Computer underground Digest    Sun July 5, 1992   Volume 4 : Issue 28

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Copy Editor: Etaion Shrdlu, Jr.
       Firstbooksisoutmeister: B. Kehoe
       Ex-Arcmeister: Bob Kusumoto
       Koalameister: Dan Carosone

CONTENTS, #4.28 (July 5, 1992)

Back issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie in the PF*NPC RT libraries, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 22 Jun 1992 21:10:20 EDT
From: Dave Banisar
Subject: May '92 Version of FBI Digital Telephony Proposal

The following is the latest version of the FBI Digital Telephony Proposal, introduced in May 1992. This version removes the previous language that authorized the FCC to set standards and now places it solely in the hands of the Attorney General.
Fines are $10,000/day for noncompliance with services within the public switched network having 18 months to comply and services outside having three years. The proposal now mandates that the capability for remote government wiretapping must be included into the system.

This proposal clearly enhances the ability of the FBI to monitor communications. It takes the unprecedented step of placing control over certification of telecommunications equipment in the hands of the Attorney General and requires that the equipment be constructed to allow government to have the ability to monitor communications from a "government monitoring facility remote from the target facility." All telecommunications users should be concerned by the privacy and security implications of creating systems that have holes for the government or any other knowledgeable user to plug into.

David Banisar
CPSR Washington Office
banisar@washofc.cpsr.org

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

102nd Congress
2nd Session

S. _____
[H.R. _____]

IN THE SENATE
[IN THE HOUSE OF REPRESENTATIVES]

M. ________________ introduced the following bill; which was referred to the Committee on__________________

A BILL

To ensure the continuing access of law enforcement to the content of wire and electronic communications when authorized by law and for other purposes.

Be it enacted by the Senate and the House of Representatives of the United States of America in Congress assembled,

SEC. 1. FINDINGS AND PURPOSES.
(a) The Congress finds:

   (1) that telecommunications systems and networks are often used in the furtherance of criminal activities including organized crime, racketeering, extortion, kidnapping, espionage, terrorism, and trafficking in illegal drugs;

   (2) that recent and continuing advances in telecommunications technology, and the introduction of new technologies and transmission modes by the telecommunications industry, have made it increasingly difficult for government agencies to implement lawful orders or authorizations to intercept wire and electronic communications and thus threaten the ability of such agencies effectively to enforce the laws and protect the national security; and

   (3) that without the assistance and cooperation of providers of electronic communication services and private branch exchange operators, the introduction of new technologies and transmission modes into telecommunications systems without consideration and accommodation of the need of government agencies lawfully to intercept wire and electronic communications would impede the ability of such agencies effectively to carry out their responsibilities.

(b) The purposes of this Act are to clarify the responsibilities of providers of electronic communication services and private branch exchange operators to provide such assistance as necessary to ensure the ability of government agencies to implement lawful court orders or authorizations to intercept wire and electronic communications.

SEC. 2.
(a) Providers of electronic communication services and private branch exchange operators shall provide within the United States capability and capacity for the government to intercept wire and electronic communications when authorized by law:

   (1) concurrent with the transmission of the communication to the recipient of the communication;

   (2) in the signal form representing the content of the communication between the subject of the intercept and any individual with whom the subject is communicating, exclusive of any other signal representing the content of the communication between any other subscribers or users of the electronic communication services provider or private branch exchange operator, and including information on the individual calls (including origin, destination and other call set-up information), and services, systems, and features used by the subject of the interception;

   (3) notwithstanding the mobility of the subject of the intercept or the use by the subject of the intercept of any features of the telecommunication system, including, but not limited to, speed-dialing or call forwarding features;

   (4) at a government monitoring facility remote from the target facility and remote from the system of the electronic communication services provider or private branch exchange operator;

   (5) without detection by the subject of the intercept or any subscriber; and

   (6) without degradation of any subscriber's telecommunications service.

