David Honig wrote:
> 
> At 01:56 AM 6/18/00 -0700, Bill Stewart wrote:
> >At 12:12 PM 6/13/00 -0400, David Honig wrote:
> >>When you read about losing laptops in Los Alamos (and London), you have
> >>to wonder: why don't those folks encrypt their drives?  They
> >>are somehow thinking physical security is sufficient, and slacking
> >>off otherwise.
> >
> >Probably because the standard PC software doesn't come with
> >military-quality encryption.
> 
> But there's good stuff out there free, with source code (e.g.,
> Scramdisk).  The NSA's budget was too tight to check this out?
> They didn't have anyone qualified to write their own?  Please.
> 
> >To some extent it may be because publicly available crypto algorithms
> >aren't NSA-approved for military use, so there's no COTS code,
> >though there may be NSA-built similar products.
> 
> Not-invented-here is no excuse.
> 
> 
It isn't not invented here that is the problem -- it is the Not
Developed Here.  COTS is developed in a not verifiably secure
environment.  With source rarely available for perusal and the
compounding possibility of malicious compilers ever present, the
determination was made that COTS could not be guaranteed to be
backdoor-, trapdoor-, and Trojan Horse-free.  This is all on top of the
probability of errors in COTS.

OTOH NSA is not error-free and is noted for slipping in its own bag of
tricks -- but they are the ones with the authority to determine
appropriately safe software systems. 

PHM
-- 
Paul H. Merrill, MCNE, MCSE     
[EMAIL PROTECTED]

