1996-06-19 - Source Laundering <was: You bet they have/are: NSA/CIA to snoop INSIDE theU.S.???>

Header Data

From: vin@shore.net (Vin McLellan)
To: attila <attila@primenet.com>
Message Hash: 45cdb95cbeadf7a0399c7ccfdf322e433789db4ebb60e2dbe926ce2a1408ea71
Message ID: <v02140b01adec77b9e9ea@[206.243.160.205]>
Reply To: N/A
UTC Datetime: 1996-06-19 01:45:02 UTC
Raw Date: Wed, 19 Jun 1996 09:45:02 +0800

Raw message

From: vin@shore.net (Vin McLellan)
Date: Wed, 19 Jun 1996 09:45:02 +0800
To: attila <attila@primenet.com>
Subject: Source Laundering <was: You bet they have/are: NSA/CIA to snoop INSIDE theU.S.???>
Message-ID: <v02140b01adec77b9e9ea@[206.243.160.205]>
MIME-Version: 1.0
Content-Type: text/plain


        Mr. Nobody, an anonymous source of no repute, posted a pretty savvy
analysis of the politics of unauthorized wiretaps a week back:

>   anyone who believes the FBI and a host of other U.S. agencies even
>   less scrupulous does not wiretap without permits, has been standing
>   behind the door. generally, it does not matter if the information
>   learned is admissible in court  --they never admit wiretapping in the
>   first place as the agency themselves, in many cases, *did*not*wiretap*
>   --but the agency does buy info from usually unsavory "contractors" who
>   do wiretap.

        This conforms to my information too.  Back in the mid-80s, I took
a wiretap counterintelligence class with a lot of cops, PIs, and oil
company securitymen.  (The quietest guy in the class, a balding little
wimp at the tech bench behind me, was a PI by the name of John Walker, who
later drew some attention with his overseas business interests.  The
weirdest guy in the class was another PI who kept trying to talk to the
other guys about their work but was jerked around because everyone knew he
was always wired and at the end of the day would rush back to his hotel
room to put the tapes through a voice stress analyser.  I would have said
the most dangerous guys in the room were the grizzled Malaysian oilmen, but
in hindsight Walker probably takes the prize.)

        The instructors were big Ray Jarvis (now of Jarvis Security,) an
ex-Marine reputed to have recently been the CIA's top wireman, and Allan
Bell (now of Dektor Counterintelligence,) the former director of the US
Army's spy shop R&D (who probably has as many secret patents as Friedman
did) -- both smart, thoughtful, amiable guys who knew their tradecraft
cold.

        What I remember most of the week-long class was Ray Jarvis standing
before my classmates and estimating that maybe 10-15 percent of the
domestic wiretapping and bugging -- circa '85 -- by US police agencies was
legally authorized.  He paused and looked around the room for the
consensus. Half the room (mostly big city US cops) paused, looked off in
the distance for a moment, then nodded.

         My sense is that lawmen typically planted the relevant information
in the hands (or mouths) of a malleable "trusted source" when they did the
wire themselves.  If a subcontractor did it for them (on a purposely vague
assignment,) they just didn't ask how the "trusted source" managed to get
the information.  Either way, it worked like money laundering.  Source
laundering, you could call it.

        The cops didn't seem to view themselves as angels, but they were
usually utterly certain the guys they were targeting were the scum of the
earth.  Maybe they were. My expectation was that most of the illicit wires
would be focused on the drug trade (where cops feel like the Border Patrol
in El Paso, hopelessly outclassed by their opponents) but -- at least at
that time -- the scuttlebutt seemed to indicate it was much more broadly
used in criminal investigations. Both wiretaps and bugs are just so damn
easy to place, so cheap, so deniable, and (done properly) so untraceable,
the temptation was virtually irresistible.  And there seemed to be a whole
subculture of master wiremen, trained by the US Govt, accepting bids from
both the Law and corporate security agents.

        (Outside the US, particularly in the oil business, it sounded like
the Wild West before Judge Bean showed up.   I've never doubted that the
cost of a DES-cracking special purpose computer has been buried among the
expense chits of many multinationals, certainly in the Big Oil Government
budgets.  I'd love to talk to the NSA guys who went in with Desert Storm to
find out what the Iraqis picked up from Kuwaiti government/oil IS
installations;-)

        I don't expect much has changed, except everything has gotten
smaller, cheaper, and (with datacom) vastly more automated.  What those
guys knew in the 80s were the phone systems (poor design left many PBXs
with back doors, some of which could even be triggered remotely) but we've
all learned new tricks -- and the NSA and others always concentrated on
CompSec.

>        as for the NSA/CIA spying on US citizens --they don't, they spy on
>    British citizens with facilities provided by M5 and M6.  in return,
>    British M5/6 agents spy on U.S. citizens from Langley or Gaithersburg, or
>    wherever.  The fact they just happen to share information is an
>    "accident."

         In this, I doubt Mr. Nobody.  I can't see either the Brits or the
Yanks willing to trust the other nation's bureaucratic system to keep
in-country spying secret.  The rule was: governments leak... eventually.
And the fallout of Revelation would be awesome.  (And there were so many
safer options.)

        I suppose, however, Nobody's scheme fits the "laundered source"
model too.  I recall talk of this sort of arrangement mostly to cover US
citizen to US citizen phone links across the US border.  I'm not even sure
the NSA couldn't legitimately do this, but after the Church Committee
hearings in the 1970s, everyone wanted to keep their numbers low.  (The
extreme was the FBI, of course, which would show up annually to report
what? 7 or 11 authorized wiretaps for the year.   Everyone barely able to
control their snickers.)

        My apologies if Memory Lane took up too much bandwidth, but the
politics of crypto have a heritage that's ever more relevant.  (Witness all
the direct and indirect reference to Kahn and Bamford's work on this List.)

        A thought:  Being pessimistic lately, and assuming our elected US
pols continue their subservience to the spy agencies, I have a question.
How difficult would it be to concoct an encryption-based scheme which would
hold escrow keys in some sort of serialized time-sensitive one-way account
-- a device that would make it all but impossible to get a key out of the
account without leaving a permanent record that it was retrieved.  How many
were retrieved?  When? By whom?

        Is there such a scheme?  How does/could it work?

        In defending privacy, Accountability is a very powerful weapon.
(Remember those FBI reports of 7-11 wiretaps?) I'd love to see such a
tamperproof recording device imposed upon the FBI's access to its new
Master Wiretap circuits, for example -- with a legislatively-mandated
revelation of the unforgeable results,  something comparable to the current
law in criminal cases, and maybe with some 5-year sunshine provision for
national security cases.

        Such a scheme might be all we can get if this Administration or a
future one gets a version of Clipper mandated.

        Cynics like many of you on this list may not realize how
desperately these guys want to keep to the shadows.  Bright Lights and
Accountability ought to be a Cypherpunk Goal -- even when the tide is
running against us.  A well-documented tamperproof accounting scheme to
document the use of these intrusive powers could result in a potentially
powerful piece of legislation.

        Suerte,
                        _Vin

         Vin McLellan +The Privacy Guild+ <vin@shore.net>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>
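
One way the serialized retrieval record asked about above could be built, as an added example that is not part of the original message: a hash-chained log in which every key release appends a numbered record, so an auditor holding the published head hash can say how many keys were retrieved, when, and by whom. The `EscrowLedger` class, the key IDs, requester names and timestamps are all hypothetical and constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed start of the chain


def entry_hash(body):
    """SHA-256 over a canonical JSON encoding of one retrieval record."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EscrowLedger:
    """Hypothetical escrow account: keys leave only through release()."""
    def __init__(self, keys):
        self._keys = dict(keys)  # key_id -> escrowed key (constructed samples)
        self.log = []            # serialized, append-only retrieval records
        self.head = GENESIS      # hash of the latest record; meant to be published

    def release(self, key_id, requester, when):
        key = self._keys[key_id]  # unknown key_id raises before anything is logged
        body = {"serial": len(self.log) + 1, "when": when, "who": requester,
                "key_id": key_id, "prev": self.head}
        self.head = entry_hash(body)
        self.log.append(dict(body, hash=self.head))  # record first, then hand over
        return key


def audit(log, published_head):
    """Return (ok, detail); catches edits, deletions, reordering, truncation."""
    prev = GENESIS
    for i, rec in enumerate(log, start=1):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["serial"] != i:
            return False, f"serial gap at position {i}"
        if rec["prev"] != prev:
            return False, f"broken link at serial {i}"
        if entry_hash(body) != rec["hash"]:
            return False, f"record {i} altered"
        prev = rec["hash"]
    if prev != published_head:
        return False, "log does not end at the published head"
    return True, f"{len(log)} retrievals"


def demo():
    ledger = EscrowLedger({"K-001": b"key-one", "K-002": b"key-two"})  # constructed
    ledger.release("K-001", "agency-A", "1996-06-19T01:45:02Z")
    ledger.release("K-002", "agency-B", "1996-06-20T10:00:00Z")
    return ledger
```

The chain only makes tampering detectable. Forcing every retrieval through `release()` and publishing the head hash somewhere the custodian cannot rewrite it are assumptions this example does not enforce.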