(b) Providers of electronic communication services within the public switched network, including local exchange carriers, cellular service providers, and interexchange carriers, shall comply with subsection (a) of this section within eighteen months from the date of enactment of this subsection.
(c) Providers of electronic communication services outside of the public switched network, including private branch exchange operators, shall comply with subsection (a) of this section within three years from the date of enactment of the subsection.

(d) The Attorney General, after consultation with the Department of Commerce, the Small Business Administration and Federal Communications Commission, as appropriate, may except from the application of subsections (a), (b) and (c) of this section classes and types of providers of electronic communication services and private branch exchange operators. The Attorney General may waive the application of subsections (a), (b) and (c) of this section at the request of any provider of electronic communication services or private branch exchange operator.

(e) The Attorney General shall have exclusive authority to enforce the provisions of subsections (a), (b) and (c) of this section. The Attorney General may apply to the appropriate United States District Court for an order restraining or enjoining any violation of subsection (a), (b) or (c) of this section. The District Court shall have jurisdiction to restrain and enjoin violations of subsections (a) of this section.

(f) Any person who willfully violates any provision of subsection (a) of this section shall be subject to a civil penalty of $10,000 per day for each day in violation. The Attorney General may file a civil action in the appropriate United States District Court to collect, and the United States District Courts shall have jurisdiction to impose, such fines.
(g) Definitions--As used in subsections (a) through (f) of this section--

   (1) provider of electronic communication service or private branch exchange operator means any service or operator which provides to users thereof the ability to send or receive wire or electronic communication, as those terms are defined in subsections 2510(1) and 2510(12) of Title 18, United States Code, respectively, but does not include the government of the United States or any agency thereof;

   (2) communication means any wire or electronic communication, as defined in subsections 2510(1) and 2510(12), of Title 18, United States Code;

   (3) intercept shall have the same meaning as set forth in section 2510(4) of Title 18, United States Code; and

   (4) government means the Government of the United States and any agency or instrumentality thereof, any state or political subdivision thereof, the District of Columbia, and any commonwealth, territory or possession of the United States.

DIGITAL TELEPHONY AND INTERCEPTION BY CRIMINAL LAW ENFORCEMENT AGENCIES

The telecommunications systems and networks are often used to further criminal activities including white collar and organized crime, racketeering, extortion, kidnapping, espionage, terrorism, and trafficking in illegal drugs. Accordingly, for many years, one of the most important tools in the investigation of crime for Federal and State criminal law enforcement agencies has been the court authorized interception of communications. As illustrated below, the majority of original authorizations to intercept wire or electronic communications are conducted by State criminal law enforcement agencies.
          Interception Applications Authorized

          Year      State    Federal     Total
          1984        512        289       801
          1985        541        243       784
          1986        504        250       754
          1987        437        236       673
          1988        445        293       738
          1989        453        310       763
          1990        548        324       872
          Total     3,440      1,945     5,385

Approximately, 3/8 of authorized interceptions were conducted by Federal agencies, while 5/8 of the authorized interceptions were conducted by State criminal law enforcement agencies.[1]

The recent and continuing advances in telecommunications technology, and the introduction of new technologies by the telecommunications industry, have made it increasingly difficult for government agencies to implement lawful orders or authorizations to intercept wire and electronic communications, as well as to implement pen register and trap-and-trace court orders or authorizations. These new technologies inadvertently undermine the ability of criminal law enforcement agencies to enforce effectively the criminal laws and protect the national security. Without the assistance and cooperation of the telecommunications industry, these new technologies will impede the ability of the government to enforce the criminal law. Accordingly, the purpose of this bill is to clarify the existing responsibilities of electronic communication services providers and private branch exchange operators, as established, for example, in 18 U.S.C. §§ 2518(4), 3124(A), (B), to provide such assistance as necessary to ensure the ability of government agencies to implement lawful orders or authorizations to intercept communications.
Over the past twenty-five years, the working relationship between the criminal law enforcement community, particularly the Federal Bureau of Investigation as the federal government's primary criminal law enforcement agency, and the telecommunications industry, in response to the appropriate court orders or authorizations, has provided government agencies with timely access to the signals containing the content of communications covered by the court orders or authorizations. As a general proposition, this has involved providing the means to acquire the communication as it occurs between two individual telephone users at a remote location, not dissimilar to a call in which the two originating parties do not know that a third party is listening, and in which the third party (the criminal law enforcement agency) records the authorized and relevant calls.

