 
Something I noticed while reading through the report from the NSA review board --- in recommendation 29, it states that the US government should "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software", but it doesn't say anything about not trying to subvert or undermine generally available hardware.   An oversight?   Or was this a deliberate omission?
16 comments
 
I suspect it's beyond the review board's level of imagination to consider that hardware might be subvertable.
 
Hardware, firmware, FPGAs, individual gates...down the rabbit hole we go...};-)
 
What about generally available noncommercial software?
 
I doubt it was deliberate; the way it's written makes me think that they're just not thinking that hardware is an encryption technology. I don't think there's anything to gain from their perspective in making such a deliberate omission if they were so inclined; it's not as though recommendations like this are the language of the law.
 
The NSA review panel was packed with Intelligence Community insiders, who have always thought that the best way to do encryption is in hardware, not software.  Which is why I think the omission was even more telling.
 
The term "hardware" is too broad.

The US sells lots of military hardware to countries that might one day use that hardware on the US.   You can be sure that the missiles and radar systems have special subroutines to deal with the case where they find themselves engaging a US built target.
 
I think it doesn't matter what the review says.  Ultimate secrecy grants them the ability to do whatever they want.  It's been demonstrated time and again that the only reliable checks and balances come from the people.  The only way we'll know if they're actually doing what they've been told is with more Snowden-style leaks.  They're doing their best to make sure that kind of leaking doesn't happen again.

Transparency is the only thing that will ever bring accountability.
 
That is an advertising-friendly rather than a real recommendation. They talk about not touching 'generally available commercial software'; that is because people will think: "oh, I am more sure that my legally bought software does not even have any alterations to spy on me". So people can still continue buying software.
Nothing is said about free software or about hardware.
 
What about noncommercial open-source software like Tor? It's harder to subvert, obviously, but not impossible; suppose for example that they make sure to have people deeply involved in the development process.
 
My guess is it's an oversight, but I really doubt much of the report's recommendations will make it into policy or law. 
 
+Josef Grahn  Free, open, BSD-3, etc. software will probably turn into 'commercial' software when it is used in commerce. That would match with various copy clauses that tell what is permitted, when, and for whom. Or at least that makes sense to me even if lawyers & judges in general would disagree.
 
+Sami Kerola Sure, I'm inclined to make the same argument. However, what's interesting is how the people such guidelines would apply to interpret their instructions. Would they be able to make the argument that their interpretation (let's say that free software is fair game) is a plausible one? If there is any such ambiguity, the guidelines are more or less ineffective as a tool for accountability.
 
Surely subverting hardware is a way to undermine any software that runs on it.
 
Of course NSA will use any loophole as legal justification. See Sensenbrenner's reaction to how NSA abused the Patriot Act.
 
Love how predictable Drupal upload paths are...