Sunday, January 06, 2008

Méfie-toi sans cesse

Paul Valéry put the words “Méfie-toi sans cesse” on his wall.  Most aren’t so careful.  P.T. Barnum allegedly said:   “There's a sucker born every minute.”  Some examples of what I suppose could be called gross breaches of the Sale of Goods Act:

  1. An internet ‘anonymizer’ called SafeWeb turned out to be owned in part by the CIA.  The funny part is that some people continued to use it even after this information came out, on the theory that it must be secure as the CIA had never done anything underhanded before.

  2. Crypto AG is a Swiss manufacturer of encryption machines.  These were used around the world by countries that wanted secure communication but didn’t want to set up their own systems.  The only problem is that there are suspicions that Crypto – possibly owned by the German secret service – did a deal with the Americans to put a NSA backdoor in their machines.  The reason for these suspicions is a series of cases of famous breaches of security – cases where the Americans mysteriously obtained information they should not have had – when the Crypto machines were used.

  3. is an Israeli-owned ‘encrypted’ e-mail provider.  Since it does not strip your IP address from your e-mail, and will disclose all information about your e-mail to government authorities on request, and exists at the discretion of the Israeli government, it is secure to the extent (or here) “you have reason to trust the Israeli government.”  What could be safer than that?

  4. It has been alleged that Safe-mail, Hushmail and Guardster all have direct NSA connections, and rely on NSA-owned secure socket layer services.  All three deny any NSA connection, which is what you would expect them to do.

  5. The leading computer security firms apparently don’t regard snooping through the ports that the NSA likes to use to be worthy of alerts to the owner of the computer being snooped upon.  By the way, has anyone else noticed that the Norton/Symantec security stuff is actually worse than the viruses it is supposed to prevent?  Just try removing it from a computer supplied by a manufacturer which has ‘helpfully’ preinstalled it.

  6. Encryption based on random-number generation won’t work if the numbers generated aren’t ‘random’, and the NSA appears to have approved a random-number generating system that has been engineered to allow it to easily break the code (and note the first comment to the Wired article).

Part of the problem that intelligence gatherers have is sorting the tiny amount of wheat from the huge amount of chaff.  People with the biggest and most important secrets are kind enough to identify those secrets by employing special measures to secure them.  It is thus a ‘no-brainer’ that the NSA and similar organizations infiltrate as many of these security systems that they can.  Anyone who relies on self-serving and unverifiable representations of security is a fool.