Historically, and with relatively few exceptions, the telecommunications industry has provided the criminal law enforcement community with the ability to monitor and record calls:

   1. at the same time as the call is transmitted to the recipient;
   2. in the same form as the content of the call was transmitted through the network, notwithstanding the use by the target of custom features of the network;
   3. whether stationary or mobile;
   4. at the government monitoring facility;
   5. without detection by the target or other subscribers; and
   6. without degrading any subscriber's service.

However, the introduction of new technology has begun to erode the ability of the government to fully effectuate interceptions, pen registers and trap-and-trace court orders or authorizations that are critical to detecting and prosecuting criminals. As technology has developed, the telecommunications industry has not always ensured the continued ability to provide the same services to the criminal law enforcement community.
The telecommunications industry's introduction of certain types of new technology poses real problems for effective criminal law enforcement. Legislation is necessary to ensure that the government will be provided with this capability and capacity in the future by all providers and operators and to maintain a level playing field among competitive providers and operators in the telecommunications industry.

There have been instances in which court orders authorizing the interception of communications have not been fulfilled because of technical limitations within particular telecommunications networks. For example, as early as 1986, limited capabilities became apparent in at least one network which will only be corrected later in 1992. This technical deficiency in a new technology forced criminal law enforcement agencies to prioritize certain interceptions to the exclusion of other court orders. Accordingly, for approximately six years, there have been court orders that have not been sought by the criminal law enforcement community or executed by the telecommunications industry and, as a consequence, important criminal investigations have not been brought to fruition or have been less than efficiently concluded. This is one classic example of new technology affecting adversely the criminal law enforcement community: a microcosm of what may be expected on a nationwide basis without enactment of this legislation.

Section 1 of the bill states Congressional findings and purpose.

Section 2 is divided into seven subsections.

Subsection (a) establishes as a matter of law the responsibility of electronic communication services providers and private branch exchange operators to continue to provide, within the United States, the capability and capacity for criminal law enforcement agencies to intercept wire and electronic communications when authorized by law. These subsections delineate the existing attributes of wire or electronic communication interception.

1. Concurrent with Transmission. The application for a court order to intercept telecommunications conversations or data transmissions is rarely a leisurely process. For example, on the Federal side, the development of the required affidavits, submission to the Criminal Division of the Department of Justice for approval, transmission of approval to the Assistant United States Attorney, the appearance of the Assistant before a judge to request the order and the delivery of the judge's order to the appropriate telecommunications company is frequently completed in a very short time. However, crime waits for no one and the system for approval of interceptions must and does conform with the realities of the activity that is sought to be investigated and, if appropriate, prosecuted as criminal offenses. Since time is of the essence, current law requires that service providers and operators provide the government forthwith all information, facilities and technical assistance necessary to accomplish its mission. It is critical that the telecommunications industry respond quickly to execute the court order or authorization. The ultimate problem of timeliness, however, is the real-time monitoring of the intercepted communications. As serious and potentially life-threatening criminal conduct is detected, it may be necessary to move quickly to protect innocent victims from that conduct. Accordingly, real-time monitoring is critical.

