cypherpunks-legacy
July 2018
- 1371 participants
- 9656 discussions

New Security/Privacy Regs for Federal Agencies - OMB 7-16 - Over 200 government execs in attendance
by Government Best Practices Training Series 06 Jul '18
Date: Sat, 14 Jul 2007 16:57:56 -0400
To: rah(a)ibuc.com
***Excellent networking opportunity for government support contractors and
product suppliers
***See below for detailed list of speakers and early registrants.
To subscribe to your complimentary copy of Homeland Defense Journal visit
our home page at www.homelanddefensejournal.com.
Homeland Defense Journal's AM*BriefingTM
Strategies for Data Breach Prevention, Mitigation and Notification
An In-depth Look at OMB M-07-16
July 18, 2007
Capital Hilton
Washington, D.C.
***PLEASE NOTE CHANGE OF VENUE***
This event is NO longer taking place at the Ronald Reagan Building and
International Trade Center. It will be held at the Capital Hilton.
Registrations exceeded original estimates.
***Complimentary to Government Employees***
Keynote Speaker: Karen Evans, Administrator of E-Government and Information
Technology, OMB
About this Conference
After multiple agency exposures to identity theft, in May 2006 President
Bush created the Identity Theft Task Force to develop a comprehensive
strategic plan for steps that the federal government could take to combat
identity theft and provide recommended actions that could be taken by the
public and private sectors. In April 2007 the task force submitted its plan
to combat identity theft to the President. As a response to the plan, on
May 22, 2007 the OMB released M-07-16, which requires federal agencies to
develop and implement breach and notification policies within 120 days.
M-07-16 requires that federal agencies develop notification policies that:
- Review existing requirements with respect to privacy and security
- Include existing and new requirements for incident and handling
- Include existing and new requirements for external breach notification
- Develop policies that concern the responsibilities of individuals
authorized to access personally identifiable information
With the agencies required to develop and implement policies and procedures
in such a short period of time, the Strategies for Data Breach Prevention,
Mitigation and Notification Briefing is designed to break down the
requirements of M-07-16 and provide guidance and suggestions for agencies
in developing policies and plans. You will be given a complete overview of
the mandate and learn tactics and solutions available to develop policies
in cost-effective ways that fulfill the requirements of the mandate and
strengthen agencies' information systems and data.
What You Will Learn
- How to address the requirements of M-07-16
- Cost effective solutions and strategies to develop sound identity theft
policies
- How to train staff to adhere to new policies
- Government, Industry, Analyst and Media perspective on identity theft and
M-07-16
Who Should Attend
- Security personnel responsible for collecting and maintaining identity
information
- Executive level managers & administrators: network, systems,
infrastructure, and security
- Executives responsible for implementing, planning or maintaining
information systems
- Federal, state and local managers with security responsibilities
- Security infrastructure executives
- IT public sector systems integrators
Speakers
- Karen Evans, Administrator of E-Government and Information Technology,
Office of Management and Budget
- Hugo Teufel III, Chief Privacy Officer, Department of Homeland Security
- Marc Groman, Chief Privacy Officer, Federal Trade Commission
- Mischel Kwon, Department of Justice
Early Registrants Include
Organization/Company Title U.S. General Services Administration Agency
Expert, Federal PKI U.S. Courts AO-OIT-IT Security Office EMC Corporation
Area Manager, DoD U.S. Census Bureau Assistant Division Chief CACI Assistant
to DON CIO Mission Assurance Team Lead BoozAllenHamilton Associate FDIC
Associate Director National Gallery of Art Associate General Counsel TSA
Asst Chief Counsel, Information Law Pension Benefit Guaranty Corporation
Asst. Inspector General for Investigations TSA Attorney -Advisor TSA
Attorney Advisor, Procurement Law SSA Attorney, Office of General Law TSA
Attorney, Office of the Special Counselor TSA Attorney-Advisor TSA
Attorney-Advisor U.S. Courts Audit Manager IRM/OPS/ITI/ISI/PKI BLADE
program manager Info Sec, Inc Business Development Northrop Grumman
Business Development Manager National Gallery of Art Chief Information
Officer Federal Trade Commission Chief Information Security Officer SSA
Chief Information Security Officer U.S. Coast Guard Chief of Office of
Information & Security Management Office of Personnel Management Chief,
Plans and Policies Group U.S. Department of State CIRT Analyst DHHS
Contract Compliance Officer DOD COTR Pension Benefit Guaranty Corporation
Criminal Investigator Department of Commerce Data Management & Stewardship
Staff National Gallery of Art Deputy Administrator National Gallery of Art
Deputy Chief of Special Projects / Information Technology National Gallery
of Art Deputy Personnel Officer National Gallery of Art Deputy Secretary,
General Counsel Department of Veterans Affairs Deputy, ADAS Office of
Privacy & Records Management SSA DII Policy Lead EMC Corporation Director
Sales, DoD & Intelligence Community Department of the Treasury Director,
Information Services Directorate USDA Director, Information Technology
Division EMC Corporation Director, Sales Operations OPIC Director, Security
& Administrative Services Engineering Systems Solutions, Inc Director,
Veterans Affairs SSA Executive Director, Office of Public Disclosure NSF
FOIA/Privacy Act Officer EMC Corporation Global Acct Manager, Northrop
Grumman APPTIS Information Security Architect Office of Administrative Law
Judges Information Security Officer Department of Labor Information
Security Officer CMS/ OIS Information Security Specialist Federal Election
Commission Information System Security Officer U.S. Courts Information
Technology Security Officer Department of Veterans Affairs Information
Technology Specialist U.S. Department of State Information Technology
Specialist Pension Benefit Guaranty Corporation Investigator PBGC
Investigator Pension Benefit Guaranty Corporation Investigator Technician
Fairfax County IT Assistant US Government Printing Office IT Security U.S.
Office of Personnel Management IT Security Officer Department of Labor, OIG
IT Specialist U.S. Department of Labor IT Specialist Office of the
Inspector General, Department of Labor IT Specialist U.S. Office of
Personnel Management IT Specialist U.S. EPA IT Specialist U.S. EPA IT
Specialist Department of the Treasury IT Specialist U.S. Department of
State IT Specialist U.S. State Department IT Specialist/Security Federal
Trade Commission Law Clerk U.S. EPA Management Integrity Advisor DOC
Manager, Critical Infrastructure Protection Program AAMVA Manager, State
Government Affairs Niksun, Inc National Account Manager IMS, Inc Network
Administrator IMS, Inc Network Administrator U.S. Department of Commerce
OCIO U.S. Department of Commerce OCIO, Chief of Staff Department of
Veterans Affairs Office of Privacy & Records Management Department of
Veterans Affairs Office of Privacy & Records Management Department of
Veterans Affairs Office of Privacy & Records Management Department of
Justice Operations Services Staff U.S. Office of Personnel Management OPM
Forms, PRA, Records and GPEA Officer DOD PM SSA Policy Analyst U.S.
Department of State Policy and Awareness Team NASA Privacy Act and Records
Officer EPA Privacy Act Officer Peace Corps Headquarters Privacy Act
Specialist NSF Privacy Advocate TSA Privacy Analyst California Dept of
Public Health Privacy Officer and General Counsel OPM Privacy Program
Manager Department of Veterans Affairs Program Analyst SSA Program Analyst
Treasury- FMS Program Analyst Department of Veterans Affairs Program
Analyst FDA Program Analyst Department of Veterans Affairs Program Manager
Niksun, Inc Regional Sales Manager Secure Agent Software Sales Executive
Department of the Treasury Security Specialist National Gallery of Art
Security Specialist Overseas Private Investment Corporation Senior Advisor
BoozAllenHamilton Senior Associate Intersections Inc Senior Director,
Security Services APPTIS Senior IT Security Analyst APPTIS Senior IT
Security Analyst FDIC Senior IT Specialist U.S. Department of State Senior
Legal Analyst United States Mint Senior Risk Analyst IRS Senior Security
Architect DOC CIRT Senior Security Specialist RSA Security Sr. Manager,
Americas Field Marketing OPM Sr. Project Manager Department of Veterans
Affairs Staff Assistant Department of the Treasury Summer Intern U.S.
Courts Supervisory Human Resources Specialist SSA/ODAR Systems Security
Officer Department of Commerce Team Lead, Data Management & Stewardship
Staff EMC Corporation Technology Business Consultant DHS Technology Trends
Engineer Az-Tech VP Engineering Systems Solutions, Inc VP, Business
Development SRA International VP, Deputy Director Business Technology
Offerings Northrop Grumman EMC Corporation Department of Veterans
Affairs Woodrow Wilson Int'l Center for Scholars Department of Justice
DoD National Gallery of Art
Sponsors
- EMC
- RSA
- Patriot
- Government Horizons
- Carrolls Publishing
- Homeland Defense Journal
Registration Charges
Industry - $195 per person
Government - Complimentary - Must register by contacting Katie Smith at
(703) 807-2758, emailing her at ksmith(a)marketaccess.org or faxing the
provided Registration Form to (703) 807-2728
Registration Options
[1] Register on-line at www.homelanddefensejournal.com
[2] Phone Katie Smith at (703) 807-2758
[3] E-mail Katie Smith at ksmith(a)marketaccess.org
[4] Fax the Registration Form provided below to: (703) 807-2728
[5] Mail the Registration Form provided below to:
Homeland Defense Journal
4301 Wilson Blvd. #1003
Arlington, VA 22203
Location Information
***Please Note the Change of Venue***
This event is NO longer taking place at the Ronald Reagan Building and
International Trade Center. It will be held at the Capital Hilton, just a
few blocks away.
The conference will be held at the Capital Hilton, 1001 16th Street, NW,
Washington, DC 20036 (202) 393-1000. The hotel is located only a few blocks
from 3 different Metro Stations: Farragut North (Red Line), Farragut West
(Blue & Orange Lines), McPherson Square (Blue & Orange Lines).
Contact Us
* For registration information, contact Katie Smith, (703) 807-2758
* For government speaking and best practices presentation opportunities,
contact Brian Lake, (703) 807-2753
-------------------------------------------------------------------------------
--- REGISTRATION FORM ----
Strategies for Data Breach Prevention, Mitigation and Notification
An In-depth Look at OMB M-07-16
July 18, 2007
Attendee name:
Title:
Company/Agency:
Address:
City, State, and Zip Code:
Telephone Number:
Fax Number:
Attendee E-mail Address:
Training Coordinator E-mail Address:
Phone #:
REGISTRATION CHARGES (CIRCLE ONE):
Industry - $95 per person
Government - Complimentary
Method of Payment:
Company Check (payable to Homeland Defense Journal) - Tax ID: 01-057-705-9
Credit Card
Government P.O. (please attach)
Type of Credit Card (check one):
____Visa____MasterCard____American Express
Card Number: ____________________________________
Exp. Date:____________________
Name Printed on Card: ___________________________________________________
Signature (required): ___________________________________________________
Please fax this form, complete with payment information, to
(703) 807-2728 or mail it with your payment to:
Homeland Defense Journal, 4301 Wilson Blvd, Suite 1003, Arlington, VA 22203
If you have questions about registration/payment, please call Katie Smith
at (703) 807-2758. Thank you.
--------------------------------------------------------------------------------
Email Recipient Instructions
If you do not wish to participate in this Training List, please REPLY to
this announcement and place the word STOP in the SUBJECT line. The email
address (rah(a)ibuc.com) used to send this announcement will not be used for
future training announcements. Please allow 5 days to complete.
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Attorney, Office of the Special Counselor TSA Attorney-Advisor TSA
Attorney-Advisor U.S. Courts Audit Manager IRM/OPS/ITI/ISI/PKI BLADE
program manager Info Sec, Inc Business Development Northrop Grumman
Business Development Manager National Gallery of Art Chief Information
Officer Federal Trade Commission Chief Information Security Officer SSA
Chief Information Security Officer U.S. Coast Guard Chief of Office of
Information & Security Management Office of Personnel Management Chief,
Plans and Policies Group U.S. Department of State CIRT Analyst DHHS
Contract Compliance Officer DOD COTR Pension Benefit Guaranty Corporation
Criminal Investigator Department of Commerce Data Management & Stewardship
Staff National Gallery of Art Deputy Administrator National Gallery of Art
Deputy Chief of Special Projects / Information Technology National Gallery
of Art Deputy Personnel Officer National Gallery of Art Deputy Secretary,
General Counsel Department of Veterans Affairs Deputy, ADAS Office of
Privacy & Records Management SSA DII Policy Lead EMC Corporation Director
Sales, DoD & Intelligence Community Department of the Treasury Director,
Information Services Directorate USDA Director, Information Technology
Division EMC Corporation Director, Sales Operations OPIC Director, Security
& Administrative Services Engineering Systems Solutions, Inc Director,
Veterans Affairs SSA Executive Director, Office of Public Disclosure NSF
FOIA/Privacy Act Officer EMC Corporation Global Acct Manager, Northrop
Grumman APPTIS Information Security Architect Office of Administrative Law
Judges Information Security Officer Department of Labor Information
Security Officer CMS/ OIS Information Security Specialist Federal Election
Commission Information System Security Officer U.S. Courts Information
Technology Security Officer Department of Veterans Affairs Information
Technology Specialist U.S. Department of State Information Technology
Specialist Pension Benefit Guaranty Corporation Investigator PBGC
Investigator Pension Benefit Guaranty Corporation Investigator Technician
Fairfax County IT Assistant US Government Printing Office IT Security U.S.
Office of Personnel Management IT Security Officer Department of Labor, OIG
IT Specialist U.S. Department of Labor IT Specialist Office of the
Inspector General, Department of Labor IT Specialist U.S. Office of
Personnel Management IT Specialist U.S. EPA IT Specialist U.S. EPA IT
Specialist Department of the Treasury IT Specialist U.S. Department of
State IT Specialist U.S. State Department IT Specialist/Security Federal
Trade Commission Law Clerk U.S. EPA Management Integrity Advisor DOC
Manager, Critical Infrastructure Protection Program AAMVA Manager, State
Government Affairs Niksun, Inc National Account Manager IMS, Inc Network
Administrator IMS, Inc Network Administrator U.S. Department of Commerce
OCIO U.S. Department of Commerce OCIO, Chief of Staff Department of
Veterans Affairs Office of Privacy & Record's Management Department of
Veterans Affairs Office of Privacy & Record's Management Department of
Veterans Affairs Office of Privacy & Record's Management Department of
Justice Operations Services Staff U.S. Office of Personnel Management OPM
Forms, PRA, Records and GPEA Officer DOD PM SSA Policy Analyst U.S.
Department of State Policy and Awareness Team NASA Privacy Act and Records
Officer EPA Privacy Act Officer Peace Corps Headquaters Privacy Act
Specialist NSF Privacy Advocate TSA Privacy Analyst California Dept of
Public Health Privacy Officer and General Counsel OPM Privacy Program
Manager Department of Veterans Affairs Program Analyst SSA Program Analyst
Treasury- FMS Program Analyst Department of Veterans Affairs Program
Analyst FDA Program Analyst Department of Veterans Affairs Program Manager
Niksun, Inc Regional Sales Manager Secure Agent Software Sales Executive
Department of the Treasury Security Specialist National Gallery of Art
Security Specialist Overseas Private Investment Corporation Senior Advisor
BoozAllenHamilton Senior Associate Intersections Inc Senior Director,
Security Services APPTIS Senior IT Security Analyst APPTIS Senior IT
Security Analyst FDIC Senior IT Specialist U.S. Department of State Senior
Legal Analyst United States Mint Senior Risk Analyst IRS Senior Security
Architect DOC CIRT Senior Security Specialist RSA Security Sr. Manager,
Americas Field Marketing OPM Sr. Project Manager Department of Veterans
Affairs Staff Assistant Department of the Treasury Summer Intern U.S.
Courts Supervisory Human Resources Specialist SSA/ODAR Systems Security
Officer Department of Commerce Team Lead, Data Management & Stewardship
Staff EMC Corporation Technology Business Consultant DHS Technology Trends
Engineer Az-Tech VP Engineering Systems Solutions, Inc VP, Business
Development SRA International VP, Deputy Director Business Technology
Offerings Northrop Grumman EMC Corporation Department of Veterans
Affairs Woodrow Wilson In't Center for Scholars Department of Justice
DoD National Gallery of Art
Sponsors
- EMC
- RSA
- Patriot
- Government Horizons
- Carrolls Publishing
- Homeland Defense Journal
Registration Charges
Industry - $195 per person
Government - Complimentary - Must register by contacting Katie Smith at
(703) 807-2758, emailing her at ksmith(a)marketaccess.org or faxing the
provided Registration Form to (703) 807-2728
Registration Options
[1] Register on-line at www.homelanddefensejournal.com
[2] Phone Katie Smith at (703) 807-2758
[3] E-mail Katie Smith at ksmith(a)marketaccess.org
[4] Fax the Registration Form provided below to: (703) 807-2728
[5] Mail the Registration Form provided below to:
Homeland Defense Journal
4301 Wilson Blvd. #1003
Arlington, VA 22203
Location Information
***Please Note the Change of Venue***
This event is NO longer taking place at the Ronald Reagan Building and
International Trade Center. It will be held at the Capital Hilton, just a
few blocks away
The conference will be held at the Capital Hilton, 1001 16th Street, NW,
Washington, DC 20036 (202) 393-1000. The hotel is located only a few blocks
from 3 different Metro Stations: Farragut North (Red Line), Farragut West
(Blue & Orange Lines), McPherson Square (Blue & Orange Lines).
Contact Us
* For registration information, contact Katie Smith, (703) 807-2758
* For government speaking and best practices presentation opportunities,
contact Brian Lake, (703) 807-2753
-------------------------------------------------------------------------------
--- REGISTRATION FORM ----
Strategies for Data Breach Prevention, Mitigation and Notification
An In-depth Look at OMB M-07-16
July 18, 2007
Attendee name:
Title:
Company/Agency:
Address:
City, State, and Zip Code:
Telephone Number:
Fax Number:
Attendee E-mail Address:
Training Coordinator E-mail Address:
Phone #:
REGISTRATION CHARGES (CIRCLE ONE):
Industry - $95 per person
Government - Complimentary
Method of Payment:
Company Check (payable to Homeland Defense Journal) - Tax ID: 01-057-705-9
Credit Card
Government P.O. (please attach)
Type of Credit Card (check one):
____Visa____MasterCard____American Express
Card Number: ____________________________________
Exp. Date:____________________
Name Printed on Card: ___________________________________________________
Signature (required): ___________________________________________________
Please fax this form, complete with payment information, to
(703) 807-2728 or mail it with your payment to:
Homeland Defense Journal, 4301 Wilson Blvd, Suite 1003, Arlington, VA 22203
If you have questions about registration/payment, please call Katie Smith
at (703) 807-2758. Thank you
--------------------------------------------------------------------------------
Email Recipient Instructions
If you do not wish to participate in this Training List, please REPLY to
this announcement and place the word STOP in the SUBJECT line. The email
address (rah(a)ibuc.com) used to send this announcement will not be used for
future training announcements. Please allow 5 days to complete.
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
06 Jul '18
Link: http://slashdot.org/article.pl?sid=04/04/14/0259250
Posted by: timothy, on 2004-04-14 11:34:00
Topic: privacy, 87 comments
from the thanks-fellas-no-really dept.
[1]crem_d_genes writes "American Airlines has become the third U.S.
airline to [2]admit sharing passenger records with the government.
They were preceded in admissions by [3]Northwest Airlines and
[4]JetBlue Airways. At the heart of the matter is the implementation
of the [5]U.S. Transportation Security Administration's (TSA) use
of the provisions known as [6]CAPPS II. Some privacy advocates have
expressed strong dissent with this plan. [7]Some concerns have even
been brought up in Congress, though for different reasons. The
Department of Homeland Security has a site entitled [8]CAPPS II: Myths
and Facts."
References
1. mailto:watershed_ne1@mac.com
2. http://cbs2chicago.com/topstories/topstories_story_101163959.html
3. file://yro.slashdot.org/article.pl?sid=04/01/21/1641251&tid=123
4. file://yro.slashdot.org/article.pl?sid=03/09/18/0142221&tid=158
5. http://www.tsa.gov/public/
6. http://www.eff.org/Privacy/cappsii/
7. http://www.fcw.com/fcw/articles/2004/0315/web-capps-03-17-04.asp
8. http://www.dhs.gov/dhspublic/display?content=3163
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
The following is an attempt to gather all the information on the Diginotar
meltdown in one place. There are references to external sources ("[REF...]")
and cross-links ("!!!!!!") which aren't present in the text, but apart from
that it should be pretty complete. I've posted it here in case anyone finds
it useful, and if there's anything I've missed or that's incorrect, please let
me know.
Peter.
-- Snip --
A far more serious CA compromise occurred a few months later. The problem was
first noticed when Iranian users of Google's Chrome browser, which contains
hardcoded knowledge of the certificates that are expected from Google sites (a
technique known as "certificate pinning"), started getting warnings that the
sites were serving unexpected certificates [REF: 1a, 1b]. This problem, which
ultimately affected up to 300,000 users [REF: 1d], was caused by certificates
for a whole range of major sites being replaced by new ones from a Dutch
trusted root CA called Diginotar (the suggestion to check for suspicious
certificate issuance for high-value sites dating from the last CA compromise
had been ignored).
This CA, which already had a long history of compromises by different hacker
groups in different countries going back over two years [REF: 2d], was
compromised in the current breach in around June 2011 [REF: 2f] with 283 rogue
certificates issued on 10 July and another 124 issued on 18 July
[REF: 2e]. Diginotar finally realised that there was a problem on 19 July
[REF: 2b], possibly after the attacker(s) left a note on Diginotar's site
informing them of this [REF: 2a][XREF: 2d] since they hadn't been aware of the
previous several years' worth of breaches. In response to this the CA then
tried to revoke the rogue certificates and thought that they'd succeeded, but
an independent check carried out at that point couldn't find any evidence of
this, with the investigator concluding that "I'd love to see the
*dozens* of revocations [...] but I simply cannot find them" [REF: 2e].
In the meantime more rogue certificates were being issued, and Diginotar again
tried to revoke them [REF: 2c], again without much apparent effect (despite
the hacker activity at Diginotar ceasing on 22 July, new rogue certificates
were still being discovered as late as September [REF: 2f]).
The Diginotar breach was a fairly serious one since the attacker(s) were able
to issue not only generic web-server certificates but also high-value EV
certificates, European Qualified Certificates (these are discussed in
"!!!!!!!!X.509 in Practice" on page !!!!!), and Dutch government (PKIoverheid)
certificates. The latter group included certificates for use by Dutch
notaries, which could be used to notarise high-value transactions like house
sales, after which they were transferred to an automated central government
registry. While the Dutch government initially believed Diginotar when they
said that they'd got the situation under control [REF: 6c], a claim that was
backed up by an audit by the Dutch CERT GovCERT, a second evaluation by
security company Fox-IT [REF: 4a], combined with the appearance of further
rogue certificates as well as OCSP responder queries for even further
yet-to-be-discovered certificates, including high-value Qualified Certificates
and PKIoverheid certificates [REF: 2f] indicated that the problem hadn't
actually been fixed.
After an all-night crisis meeting, the Dutch government discontinued all use
of Diginotar certificates [REF: 6a], leaving all government sites that had
used Diginotar with invalid certificates until they could buy new ones from
other CAs [REF: 6a]. In all a total of 58,000 certificates had to be
replaced, a problem so massive that the Dutch government went so far as to ask
browser vendors to postpone taking any action because of the disruption that
it would cause. The replacement process itself required extensive
coordination with users "to prevent the total collapse of all M2M
[machine-to-machine] communication" [REF: 6e]. Shortly afterwards the Dutch
government took over the administration of Diginotar [REF: 6b], prevented them
from issuing further high-value certificates like Qualified Certificates, and
had them revoke all (known) existing ones [REF: 6f].
A catastrophe on this scale was something that even the browser vendors
couldn't ignore. Diginotar had issued a vanishingly small number of
general-purpose public certificates (its cash cow was the highly lucrative
business of selling to the Dutch government and government users, not to the
general public), totalling a mere 700-odd certificates [REF: 3a], of which
only 29 featured in the Alexa top million sites, all of them in the
Netherlands [REF: 3b]. Up against this were at least 531 known rogue
certificates (and an unknown number of further ones that hadn't been
discovered), including 124 that were issued after Diginotar detected the
compromise, indicating that there were further compromised systems or that the
supposedly re-secured systems remained compromised [REF: 3c].
As with previous CA compromises, the browser vendors had to resort to
hardcoding blacklists into the browsers because the standard PKI revocation
mechanisms didn't work [REF: 5a, 5b, 5c]. Browsers either hardcoded in
hundreds of certificates (at least the ones that they knew about) [REF: 5d],
or blacklisted the issuing CA's certificates [REF: 5a] (this continuing
inability to deal with invalid certificates later led one observer to comment
that "revocation only works when you don't need it" [REF: 4b]).
Not long afterwards, realising that they were sitting on a bottomless well of
liability, Diginotar's parent company Vasco wound the company up [REF: 7a].
In response to this disaster, and with an eye on moves by the Dutch government
to make breach disclosure notification mandatory [REF: 6d], when the Dutch
telco KPN discovered that the web site that it used to issue its certificates
had been compromised for up to four years (!!), it immediately suspended
certificate issuance and notified the government [REF: 8b, 8c]. A later study
of certificate revocations among global CAs that was carried out in response
to the Diginotar catastrophe indicated that as many as fourteen commercial CAs
had been compromised at one time or another [REF: 8a]. There's no evidence
that any of these CAs notified their users or anyone who relied on the
certificates that they issued of the existence of any problem.
While earlier CA compromises had received fairly extensive coverage within the
technical community, Diginotar was novel in that it gained attention outside
the field as well. For example an attendee at a law conference in the US
reported that Diginotar was a topic of discussion among non-technical lawyers
there, indicating that in the future more attention may need to be paid to
liability issues when working with PKI.
In the meantime a likely attacker came forward: the same one who had
compromised Comodo some months earlier [REF: X.a, X.b]. The attacker
authenticated the claim by using one of the fraudulent certificates to code-
sign Windows Calculator [REF: X.c], something that only the genuine attacker
(or at least someone with access to their private keys) would have been able
to do. The attacker further claimed to control four more CAs, including
fairly complete access to GlobalSign [REF: X.e] (GlobalSign acknowledged that
their server was compromised but denied that there was any further damage
[REF: X.f]), and a partial breach of StartCom that was prevented by additional
controls that the CA had in place [REF: X.d]. Debate over whether it really
was a lone Iranian hacker, the Iranian government (performing a
man-in-the-middle attack on huge numbers of Iranian users would be well beyond
the capabilities of an individual hacker), or the Bavarian Illuminati, will no
doubt continue for some time.
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
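The two client-side defences the Diginotar writeup above turns on, the Chrome-style key pin that first exposed the rogue certificates and the hardcoded blacklist the browser vendors fell back on when revocation failed, as an added Go example (not part of the forwarded text, and not any browser's code). Two roots are constructed locally, one standing in for the compromised CA, and both issue a certificate for the constructed host name pinned.example; the CA names and the host are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiHash returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the value a key pin is compared against.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func check(err error) { if err != nil { panic(err) } } // fixture construction cannot continue on error

// makeCert builds a one-day certificate with a fresh P-256 key: a self-signed
// root called name when parent is nil, else a server certificate for host name.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

var errBlacklisted = errors.New("chain contains a blacklisted key")
var errNoPin = errors.New("no certificate in chain matches a pinned key")

// checkChain is the client policy: path validation against the trust store, then a
// hardcoded blacklist, then the host's pin set (nil or empty means not pinned).
func checkChain(leaf *x509.Certificate, roots *x509.CertPool, host string, pins, blacklist map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	for _, chain := range chains {
		pinned := len(pins) == 0
		for _, c := range chain {
			if h := spkiHash(c); blacklist[h] {
				return fmt.Errorf("%w: %s", errBlacklisted, c.Subject.CommonName)
			} else if pins[h] {
				pinned = true
			}
		}
		if pinned {
			return nil
		}
	}
	return errNoPin
}

// Scenario models the Diginotar situation: two roots in the trust store, one of them
// compromised, both having issued a certificate for the same host (all constructed).
func Scenario() (legit, rogueTrustOnly, roguePinned, rogueBlacklisted error) {
	const host = "pinned.example" // constructed host name
	legitCA, legitKey := makeCert("Legit Root CA", nil, nil)
	rogueCA, rogueKey := makeCert("Compromised Root CA", nil, nil)
	legitLeaf, _ := makeCert(host, legitCA, legitKey)
	rogueLeaf, _ := makeCert(host, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // the compromised root is still trusted, as Diginotar was
	pins := map[string]bool{spkiHash(legitCA): true}
	blacklist := map[string]bool{spkiHash(rogueCA): true}
	return checkChain(legitLeaf, roots, host, pins, nil), // accepted
		checkChain(rogueLeaf, roots, host, nil, nil), // accepted: the trust store alone cannot tell
		checkChain(rogueLeaf, roots, host, pins, nil), // rejected by the pin
		checkChain(rogueLeaf, roots, host, nil, blacklist) // rejected by the blacklist
}

func main() { fmt.Println(Scenario()) }
```

The second verdict is the whole problem: with the rogue root in the trust store and revocation not reaching the client, path validation happily accepts the rogue chain, and only the pin or the shipped blacklist stops it.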
Format Note: If you cannot easily read the text below, or you prefer to
receive Secrecy News in another format, please reply to this email to let
us know.
SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2012, Issue No. 45
May 14, 2012
Secrecy News Blog: http://www.fas.org/blog/secrecy/
** NSA DECLASSIFIES SECRET DOCUMENT AFTER PUBLISHING IT
** UNDERSTANDING CHINA'S POLITICAL SYSTEM, AND MORE FROM CRS
NSA DECLASSIFIES SECRET DOCUMENT AFTER PUBLISHING IT
The National Security Agency last week invoked a rarely-used authority in
order to declassify a classified document that was mistakenly posted on the
NSA website with all of its classified passages intact.
The article is a historical study entitled "Maybe You Had to Be There: The
SIGINT on Thirteen Soviet Shootdowns of U.S. Reconnaissance Aircraft." It
was written by Michael L. Peterson and was originally published in the
classified journal Cryptologic Quarterly in 1993.
Late in the afternoon of May 11 (not May 9 as stated on the NSA website),
the NSA published a formally declassified version of the article with the
annotation "Declassified and approved for release by NSA... pursuant to
E.O. 13526 section 3.1(d)...."
http://www.fas.org/irp/nsa/maybe_declass.pdf
Section 3.1(d) of executive order 13526 permits the declassification of
properly classified information when there is an overriding public interest
in doing so. It is almost never cited and it is hard to think of another
occasion when it has been used by any government agency to justify
declassification. It reads:
"3.1(d) It is presumed that information that continues to meet the
classification requirements under this order requires continued protection.
In some exceptional cases, however, the need to protect such information
may be outweighed by the public interest in disclosure of the information,
and in these cases the information should be declassified. When such
questions arise, they shall be referred to the agency head or the senior
agency official. That official will determine, as an exercise of
discretion, whether the public interest in disclosure outweighs the damage
to the national security that might reasonably be expected from
disclosure...."
So what was "exceptional" about this particular NSA historical study? What
was the overriding public interest in it that justified its complete
declassification despite its presumed eligibility for continued
classification? What unavoidable damage was expected to result from its
disclosure? The NSA Public Affairs Office refused to answer these
questions, despite repeated inquiries.
In fact, NSA was being disingenuous by invoking section 3.1(d). There was
nothing exceptional about the contents of the document, and there was no
overriding public interest that would have compelled its disclosure if it
had been properly classified. Nor is any national security damage likely
to follow its release.
Rather, the hasty NSA declassification action was intended to conceal the
fact that NSA had mistakenly published the full classified text of the
document on its website two days earlier, after having rebuffed regular
requests for declassification.
In response to a May 2009 Mandatory Declassification Review request from
aerospace writer Peter Pesavento, NSA had previously released a heavily
redacted version of the article. Mr. Pesavento appealed the case to the
Interagency Security Classification Appeals Panel, and last month the Panel
agreed that some additional portions of the document could be declassified,
while the rest should remain classified. The partially declassified
document was still working its way through the appeal system and had still
not been provided to Mr. Pesavento.
But then on May 9, the National Security Agency inexplicably published the
entire document on its website. Instead of censoring the text by blacking
out the classified portions, those portions were actually highlighted,
leaving the document fully available to startled readers. After we
contacted the NSA on May 10 to inquire about the classification status of
the document, it was immediately removed from the NSA site.
But we retained a copy of the uncensored classified article as published
by the NSA, which is available here:
http://www.fas.org/irp/nsa/maybe_you.pdf
Secrecy News submitted several questions to NSA Public Affairs last week
about the classified document, and we indicated our intention to publish it
ourselves since it did not appear to meet current classification standards.
NSA officials asked for a four-day extension of our deadline to give them
time to respond to our questions, and we agreed. But that proved to be a
futile gesture on our part, since the NSA Public Affairs Office in the end
refused to answer any of the questions we posed. In retrospect, it appears
that NSA never intended to answer any of our questions but simply wanted to
preempt the reposting of the classified document by hastily declassifying
it.
The newly disclosed article was originally classified SECRET SPOKE. SPOKE
is a now-defunct classification compartment for communications
intelligence, explained intelligence historian Jeffrey Richelson, who first
spotted the uncensored NSA publication online. (It so happens that Dr.
Richelson's own work is cited in the article.)
In the classified version of the article that was posted online by NSA,
all of the classified paragraphs of the article were marked with the basis
for their classification. In most cases, this was section 1.4(c) of the
executive order on classification, which pertains to "intelligence
activities, intelligence sources or methods, or cryptology." In some
cases, the basis for classification was section 1.4(d) on "foreign
relations or foreign activities of the United States, including
confidential sources." In a couple of other cases, the justification cited
was Public Law 86-36, which is the National Security Agency Act, a
statutory non-disclosure provision. A week ago, this material purportedly
posed a threat of "serious damage" to national security if disclosed. Now
all of it has been made public.
While communications intelligence is among the most sensitive categories
of national security information, this article is clearly remote from any
contemporary security issues. It reviews the record of signals
intelligence coverage of thirteen episodes in which Soviet forces shot down
U.S. aircraft. But those incidents occurred between 1950 and 1964 -- or
many generations ago in terms of intelligence technology and practice.
On the other hand, the article does present what appears to be some
valuable "new" information including some fine details about SIGINT
coverage of the U-2 incident in May 1960.
But the author himself acknowledged that all of this is ancient history.
"Looking back over forty years," he wrote in the conclusion of his 1993
paper, "it may be difficult to give sufficient weight to the level of
anxiety over and ignorance about the Soviet Union experienced by Americans.
Moreover, the fear of another Pearl Harbor was very real. The airborne
reconnaissance program helped reduce these fears by erasing the ignorance."
"Little of this concern prevails today," he noted. "Why all the fuss?
Maybe you had to be there."
But even "being there" does not help one to understand the erratic NSA
classification practices reflected in this case. NSA classification policy
seems to be completely untethered from contemporary national security
threats.
Among other things, the NSA's abrupt declassification of the document
shows that the Interagency Security Classification Appeals Panel needs to
recalibrate its document review procedures. It is now clear that the Panel
was unduly deferential to NSA, and that it erred last month by giving
credence to the NSA's claims that portions of the document warranted
continued classification. Today, not even the NSA says that.
UNDERSTANDING CHINA'S POLITICAL SYSTEM, AND MORE FROM CRS
New and updated reports from the Congressional Research Service that
Congress has instructed CRS not to make publicly available include the
following.
Understanding China's Political System, May 10, 2012:
http://www.fas.org/sgp/crs/row/R41007.pdf
Youth and the Labor Force: Background and Trends, May 10, 2012:
http://www.fas.org/sgp/crs/misc/R42519.pdf
Vulnerable Youth: Employment and Job Training Programs, May 11, 2012:
http://www.fas.org/sgp/crs/misc/R40929.pdf
Pakistan's Nuclear Weapons: Proliferation and Security Issues, May 10,
2012:
http://www.fas.org/sgp/crs/nuke/RL34248.pdf
Comparison of Rights in Military Commission Trials and Trials in Federal
Criminal Court, May 9, 2012:
http://www.fas.org/sgp/crs/natsec/R40932.pdf
Immigration-Related Worksite Enforcement: Performance Measures, May 10,
2012:
http://www.fas.org/sgp/crs/homesec/R40002.pdf
Same-Sex Marriages: Legal Issues, May 9, 2012:
http://www.fas.org/sgp/crs/misc/RL31994.pdf
Afghanistan Casualties: Military Forces and Civilians, May 10, 2012:
http://www.fas.org/sgp/crs/natsec/R41084.pdf
_______________________________________________
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.
The Secrecy News Blog is at:
http://www.fas.org/blog/secrecy/
To SUBSCRIBE to Secrecy News, go to:
http://www.fas.org/sgp/news/secrecy/subscribe.html
To UNSUBSCRIBE, go to
http://www.fas.org/sgp/news/secrecy/unsubscribe.html
OR email your request to saftergood(a)fas.org
Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html
Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html
_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood(a)fas.org
voice: (202) 454-4691
twitter: @saftergood
----- End forwarded message -----
New Security/Privacy Regs for Federal Agencies - OMB 7-16 - Over 200 government execs in attendance
by Government Best Practices Training Series 06 Jul '18
- Marc Groman, Chief Privacy Officer, Federal Trade Commission
- Mischel Kwon, Department of Justice
Early Registrants Include
Organization/Company Title U.S. General Services Administration Agency
Expert, Federal PKI U.S. Courts AO-OIT-IT Security Office EMC Corporation
Area Manager, DoD U.S Census Bureau Assistant Division Chief CACI Assistant
to DON CIO Mission Assurance Team Lead BoozAllenHamilton Associate FDIC
Associate Director National Gallery of Art Associate General Counsel TSA
Asst Chief Counsel, Information Law Pension Benefit Guaranty Corporation
Asst. Inspector General for Investigations TSA Attorney -Advisor TSA
Attorney Advisor, Procurement Law SSA Attorney, Office of General Law TSA
Attorney, Office of the Special Counselor TSA Attorney-Advisor TSA
Attorney-Advisor U.S. Courts Audit Manager IRM/OPS/ITI/ISI/PKI BLADE
program manager Info Sec, Inc Business Development Northrop Grumman
Business Development Manager National Gallery of Art Chief Information
Officer Federal Trade Commission Chief Information Security Officer SSA
Chief Information Security Officer U.S. Coast Guard Chief of Office of
Information & Security Management Office of Personnel Management Chief,
Plans and Policies Group U.S. Department of State CIRT Analyst DHHS
Contract Compliance Officer DOD COTR Pension Benefit Guaranty Corporation
Criminal Investigator Department of Commerce Data Management & Stewardship
Staff National Gallery of Art Deputy Administrator National Gallery of Art
Deputy Chief of Special Projects / Information Technology National Gallery
of Art Deputy Personnel Officer National Gallery of Art Deputy Secretary,
General Counsel Department of Veterans Affairs Deputy, ADAS Office of
Privacy & Records Management SSA DII Policy Lead EMC Corporation Director
Sales, DoD & Intelligence Community Department of the Treasury Director,
Information Services Directorate USDA Director, Information Technology
Division EMC Corporation Director, Sales Operations OPIC Director, Security
& Administrative Services Engineering Systems Solutions, Inc Director,
Veterans Affairs SSA Executive Director, Office of Public Disclosure NSF
FOIA/Privacy Act Officer EMC Corporation Global Acct Manager, Northrop
Grumman APPTIS Information Security Architect Office of Administrative Law
Judges Information Security Officer Department of Labor Information
Security Officer CMS/ OIS Information Security Specialist Federal Election
Commission Information System Security Officer U.S. Courts Information
Technology Security Officer Department of Veterans Affairs Information
Technology Specialist U.S. Department of State Information Technology
Specialist Pension Benefit Guaranty Corporation Investigator PBGC
Investigator Pension Benefit Guaranty Corporation Investigator Technician
Fairfax County IT Assistant US Government Printing Office IT Security U.S.
Office of Personnel Management IT Security Officer Department of Labor, OIG
IT Specialist U.S. Department of Labor IT Specialist Office of the
Inspector General, Department of Labor IT Specialist U.S. Office of
Personnel Management IT Specialist U.S. EPA IT Specialist U.S. EPA IT
Specialist Department of the Treasury IT Specialist U.S. Department of
State IT Specialist U.S. State Department IT Specialist/Security Federal
Trade Commission Law Clerk U.S. EPA Management Integrity Advisor DOC
Manager, Critical Infrastructure Protection Program AAMVA Manager, State
Government Affairs Niksun, Inc National Account Manager IMS, Inc Network
Administrator IMS, Inc Network Administrator U.S. Department of Commerce
OCIO U.S. Department of Commerce OCIO, Chief of Staff Department of
Veterans Affairs Office of Privacy & Records Management Department of
Veterans Affairs Office of Privacy & Records Management Department of
Veterans Affairs Office of Privacy & Records Management Department of
Justice Operations Services Staff U.S. Office of Personnel Management OPM
Forms, PRA, Records and GPEA Officer DOD PM SSA Policy Analyst U.S.
Department of State Policy and Awareness Team NASA Privacy Act and Records
Officer EPA Privacy Act Officer Peace Corps Headquarters Privacy Act
Specialist NSF Privacy Advocate TSA Privacy Analyst California Dept of
Public Health Privacy Officer and General Counsel OPM Privacy Program
Manager Department of Veterans Affairs Program Analyst SSA Program Analyst
Treasury- FMS Program Analyst Department of Veterans Affairs Program
Analyst FDA Program Analyst Department of Veterans Affairs Program Manager
Niksun, Inc Regional Sales Manager Secure Agent Software Sales Executive
Department of the Treasury Security Specialist National Gallery of Art
Security Specialist Overseas Private Investment Corporation Senior Advisor
BoozAllenHamilton Senior Associate Intersections Inc Senior Director,
Security Services APPTIS Senior IT Security Analyst APPTIS Senior IT
Security Analyst FDIC Senior IT Specialist U.S. Department of State Senior
Legal Analyst United States Mint Senior Risk Analyst IRS Senior Security
Architect DOC CIRT Senior Security Specialist RSA Security Sr. Manager,
Americas Field Marketing OPM Sr. Project Manager Department of Veterans
Affairs Staff Assistant Department of the Treasury Summer Intern U.S.
Courts Supervisory Human Resources Specialist SSA/ODAR Systems Security
Officer Department of Commerce Team Lead, Data Management & Stewardship
Staff EMC Corporation Technology Business Consultant DHS Technology Trends
Engineer Az-Tech VP Engineering Systems Solutions, Inc VP, Business
Development SRA International VP, Deputy Director Business Technology
Offerings Northrop Grumman EMC Corporation Department of Veterans
Affairs Woodrow Wilson Int'l Center for Scholars Department of Justice
DoD National Gallery of Art
Sponsors
- EMC
- RSA
- Patriot
- Government Horizons
- Carrolls Publishing
- Homeland Defense Journal
Registration Charges
Industry - $195 per person
Government - Complimentary - Must register by contacting Katie Smith at
(703) 807-2758, emailing her at ksmith(a)marketaccess.org or faxing the
provided Registration Form to (703) 807-2728
Registration Options
[1] Register on-line at www.homelanddefensejournal.com
[2] Phone Katie Smith at (703) 807-2758
[3] E-mail Katie Smith at ksmith(a)marketaccess.org
[4] Fax the Registration Form provided below to: (703) 807-2728
[5] Mail the Registration Form provided below to:
Homeland Defense Journal
4301 Wilson Blvd. #1003
Arlington, VA 22203
Location Information
***Please Note the Change of Venue***
This event is NO longer taking place at the Ronald Reagan Building and
International Trade Center. It will be held at the Capital Hilton, just a
few blocks away
The conference will be held at the Capital Hilton, 1001 16th Street, NW,
Washington, DC 20036 (202) 393-1000. The hotel is located only a few blocks
from 3 different Metro Stations: Farragut North (Red Line), Farragut West
(Blue & Orange Lines), McPherson Square (Blue & Orange Lines).
Contact Us
* For registration information, contact Katie Smith, (703) 807-2758
* For government speaking and best practices presentation opportunities,
contact Brian Lake, (703) 807-2753
-------------------------------------------------------------------------------
--- REGISTRATION FORM ----
Strategies for Data Breach Prevention, Mitigation and Notification
An In-depth Look at OMB M-07-16
July 18, 2007
Attendee name:
Title:
Company/Agency:
Address:
City, State, and Zip Code:
Telephone Number:
Fax Number:
Attendee E-mail Address:
Training Coordinator E-mail Address:
Phone #:
REGISTRATION CHARGES (CIRCLE ONE):
Industry - $95 per person
Government - Complimentary
Method of Payment:
Company Check (payable to Homeland Defense Journal) - Tax ID: 01-057-705-9
Credit Card
Government P.O. (please attach)
Type of Credit Card (check one):
____Visa____MasterCard____American Express
Card Number: ____________________________________
Exp. Date:____________________
Name Printed on Card: ___________________________________________________
Signature (required): ___________________________________________________
Please fax this form, complete with payment information, to
(703) 807-2728 or mail it with your payment to:
Homeland Defense Journal, 4301 Wilson Blvd, Suite 1003, Arlington, VA 22203
If you have questions about registration/payment, please call Katie Smith
at (703) 807-2758. Thank you
--------------------------------------------------------------------------------
Email Recipient Instructions
If you do not wish to participate in this Training List, please REPLY to
this announcement and place the word STOP in the SUBJECT line. The email
address (rah(a)ibuc.com) used to send this announcement will not be used for
future training announcements. Please allow 5 days to complete.
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
06 Jul '18
Link: http://slashdot.org/article.pl?sid=04/04/14/0259250
Posted by: timothy, on 2004-04-14 11:34:00
Topic: privacy, 87 comments
from the thanks-fellas-no-really dept.
[1]crem_d_genes writes "American Airlines has become the third U.S.
airline to [2]admit sharing passenger records with the government.
They were preceded in admissions by [3]Northwest Airlines and
[4]JetBlue Airways. At the heart of the matter is the implementation
of the [5]U.S. Transportation Security Administration's (TSA) use
of the provisions known as [6]CAPPS II. Some privacy advocates have
expressed strong dissent with this plan. [7]Some concerns have even
been brought up in Congress, though for different reasons. The
Department of Homeland Security has a site entitled [8]CAPPS II: Myths
and Facts."
References
1. mailto:watershed_ne1@mac.com
2. http://cbs2chicago.com/topstories/topstories_story_101163959.html
3. file://yro.slashdot.org/article.pl?sid=04/01/21/1641251&tid=123
4. file://yro.slashdot.org/article.pl?sid=03/09/18/0142221&tid=158
5. http://www.tsa.gov/public/
6. http://www.eff.org/Privacy/cappsii/
7. http://www.fcw.com/fcw/articles/2004/0315/web-capps-03-17-04.asp
8. http://www.dhs.gov/dhspublic/display?content=3163
----- End forwarded message -----
--
Eugen* Leitl <leitl>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
The following is an attempt to gather all the information on the Diginotar
meltdown in one place. There's references to external sources ("[REF...]")
and cross-links ("!!!!!!") which aren't present in the text, but apart from
that it should be pretty complete. I've posted it here in case anyone finds
it useful, and if there's anything I've missed or that's incorrect, please let
me know.
Peter.
-- Snip --
A far more serious CA compromise occurred a few months later. The problem was
first noticed when Iranian users of Google's Chrome browser, which contains
hardcoded knowledge of the certificates that are expected from Google sites (a
technique known as "certificate pinning"), started getting warnings that the
sites were serving unexpected certificates [REF: 1a, 1b]. This problem, which
ultimately affected up to 300,000 users [REF: 1d] was caused by certificates
for a whole range of major sites being replaced by new ones from a Dutch
trusted root CA called Diginotar (the suggestion to check for suspicious
certificate issuance for high-value sites dating from the last CA compromise
had been ignored).
This CA, which already had a long history of compromises by different hacker
groups in different countries going back over two years [REF: 2d], was
compromised in the current breach in around June 2011 [REF: 2f] with 283 rogue
certificates issued on 10 July and another 124 issued on 18 July
[REF: 2e]. Diginotar finally realised that there was a problem on 19 July
[REF: 2b], possibly after the attacker(s) left a note on Diginotar's site
informing them of this [REF: 2a][XREF: 2d] since they hadn't been aware of the
previous several years' worth of breaches. In response to this the CA then
tried to revoke the rogue certificates and thought that they'd succeeded, but
an independent check carried out at that point couldn't find any evidence of
this, with the investigator concluding that "I'd love to see the
*dozens* of revocations [...] but I simply cannot find them" [REF: 2e].
In the meantime more rogue certificates were being issued, and Diginotar again
tried to revoke them [REF: 2c], again without much apparent effect (despite
the hacker activity at Diginotar ceasing on 22 July, new rogue certificates
were still being discovered as late as September [REF: 2f]).
The Diginotar breach was a fairly serious one since the attacker(s) were able
to issue not only generic web-server certificates but also high-value EV
certificates, European Qualified Certificates (these are discussed in
"!!!!!!!!X.509 in Practice" on page !!!!!), and Dutch government (PKIoverheid)
certificates. The latter group included certificates for use by Dutch
notaries, which could be used to notarise high-value transactions like house
sales, after which they were transferred to an automated central government
registry. While the Dutch government initially believed Diginotar when they
said that they'd got the situation under control [REF: 6c], a claim that was
backed up by an audit by the Dutch CERT GovCERT, a second evaluation by
security company Fox-IT [REF: 4a], combined with the appearance of further
rogue certificates as well as OCSP responder queries for even further
yet-to-be-discovered certificates, including high-value Qualified Certificates
and PKIoverheid certificates [REF: 2f] indicated that the problem hadn't
actually been fixed.
After an all-night crisis meeting, the Dutch government discontinued all use
of Diginotar certificates [REF: 6a], leaving all government sites that had
used Diginotar with invalid certificates until they could buy new ones from
other CAs [REF: 6a]. In all a total of 58,000 certificates had to be
replaced, a problem so massive that the Dutch government went so far as to ask
browser vendors to postpone taking any action because of the disruption that
it would cause. The replacement process itself required extensive
coordination with users "to prevent the total collapse of all M2M
[machine-to-machine] communication" [REF: 6e]. Shortly afterwards the Dutch
government took over the administration of Diginotar [REF: 6b], prevented them
from issuing further high-value certificates like Qualified Certificates, and
had them revoke all (known) existing ones [REF: 6f].
A catastrophe on this scale was something that even the browser vendors
couldn't ignore. Diginotar had issued a vanishingly small number of
general-purpose public certificates (its cash cow was the highly lucrative
business of selling to the Dutch government and government users, not to the
general public), totalling a mere 700-odd certificates [REF: 3a], of which
only 29 featured in the Alexa top million sites, all of them in the
Netherlands [REF: 3b]. Up against this were at least 531 known rogue
certificates (and an unknown number of further ones that hadn't been
discovered), including 124 that were issued after Diginotar detected the
compromise, indicating that there were further compromised systems or that the
supposedly re-secured systems remained compromised [REF: 3c].
As with previous CA compromises, the browser vendors had to resort to
hardcoding blacklists into the browsers because the standard PKI revocation
mechanisms didn't work [REF: 5a, 5b, 5c]. Browsers either hardcoded in
hundreds of certificates (at least the ones that they knew about) [REF: 5d],
or blacklisted the issuing CA's certificates [REF: 5a] (this continuing
inability to deal with invalid certificates later led one observer to comment
that "revocation only works when you don't need it" [REF: 4b]).
Not long afterwards, realising that they were sitting on a bottomless well of
liability, Diginotar's parent company Vasco wound the company up [REF: 7a].
In response to this disaster, and with an eye on moves by the Dutch government
to make breach disclosure notification mandatory [REF: 6d], when the Dutch
telco KPN discovered that the web site that it used to issue its certificates
had been compromised for up to four years (!!), it immediately suspended
certificate issuance and notified the government [REF: 8b, 8c]. A later study
of certificate revocations among global CAs that was carried out in response
to the Diginotar catastrophe indicated that as many as fourteen commercial CAs
had been compromised at one time or another [REF: 8a]. There's no evidence
that any of these CAs notified their users or anyone who relied on the
certificates that they issued of the existence of any problem.
While earlier CA compromises had received fairly extensive coverage within the
technical community, Diginotar was novel in that it gained attention outside
the field as well. For example an attendee at a law conference in the US
reported that Diginotar was a topic of discussion among non-technical lawyers
there, indicating that in the future more attention may need to be paid to
liability issues when working with PKI.
In the meantime a likely attacker came forward: the same one who had
compromised Comodo some months earlier [REF: X.a, X.b]. The attacker
authenticated the claim by using one of the fraudulent certificates to code-
sign Windows Calculator [REF: X.c], something that only the genuine attacker
(or at least someone with access to their private keys) would have been able
to do. The attacker further claimed to control four more CAs, including
fairly complete access to GlobalSign [REF: X.e] (GlobalSign acknowledged that
their server was compromised but denied that there was any further damage
[REF: X.f]), and a partial breach of StartCom that was prevented by additional
controls that the CA had in place [REF: X.d]. Debate over whether it really
was a lone Iranian hacker, the Iranian government (performing a
man-in-the-middle attack on huge numbers of Iranian users would be well beyond
the capabilities of an individual hacker), or the Bavarian Illuminati, will no
doubt continue for some time.
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
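The issuance check the post says went unheeded before the Diginotar breach, as an added example that is not part of the original post or of any CA's or browser's code: it replays constructed issuance records (the kind of data a CA audit log or a Certificate Transparency log provides) against a table of the CAs expected to issue for each high-value domain, and also flags single-day issuance bursts of the kind the post describes. The domains, CA names, dates and fingerprints are constructed sample values.

```python
"""Flag suspicious certificate issuance for high-value domains.

Added example, not part of the original post. It replays constructed
issuance records against a table of the CAs expected to issue for each
high-value domain, and reports certificates from any other CA plus
unusually large single-day issuance bursts. All domains, CA names,
dates and fingerprints below are constructed sample values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuanceRecord:
    date: str         # ISO date on which the certificate was issued
    issuer: str       # CA name taken from the issuer DN
    subject: str      # DNS name from the subject CN or SAN (may be a wildcard)
    spki_sha256: str  # hex SHA-256 of the SubjectPublicKeyInfo (constructed)


# Constructed expectation table: the CAs known to issue for each
# high-value domain. Anything issued by another CA is suspicious.
EXPECTED_ISSUERS = {
    "example-mail.test": {"Trusted Root CA 1"},
    "example-bank.test": {"Trusted Root CA 1", "Trusted Root CA 2"},
}

# Constructed log lines in a simple 'date|issuer|subject|spki' format.
LOG_LINES = [
    "2011-07-10|Trusted Root CA 1|www.example-mail.test|aa11",
    "2011-07-10|Compromised CA|login.example-mail.test|bb22",
    "2011-07-10|Compromised CA|*.example-bank.test|cc33",
    "2011-07-18|Compromised CA|mail.example-mail.test|dd44",
    "2011-07-18|Trusted Root CA 2|example-bank.test|ee55",
    "2011-07-18|Compromised CA|shop.unrelated.test|ff66",
    "this line is deliberately malformed",
]


def parse_record(line):
    """Parse one log line; return None for lines without four non-empty fields."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) != 4 or not all(parts):
        return None
    return IssuanceRecord(*parts)


def registered_domain(name):
    """Return the EXPECTED_ISSUERS entry that covers `name`, or None.

    Walks from the full host name up through its parent labels so that
    'login.example-mail.test' and '*.example-mail.test' both map to
    'example-mail.test'.
    """
    labels = name.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXPECTED_ISSUERS:
            return candidate
    return None


def find_rogue_issuance(lines, burst_threshold=100):
    """Scan log lines and return a dict of findings.

    'issuer_mismatch': records for a monitored domain whose issuer is not
        in the expected set for that domain (the Diginotar-style rogue cert).
    'bursts': (issuer, date, count) tuples where one CA issued at least
        `burst_threshold` certificates on a single day.
    'malformed': number of lines that could not be parsed.
    """
    mismatches = []
    per_issuer_day = Counter()
    malformed = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            malformed += 1
            continue
        per_issuer_day[(rec.issuer, rec.date)] += 1
        domain = registered_domain(rec.subject)
        if domain is not None and rec.issuer not in EXPECTED_ISSUERS[domain]:
            mismatches.append(rec)
    bursts = sorted(
        (issuer, date, count)
        for (issuer, date), count in per_issuer_day.items()
        if count >= burst_threshold
    )
    return {"issuer_mismatch": mismatches, "bursts": bursts, "malformed": malformed}


if __name__ == "__main__":
    findings = find_rogue_issuance(LOG_LINES, burst_threshold=2)
    for rec in findings["issuer_mismatch"]:
        print(f"ALERT unexpected issuer {rec.issuer!r} for {rec.subject} ({rec.date})")
    for issuer, date, count in findings["bursts"]:
        print(f"ALERT {issuer!r} issued {count} certificates on {date}")
    print(f"{findings['malformed']} malformed line(s) skipped")
```

Note that a certificate for an unmonitored domain issued by the compromised CA is not flagged by the issuer check; only the burst count catches it, which is why both checks are kept.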
Format Note: If you cannot easily read the text below, or you prefer to
receive Secrecy News in another format, please reply to this email to let
us know.
SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2012, Issue No. 45
May 14, 2012
Secrecy News Blog: http://www.fas.org/blog/secrecy/
** NSA DECLASSIFIES SECRET DOCUMENT AFTER PUBLISHING IT
** UNDERSTANDING CHINA'S POLITICAL SYSTEM, AND MORE FROM CRS
NSA DECLASSIFIES SECRET DOCUMENT AFTER PUBLISHING IT
The National Security Agency last week invoked a rarely-used authority in
order to declassify a classified document that was mistakenly posted on the
NSA website with all of its classified passages intact.
The article is a historical study entitled "Maybe You Had to Be There: The
SIGINT on Thirteen Soviet Shootdowns of U.S. Reconnaissance Aircraft." It
was written by Michael L. Peterson and was originally published in the
classified journal Cryptologic Quarterly in 1993.
Late in the afternoon of May 11 (not May 9 as stated on the NSA website),
the NSA published a formally declassified version of the article with the
annotation "Declassified and approved for release by NSA... pursuant to
E.O. 13526 section 3.1(d)...."
http://www.fas.org/irp/nsa/maybe_declass.pdf
Section 3.1(d) of executive order 13526 permits the declassification of
properly classified information when there is an overriding public interest
in doing so. It is almost never cited and it is hard to think of another
occasion when it has been used by any government agency to justify
declassification. It reads:
"3.1(d) It is presumed that information that continues to meet the
classification requirements under this order requires continued protection.
In some exceptional cases, however, the need to protect such information
may be outweighed by the public interest in disclosure of the information,
and in these cases the information should be declassified. When such
questions arise, they shall be referred to the agency head or the senior
agency official. That official will determine, as an exercise of
discretion, whether the public interest in disclosure outweighs the damage
to the national security that might reasonably be expected from
disclosure...."
So what was "exceptional" about this particular NSA historical study? What
was the overriding public interest in it that justified its complete
declassification despite its presumed eligibility for continued
classification? What unavoidable damage was expected to result from its
disclosure? The NSA Public Affairs Office refused to answer these
questions, despite repeated inquiries.
In fact, NSA was being disingenuous by invoking section 3.1(d). There was
nothing exceptional about the contents of the document, and there was no
overriding public interest that would have compelled its disclosure if it
had been properly classified. Nor is any national security damage likely
to follow its release.
Rather, the hasty NSA declassification action was intended to conceal the
fact that NSA had mistakenly published the full classified text of the
document on its website two days earlier, after having rebuffed regular
requests for declassification.
In response to a May 2009 Mandatory Declassification Review request from
aerospace writer Peter Pesavento, NSA had previously released a heavily
redacted version of the article. Mr. Pesavento appealed the case to the
Interagency Security Classification Appeals Panel, and last month the Panel
agreed that some additional portions of the document could be declassified,
while the rest should remain classified. The partially declassified
document was still working its way through the appeal system and had still
not been provided to Mr. Pesavento.
But then on May 9, the National Security Agency inexplicably published the
entire document on its website. Instead of censoring the text by blacking
out the classified portions, those portions were actually highlighted,
leaving the document fully available to startled readers. After we
contacted the NSA on May 10 to inquire about the classification status of
the document, it was immediately removed from the NSA site.
But we retained a copy of the uncensored classified article as published
by the NSA, which is available here:
http://www.fas.org/irp/nsa/maybe_you.pdf
Secrecy News submitted several questions to NSA Public Affairs last week
about the classified document, and we indicated our intention to publish it
ourselves since it did not appear to meet current classification standards.
NSA officials asked for a four-day extension of our deadline to give them
time to respond to our questions, and we agreed. But that proved to be a
futile gesture on our part, since the NSA Public Affairs Office in the end
refused to answer any of the questions we posed. In retrospect, it appears
that NSA never intended to answer any of our questions but simply wanted to
preempt the reposting of the classified document by hastily declassifying
it.
The newly disclosed article was originally classified SECRET SPOKE. SPOKE
is a now-defunct classification compartment for communications
intelligence, explained intelligence historian Jeffrey Richelson, who first
spotted the uncensored NSA publication online. (It so happens that Dr.
Richelson's own work is cited in the article.)
In the classified version of the article that was posted online by NSA,
all of the classified paragraphs of the article were marked with the basis
for their classification. In most cases, this was section 1.4(c) of the
executive order on classification, which pertains to "intelligence
activities, intelligence sources or methods, or cryptology." In some
cases, the basis for classification was section 1.4(d) on "foreign
relations or foreign activities of the United States, including
confidential sources." In a couple of other cases, the justification cited
was Public Law 86-36, which is the National Security Agency Act, a
statutory non-disclosure provision. A week ago, this material purportedly
posed a threat of "serious damage" to national security if disclosed. Now
all of it has been made public.
While communications intelligence is among the most sensitive categories
of national security information, this article is clearly remote from any
contemporary security issues. It reviews the record of signals
intelligence coverage of thirteen episodes in which Soviet forces shot down
U.S. aircraft. But those incidents occurred between 1950 and 1964 -- or
many generations ago in terms of intelligence technology and practice.
On the other hand, the article does present what appears to be some
valuable "new" information including some fine details about SIGINT
coverage of the U-2 incident in May 1960.
But the author himself acknowledged that all of this is ancient history.
"Looking back over forty years," he wrote in the conclusion of his 1993
paper, "it may be difficult to give sufficient weight to the level of
anxiety over and ignorance about the Soviet Union experienced by Americans.
Moreover, the fear of another Pearl Harbor was very real. The airborne
reconnaissance program helped reduce these fears by erasing the ignorance."
"Little of this concern prevails today," he noted. "Why all the fuss?
Maybe you had to be there."
But even "being there" does not help one to understand the erratic NSA
classification practices reflected in this case. NSA classification policy
seems to be completely untethered from contemporary national security
threats.
Among other things, the NSA's abrupt declassification of the document
shows that the Interagency Security Classification Appeals Panel needs to
recalibrate its document review procedures. It is now clear that the Panel
was unduly deferential to NSA, and that it erred last month by giving
credence to the NSA's claims that portions of the document warranted
continued classification. Today, not even the NSA says that.
UNDERSTANDING CHINA'S POLITICAL SYSTEM, AND MORE FROM CRS
New and updated reports from the Congressional Research Service that
Congress has instructed CRS not to make publicly available include the
following.
Understanding China's Political System, May 10, 2012:
http://www.fas.org/sgp/crs/row/R41007.pdf
Youth and the Labor Force: Background and Trends, May 10, 2012:
http://www.fas.org/sgp/crs/misc/R42519.pdf
Vulnerable Youth: Employment and Job Training Programs, May 11, 2012:
http://www.fas.org/sgp/crs/misc/R40929.pdf
Pakistan's Nuclear Weapons: Proliferation and Security Issues, May 10,
2012:
http://www.fas.org/sgp/crs/nuke/RL34248.pdf
Comparison of Rights in Military Commission Trials and Trials in Federal
Criminal Court, May 9, 2012:
http://www.fas.org/sgp/crs/natsec/R40932.pdf
Immigration-Related Worksite Enforcement: Performance Measures, May 10,
2012:
http://www.fas.org/sgp/crs/homesec/R40002.pdf
Same-Sex Marriages: Legal Issues, May 9, 2012:
http://www.fas.org/sgp/crs/misc/RL31994.pdf
Afghanistan Casualties: Military Forces and Civilians, May 10, 2012:
http://www.fas.org/sgp/crs/natsec/R41084.pdf
_______________________________________________
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.
The Secrecy News Blog is at:
http://www.fas.org/blog/secrecy/
To SUBSCRIBE to Secrecy News, go to:
http://www.fas.org/sgp/news/secrecy/subscribe.html
To UNSUBSCRIBE, go to
http://www.fas.org/sgp/news/secrecy/unsubscribe.html
OR email your request to saftergood(a)fas.org
Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html
Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html
_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood(a)fas.org
voice: (202) 454-4691
twitter: @saftergood
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE