Re: NSA warned Bush it needed to monitor networks

2005-03-28 Thread dan

John Kelsey writes:
 | I think a bigger issue here is a sort of rational (to the bureaucrat) risk a
  | versity: if he declassifies something and it turns out he's leaked somethin
  | g valuable (in the eyes of his boss), he's in trouble.  As long as there's 
  | no cost to stamping secret or FOUO on every document his office produce
  | s, this is safer for him than any other course of action.   Along with this
  | , going through a document to make sure there's nothing secret in there is 
  | a lot more work than just classifying it.  The same logic works in the priv
  | ate world--how much of the stuff you've seen under NDA was genuinely going 
  | to cause a problem to the company that produced it, if someone just posted 
  | it to their website?


Exactly correct.  It is the same reason that
no corporate general counsel will allow data
on successful intrusions to be shared; the 
downside risk is well understood and the upside
benefit is vague, delayed, and does not accrue
to the releasing party.  

Cf. mandatory reporting of communicable diseases
where, presumably, few patients or private docs
would ever voluntarily report that there's a
case of Plague in the house were it not for
compelled disclosure.[1]


--dan


[1]
sample state list, to which you can add gunshot wounds
==
Acquired Immunodeficiency Syndrome (AIDS)
Amebiasis
Anthrax
Botulism
Brucellosis
Campylobacteriosis
Cancer
Chancroid
Chickenpox
Chlamydial Infections
Cholera
Coccidioidomycosis
Colorado Tick Fever
Diphtheria
Echinococcosis
Encephalitis (post-infectious, arthropod-borne, and unspecified)
Food-borne Illness, including food poisoning
Giardiasis
Gonococcal Ophthalmia Neonatorum
Gonorrhea
Granuloma Inguinale
Hemophilus Influenza, Invasive Disease (all serotypes)
Hepatitis A
Hepatitis B, cases and carriers
Hepatitis, other Viral: Type C
Influenza
Legionellosis
Leprosy
Leptospirosis
Lymphogranuloma Venereum
Malaria
Meningitis, Aseptic and Bacterial
Meningococcemia
Mumps
Pelvic Inflammatory Disease
Pertussis
Plague
Poliomyelitis
Q-fever
Rabies (Human and Animal)
Relapsing Fever (tick-borne and louse borne)
Rheumatic Fever
Rocky Mountain Spotted Fever
Rubella
Rubella, Congenital Syndrome
Rubeola
Salmonellosis
Shigellosis
Staphylococcal Diseases
Syphilis
Tetanus
Toxic Shock Syndrome
Trichinosis
Tuberculosis
Tularemia
Typhoid
Typhus
Yellow Fever




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NSA warned Bush it needed to monitor networks

2005-03-25 Thread John Kelsey
...
Obviously any bureaucrat with the authority to categorize
something as secret will more or less automatically so stamp
any information that passes through his hands, to inflate his
importance, and thus his job security and prospects for
promotion.  

I think a bigger issue here is a sort of rational (to the bureaucrat) risk 
aversity: if he declassifies something and it turns out he's leaked something 
valuable (in the eyes of his boss), he's in trouble.  As long as there's no 
cost to stamping secret or FOUO on every document his office produces, this 
is safer for him than any other course of action.   Along with this, going 
through a document to make sure there's nothing secret in there is a lot more 
work than just classifying it.  The same logic works in the private world--how 
much of the stuff you've seen under NDA was genuinely going to cause a problem 
to the company that produced it, if someone just posted it to their website?

...
This results in top secret information being treated as not
very secret at all, as documented by Richard Feynman, which in
turn results in ever higher secrecy classifications, more top
than top, a process of classification inflation and debasement. 

I suspect something very similar happens with the watchlists.  I wonder how 
many different layers of watchlist there are by now

--digsig
 James A. Donald

--John Kelsey

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread Steven M. Bellovin
A few days ago, I posted this:

WASHINGTON (AP) -- The National Security Agency warned President
Bush in 2001 that monitoring U.S. adversaries would require a
``permanent presence'' on networks that also carry Americans'
messages that are protected from government eavesdropping.

