[880] in cryptography@c2.net mail archive
Re: Sun Microsystems to try to go around EAR
daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu May 22 01:13:55 1997
From: Adam Shostack <adam@homeport.org>
In-Reply-To: <Pine.LNX.3.95.970521091333.2074A-100000@fractal.mta.ca> from Michael C Taylor at "May 21, 97 09:33:33 am"
To: mctaylor@mta.ca (Michael C Taylor)
Date: Thu, 22 May 1997 00:31:58 -0400 (EDT)
Cc: cryptography@c2.net, risks@csl.sri.com
Is it less risky to sell unevaluated software or crippled export
allowed software?
You know there are security flaws in the latter.
Adam
Michael C Taylor wrote:
| >From http://www.msnbc.com/news/75617.asp by the Associated Press.
|
| In summary (by mctaylor):
| Sun has partnered with Elvis+ Co., a Russian company, to by-pass export
| controls in order to "test the waters."
| The products which were developed by Elvis+ use SKIP, a Sun
| security protocol, but Sun did not provide technical assistances to
| Elvis+. The interesting part is that Sun will sell Elvis+'s Secure Virtual
| Private Network for MS-Windows 3.11, 95 and NT under the name SunScreen
| SKIP E+ in August.
|
| The risks here include can Sun trust a Russian company which Sun provided
| no technical assistance to, therefore I assume no quality control testing.
| It is one thing to bundle a paint program written by another company, but
| to resell a security product with your name on it without doing your own
| quality testing and cryptanalysis is very risky IMHO. Could Sun
| Microsystems find a backdoor that was included at the _request_ of a
| foreign government? I won't even start with the risks of legal action..
|
| --
| Michael C. Taylor <mctaylor@mta.ca> <http://www.mta.ca/~mctaylor/>
| Software Engineer, Mount Allison University, Canada
|
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
