Computer underground Digest Sun Aug 23, 1992 Volume 4 : Issue 38 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Copy Editor: Etaion Shrdlu, III Archivist: Brendan Kehoe Shadow-Archivist: Dan Carosone CONTENTS, #4.38 (Aug 23, 1992) File 1--Retraction & apology to Ripco File 2--THE GARBAGE DUMP BBS Purges Adult Gifs File 3--Canada busts Pirate File 4--Lotus NYT As against Borland File 5--Secret Service -- the TV show File 6--"The Hacker Files" Comic Book File 7--ZEN AND THE ART OF THE INTERNET (Review 1) File 8--ZEN AND THE ART OF THE INTERNET (Review 2) File 9--CPSR Letter on Crypto Policy Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Fri, 21 Aug 1992 11:41:44 -0600 From: Evan.Hendricks@EFF.ORG(hendricks@washofc.cpsr.org) Subject: File 1--Retraction & apology to Ripco ((MODERATORS' NOTE: CuD #4.37 reported an inadvertent, but unfortunate, phrasing of a reference to Ripco BBS, in an article in Privacy Times. We contacted the editor, Evan Hendricks, who shared our concern. He indicated that, if CuD's version of events were correct, he would rectify the mistake. His response is below may be one reason why Privacy Times is judged by many as as a first-rate and reputable resource. His response should also be an example of integrity for other journalists.)) The following retraction was printed in the Aug. 21, 1992 issue of Privacy Times ++++++++++++++++++++++++++++ RETRACTION In the previous issue, Privacy Times reported incorrectly that a manual for breaking into TRW's credit bureau database was published on the Ripco bulletin board. In fact, Ripco officials refused to publish it. Our mistake was made worse by the fact that Ripco had been the previous victim of unwarranted government persecution after controversial matters were published on the board, sources said. Privacy Times apologizes for this mistake. We regret any misconceptions that this may have caused. ------------------------------ Date: Thu, 20 Aug 92 15:46:13 MDT From: bbx!yenta!weenie@UNMVAX.CS.UNM.EDU(Dean Kerl) Subject: File 2--THE GARBAGE DUMP BBS Purges Adult Gifs FOR RELEASE AUGUST 17, 1992 GARBAGE DUMP BBS PURGES ADULT GRAPHIC FILES DataSafe, owners and operators of The Garbage Dump Bulletin Board Service (BBS) in Albuquerque, NM and Denver, CO announce the immediate removal of all adult graphic files from its online service. This action was taken to free up system and personnel resources which will be used to enhance and expand current services such as DOS, Windows and OS/2 shareware downloadable files. Shareware files will be promoted as a primary product along with interactive chat, message areas and online multiplayer games. Simon Clement, VP of Marketing said, "These graphic files have never been an integral part of our business and this action will allow us to market to a much wider audience. We feel that this new market strategy will position us to serve more customers with better and more valuable services. We would like to encourage our customers to continue using our expanding services. Any customer who is dissatisfied with our market emphasis will be given a full refund, on request, for any time remaining on their account." The Garbage Dump BBS will continue to offer and promote uncensored Chat, E-mail, and Message Areas. This uncensored format allows for open discussion of a wide range of controversial topics including politics, consumer issues, freedom of speech, alternative lifestyles and current events. The Garbage Dump BBS can be reached via modem in Albuquerque, NM at (505)-294-5675 and in Denver, CO at (303)-457-1111. If you have any questions about our new policy or would like further information about our services, please contact Dean Kerl at (505)-294-4980 Voice. ------------------------------ Date: 20 Aug 92 21:41:18 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 3--Canada busts Pirate Centre d'ordinateurs Microbec, a chain of four computer stores, has been handed the largest software-copyright fine in the province's history. The company was fined C$63,000 for selling computers loaded with illegal copies of the MS-DOS operating system. The fine is not the worst of it for Microbec. When the Royal Canadian Mounted Police raided the company last October, they seized about 140 computers carrying the illegal software as evidence. Since the company was convicted, the seized hardware will not be returned, said Allan Reynolds, manager of the Canadian Alliance Against Software Theft (CAAST), a Toronto-based group of major software vendors set up to fight software piracy. Reynolds said the value of the seized computers is "more than double the fine amount in terms of revenue value." (Reprinted from ST Report 8.33 with permission) ------------------------------ Date: Thu, 20 Aug 92 11:49:51 PDT From: name_withheld@by.request Subject: File 4--Lotus NYT As against Borland In case you missed it, there was a full page ad by Lotus in the August 20 issue of the New York Times (Business section, p. 3) about their lawsuit