...


``Make no mistake, NSA can and will perform its missions consistent
with the Fourth Amendment and all applicable laws,'' the document
says.


Today, I happened to learn the URL for the document itself:
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf .  There's 
little that strikes me as sensitive in it, other than the (redacted) 
budget numbers.  What's someplace between amusing and appalling is some 
of the other things that NSA had considered sensitive.  For example, 
consider this paragraph, from page 5:

The National Security Agency has a proud tradition of serving the
nation.  NSA has been credited with preventing or significantly
shortening military conflicts, thereby saving lives of U.S.
military and civilian personnel.  NSA gives the nation a decisive
edge in policy interactions with other nations, in countering
terrorism, and in helping stem the flow of narcotics into our
country.  NSA has been the premier information agency of the
industrial age, and through ongoing modernization and cutting edge
research, will continue to be the premiere knowledge agency of the
information age.

That paragraph, believe it or not, was classified Secret.  For what
it's worth, the official definition of Secret, from Executive Order
12958 (http://www.dss.mil/seclib/eo12958.htm), is:

 Secret shall be applied to information, the unauthorized
 disclosure of which reasonably could be expected to cause serious
 damage to the national security that the original classification
 authority is able to identify or describe.

What in that paragraph could cause serious damage?  The notion that
NSA gives the U.S. government an edge in policy interactions, i.e.,
it may spy on foreign governments?  I'm shocked, shocked to hear that.

Then there are the paragraphs on pages 16 and 17 that describe
NSA's legislative lobbying on crypto legislation.  Those were marked
FUOO -- For Official Use Only.  DD Form 254 says

The For Official Use Only (FOUO) marking is assigned to
information at the time of its creation in a DoD User
Agency. It is not authorized as a substitute for a security
classification marking but it is used on official government
information that may be withheld from the public under
exemptions 2 through 9 of the Freedom of Information Act.

Why is that information eligible to be withheld?  Because it tells
the public that NSA is interested in legislation about crypto and
exports?

I could go on, but the topic of overclassification is well-worn.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread James A. Donald
--
On 18 Mar 2005 at 22:52, Steven M. Bellovin wrote:
 That paragraph, believe it or not, was classified Secret.
 For what it's worth, the official definition of Secret,
 from Executive Order 12958
 (http://www.dss.mil/seclib/eo12958.htm), is:

   Secret shall be applied to information, the unauthorized 
   disclosure of which reasonably could be expected to cause
   serious damage to the national security that the original
   classification authority is able to identify or describe.

Obviously any bureaucrat with the authority to categorize
something as secret will more or less automatically so stamp
any information that passes through his hands, to inflate his
importance, and thus his job security and prospects for
promotion.  Similarly, he will spend any money he has authority
to spend, thus the never ending conflict between congress and
the SSSI bureacracy, who if they had their way would put every
single american, plus the dead and the pets, on SSSI

This results in top secret information being treated as not
very secret at all, as documented by Richard Feynman, which in
turn results in ever higher secrecy classifications, more top
than top, a process of classification inflation and debasement. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 R4I4vh9JdcWBUfeQFXQ+i/TlFSVcljg/Og6KRDDj
 4qwXmonSAX1xgyPdaB5TsB80yC66PjeWY5mzIpBuo


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


NSA warned Bush it needed to monitor networks

2005-03-13 Thread Steven M. Bellovin
http://www.nytimes.com/aponline/national/AP-Spy-Agency-Documents.html

WASHINGTON (AP) -- The National Security Agency warned President
Bush in 2001 that monitoring U.S. adversaries would require a
``permanent presence'' on networks that also carry Americans'
messages that are protected from government eavesdropping.

...


``Make no mistake, NSA can and will perform its missions consistent
with the Fourth Amendment and all applicable laws,'' the document
says.

...

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]