2. Isolated Signal and Services Used. Nearly all of the communications network is partially "analog" at this time. In conducting an interception, for example, of a telephone conversation, the government is allowed to monitor and record criminal conversation such as a conspiracy, minimizing the acquisition of non-criminal or innocent conversation.
When an electronic communication services provider or private branch exchange operator introduces a new technology--such as a digital signal--the communications are converted into a different and more efficient form for transmission, but a more difficult form to monitor during interception. The bill requires only that the provider or operator isolate and provide access to the electronic signal that represents the content of the communications of the target of the intercept[2] from the stream of electronic signals representing other communications. This provision seeks to ensure that, in the new electronic environment in which signals are mixed for transmission and separated at another switch for distribution, the government does not receive the communications of any individual other than the individuals using the target's communications point of origin and receipt; the government must remain subject to the minimization standards of 18 U.S.C. § 2518(5).

This provision also makes it clear that an electronic communication services provider or private branch exchange operator is not required to provide for reconversion of the isolated communication to analog or other form. The government expects that this process will be accomplished by the government.

3. Mobility and Features. Increasingly, criminal acts are being conducted or discussed over cellular telephones or by using special telecommunications features. As this mobility is introduced, the electronic communication services providers and private branch exchange operators would be required to assure the capability and capacity for criminal law enforcement agencies to continue lawful interception.

Further, this subsection makes it clear that features used by the target do not defeat the court order or authorization.
For example, communications which have been addressed to the telephone number of the target, but which may have been programmed through a call-forwarding feature to another, otherwise innocent, telephone number, must be captured and made available to criminal law enforcement authorities pursuant to court order or authorization. This requirement will obviate the need for applications for authority to monitor otherwise innocent telephone numbers that receive, only intermittently, calls forwarded by the target. The effect of this provision is to further minimize monitoring of calls of innocent parties.

Similarly, certain speed dialing features that mask the telephone number called by the target must be identified for criminal law enforcement investigation. The ability to consistently determine the destination of calls is critical to minimizing the monitoring of innocent calls.

4. Government Monitoring Facility. Government agencies do not normally request the use of telecommunications industry physical facilities to conduct authorized interceptions nor is it encouraged by the industry. Normally, the government leases a line from the electronic communication services provider's or private branch exchange operator's switch to another location owned or operated by the government. This minimizes the cost and intrusiveness of interceptions, which benefits the service provider or operator, as well as the government. Accordingly, the ability to monitor intercepted communications remotely is critical.

5. Without Detection. One of the reasons that governments operate their own facilities is to reduce the risk of detection of the interception, which would render the interception worthless. At the present time, the existence of an interception is unknown to any subscriber and is not detectable by the target, notwithstanding folklore and spy novels. This provision merely ensures that the secrecy of effective interceptions will be maintained.

6. Without Degradation. Maintaining the quality of the telephone network is in the interest of the government, the industry and the public. Presently, the existence of an interception has no effect on the quality of the service provided by any network to the target or any subscriber. This provision ensures that the quality of the network will continue to be uncompromised. Absent the assistance delineated by this legislation, the execution of court orders and authorizations by the government could well disrupt service of the newer technological systems, a result that this legislation seeks to avoid.

Subsection (b) provides that electronic communication services providers and private branch exchange operators within the "public switched network" must be in compliance with the minimum intercept attributes within eighteen months after enactment. Thereafter, new technologies must continue to meet these minimum attributes.

Subsection (c) provides that electronic communication service providers and private branch exchange operators that are not within the "public switched network" must be in compliance with the minimum intercept attributes within eighteen months after enactment. Thereafter, new technologies must continue to meet these minimum attributes.

Subsection (d) provides that the Attorney General may grant exceptions to the affirmative requirements of subsection (a), as well as the implementation deadlines of subsections (b) and (c). In considering any request for exception, the Attorney General will consult with Federal Communications Commission, the Small Business Administration and the Department of Commerce, as appropriate. Accordingly, the Attorney General has the authority to except, for example, whole classes, categories or types of private branch exchange operators where no serious criminal law enforcement problems are likely to arise, such as hospital telephone systems.
This subsection also permits the Attorney General to waive the requirements of subsections (a), (b) and (c) on application by an electronic communication services provider or private branch exchange operator. Accordingly, if a particular company can not comply with one or more of the requirements of subsection (a), or needs time additional to that permitted under subsections (b) or (c), the Attorney General may grant an appropriate waiver.

