RISKS-LIST: RISKS-FORUM Digest Tuesday 11 May 1993 Volume 14 : Issue 59

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Worst Computer Nightmare Contest (Shari Steele via Arthur R. McGee)
IFIP resolution on demeaning games (Richard Wexelblat)
Fake ATM Machine Steals PINs (Eric)
Teller Users Beware (Tapper)
More on Census imposters invading Cary (George Entenman)
NIST Advisory Board Seeks Comments on Crypto (Clipper-Capstone Chip Info)
New NIST/NSA Revelations (Dave Banisar)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its
Usenet counterpart. Undigestifiers are available throughout the Internet,
but not from RISKS. Contributions should be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to [email protected], with appropriate, substantive
"Subject:" line. Others may be ignored! Contributions will not be ACKed.
The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks. REQUESTS please to [email protected].

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to [email protected]).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------
Date: Sat, 8 May 1993 08:44:37 -0700 (PDT)
From: "Arthur R. McGee" <[email protected]>
Subject: Worst Computer Nightmare Contest (fwd)

---------- Forwarded message ----------
Date: Fri, 7 May 1993 09:48:07 -0400
From: [email protected] (Shari)
Subject: Worst Computer Nightmare Contest

COMPUTER NIGHTMARES

The San Diego Computer Fair '93 is looking for the most awful, woeful tale
of "abuse suffered by a human at the hands of a computer." The suffering
human will win a weekend in beautiful San Diego to try and forget that
horrible episode in his or her life. Send your 1,000 word submission to
Computer Nightmare Contest, ComputerEdge Magazine, P.O. Box 83086, San Diego
CA 92138.

-----------------------------

Date: Mon, 3 May 93 13:13:06 EDT
From: [email protected] (Richard Wexelblat)
Subject: IFIP resolution on demeaning games

According to the "Newstrack" in CACM (2/93; p.13), IFIP has adopted a
resolution condemning the production, distribution, and use of computer games
that demean human beings and advocate malicious behavior by the players. The
resolution points to the growth of brutal war games, sexist games, and games
based on themes of racial, ethnic, or religious hatred. The document states:

"IFIP appeals to everybody worldwide to censure harmful games, to raise
awareness of the issues involved, and to support only computer games that
respect human dignity."

(Does anyone know the origin of the issue within IFIP or whether a more
complete description exists?)

   [I hope everyone catches de meaning. PGN]

------------------------------

Date: Tue, 11 May 93 10:52:57 -0400
From: [email protected]
Subject: Fake ATM Machine Steals PINs

Everyone knows you're supposed to be VERY careful about not revealing your PIN
number for your ATM card. How are you supposed to stop this new trick??? At
the Buckland Hills Mall, in Manchester CT, last week, some scam artists
installed a fake ATM machine. They had negotiated with the Mall officers,
pretending to be Bank officials, and had gotten permission. Apparently, they
even got the phone company to come in and lay down some lines. Then, they
installed an ATM machine they had stolen.

It was programmed to read off the account numbers, remember the PIN as it was
typed, then claim some kind of error and refuse to give out money. They left
the machine in the mall for a WEEK, collecting PINs, then they came back, took
the machine back to "repair", and have since printed up new cards, and have
been using the PINs to siphon off money.....

Why didn't I think of that??

   [New trick? This is one of the oldest scams going, but it still
   recurs. PGN]

------------------------------

Date: Mon, 10 May 93 12:52:56 PDT
From: [email protected]
Subject: Teller Users Beware

Any of you that use an automated telephone transaction system to do your
banking (or to make balance inquiries, etc.) may be interested in an
experience I had today.

I dialed in and was connected to a session in progress that belonged to
another user (who probably hung up after receiving whatever information he/she
requested). I immediately transferred all their money into my account...no
just kidding :) I would hate to think that might happen to me, especially
since some of these services allow you to move money around.

I would like to suggest to anyone using these types of services (including
voice-mail services) to back all the way out of the system before hanging up.
Some systems (like Aerospace voice-mail) allow you to disconnect via a
command, before hanging up, but many do not. My banking system does not allow
me to disconnect without hanging up, but it does allow me to back out of the
menus until I reach the main menu which prompts for user password before
proceeding. From now on I'm going to make sure I back out to that level before
hanging up.

Signed,
Could-have-been-rich.

   [Another old classic. The TENEX undetected-hangup problem years ago had
   similar properties, leaving a dial-up port still active, waiting for the
   next dial-up to randomly stumble upon a logged-in user session. PGN]
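
Added example, not part of the original digest and not code from any system named in it: a constructed Python model of one dial-in port, showing why a missed hangup hands the authenticated session to the next caller, and the server-side fixes (clear state when a call is answered, force re-authentication after silence). The `Port` class, the account, PIN, balance and the 30-second idle limit are all hypothetical.

```python
# Added example (not from the digest): constructed model of one dial-in port.
from dataclasses import dataclass, field
from typing import Optional

IDLE_LIMIT = 30  # assumed value: seconds of silence before re-authentication

PINS = {"A-1001": "4321"}      # constructed sample account and PIN
BALANCES = {"A-1001": 2500}    # constructed sample balance


@dataclass
class Port:
    """One answering line; `account` is the authenticated state held by the port."""
    hardened: bool
    account: Optional[str] = None
    last_input: float = 0.0
    log: list = field(default_factory=list)

    def _clear(self, reason):
        if self.account is not None:
            self.log.append(f"{self.account} cleared on {reason}")
        self.account = None

    def answer(self, now):
        # A new call arrives. The hardened port never trusts that the
        # previous call ended cleanly, so it starts from the login prompt.
        if self.hardened:
            self._clear("answer")
        self.last_input = now

    def login(self, account, pin, now):
        self.last_input = now
        ok = PINS.get(account) == pin
        self.account = account if ok else None
        return ok

    def back_out_to_main(self, now):
        # The caller-side workaround from the post: return to the menu
        # level that asks for the password again.
        self.last_input = now
        self._clear("menu exit")

    def hangup(self, detected):
        # detected=False models the missed-hangup case: the line drops
        # but the port never sees the disconnect signal.
        if detected:
            self._clear("hangup")

    def balance(self, now):
        if self.hardened and now - self.last_input > IDLE_LIMIT:
            self._clear("idle timeout")
        self.last_input = now
        if self.account is None:
            return "ENTER ACCOUNT AND PIN"
        return f"BALANCE {BALANCES[self.account]}"


def next_caller_hears(hardened, first_caller_backs_out=False):
    """First caller authenticates, the hangup goes undetected, a second call lands."""
    port = Port(hardened)
    port.answer(now=0)
    port.login("A-1001", "4321", now=5)
    port.balance(now=8)
    if first_caller_backs_out:
        port.back_out_to_main(now=10)
    port.hangup(detected=False)
    port.answer(now=20)          # second caller, same port
    return port.balance(now=21)  # second caller never entered a PIN


if __name__ == "__main__":
    print("unhardened port:         ", next_caller_hears(False))
    print("unhardened, user backs out:", next_caller_hears(False, True))
    print("hardened port:           ", next_caller_hears(True))
```

Backing out of the menus protects only the caller who remembers to do it; clearing state on answer protects every caller regardless of whether the disconnect was seen.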
------------------------------

Date: Mon, 10 May 93 12:32:57 -0400
From: George Entenman <[email protected]>
Subject: More on Census imposters invading Cary (RISKS-14.58)

Saturday's News and Observer had a little article saying that the Census
workers in Cary might really have been working for the US Census Bureau.

   [But George's item does suggest that there is a problem anyway! PGN]

------------------------------

Date: Tue, 11 May 93 13:42:18 EDT
From: Clipper-Capstone Chip Info <[email protected]>
Organization: National Institute of Standards and Technology (NIST)
Subject: NIST Advisory Board Seeks Comments on Crypto

Note: This file has been posted to the following groups:
RISKS Forum, Privacy Forum, Sci.crypt, Alt.privacy.clipper
and will be made available for anonymous ftp from csrc.ncsl.nist.gov,
filename pub/nistgen/cryptmtg.txt and for download from the NIST
Computer Security BBS, 301-948-5717, filename cryptmtg.txt.

Note: The following notice is scheduled to appear in the Federal Register this
week. The notice announces a meeting of the Computer System Security and
Privacy Advisory Board (established by the Computer Security Act of 1987) and
solicits public and industry comments on a wide range of cryptographic issues.
Please note that submissions are due by 4:00 p.m. May 27, 1993.

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Announcing a Meeting of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

AGENCY: National Institute of Standards and Technology

ACTION: Notice of Open Meeting

SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C. App., notice
is hereby given that the Computer System Security and Privacy Advisory Board
will meet Wednesday, June 2, 1993, from 9:00 a.m. to 5:00 p.m., Thursday, June
3, 1993, from 9:00 a.m. to 5:00 p.m., and Friday, June 4, 1993 from 9:00 a.m.
to 1:00 p.m. The Advisory Board was established by the Computer Security Act
of 1987 (P.L. 100-235) to advise the Secretary of Commerce and the Director of
NIST on security and privacy issues pertaining to Federal computer systems and
report its findings to the Secretary of Commerce, the Director of the Office
of Management and Budget, the Director of the National Security Agency, and
the appropriate committees of the Congress. All sessions will be open to the
public.

DATES: The meeting will be held on June 2-4 1993. On June 2 and 3, 1993 the
meeting will take place from 9:00 a.m. to 5:00 p.m. and on June 4, 1993 from
9:00 a.m. to 1:00 p.m.

Public submissions (as described below) are due by 4:00 p.m. (EDT) May 27,
1993 to allow for sufficient time for distribution to and review by Board
members.

ADDRESS: The meeting will take place at the National Institute of Standards
and Technology, Gaithersburg, MD. On June 2, 1993, the meeting will be held
in the Administration Building, "Red Auditorium," on June 3 the meeting will
be held in the Administration Building, "Green Auditorium," and on June 4,
1993 in the Administration Building, Lecture Room "B."

Submissions (as described below), including copyright waiver if required,
should be addressed to: Cryptographic Issue Statements, Computer System
Security and Privacy Advisory Board, Technology Building, Room B-154, National
Institute of Standards and Technology, Gaithersburg, MD, 20899 or via FAX to
301/948-1784. Submissions, including copyright waiver if required, may also
be sent electronically to "[email protected]".

AGENDA:

- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close

PUBLIC PARTICIPATION:

This Advisory Board meeting will be devoted to the issue of the
Administration's recently announced government-developed "key escrow" chip
cryptographic technology and, more broadly, to public use of cryptography and
government cryptographic policies and regulations. The Board has been asked
by NIST to obtain public comments on this matter for submission to NIST for
the national review that the Administration has announced it will conduct of
cryptographic-related issues. Therefore, the Board is interested in: 1)
obtaining public views and reactions to the government-developed "key escrow"
chip technology announcement, "key escrow" technology generally, and
government cryptographic policies and regulations, 2) hearing selected
summaries of written views that have been submitted, and 3) conducting a
general discussion of these issues in public.

The Board solicits all interested parties to submit well-written,
concise issue papers, position statements, and background
materials on areas such as those listed below. Industry input is
particularly encouraged in addressing the questions below.

Because of the volume of responses expected, submittors are asked to identify
the issues above to which their submission(s) are responsive. Submittors
should be aware that copyrighted documents cannot be accepted unless a written
waiver is included concurrently with the submission to allow NIST to reproduce
the material. Also, company proprietary information should not be included,
since submissions will be made publicly available.

This meeting specifically will not be a tutorial or briefing on technical
details of the government-developed "key escrow" chip or escrowed
cryptographic key technologies. Those wishing to address the Board and/or
submit written position statements are requested to be thoroughly familiar
with the topic and to have concise, well-formulated opinions on its societal
ramifications.

Issues on which comments are sought include the following:

1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

Public and Social policy aspects of the government-developed "key escrow" chip
and, more generally, escrowed key technology and government cryptographic
policies.

Issues involved in balancing various interests affected by government
cryptographic policies.

2. LEGAL AND CONSTITUTIONAL ISSUES

Consequences of the government-developed "key escrow" chip technology and,
more generally, key escrow technology and government cryptographic policies.

3. INDIVIDUAL PRIVACY

Issues and impacts of cryptographic-related statutes, regulations, and
standards, both national and international, upon individual privacy.

Issues related to the privacy impacts of the government-developed "key escrow"
chip and "key escrow" technology generally.

4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY

4.A Industry Questions: U.S. Export Controls

4.A.1 Exports - General

What has been the impact on industry of past export controls on products with
password and data security features for voice or data?

Can such an impact, if any, be quantified in terms of lost export sales or
market share? If yes, please provide that impact.

How many exports involving cryptographic products did you attempt over the
last five years? How many were denied? What reason was given for denial?

Can you provide documentation of sales of cryptographic equipment which were
lost to a foreign competitor, due solely to U.S. Export Regulations.

What are the current market trends for the export sales of information
security devices implemented in hardware solutions? For software solutions?

4.A.2 Exports - Software

If the U.S. software producers of mass market or general purpose software
(word processing, spreadsheets, operating environments, accounting, graphics,
etc.) are prohibited from exporting such packages with file encryption
capabilities, what foreign competitors in what countries are able and willing
to take foreign market share from U.S. producers by supplying file encryption
capabilities?

What is the impact on the export market share and dollar sales of the U.S.
software industry if a relatively inexpensive hardware solution for voice or
data encryption is available such as the government-developed "key escrow"
chip?

What has been the impact of U.S. export controls on COMPUTER UTILITIES
software packages such as Norton Utilities and PCTools?

What has been the impact of U.S. export controls on exporters of OTHER
SOFTWARE PACKAGES (e.g., word processing) containing file encryption
capabilities?

What information does industry have that Data Encryption Standard (DES) based
software programs are widely available abroad in software applications
programs?

4.A.3 Exports - Hardware

Measured in dollar sales, units, and transactions, what have been
the historic exports for:

   Standard telephone sets
   Cellular telephone sets
   Personal computers and work stations
   FAX machines
   Modems
   Telephone switches

What are the projected export sales of these products if there is no change in
export control policy and if the government-developed "key escrow" chip is
not made available to industry?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above products, the
above products are freely available at an additional price of no more than
$25.00, and the above products are exported WITHOUT ADDITIONAL LICENSING
REQUIREMENTS?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above products, the
above products are freely available at an additional price of no more than
$25.00, and the above products are to be exported WITH AN ITAR MUNITIONS
LICENSING REQUIREMENT for all destinations?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above products, the
above products are freely available at an additional price of no more than
$25.00, and the above products are to be exported WITH A DEPARTMENT OF
COMMERCE LICENSING REQUIREMENT for all destinations?

4.A.4 Exports - Advanced Telecommunications

What has been the impact on industry of past export controls on other advanced
telecommunications products?

Can such an impact on the export of other advanced telecommunications
products, if any, be quantified in terms of lost export sales or market share?
If yes, provide that impact.

4.B Industry Questions: Foreign Import/Export Regulations

How do regulations of foreign countries affect the import and export of
products containing cryptographic functions? Specific examples of countries
and regulations will prove useful.

4.C Industry Questions: Customer Requirements for Cryptography

What are current and future customer requirements for information security by
function and industry? For example, what are current and future customer
requirements for domestic banking, international banking, funds transfer
systems, automatic teller systems, payroll records, financial information,
business plans, competitive strategy plans, cost analyses, research and
development records, technology trade secrets, personal privacy for voice
communications, and so forth? What might be good sources of such data?

What impact do U.S. Government mandated information security standards for
defense contracts have upon demands by other commercial users for information
security systems in the U.S.? In foreign markets?

What threats are your product designed to protect against? What threats do
you consider unaddressed?

What demand do you foresee for a) cryptographic only products, and b) products
incorporating cryptography in: 1) the domestic market, 2) in the foreign-only
market, and 3) in the global market?

4.D Industry Questions: Standards

If the European Community were to announce a non-DES, non-public key European
Community Encryption Standard (ECES), how would your company react? Include
the new standard in product line? Withdraw from the market? Wait and see?

What are the impacts of government cryptographic standards on U.S. industry
(e.g., Federal Information Processing Standard 46-1 [the Data Encryption
Standard] and the proposed Digital Signature Standard)?

5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY

5.A American Business: Threats and Security Requirements

Describe, in detail, the threat(s), to which you are exposed and which you
believe cryptographic solutions can address.

Please provide actual incidents of U.S. business experiences with economic
espionage which could have been thwarted by applications of cryptographic
technologies.

What are the relevant standards of care that businesses must apply to
safeguard information and what are the sources of those standards other than
Federal standards for government contractors?

What are U.S. business experiences with the use of cryptography to protect
against economic espionage, (including current and projected investment levels
in cryptographic products)?

5.B American Business: Use of Cryptography

Describe the types of cryptographic products now in use by your organization.
Describe the protection they provide (e.g., data encryption or data integrity
through digital signatures). Please indicate how these products are being
used.

Describe any problems you have encountered in finding, installing, operating,
importing, or exporting cryptographic devices.

Describe current and future uses of cryptographic technology to protect
commercial information (including types of information being protected and
against what threats).

Which factors in the list below inhibit your use of cryptographic products?
Please rank:

-- no need
-- no appropriate product on market
-- fear of interoperability problems
-- regulatory concerns
   -- a) U.S. export laws
   -- b) foreign country regulations
   -- c) other
-- cost of equipment
-- cost of operation
-- other

Please comment on any of these factors.

In your opinion, what is the one most important unaddressed need involving
cryptographic technology?

Please provide your views on the adequacy of the government-developed "key
escrow" chip technological approach for the protection of all your
international voice and data communication requirements. Comments on other
U.S. Government cryptographic standards?

6. OTHER

Please describe any other impacts arising from Federal government
cryptographic policies and regulations.

Please describe any other impacts upon the Federal government in the
protection of unclassified computer systems.

Are there any other comments you wish to share?

The Board agenda will include a period of time, not to exceed ten hours, for
oral presentations of summaries of selected written statements submitted to
the Board by May 27, 1993. As appropriate and to the extent possible,
speakers addressing the same topic will be grouped together. Speakers,
prescheduled by the Secretariat and notified in advance, will be allotted
fifteen to thirty minutes to orally present their written statements.
Individuals and organizations submitting written materials are requested to
advise the Secretariat if they would be interested in orally summarizing their
materials for the Board at the meeting.

Another period of time, not to exceed one hour, will be reserved for oral
comments and questions from the public. Each speaker will be allotted up to
five minutes; it will be necessary to strictly control the length of
presentations to maximize public participation and the number of
presentations.

Except as provided for above, participation in the Board's discussions during
the meeting will be at the discretion of the Designated Federal Official.

Approximately thirty seats will be available for the public, including three
seats reserved for the media. Seats will be available on a first-come,
first-served basis.

FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary and
Associate Director for Computer Security, Computer Systems Laboratory,
National Institute of Standards and Technology, Building 225, Room B154,
Gaithersburg, Maryland 20899, telephone: (301) 975-3240.

SUPPLEMENTARY INFORMATION: Background information on the government-developed
"key escrow" chip proposal is available from the Board Secretariat; see
address in "for further information" section. Also, information on the
government-developed "key escrow" chip is available electronically from the
NIST computer security bulletin board, phone 301-948-5717.

The Board intends to stress the public and social policy aspects, the legal
and Constitutional consequences of this technology, and the impacts upon
American business and industry during its meeting.

It is the Board's intention to create, as a product of this meeting, a
publicly available digest of the important points of discussion, conclusions
(if any) that might be reached, and an inventory of the policy issues that
need to be considered by the government. Within the procedures described
above, public participation is encouraged and solicited.

/signed/
Raymond G. Kammer, Acting Director
May 10, 1993

------------------------------

Date: Thu, 6 May 1993 19:24:06 EST
From: Dave Banisar <[email protected]>
Subject: New NIST/NSA Revelations

Less than three weeks after the White House announced a controversial
initiative to secure the nation's electronic communications with
government-approved cryptography, newly released documents raise serious
questions about the process that gave rise to the administration's proposal.
The documents, released by the National Institute of Standards and Technology
(NIST) in response to a Freedom of Information Act lawsuit, suggest that the
super-secret National Security Agency (NSA) dominates the process of
establishing security standards for civilian computer systems in contravention
of the intent of legislation Congress enacted in 1987.

The released material concerns the development of the Digital
Signature Standard (DSS), a cryptographic method for authenticating the
identity of the sender of an electronic communication and for authenticating
the integrity of the data in that communication. NIST publicly proposed the
DSS in August 1991 and initially made no mention of any NSA role in developing
the standard, which was intended for use in unclassified, civilian
communications systems. NIST finally conceded that NSA had, in fact,
developed the technology after Computer Professionals for Social
Responsibility (CPSR) filed suit against the agency for withholding relevant
documents. The proposed DSS was widely criticized within the computer
industry for its perceived weak security and inferiority to an existing
authentication technology known as the RSA algorithm. Many observers have
speculated that the RSA technique was disfavored by NSA because it was, in
fact, more secure than the NSA-proposed algorithm and because the RSA
technique could also be used to encrypt data very securely.

The newly-disclosed documents -- released in heavily censored form at
the insistence of NSA -- suggest that NSA was not merely involved in the
development process, but dominated it. NIST and NSA worked together on the
DSS through an intra-agency Technical Working Group (TWG). The documents
suggest that the NIST-NSA relationship was contentious, with NSA insisting
upon secrecy throughout the deliberations. A NIST report dated January 31,
1990, states that

     The members of the TWG acknowledged that the efforts
     expended to date in the determination of a public key
     algorithm which would be publicly known have not been
     successful. It's increasingly evident that it is
     difficult, if not impossible, to reconcile the concerns
     and requirements of NSA, NIST and the general public
     through using this approach.

The civilian agency's frustration is also apparent in a July 21, 1990,
memo from the NIST members of the TWG to NIST director John W. Lyons. The
memo suggests that "national security" concerns hampered efforts to develop a
standard:

     THE NIST/NSA Technical Working Group (TWG) has held 18
     meetings over the past 13 months. A part of every
     meeting has focused on the NIST intent to develop a
     Public Key Standard Algorithm Standard. We are
     convinced that the TWG process has reached a point where
     continuing discussions of the public key issue will
     yield only marginal results. Simply stated, we believe
     that over the past 13 months we have explored the
     technical and national security equity issues to the
     point where a decision is required on the future
     direction of digital signature standards.

An October 19, 1990, NIST memo discussing possible patent issues surrounding
DSS noted that those questions would need to be addressed "if we ever get our
NSA problem settled."

Although much of the material remains classified and withheld from
disclosure, the "NSA problem" was apparently the intelligence agency's demand
that perceived "national security" considerations take precedence in the
development of the DSS. From the outset, NSA cloaked the deliberations in
secrecy. For instance, at the March 22, 1990, meeting of the TWG, NSA
representatives presented NIST with NSA's classified proposal for a DSS
algorithm. NIST's report of the meeting notes that

     The second document, classified TOP SECRET CODEWORD, was
     a position paper which discussed reasons for the
     selection of the algorithms identified in the first
     document. This document is available at NSA for review
     by properly cleared senior NIST officials.

In other words, NSA presented highly classified material to NIST justifying
NSA's selection of the proposed algorithm -- an algorithm intended to protect
and authenticate unclassified information in civilian computer systems. The
material was so highly classified that "properly cleared senior NIST
officials" were required to view the material at NSA's facilities.

These disclosures are disturbing for two reasons. First, the process
as revealed in the documents contravenes the intent of Congress embodied in
the Computer Security Act of 1987. Through that legislation, Congress
intended to remove NSA from the process of developing civilian computer
security standards and to place that responsibility with NIST, a civilian
agency. Congress expressed a particular concern that NSA, a military
intelligence agency, would improperly limit public access to information in a
manner incompatible with civilian standard setting. The House Report on the
legislation noted that NSA's

     natural tendency to restrict and even deny access to
     information that it deems important would disqualify
     that agency from being put in charge of the protection
     of non-national security information in the view of many
     officials in the civilian agencies and the private
     sector.

While the Computer Security Act contemplated that NSA would provide NIST with
"technical assistance" in the development of civilian standards, the newly
released documents demonstrate that NSA has crossed that line and dominates
the development process.

The second reason why this material is significant is because of what
it reveals about the process that gave rise to the so-called "Clipper" chip
proposed by the administration earlier this month. Once again, NIST was
identified as the agency actually proposing the new encryption technology,
with "technical assistance" from NSA. Once again, the underlying information
concerning the development process is classified. DSS was the first test of
the Computer Security Act's division of labor between NIST and NSA. Clipper
comes out of the same "collaborative" process. The newly released documents
suggest that NSA continues to dominate the government's work on computer
security and to cloak the process in secrecy, contrary to the clear intent of
Congress.

On the day the Clipper initiative was announced, CPSR submitted FOIA
requests to key agencies -- including NIST and NSA -- for information
concerning the proposal. CPSR will pursue those requests, as well as the
pending litigation concerning NSA involvement in the development of the
Digital Signature Standard. Before any meaningful debate can occur on the
direction of cryptography policy, essential government information must be
made public -- as Congress intended when it passed the Computer Security Act.
CPSR is committed to that goal.

David L. Sobel, CPSR Legal Counsel, (202) 544-9240
[email protected]

------------------------------
End of RISKS-FORUM Digest 14.59