Why "carnivore" type systems can't be (entirely) open source

Brian Gladman Brian Gladman" <brg at gladman.plus.com
Sun, 4 Feb 2001 12:55:59 -0000 

From: "Richard Clayton" <richard@highwayman.com>
To: <UKcrypto@chiark.greenend.org.uk>
Sent: Sunday, February 04, 2001 12:22 PM
Subject: Re: Why "carnivore" type systems can't be (entirely) open source

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In article <004701c08972$bc66baa0$3e0a989e@eloka>, Owen Lewis
> <oml@eloka.demon.co.uk> writes [using a machine whose clock appears to
> be wildly inaccurate :(]
>
> >That's a bit silly. The intelligence agencies of the govts of countries,
> >great and small, wherever GSM is deployed, have not needed to crack GSM.
> >They always have access, according to the arrangements that pertain in
each
> >country, to the clear voice that is passed on from each cell base
station.
> >Those whom GSM security has kept out, gnashing their teeth, are those not
> >allowed much or any access to the clear voice part of the communications.
> >Dependent on circumstances and on country, these groups might include all
of
> >some of the following:  police, DSS, IR, C&E, private dicks, kibbitzers
et
> >al.
>
> I think you should probably include in the list that is expected to be
> "kept out" - the intelligence agencies of other countries....
>
> ... and then you should observe that anyone party to the true details of
> GSM (and appreciating the cryptographic implications) will be able to
> capture material off the air in all other countries that have fielded
> the system.
>
> >Thus, for the purposes for which they were intended, GSM and its methods
of
> >maintaining privacy in personal telecommunication  have been a roaring
> >success.
>
> I'm sure that the relevant agencies have welcomed that

I am sure you are right here.

First they ensured that they could steal information by stopping crypto
being deployed.

Then they ensured they could steal it by conning people into using broken
crypto.

And when this fails (which it has not done yet) they will steal information
from end systems.

The latter hole is the most worrying one since it is open to people with
very limited resources. I don't see much point in spending a lot of money to
break algorithms when other doors are left wide open and unprotected.

   Brian