September 1, 2000: A pocket guide to NSA sabotage

The NSA engages in sabotage, much of it against American companies and products. One campaign apparently occurred at about the time when PGP's most serious vulnerability was added. To understand the whole story requires some background.

 In Bruce Schneier's newsletter Crypto-Gram he told us last year about Lew Giles, said to be an NSA saboteur wrecking American privacy products in 1997. Schneier says that according to several sources Giles went from company to company, asking them to destroy the security of their own products, and arranging cover stories to protect them. According to Crypto-Gram sometimes Giles worked directly with engineers, with no managers around. The sabotage was always supposed to look like a mistake. At about the same time, PGP introduced "key recovery" with the hidden flaw recently covered worldwide, including Schneier's own clear description in Slashdot.

Other serious vulnerabilities have been found in the PGP versions released then. For example, just last May PGP was found to generate weak keys on Linux and OpenBSD. The original report in BugTraq says the bug was introduced in version 5.0, released in 1997... http://cryptome.org/nsa-sabotage.htm

No comments:

Post a Comment