Why "carnivore" type systems can't be (entirely) open source
Brian Gladman <brg at gladman.plus.com>
Mon, 5 Feb 2001 10:58:43 -0000
From: "Owen Lewis" <oml@eloka.demon.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Sunday, February 04, 2001 1:43 AM
Subject: Re: Why "carnivore" type systems can't be (entirely) open source
This debate is getting unmanageable so I am cutting out the existing text in
order to get back to the key point.

It seems that we both agree that GSM contains one or more deliberately
introduced security weaknesses. Moreover we also agree that STO is being used
to prevent both ourselves and many others from knowing the extent or the
nature of these weaknesses.

As a result I conclude that GSM should be treated in security design terms
as if it is insecure.

In contrast you conclude that it can be treated as either secure or insecure
depending on the circumstances of use even though STO prevents you from
having any direct evidence on which to base your assessment of its security
properties. Unknown to you it could have truly catastrophic security
weaknesses and yet you would still consider it secure in some circumstances.

Turning to STO itself, I claim that when this is applied to hide aspects of
a system's design [*] from the information owner who is relying on it, this
is overwhelmingly more likely to create a detriment to their security than
it is to achieve any enhancement of it. It appears that you dispute this.

Nothing you have said changes my view on this in any way and I consider it
unlikely in the extreme that there is anything that you can say that will
lead to a change in my position.

I am sure that others on the list have already reached a conclusion about
which of these two approaches to security better suits their own interests.

Brian

[*] the term 'design' here covers the design itself but not the techniques
used to achieve it.