Subsection (e) provides that the Attorney General has exclusive authority to enforce the provisions of the bill. While a number of States have authority to seek and execute interception orders, they will be required to seek the assistance of the Attorney General if enforcement of this legislation is required. This section also provides for injunctive relief from violations of the provisions of the bill.

Subsection (f) provides for enforcement of the provisions of the bill through imposition of civil fines against any company that is not excepted from the provisions of the bill, does not acquire a waiver of the provisions of the bill, and fails to meet the requirements of subsection (a) after the effective dates set out in subsection (b) or (c), as appropriate. A fine of up to $10,000 per day for each day in violation may be levied; for most companies in the telecommunications industry this amount is sufficient to ensure that compliance will be forthcoming. Although this provision is not expected to be used, it is critical to ensure that compliance with the provisions of the bill will occur after the effective dates of the requirements of subsection (a).

Subsection (g) carries forward a number of definitions from the current provisions for the interception of wire or electronic communications under "Title III." The definition of government that is currently in use includes all States, territories and possessions of the United States, as well as the United States, is made applicable to the bill.
[Footnotes]

[1] Interceptions for foreign intelligence and counterintelligence purposes are not counted within the figures used here, but would likewise benefit from enactment of the legislation.

[2] Whether the content is voice, facsimile, imagery (e.g. video), computer data, signalling information, or other forms of communication, does not matter; all forms of communication are intercepted.

------------------------------

Date: Wed, 24 Jun 92 18:02:18 CDT
From: Joe.Abernathy@HOUSTON.CHRON.COM (Joe Abernathy)
Subject: Chronicle Crypto Article

This cryptography article appeared Sunday, June 21. It is being forwarded to Risks as a way of giving back something to the many thoughtful participants here who helped give shape to the questions and the article.

In a companion submission, I include the scanned text of the NSA's 13-page response to my interview request, which appears to be the most substantial response they've provided to date. I would like to invite feedback and discussion on the article and the NSA document. Please send comments to edtjda@chron.com

"PROMISING TECHNOLOGY ALARMS GOVERNMENT"
"Use of super-secret codes would block legal phone taps in FBI's crime work"

By JOE ABERNATHY
Copyright 1992, Houston Chronicle

Government police and spy agencies are trying to thwart new technology that allows conversations the feds can't tap.

A form of cryptography -- the science of writing and deciphering codes -- this technology holds the promise of guaranteeing true privacy for transactions and communications.

But an array of federal agencies is seeking to either outlaw or severely restrict its use, pointing out the potency of truly secret communications as a criminal tool.

"Cryptography offers or appears to offer something that is unprecedented," said Whitfield Diffie, who with a Stanford University colleague devised "public key cryptography," an easily used cryptography that is at the center of the fight.

"It looks as though an individual might be able to protect information in such a way that the concerted efforts of society are not going to be able to get at it.

"No safe you can procure has that property; the strongest safes won't stand an hour against oxygen lances. But cryptography may be different. I kind of understand why the police don't like it."

The National Security Agency, whose mission is to conduct espionage against foreign governments and diplomats, sets policy for the government on matters regarding cryptography.

But the FBI is taking the most visible role. It is backing legislation that would address police fears by simply outlawing any use of secure cryptography in electronic communications.

The ban would apply to cellular phones, computer networks, and the newer standard telephone equipment -- already in place in parts of Houston's phone system and expected to gain wider use nationwide.

"Law enforcement needs to keep up with technology," said Steve Markardt, a spokesman for the FBI in Washington. "Basically what we're trying to do is just keep the status quo. We're not asking for anything more intrusive than we already have."

