by NSA to find out
> what they think of the product. (Is that spooks code for something else,
> I do not know. But knowing Novell they would never do what thinking any
> way)
>
The NSA has an unfortunate history of handling computer security. They
are involved in supporting US policies in exporting encryption, that
prevented the use of SSL keys longer than 80 bits in US exported
software for years, and still interfere in attempts to push the key
length beyond 128 bits. It's clear that they consider protecting their
ability to generally monitor communications by discouraging public key
encryption and retaining warrant-free access to private keys.

They are also willing to cooperate in efforts that allow computer users
to feel secure about their data, but not actually protect it from
"authorized" access by encrypting it robustly or protecting it from
local system access. Take a good look at SELinux, which they were
involved in developing with the Linux security, for example. Then look
at the history of the "Skipjack" chip, developed for voice encryption
but also usable for data encryption. It was developed by the NSA, but
with no reliable legal protections for the archive of private keys, and
with features to prevent the use of unregistered private keys. It has
turned out to be vulnerable to some fascinating attacks. As soon as it
was found how to use unregistered keys, the attempt to get it adapted
generally was abandoned.

If that approach of robust encryption but privately held keys looks
familiar, look at "Trusted Computing". That's going to take a lot of
work to enable and integrate for Linux use. It'll be necessary to handle
Microsoft tools and system files in the future, but it's built around
DRM and about assuring that only vendor-authorized software can access
specific files, and that master keys remain held in a repository with
no warrants needed for federal access.