[Cryptography] TAO, NSA crypto backdoor program

John Kelsey crypto.jmk at gmail.com
Thu Jan 2 20:43:08 EST 2014


On Jan 1, 2014, at 3:38 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
...
> One thing to remember in this mess: NSA isn't the only capable National Scale Adversary. While I might believe that NSA and GCHQ could, in the future, again be restrained by the rule of law, I don't believe we can use law to control the Russians and Chinese, to name just two. We have a wonderful worked example of the kind of threat we need to defend against. If we manage to rein in our eavesdropping agencies by use of law, we still have ones that aren't ours to worry about.

Amen!  We can and should get the intelligence agencies in democratic countries back under some kind of control, but that only addresses one part of the problem.  National scale attackers are hard to defend against.  However, there are a couple important differences when it's the intelligence agencies of your own country:

a.  If you (an American) figure out that the Chinese are trying to slip malware into a product, you can ask for help from the US authorities.  How much help you will get is probably pretty uneven, but I have to guess that if Cisco or Microsoft asks the FBI for help because they think the Chinese government is trying to slip malware into their products, they can probably get the attention of some pretty high level people.  If it's your own government attacking your products, you can't reasonably call the FBI, and you may very well be required by law to go along and keep quiet, or may believe you are required to do so.

b.  Far more Americans are going to be willing to go along with the US government doing anything than with the Chinese government doing it.  The spies trying to plant a weakness have the advantage that they can rely on patriotism, future employment prospects, legal requirements, or simply on trust ("they must have a good reason to tell me to do this").  A foreign intelligence agency has to rely on much more blunt methods--bribes, blackmail, threats, etc.

> Cheers - Bill

--John (definitely speaking only for myself!)