He said the FBI uses electronic eavesdropping only on complex investigations involving counterterrorism, foreign intelligence, organized crime, and drugs. "In many of those," he said, "we would not be able to succeed without the ability to lawfully intercept."

The State and Commerce departments are limiting cryptography's spread through the use of export reviews, although many of these reviews actually are conducted by the NSA. The National Institute of Standards and Technology, meanwhile, is attempting to impose a government cryptographic standard that critics charge is flawed, although the NSA defends the standard as adequate for its intended, limited use.

"It's clear that the government is unilaterally trying to implement a policy that it's developed," said Jim Bidzos, president of RSA Data Security, which holds a key cryptography patent. "Whose policy is it, and whose interest does it serve? Don't we have a right to know what policy they're pursuing?"

Bidzos and a growing industry action group charge that the policy is crippling American business at a critical moment.

The White House, Commerce Department, and NIST refused to comment.

The NSA, however, agreed to answer questions posed in writing by the Houston Chronicle. Its purpose in granting the rare, if limited, access, a spokesman said, was "to give a true reflection" of the policy being implemented by the agency.

"Our feeling is that cryptography is like nitroglycerin: Use it sparingly then put it back under trusted care," the spokesman said.

Companies ranging from telephone service providers to computer manufacturers and bankers are poised to introduce new services and products including cryptography. Users of electronic mail and computer networks can expect to see cryptography-based privacy enhancements later this year.

The technology could allow electronic voting, electronic cash transactions, and a range of geographically separated -- but secure -- business and social interactions. Not since the days before the telephone could the individual claim such a level of privacy.

But law enforcement and intelligence interests fear a world in which it would be impossible to execute a wiretap or conduct espionage.

"Secure cryptography widely available outside the United States clearly has an impact on national security," said the NSA in its 13-page response to the Chronicle. "Secure cryptography within the United States may impact law enforcement interests."

Although Congress is now evaluating the dispute, a call by a congressional advisory panel for an open public policy debate has not yet been heeded, or even acknowledged, by the administration.
The FBI nearly won the fight before anyone knew that war had been declared. Its proposal to outlaw electronic cryptography was slipped into another bill as an amendment and nearly became law by default last year before civil liberties watchdogs exposed the move.

"It's kind of scary really, the FBI proposal being considered as an amendment by just a few people in the Commerce Committee without really understanding the basis for it," said a congressional source, who requested anonymity. "For them, I'm sure it seemed innocuous, but what it represented was a fairly profound public policy position giving the government rights to basically spy on anybody and prevent people from stopping privacy infringements."

This year, the FBI proposal is back in bolder, stand-alone legislation that has created a battle line with law enforcement on one side and the technology industry and privacy advocates on the other.

"It says right on its face that they want a remote government monitoring facility" through which agents in Virginia, for instance, could just flip a switch to tap a conversation in Houston, said Dave Banisar of the Washington office of Computer Professionals for Social Responsibility.

Though the bill would not change existing legal restraints on phone-tapping, it would significantly decrease the practical difficulty of tapping phones -- an ominous development to those who fear official assaults on personal and corporate privacy. And the proposed ban would defuse emerging technical protection against those assaults.

CPSR, the point group for many issues addressing the way computers affect people's lives, is helping lend focus to a cryptographic counterinsurgency that has slowly grown in recent months to include such heavyweights as AT&T, DEC, GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other computer and communications companies.

The proposed law would ban the use of secure cryptography on any message handled by a computerized communications network.
It would further force service providers to build access points into their equipment through which the FBI -- and conceivably, any police officer at any level -- could eavesdrop on any conversation without ever leaving the comfort of headquarters.

"It's an open-ended and very broad set of provisions that says the FBI can demand that standards be set that industry has to follow to ensure that (the FBI) gets access,'' said a congressional source. "Those are all code words for if they can't break in, they're going to make (cryptography) illegal.

