On Tue, 2007-01-16 at 09:15 -0600, Steve Siegfried wrote:
> On January 14'th, Claude Jones kicked off this thread with a question
> about the NSA's involvement (if any) in SELinux.
>
> I'm a subscriber to Bruce Schneier's CRYPTO-GRAM newsletter (currently
> in its 10'th year of publication), the January 15'th edition of which
> contained:
> CGNL>
> CGNL> ** *** ***** ******* *********** *************
> CGNL>
> CGNL> NSA Helps Microsoft with Windows Vista
> CGNL>
> CGNL> The NSA "helped" Microsoft with Windows Vista. They're not disclosing
> CGNL> what they did, of course, but Microsoft insiders have told me that it
> CGNL> was nothing more than assisting with assurance testing.
> CGNL>
> CGNL> But I am suspicious.
> CGNL>
> CGNL> It's called the "equities issue." Basically, the NSA has two roles:
> CGNL> eavesdrop on their stuff, and protect our stuff. When both sides use
> CGNL> the same stuff -- Windows Vista, for example -- the agency has to decide
> CGNL> whether to exploit vulnerabilities to eavesdrop on their stuff or close
> CGNL> the same vulnerabilities to protect our stuff. In its partnership with
> CGNL> Microsoft, it could have decided to go either way: to deliberately
> CGNL> introduce vulnerabilities that it could exploit, or deliberately harden
> CGNL> the OS to protect its own interests.
> CGNL>
> CGNL> A few years ago I was ready to believe the NSA recognized we're all
> CGNL> safer with more secure general-purpose computers and networks, but in
> CGNL> the post-9/11 take-the-gloves-off eavesdrop-on-everybody environment, I
> CGNL> simply don't trust the NSA to do the right thing.
> CGNL>
> CGNL> http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352.html
> CGNL> or http://tinyurl.com/ycgv9f
> CGNL>
> CGNL> Another opinion:
> CGNL> http://www.computerworld.com/blogs/node/4330
> CGNL>
> CGNL> ** *** ***** ******* *********** *************
> CGNL>
>
> I should point out that Mr. Schneier is founder and CTO of BT Counterpane,
> a well respected computer security company, invented the Blowfish and
> Twofish algorithms and is often the "go-to guy" for media on computer
> security issues.
>
> Now here's the fun part: If you read the two articles Schneier points to,
> you'll also find this nugget in the first (from the Washington Post's
> online site):
>
> WP>
> WP> Other software makers have turned to government agencies for security
> WP> advice, including Apple, which makes the Mac OS X operating system. "We
> WP> work with a number of U.S. government agencies on Mac OS X security and
> WP> collaborated with the NSA on the Mac OS X security configuration guide,"
> WP> said Apple spokesman Anuj Nayar in an e-mail.
> WP>
> WP> Novell, which sells a Linux-based operating system, also works with
> WP> government agencies on software security issues, spokesman Bruce Lowry
> WP> said in an e-mail, "but we're not in a position to go into specifics of
> WP> the who, what, when types of questions."
> WP>
> WP> The NSA declined to comment on its security work with other software
> WP> firms, but Sager said Microsoft is the only one "with this kind of
> WP> relationship at this point where there's an acknowledgment publicly."
> WP>
>
> So it would seem that MS is farther in cahoots with the NSA than most, but
> also that Linux (via Novell) isn't exempt from NSA "oversight", either.
>
> Just trying to inject some facts'idly,
>
> -S
>

Thank you Steve, that was an enlightening post. It also fits in well with the big picture.

LX