On January 14th, Claude Jones kicked off this thread with a question about the NSA's involvement (if any) in SELinux.

I'm a subscriber to Bruce Schneier's CRYPTO-GRAM newsletter (currently in its 10th year of publication), the January 15th edition of which contained:

CGNL>
CGNL> ** *** ***** ******* *********** *************
CGNL>
CGNL> NSA Helps Microsoft with Windows Vista
CGNL>
CGNL> The NSA "helped" Microsoft with Windows Vista. They're not disclosing
CGNL> what they did, of course, but Microsoft insiders have told me that it
CGNL> was nothing more than assisting with assurance testing.
CGNL>
CGNL> But I am suspicious.
CGNL>
CGNL> It's called the "equities issue." Basically, the NSA has two roles:
CGNL> eavesdrop on their stuff, and protect our stuff. When both sides use
CGNL> the same stuff -- Windows Vista, for example -- the agency has to decide
CGNL> whether to exploit vulnerabilities to eavesdrop on their stuff or close
CGNL> the same vulnerabilities to protect our stuff. In its partnership with
CGNL> Microsoft, it could have decided to go either way: to deliberately
CGNL> introduce vulnerabilities that it could exploit, or deliberately harden
CGNL> the OS to protect its own interests.
CGNL>
CGNL> A few years ago I was ready to believe the NSA recognized we're all
CGNL> safer with more secure general-purpose computers and networks, but in
CGNL> the post-9/11 take-the-gloves-off eavesdrop-on-everybody environment, I
CGNL> simply don't trust the NSA to do the right thing.
CGNL>
CGNL> http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352.html
CGNL> or http://tinyurl.com/ycgv9f
CGNL>
CGNL> Another opinion:
CGNL> http://www.computerworld.com/blogs/node/4330
CGNL>
CGNL> ** *** ***** ******* *********** *************
CGNL>

I should point out that Mr. Schneier is founder and CTO of BT Counterpane, a well respected computer security company, invented the Blowfish and Twofish algorithms and is often the "go-to guy" for media on computer security issues.

Now here's the fun part: If you read the two articles Schneier points to, you'll also find this nugget in the first (from the Washington Post's online site):

WP>
WP> Other software makers have turned to government agencies for security
WP> advice, including Apple, which makes the Mac OS X operating system. "We
WP> work with a number of U.S. government agencies on Mac OS X security and
WP> collaborated with the NSA on the Mac OS X security configuration guide,"
WP> said Apple spokesman Anuj Nayar in an e-mail.
WP>
WP> Novell, which sells a Linux-based operating system, also works with
WP> government agencies on software security issues, spokesman Bruce Lowry
WP> said in an e-mail, "but we're not in a position to go into specifics of
WP> the who, what, when types of questions."
WP>
WP> The NSA declined to comment on its security work with other software
WP> firms, but Sager said Microsoft is the only one "with this kind of
WP> relationship at this point where there's an acknowledgment publicly."
WP>

So it would seem that MS is farther in cahoots with the NSA than most, but also that Linux (via Novell) isn't exempt from NSA "oversight", either.

Just trying to inject some facts'idly,

-S