against Borland. With a banner headline saying "There's nothing innovative about copying, parts of it read: On Friday, July 31, 1992, a U.S. District Court ruled that Borland's Quattro(r) and Quattro Pro(r) spreadsheets infringe the copyrights of Lotus(r) 1-2-3. In its ruling, the court concluded tht "...the Quattro programs derive from illicit copying," holding that "Lotus has sued" and "Borland is liable." Lotus goes for the jugular in the ad. In a large-print subhead, it announces: "_Lotus innovated. Borland copied," and another says: "Who should you trust?" The ad concludes: But perhaps most importantly, Borland lost what matters most to customers: credibility. For instance, Borland told the Court they needed to copy our menus to achieve macro compatibility with 1-2-3. Now they tell their customers that the 1-2-3 menus aren't critical to compatibility. So ask yourself: To what extent can you trust a company that values what is expedient over what is legal? And to what extent can you rely on the product it wants you to buy? Here's our advice: Choose the product, and the company, you can trust. Choose Lotus. After all, we're the best in the business at building innovative spreadsheets. Always hae been, always will be. Case closed. Lotus ------------------------------ Date: 17 Aug 1992 12:24:24 -0400 (EDT) From: Stephen Tihor 212 998 3052 Subject: File 5--Secret Service -- the TV show Last night NBC broadcast an episode of "Secret Service" in NY at least that featured a straightforwards nut who wants to kill the President plot and then a rather confusing account of their high technology defense of a fuzzy city power system against sabotage by a fired employee. I hope someone taped it and caught the exact wording of the disclaimer at the end because it was hard to follow the logic and determine what was the original incident and what was Hollywoodisms. The piece was prefaced with a brief discussion some of the risks of power outages. The expert quickly diagnosed the problem as a VIRUS. Persistent references to virus in the context of a electric power control system seemed odd. Since they appeared to be running pre-existing VIRUS checking software on the system one might suspect the "main frame" was an IBM PC or Apple Macintosh running standard software rather than a real time control system or perhaps something larger and safer. Interesting references were made to viruses lurking WITHIN modems. Then they identified the source of the attacking codes as the local font storage in what appeared to be a old DECwriter dot matrix printer. With some external clues the agents attempt to confront the criminal in house, which is wired with many falling metal screen, sounds effects, and gas but which lacks reinforced walls. The culprit is classic middle aged computer geek who appears uncaring about possible loss of life although the agents do not mention to him the risk of a life sentence of death penalty of others die as a result of his sabotage. He refuses to help them disarm the problem. The expert has announced that this is a logic bomb and eventually realizes that since the bug code is not in the copy of the system on disk as long as they shutdown without writing memory to disk they can reboot bug free. So a brief deliberate blackout is used to save the city. I am obvious very curious about the TRUE FACTs of this can if the show plans to show such other SS triumphs in the war on electronic crime as almost destroying Steve Jackson Games. ------------------------------ Date: Fri, 21 Aug 92 09:18:22 MDT From: gambit@unijak.label.com(queen's gambit) Subject: File 6--"The Hacker Files" Comic Book _The Hacker Files_, if you've missed them, is the name of a new DC comic book. At $1.95 each, I plunked down my six bucks and took the first three of the 24 page monthly back to my digs and zap through them between hacks. Reading took a lot less time than I thought. I should have watched a double showing of Ishtar instead. The premise of the story, which is continued in serial form from one issue to the next, is that a virus has invaded Arpanet and threatens the Pentagon's computer system and could trigger a nuclear set-to. No matter that the collapse of Russia stretches the credibility of the Dr. Strangelove plot. The hacker-not-cracker hero is Jack Marshall, a scruffy looking peacenik who dresses in a t-shirt with a prominent peace sign, jeans, and an army shirt-as-jacket. He's been dismissed from his last company, Digitronix, under mysterious circumstances and was black-balled from the industry. Digitronix, coincidentally, installed the Pentagon's computers, and Jack Marshall, coincidentally, wrote the operating system for it before his dismissal. Not coincidentally, there's friction between Marshall and the Digitronix crowd when he pops on the scene. Not coincidentally, this tension may or may not have something to do with the plot. Marshall, handle of "Hacker," calls a few of his younger hacker friends (Sue Denim and