Related:

2 June 1994, NYT: Flaw Discovered in Federal Plan for Wiretapping
http://www.nytimes.com/1994/06/03/business/at-at-t-no-joy-on-clipper-flaw.html

June 3, 1994

At AT&T, No Joy on Clipper Flaw

By JOHN MARKOFF

Matthew Blaze did not set out to make trouble for his employer.

When Dr. Blaze, a 32-year-old computer scientist at AT&T Bell Laboratories, discovered a basic flaw in the Government's cloak-and-dagger Clipper system recently, he was merely doing what he does best: pushing computer code until it breaks.

But AT&T is poised to become a leading supplier of Clipper technology, which the Clinton Administration is promoting as a way to let law enforcement officials wiretap encoded telephone calls and computer transmissions in the digital age. And if Dr. Blaze's research undermines the Clipper, it could scuttle a multimillion-dollar business.

Unhappy Executives

No wonder some executives at AT&T did not want Dr. Blaze to publicize his finding that a person with sufficient computer skills could defeat the Government's Clipper technology by using it to encode a message so that even the Government could not crack it.

Before Dr. Blaze began sharing his discovery two weeks ago by circulating a draft research paper to professional peers and Federal agencies -- and well before he shared the information with The New York Times, which reported it on Wednesday -- company executives debated whether the information should be disclosed.

"I supported the concept of publishing it, although I told Matt he needed to talk to people at the National Security Agency before releasing it," said David Maher, chief scientist at AT&T's Secure Communications Systems division in Greensboro, N.C. The National Security Agency, the Government's electronic spying agency, was the primary developer of the Clipper system.

Few other AT&T executives were willing to discuss the internal debate yesterday, although people familiar with the conversations said that some executives had advocated restricting the distribution of Dr. Blaze's paper.

An Unexpected Stir

Dr. Blaze, reached by telephone yesterday, and also by electronic mail, said he was surprised by the stir his discovery has created. He said that at Bell Laboratories, which operates at a certain academic distance from its corporate parent, he had the full backing of his bosses.

"I've been encouraged by my management to pursue this research line vigorously and without regard to a desired result," Dr. Blaze wrote in his E-mail reply. "We regard this as a technical rather than a political result."

AT&T is already one of the Government's biggest suppliers of telecommunications equipment. And at present it is the only supplier to the Government of the 3600 Clipper telephone, which is being used by the Justice Department and other Government agencies for sensitive telephone conversations.

So far sales of equipment containing the Clipper computer chip have been limited -- AT&T declined to provide a dollar figure -- but that business could take off if the Clinton Administration succeeds in making Clipper technology a national standard for scrambling voice and data communications.

Government officials and AT&T executives are seeking to minimize the impact of the defect uncovered by Dr. Blaze, particularly regarding Clipper's use in telephones, because the flaw affects the computer version, not the telephone version.

Yesterday, AT&T issued a statement reaffirming its support of the Clipper program. "It's important to note that the frailty described in the research paper by one of our computer scientists does not exist in those applications of the standard covered by the National Institute of Standards and Technology -- secure voice, fax and low-speed data transmissions." All of those tasks involve the telephone version of Clipper.

But some computer security experts said the company might be drawing too fine a distinction, since many of the more sophisticated uses of Clipper technology would involve computer communications. And some experts say that even if the discovery does not kill the Clipper program outright, it is an awkward issue for the National Security Agency -- and presents problems for future versions of the Clipper technology that are being designed for high-speed computer communications. The Government has already developed a personal-computer version of Clipper, contained on a circuit card called Tessera, which is what Dr. Blaze used in his research.

'A Little Embarrassed'

"I'm a little embarrassed that we didn't ask this question," said Steve Kent, a cryptographer at Bolt Beranek & Newman and a member of the five-person evaluation team that reviewed the secret mathematical algorithm inside the Clipper chip for the Clinton Administration. "And I suspect that the N.S.A. is a little embarrassed as well."

That the disclosure should emanate from inside AT&T, however, is testimony to the company's corporate culture. Bell Laboratories, one of the world's leading research centers, is known for a tradition of independence, for being as much a center for pursuing pure science as for corporate research. Its main laboratories are in Murray Hill and Holmdel, N.J., well removed from AT&T headquarters in Basking Ridge, N.J.

As one of an elite group of code-breaking researchers around the world, Dr. Blaze believes that the best way to strengthen computer security is by relentlessly developing new attacks and finding loopholes that designers may have overlooked.

But when Dr. Blaze found a flaw in a "backdoor" that is supposed to allow wiretapping by law enforcement agencies with court orders and Clipper's mathematical keys, it brought his computer-hacker culture into direct conflict with a corporate culture that is based on profitability and on not rocking the boat.

The outcome, said executives both inside and outside AT&T yesterday, may be painful for the company in the short run but strengthen it in the long run by proving its scientific integrity.

"The point is that the backdoor has a broken hinge," said William Ferguson, vice president of the Semaphore Corporation, a Silicon Valley company that makes computer encoding systems. "It was a win-lose situation for AT&T, but it actually looks good for the company in the long run."

"Some of us are sitting here saying, 'Yup, I told you so,' " said an AT&T executive who spoke on the condition that he not be identified. "There are others running around to see who is going to frown or not frown about this in New Jersey."