House armed services committee members tie crypto to kidnappings

1999-10-22 Thread Declan McCullagh

[Yes, Virginia, many Congresscritters are babbling birdbrains. Take Rep. Neil
Abercrombie (D-Hawaii). He apparently thinks that encryption export controls
are somehow linked to private-sector databases. Go figure. He's not dumb -- has
a sociology PhD -- but seems to have a thing about terrorists. Co-authored a
novel "Blood of Patriots" in which a pair of 'em wipe out 125 legislators. And
Rep. John Kasich's (R-Ohio) comments are, if possible, even more inane. --DBM]



HEARING OF THE HOUSE ARMED SERVICES COMMITTEE
SUBJECT: RELEASE OF REPORT FROM
THE COMMISSION ON NATIONAL SECURITY
IN THE 21ST CENTURY

CHAIRED BY: REPRESENTATIVE FLOYD D. SPENCE (R-SC)
WITNESSES: GARY HART, FORMER U.S. SENATOR;
NORMAN R. AUGUSTINE, FORMER CHAIR, LOCKHEED MARTIN CORPORATION;
WARREN B. RUDMAN, FORMER U.S. SENATOR;
ANDREW YOUNG, FORMER U.S. AMBASSADOR TO THE UNITED NATIONS

2118 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC
OCTOBER 5, 1999, TUESDAY

...

REP. ABERCROMBIE: Thank you very much.  I hope you will also take up the
question of encryption.  I probably find myself to the -- as long as we have
syndromes here of left and right and so on -- I'm probably way, way, way to the
right of most everybody, I guess, on this committee, and certainly where the
administration is at the moment, on the question of encryption.
I find it ironic that there would be a proposal to give the FBI tens of millions
of dollars to try to overcome the encryption that we're going to sell to
everybody, so's people can make money while we put our, I believe, put our
security at risk.  Just as a case in point, from today's Miami Herald, on the
kidnapping taking place in Bogota -- in Colombia, rather, by the ELN, the point
made -- the present kidnapping, guerrillas take -- "roadblocks are common in
Colombia" -- I'm quoting now -- "and guerrillas often take numerous people.
Rebels at roadblocks have begun using portable computers to check databases to
determine the assets of potential kidnap victims." (Mild laughter.)

This, on one hand, is amusing, but in the technological world we're dealing with
now it's a reality and it has to do with bioterrorism, it has to do with all the
other possibilities that might be taken up.  So I would hope that you would
address the question of encryption in the overall context.
On that, then, finally, for me, I hope you will take up in the second and third
phases, when you deal with the question of bioterrorism, weapons of mass
destruction and so on, some of the actual costs and logistical difficulties that
we will face internally, domestically in the United States.

...

MR. AUGUSTINE: This is a subject, of course, of the next two phases of our
report.  I'd hate to keep reiterating that, but these are exactly the kinds of
things we are going to try to come to grips with.
I think -- back to an observation I made earlier -- we are going to have to
think differently.  We are going to have to think about the threats that are new
and think about them, to use the buzzword of the time, "outside the box" that
is to say, outside conventional traditional military solutions.
The response to threats of these kinds -- of cyberthreats, biological, chemical
-- are going to have to engage the American population.  I am a great advocate
of, I guess, remodeling and revitalizing the National Guard and Reserve.  I --
and I am now just one person talking -- I think the defense of the homeland is
going to have to involve those branches of our Armed Services in ways that the
traditional military cannot, and probably should not, respond to, for a lot of
constitutional reasons.

We are going to have to think of nonmilitary assets; how to engage the private
sector, with all of the talent and capability it has, at becoming part of the
homeland defense; that we can't just say to the Defense Department, "Defend our
country against these kinds of threats."

...

So if we are entering a century and an era where we at home are under attack or
could be under attack, we are going to have to think totally different; I mean,
the only solution isn't the 82nd Airborne Division and Trident submarines and so
on.  In fact, those are probably not the right solutions.

...

