1993-09-23 - P. Wayner on CSSPAB meeting

Header Data

From: “L. Detweiler” <ld231782@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Message Hash: 290720baaba748104ce8c99e7eccc5a2c0ea57271db61ca2d13915f1b0a37b25
Message ID: <9309230520.AA18417@longs.lance.colostate.edu>
Reply To: N/A
UTC Datetime: 1993-09-23 05:23:08 UTC
Raw Date: Wed, 22 Sep 93 22:23:08 PDT

Raw message

From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Wed, 22 Sep 93 22:23:08 PDT
To: cypherpunks@toad.com
Subject: P. Wayner on CSSPAB meeting
Message-ID: <9309230520.AA18417@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


an eternity ago in cyberspatial time (a few days ago in real time) P.
Wayner posted some comments about the latest CSSPAB meeting. He hasn't
appeared to have gotten any direct feedback on the list to that report,
which I think is a pity, because he's one of the few cypherpunk
`infiltrators' not only consistently attending important national
government meetings, but conscientiously reporting them on the list
(which involves a significant amount of labor) often to no reward but
flames! (there's been quite a bit of indirect reaction to the `software
Skipjack CRADA proposal he illuminated.) Anyway, my personal thanks!

Cypherpunks, it's in these kinds of reports that very important clues of
future NSA directions are buried, and I'll start off with a gem:

>A group of computer scientists from NIST came to discuss their plan
>for the Federal Criteria for secure systems and the new "Common
>Criteria" that may emerge. This is an updated version of the old
>Orange Book classification scheme of C2 and B1 and stuff like that.
>The scientists said the draft is being finished but it isn't ready
>for release. But now, they're working on "Something Better." This
>is a new plan to standardize the grading of secure systems with 
>other countries and evolve a "Common Criteria." In general, the 
>board groused about the fact that the public and industry have never
>been invited to give comments during the process. The summary
>of this talk is: "We might be able to tell you something someday." 

`other countries'? `Common Criteria'? holy cow, this is something *very
big* in the works. The U.S. can barely figure out its *own*
cryptographic policies, and imagine the sheer logistical nightmare of
trying to come to an agreement between the most isolated and imperious
agencies! I suspect GCHQ (Britain's NSA) would be involved in this at
least. (There is a very cozy relationship between NSA and GCHQ that
Kahn was harassed for revealing in _CodeBreakers_.) What other agencies?

Mr. GraveDigger, the man in charge of NSA's Key Escrow:
>He filled the hour with more descriptions with all of the restrictions
>that they place on wiretaps at the Justice department. Once again, I
>found myself wondering why they are going through so much trouble 
>over something that just seems to cause them grief. The taps cost
>money. They divert manpower. Etc. Yet, the FBI and the rest of the 
>community is willing to go through a full court press on this topic.
>The taps are essential in crime encapsulated in conversations (i.e.
>influence peddling, bribery). 

but this only suggests how much of a crutch they have become for these
agencies. They are terrified of losing this tool, on which they have
come to rely disproportionately. They have come to associate their
job security with wiretapping -- a very dangerous proposition for freedom.

>Some people from the Social Security Agency came to tell the board
>about their internal security procedures that they use to track down
>people inside the agency generating information for outsiders like
>private detectives. They routinely run sting operations where they
>call up information brokers and ask them to get a Social Security
>file for an individual. Then they watch for accesses to that record
>and flag the miscreant.

fascinating. has this ever been noted before? the IRS would have
benefited from this a few months ago. Or, on second thought, never mind!
all the tax evaders on the list will object to the IRS getting any help!

>Dorothy Denning came to say that there was no final report from the
>outside team performing an outside review of the Clipper algorithm.
>In general, she said that the comments have been favorable to their
>work. Several members of the board questioned the independence of the
>review given that it was done at the NSA using NSA's computers and
>NSA's programmers. They also wondered about the depth of the review
>because it was apparent that Denning leaned heavily on the NSA's
>analysis. 

reassuring to hear Dingaling is still alive and plugging away... I
wonder what her next Lead Balloon will be?

[EFF's Digital Privacy & Security Working Group]

>The group feels that it can accept
>Clipper if any participation in the key escrow program is completely
>voluntary. They proposed to test the administration's commitment
>to volunteerism by noting whether they relaxed export requirements.

>To me, the statement was little more than a political gambit. All
>of the companies involved in the DPSWG really, really, really want
>export restrictions eased. So they offered their support for 
>Clipper as a quid pro quo. Let us export anything (not just Clipper)
>and we'll support it. 

This is a very interesting stance, and IMHO not a bad tradeoff, if
`support' means `lack of active attack and criticism'. But the NSA
would never agree to this in a cyberspatial lifetime. We *still* don't
even have any substantial promise that Clipper is guaranteed to be
voluntary, let alone export restrictions relaxed. (Hypocritically, the
announcements have always touted Clipper as Voluntary, the last
redeeming feature cited by scoundrels like Dingaling and Sternlight,
without ever guaranteeing it, and potentially even hiding the plan of
*revoking* that aspect.) The plan, very likely, is quite to the
contrary: increase market penetration of Clipper to the point that
restricting other cryptography in subtle and insidious ways becomes
possible. And I'm still waiting for the announcement in blaring fanfare
that Clipper-based hardware can be freely exported, nothing else. I
think it's close on the horizon. Once they get chips that work :)

[crafting official group report]
>Most of the board wanted to say that the Clipper chip was
>a pain in the neck that wasn't worth the trouble [...]
>The fight seemed to break down between government employees and
>non-government employees. Those outside the government kept arguing
>for stronger language and those inside kept saying things like,
>"But expensive relative to what? We don't have any concrete cost
>estimates." 

hee, hee. the U.S. Civilization in a microcosm.