"This is one of the biggest domestic policy issues facing the country. If you make the wrong decisions, it's going to have a profound effect on privacy and security.''

The matter is being considered by the House Judiciary Committee, chaired by Rep. Jack Brooks, D-Texas, who is writing a revision to the Computer Security Act of 1987, the government's first pass at secure computing.

The recent hearings on the matter produced a notable irony, when FBI Director William Sessions was forced to justify his stance against cryptography after giving opening remarks in which he called for stepped-up action to combat a rising tide of industrial espionage. Secure cryptography was designed to address such concerns.

The emergence of the international marketplace is shaping much of the debate on cryptography. American firms say they can't compete under current policy, and that in fact, overseas firms are allowed to sell technology in America that American firms cannot export.

"We have decided to do all further cryptographic development overseas,'' said Fred B. Cohen, a noted computer scientist. "This is because if we do it here, it's against the law to export it, but if we do it there, we can still import it and sell it here.
What this seems to say is that they can have it, but I can't sell it to them -- or in other words -- they get the money from our research.''

A spokeswoman for the Software Publishers Association said that such export controls will cost $3-$5 billion in direct revenue if left in place over the next five years. She noted the Commerce Department estimate that each $1 billion in direct revenue supports 20,000 jobs.

The NSA denied any role in limiting the power of cryptographic schemes used by the domestic public, and said it approves 90 percent of cryptographic products referred to NSA by the Department of State for export licenses. The Commerce Department conducts its own reviews.

But the agency conceded that its export approval figures refer only to products that use cryptology to authenticate a communication -- the electronic form of a signed business document -- rather than to provide privacy.

The NSA, a Defense Department agency created by order of President Harry Truman to intercept and decode foreign communications, employs an army of 40,000 code-breakers. All of its work is done in secret, and it seldom responds to questions about its activities, so a large reserve of distrust exists in the technology community.

NSA funding is drawn from the so-called "black budget,'' which the Defense Budget Project, a watchdog group, estimates at $16.3 billion for 1993.

While the agency has always focused primarily on foreign espionage, its massive eavesdropping operation often pulls in innocent Americans, according to James Bamford, author of "The Puzzle Palace," a book focusing on the NSA's activities. Significant invasions of privacy occurred in the 1960s and 1970s, Bamford said.

Much more recently, several computer network managers have acknowledged privately to the Chronicle that NSA has been given access to data transmitted on their networks -- without the knowledge of network users who may view the communications as private electronic mail.
Electronic cryptology could block such interceptions of material circulating on regional networks or on Internet -- the massive international computer link.

While proponents of the new technology concede the need for effective law enforcement, some question whether the espionage needs of the post-Cold War world justify the government's push to limit these electronic safeguards on privacy.

"The real challenge is to get the people who can show harm to our national security by freeing up this technology to speak up and tell us what this harm is,'' said John Gilmore, one of the founders of Sun Microsystems.

"When the privacy of millions of people who have cellular telephones, when the integrity of our computer networks and our PCs against viruses are up for grabs here, I think the battleground is going to be counting up the harm and in the public policy debate trying to strike a balance.''

But Vinton Cerf, one of the leading figures of the Internet community, urged that those criticizing national policy maintain perspective.

"I want to ask you all to think a little bit before you totally damn parts of the United States government,'' he said. "Before you decide that some of the policies that in fact go against our grain and our natural desire for openness, before you decide those are completely wrong and unacceptable, I hope you'll give a little thought to the people who go out there and defend us in secret and do so at great risk.''

------------------------------

Date: Fri, 26 Jun 92 09:10:40 EDT
From: Kim Clancy
Subject: Re: Subbed to CuD

Somebody Watching? Somebody Listening?