REP. KASICH: ...drive the government, Mr. Augustine, away from sales and more
in the direction of how we get a handle on proliferation.  They say, well, if
we don't sell, the British will sell.  Well, I mean, I thought we were a leader
of the world.  If we're a leader of the world, then why don't we break some
knuckles and force some people to understand the consequence of selling high
technology items to the enemy?  And I would hope that you would consider that.
And maybe you might comment, Mr. Augustine, about the proliferation, argument,
profits, and what we can do to march together in the world.

Technology, Mr. Young, may be -- you know, I know about the tremendous poverty
that we see around the world.  But, you know, the Internet may offer us a great
opportunity for the American citizen

NSA transitioning to commercial services model

1999-10-22 Thread Robert Hettinga

The NSA continues to discover that financial cryptography is the only 
cryptography that matters.

As Whit Diffie has said in the same vein, "InfoWar", whatever *that* 
means, will be "fought" between businesses and private individuals, 
and not governments. There's little that government crypto/security 
agencies can do to assist entities in those conflicts, any more than 
post-feudal religion could help much in conflicts between secular 
nation-states.

So, in keeping with the spirit of the following article, I propose 
that the US Government should follow their apparent instincts here, 
privatize the NSA, and take it, heh..., public.

Cheers,
RAH

It's going to happen anyway, of course...



--- begin forwarded text


Mailing-List: contact [EMAIL PROTECTED]
From: "Dan S" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Fri, 22 Oct 1999 07:59:31 -0400
Subject: IP: Super-secret NSA transitioning to commercial services model

From http://www.fcw.com/pubs/fcw/1999/1018/web-nsa-10-21-99.html
-
OCTOBER 21, 1999 . . . 11:29 EDT



Super-secret NSA transitioning to commercial services model

BY DIANE FRANK ([EMAIL PROTECTED])

The National Security Agency, the enigmatic signals intelligence arm of the
Defense Department, is breaking away from its traditional role of building
"black boxes" for encrypting highly classified information in favor of
offering security and certification services similar to those in commercial
industry.

Mike Jacobs, deputy director of information systems at NSA, said that while
the agency "will always have a traditional portion of our business building
'black boxes' . . . we are an organization in transition."

The agency increasingly is offering security assessment, testing, red teams
and diagnostics services to other Defense and civilian agencies, Jacobs said
Wednesday at the National Information Systems Security Conference. "This is
the growth area [and a] burgeoning new business," he said.

Rather than doing all the testing and validation of its own products for
itself, NSA will be relying on the National Information Assurance
Partnership (NIAP), a joint validation effort between NSA and the National
Institute of Standards and Technology.

In the past, NSA endorsed security products and procedures, and encouraged
their use by assuring members of the Defense and intelligence community that
such products would be "bulletproof" solutions, said Lou Giles, a member of
the NIAP from NSA.

Now, instead of products receiving NSA's endorsement, agencies will have to
bring their protection profiles -- the description of their information
environment and security needs -- to NSA, which will then certify that
process as one that meets certain NSA-approved security standards. NSA also
will evaluate and certify proposals from vendors.

"The customer still wants that NSA endorsement," Giles said. "But this is a
new philosophical paradigm of evaluation for commercial products that we're
moving to."

--
Dan S





--- end forwarded text


-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



DEA says drug smugglers used crypto & Net but cops got around it

1999-10-22 Thread Declan McCullagh

Note this sounds a lot like what the DEA and Reno have been saying for years:
inserting backdoors into crypto products to preserve the balance between
privacy and snoopability. So what's changed after the announcement last month?

DEA: "We hope that we don't lose the ability to intercept encrypted
communications." (He doesn't seem to know what he's talking about, but
probably means decrypting and not intercepting.)

Reno: "It is going to be more and more difficult for law enforcement... make
sure that we balance the privacy concerns that are so important with law
enforcement's legitimate concerns."

-Declan

**


PRESS CONFERENCE
WITH U.S. ATTORNEY GENERAL JANET RENO
COLOMBIAN AMBASSADOR ALBERTO MORENO

SUBJECT: ARREST OF COLOMBIAN DRUG TRAFFICKERS
IN OPERATION MILLENNIUM
THE DEPARTMENT OF JUSTICE
WASHINGTON, D.C.
OCTOBER 13, 1999, WEDNESDAY

Acting Administrator Donnie Marshall of the Drug Enforcement Administration

...

