P. Wayner on CSSPAB meeting
an eternity ago in cyberspatial time (a few days ago in real time) P. Wayner posted some comments about the latest CSSPAB meeting. He doesn't appear to have gotten any direct feedback on the list to that report, which I think is a pity, because he's one of the few cypherpunk `infiltrators' not only consistently attending important national government meetings, but conscientiously reporting them on the list (which involves a significant amount of labor) often to no reward but flames! (there's been quite a bit of indirect reaction to the `software Skipjack CRADA' proposal he illuminated.) Anyway, my personal thanks! Cypherpunks, it's in these kinds of reports that very important clues of future NSA directions are buried, and I'll start off with a gem:
A group of computer scientists from NIST came to discuss their plan for the Federal Criteria for secure systems and the new "Common Criteria" that may emerge. This is an updated version of the old Orange Book classification scheme of C2 and B1 and stuff like that. The scientists said the draft is being finished but it isn't ready for release. But now, they're working on "Something Better." This is a new plan to standardize the grading of secure systems with other countries and evolve a "Common Criteria." In general, the board groused about the fact that the public and industry have never been invited to give comments during the process. The summary of this talk is: "We might be able to tell you something someday."
`other countries'? `Common Criteria'? holy cow, this is something *very big* in the works. The U.S. can barely figure out its *own* cryptographic policies, and imagine the sheer logistical nightmare of trying to come to an agreement between the most isolated and imperious agencies! I suspect GCHQ (Britain's NSA) would be involved in this at least. (There is a very cozy relationship between NSA and GCHQ that Kahn was harassed for revealing in _CodeBreakers_.) What other agencies? Mr. GraveDigger, the man in charge of NSA's Key Escrow:
He filled the hour with more descriptions of all of the restrictions that they place on wiretaps at the Justice department. Once again, I found myself wondering why they are going through so much trouble over something that just seems to cause them grief. The taps cost money. They divert manpower. Etc. Yet, the FBI and the rest of the community is willing to go through a full court press on this topic. The taps are essential in crime encapsulated in conversations (i.e. influence peddling, bribery).
but this only suggests how much of a crutch they have become for these agencies. They are terrified of losing this tool, on which they have come to rely disproportionately. They have come to associate their job security with wiretapping -- a very dangerous proposition for freedom.
Some people from the Social Security Agency came to tell the board about their internal security procedures that they use to track down people inside the agency generating information for outsiders like private detectives. They routinely run sting operations where they call up information brokers and ask them to get a Social Security file for an individual. Then they watch for accesses to that record and flag the miscreant.
fascinating. has this ever been noted before? the IRS would have benefited from this a few months ago. Or, on second thought, never mind! all the tax evaders on the list will object to the IRS getting any help!
Dorothy Denning came to say that there was no final report from the outside team performing an outside review of the Clipper algorithm. In general, she said that the comments have been favorable to their work. Several members of the board questioned the independence of the review given that it was done at the NSA using NSA's computers and NSA's programmers. They also wondered about the depth of the review because it was apparent that Denning leaned heavily on the NSA's analysis.
reassuring to hear Dingaling is still alive and plugging away... I wonder what her next Lead Balloon will be? [EFF's Digital Privacy & Security Working Group]
The group feels that it can accept Clipper if any participation in the key escrow program is completely voluntary. They proposed to test the administration's commitment to volunteerism by noting whether they relaxed export requirements.
To me, the statement was little more than a political gambit. All of the companies involved in the DPSWG really, really, really want export restrictions eased. So they offered their support for Clipper as a quid pro quo. Let us export anything (not just Clipper) and we'll support it.
This is a very interesting stance, and IMHO not a bad tradeoff, if `support' means `lack of active attack and criticism'. But the NSA would never agree to this in a cyberspatial lifetime. We *still* don't even have any substantial promise that Clipper is guaranteed to be voluntary, let alone export restrictions relaxed. (Hypocritically, the announcements have always touted Clipper as Voluntary, the last redeeming feature cited by scoundrels like Dingaling and Sternlight, without ever guaranteeing it, and potentially even hiding the plan of *revoking* that aspect.) The plan, very likely, is quite to the contrary: increase market penetration of Clipper to the point that restricting other cryptography in subtle and insidious ways becomes possible. And I'm still waiting for the announcement in blaring fanfare that Clipper-based hardware can be freely exported, nothing else. I think it's close on the horizon. Once they get chips that work :) [crafting official group report]
Most of the board wanted to say that the Clipper chip was a pain in the neck that wasn't worth the trouble [...] The fight seemed to break down between government employees and non-government employees. Those outside the government kept arguing for stronger language and those inside kept saying things like, "But expensive relative to what? We don't have any concrete cost estimates."
hee, hee. the U.S. Civilization in a microcosm.
L. Detweiler
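The Social Security sting described in the quoted report is a honeytoken scheme: a record nobody has a legitimate reason to look up is requested through an information broker, and any subsequent access to that record inside the agency points at the insider. The following is an added example, not code from the post or from the agency; it assumes a constructed access-log format (`<ISO timestamp> <user_id> <action> <record_id>`, one lookup per line) and constructed user and record identifiers, and flags every access to a planted record that occurs after the sting request and is not made by the investigator who planted it.

```python
"""Honeytoken ("sting") access detection over an internal access log.

Everything here is constructed for illustration: the log format, the
record identifiers, the user names and the 30-day window are assumptions,
not details from the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log layout: "<ISO timestamp> <user_id> <action> <record_id>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Sting:
    record_id: str          # the file the broker was asked to obtain
    requested_at: datetime  # when the investigator placed the request
    operator: str           # investigator's own id; their lookups are expected


@dataclass(frozen=True)
class Alert:
    user: str
    record_id: str
    at: datetime
    delay: timedelta        # time elapsed between the request and the access


def parse_log_line(line):
    """Return (timestamp, user, action, record) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, record = m.groups()
    return datetime.fromisoformat(ts), user, action, record


def detect_canary_access(log_lines, stings, window=timedelta(days=30)):
    """Flag accesses to planted records made after the sting request.

    Accesses before the request are baseline noise and are ignored; the
    investigator who planted the request is excluded; anything else within
    the window becomes an Alert naming the accessing user.
    """
    by_record = {s.record_id: s for s in stings}
    alerts = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue                      # skip malformed lines, keep going
        ts, user, _action, record = parsed
        sting = by_record.get(record)
        if sting is None or user == sting.operator:
            continue
        if sting.requested_at <= ts <= sting.requested_at + window:
            alerts.append(Alert(user, record, ts, ts - sting.requested_at))
    return alerts


def suspects(alerts):
    """Aggregate alerts into {user: number of planted-record accesses}."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


# Constructed sample log: one planted record (SSN-777000042), one sting.
SAMPLE_LOG = """\
2024-04-20T11:00:00 clerk0300 READ SSN-777000042
2024-05-01T09:12:03 clerk0101 READ SSN-100000001
2024-05-02T14:40:10 inv-smith READ SSN-777000042
2024-05-03T10:05:55 clerk0421 READ SSN-777000042
2024-05-03T10:06:30 clerk0421 READ SSN-777000043
2024-05-09T16:22:01 clerk0421 READ SSN-777000042
this line is malformed and is skipped
""".splitlines()

SAMPLE_STINGS = [
    Sting("SSN-777000042", datetime(2024, 5, 2, 14, 30), "inv-smith"),
]

if __name__ == "__main__":
    found = detect_canary_access(SAMPLE_LOG, SAMPLE_STINGS)
    for a in found:
        print(f"{a.at.isoformat()} {a.user} read {a.record_id} "
              f"{a.delay} after the request")
    print(suspects(found))
```

On the constructed log the April access predates the sting and is ignored, the investigator's own lookup is excluded, and the two May lookups by `clerk0421` are the only alerts. The window keeps a long-dormant planted record from generating stale alerts; in practice the planted record should also be one with no ordinary reason to be opened, so that a single hit is already significant.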