*** Special Announcement ***

KNIGHT LIGHTNING TO SPEAK AT SURVEILLANCE EXPO '92
Washington, DC

The Fourth Annual International Surveillance and Countersurveillance Conference and Exposition focusing on Information Security and Investigations Technology will take place at the Sheraton Premiere in Tysons Corner (Vienna), Virginia on August 4-7.
The seminars are on August 7th and include Craig Neidorf (aka Knight Lightning) presenting and discussing the following:

- Are law enforcement and computer security officials focusing their attention on where the real crimes are being committed?
- Should security holes and other bugs be made known to the public?
- Is information property and if so, what is it worth?

Experience the case that changed the way computer crime is investigated and prosecuted by taking a look at one of America's most talked about computer crime prosecutions: United States v. Neidorf (1990).

Exonerated former defendant Craig Neidorf will discuss the computer "hacker" underground, Phrack newsletter, computer security, and how it all came into play during his 7 month victimization by some of our nation's largest telephone companies and an overly ambitious and malicious federal prosecutor. Neidorf will speak about his trial in 1990 and how the court dealt with complex issues of First Amendment rights, intellectual property, and criminal justice.

Security professionals, government employees, and all other interested parties are invited to attend. For more information please contact:

American Technology Associates, Inc.
P.O. Box 20254
Washington, DC 20041
(202)331-1125 Voice
(703)318-8223 FAX

------------------------------

Date: Sun, 21 Jun 92 17:46:26 PDT
From: jwarren@AUTODESK.COM(Jim Warren)
Subject: Govt & Corp Sysops Monitoring Users & Email

Last month, I gave a morning talk to an all-day meeting of an organization of systems administrators of mini-class, mostly-shared systems -- most of them employed by Fortune 500 companies and government agencies.

Initially titled, "Dodging Pitfalls in the Electronic Frontier," by mutual agreement with the organizers, we re-titled it, "Government Impacts on Privacy and Security." However, it was the same talk.
:-)

It was based on information and perspectives aired during recent California Senate Judiciary privacy hearings, and those presented at the 1991 and 1992 conferences on Computers, Freedom & Privacy. (I organized and chaired the first CFP and co-authored its transcripts, available from the IEEE Computer Society Press, 714-821-8380, Order #2565.)

The talk was long; the audience attentive; the questions and discussion extensive. The attendees were clearly and actively interested in the issues.

At one point, I asked "How many have *NOT* been asked by their management or superiors to monitor their users and/or examine or monitor users' email?"

Only about 20% held up their hands -- even though I emphasized that I was phrasing the question in a way that those who would be proud to hold up their hands, could do so.

------------------------------

Date: Tue, 30 Jun 1992 17:56:35 EDT
From: "PETER B. WHITE"
Subject: Call for papers : Digitisation

SPECIAL ISSUE
MEDIA INFORMATION AUSTRALIA
SOCIAL IMPLICATIONS OF DIGITISATION

MEDIA INFORMATION AUSTRALIA will be publishing a special issue devoted to the social implications of digitisation in February 1993. Issues to be considered include the social, economic and political implications of digitisation for:

- electronic communities
- journalism, publishing and broadcasting
- telecommunications
- privacy and free speech
- work practices
- gender relations
- international communications
- leisure, education and training

MEDIA INFORMATION AUSTRALIA, founded by the late Professor Henry Mayer, is a peer-reviewed journal with an international orientation, in its sixteenth year of publication. It is published by the Australian Film Television and Radio School.

Potential contributors should send abstracts of no more than 300 words by July 15, 1992. Commissioned papers of 3000-5000 words will be due by October 1, 1992 and they will be peer-reviewed in the normal way.

Please send abstracts to the Issue Editor : Dr Peter B.
White, Media Centre, La Trobe University, Bundoora, Victoria 3083, Australia or
EMAIL: PBWHITE@LATROBE.EDU.AU
FAX: + 61 3 817 5875.

------------------------------

End of Computer Underground Digest #4.29
************************************