MR. MARSHALL: Thank you, Attorney General.  And congratulations to Ambassador
Moreno for a job well done by the law enforcement authorities in his country.
The operation that we're announcing today is, in my opinion, one of the most
significant operations in the history of drug enforcement, Operation
Millennium.
It began when, about a year ago, at the request of the United States government,
two of the most powerful drug traffickers in the world today were investigated
by the Colombian government, the Colombian national police, and today those two
traffickers, along with a number of others, were arrested.

...

In this case, the defendants used very sophisticated communications equipment,
including use of the Internet, encrypted telephones, and cloned cellular
telephones, in what was a vain attempt to avoid detection.  But in the end, it
was these very devices which led to the devastating evidence against them.
Through the use of judicial wiretaps and intercepts in both Colombia and in the
United States, their communications were intercepted and recorded, thus
producing evidence which comes straight from the defendants' own mouths.
In addition, Drug Enforcement agents executed a covert search warrant for
evidence contained in a computer located in South Florida at the residence of
one of the defendants, which acted as the center of their operation in South
Florida, thus uncovering the method of communication through the Internet.
Our prosecutors, agents and investigators in South Florida await the opportunity
to bring these defendants before a court to face the charges.  Thank you.

...

Q You were talking about the sophisticated kinds of communication devices, and
you mentioned the Internet.  Did that include net phones?

(U.S Attorney Tom Scott from Miami)
MR. SCOTT: They had various -- and the DEA people can speak to this, but they
had encrypted phones; they used all types of different phones.  They'd get
phones and throw them away.  And they even used the Internet.  So it was pretty
sophisticated electronic methods of trying to avoid detection, but the
intercepts, both in Colombia and the United States picked up.
Q And did you have trouble in any way with the state of law enforcement's
abilities to intercept these kinds of devices?  Were there any problems?
MR. SCOTT: No, I think this case demonstrates that through -- we made a request
on the Colombian government, through the Vienna Convention, through letters
rogatory, and they proceeded immediately to conduct the investigation and to get
the judicial intercepts to their prosecutors, and I think that was very
effective.
Q There were no technical problems, though, in gaining access to these
conversations?
MR. SCOTT: We were very satisfied with the investigation the way it was
conducted.
Q Mr. Marshall, on her point, please.  The head of the DEA and the FBI have
repeatedly -- and Ms. Reno have repeatedly warned of the dangers of not being
able to break the codes of criminals.  And of course encryption legislation is
being debated at length.  

Is this an indication that maybe that's not so great a problem after all?
MR. MARSHALL: Well, that was not a significant impediment in this particular
investigation.  We've encountered that in many, many other investigations.
We're encountering it ever more frequently. And we hope that we don't lose the
ability to intercept encrypted communications.
Q Mr. Ambassador --
ATTY. GEN. RENO: I would point out -- I would point out in that regard that in
this instance, it was not an obstacle.  But as more and more drug traffickers
and others engaged in organized crime and other activities, including terrorism,
encrypt their communication, it is going to be more and more difficult for law
enforcement.  And that is the reason it is so important law enforcement work
with the private sector and with others to ensure the protection of our national
security interests and to make sure that we balance the privacy concerns that
are so important with law enforcement's legitimate concerns.

...


---

RE: NSA transitioning to commercial services model

1999-10-22 Thread Phillip Hallam-Baker

Too late. Many of the employees have transitioned into the
private sector of their own accord long ago.

What we are seeing however is strong pressure from governments
worldwide on industry to invest in computer security. The
threat of information warfare is certainly being taken seriously
and there is a realization that the military depends on the
civilian infrastructure.

Governments are also positioning themselves to push on this
topic because they realize that the security infrastructure
needed to protect against infowar is also the enabling
infrastructure for electronic commerce. Hence the appointment
in the UK of an 'e-envoy'.

If it wasn't for Y2K and the euro conversion this pressure
would be being felt today. Europe knows exactly what it is
doing with their privacy directive, they are forcing industry
to build infrastructure.

Liberflamage on the morality of this to /dev/null please.
Governments exist, get over it.


Phill