Dr. Zen) to help track down the virus planter. Was it some curious kids? Was it Digitronix? Was it some nasty foreign government? Do we really care? I'm not sure who _The Hacker Files- is aimed at. It presents a rather sympathetic view of hackers, so it's probably aimed at a younger, techno-sophisticated audience. The unfolding of the plot is too slow and twisted to hold the attention of the MTV generation, and pre-teens would probably find the story line incomprehensible. The dialogue in the book is R-rated, with "bullshits" and "goddamns" liberally sprinkled in. The graphics include unnecessary snapshot scenes of houses and neighborhoods that probably are intended for a touch of realism, but do nothing but take up space. At 12 cents a page, the space could be better used. The ads every few pages are distracting. Simulated computer screens showing what the characters see on the screen abound, but they don't add anything except maybe some vicarious thrill for kids. The story line needs a stronger set of ideas describing hackers and their activities and some coherent purpose in using a hacker as hero or villain. The characters, except for the youngest hackers, aren't either exciting or sympathetic, and like Gertrude Stein said about Oakland, after three issues there just ain't no there there. As I see it, the "to be continued" format is just a device to entice readers to get the next issue, but it's is as lame and drawn out as the first three, the promised "conclusion" in the fourth issue will be the last. ------------------------------ Date: 20 Aug 1992 09:46:11 U From: "Anne" Subject: File 7--ZEN AND THE ART OF THE INTERNET (Review 1) ((MODERATORS' NOTE: The following two posts review ZEN AND THE ART OF THE INTERNET: A BEGINNER'S GUIDE, by Brendan P. Kehoe. Englewood Cliffs (N.J.): Prentice-Hall. 122 pp. $22 (paper).)) Brendan Kehoe's _Zen and the Art of the Internet: A Beginner's Guide_ is an eminently usable handbook of information and tips for navigating the Internet. Despite its title, beginners aren't the only ones who can benefit from it. The novice will enjoy it as a guided tour of the net; more experienced netters will find it a valuable resource as an all-in-one-place source for tips and tricks. Although some of his examples do betray an excessive fondness for Unix, Kehoe stays for the most part platform-neutral, so anyone can benefit from this book. All the basics are covered: email, FTP, Usenet and Telnet; plus some of everybody's favorite fun things, such as Finger, Ping, Talk and WHOIS. One of the more interesting sections is Chapter 4, which is given over entirely to explaining Usenet. Besides describing what Usenet is ("a set of machines that exchange articles"), it also tells what Usenet is not ("an organization," "the Internet," "fair"). Here the author really seems to swing into his own; he's obviously very comfortable in the world of newsgroups and this is some of his best writing. Although the entire book is readable and easy to comprehend, it's fun in the Usenet chapter. Perhaps echoing the anarchy of Usenet itself, Kehoe's prose takes on a slightly more freewheeling bent, and his advice, never heavy-handed, becomes more lively. _Zen_ is also crammed with factoids that are great to know, but sometimes hard to remember, such as directions for telnetting into the Naval Observatory Automated Data Service and listings of email gateways to. For the beginner, these are great guideposts for learning what's what; the veteran will appreciate having a ready reference to favorite services. Like most people, I had to learn net behavior the hard way, but maybe future generations will be spared this trauma by reading the section on netiquette. Although having a more aware crop of newbies entering the net may not be as amusing to the old timers, it has the potential for freeing up substantial chunks of bandwidth that were previously occupied by flames sent to the clueless ones. One feature of the book that could still stand some improvement is the appearance of the printed text itself. According to Kehoe, it was output on a 300 dpi laser. In the mid-1980's that was a great "taking control of our own property" kind of statement, but now it's easy to get much higher-quality text out of felt that a book of this quality deserved more attractive typefaces and higher-res output, such as what could have easily been obtained from a Linotronic imagesetter. However, this is a minor qualm and no reason for missing _Zen and the Art of the Internet_. It's a book to keep handy by the computer, whether you are a hardened veteran or a net.virgin. Although clearly slanted towards the novice, there's lots here for everyone. I wish I'd had it by my side when I first got on the net; it would have saved asking a million clueless FAQs. Anne Harwell harwell@panam.edu ------------------------------ Date: Wed, 20 Aug 92 18:01:31 CDT From: Jim Thomas Subject: File 9--CPSR Letter on Crypto Policy CPSR Letter on Crypto Policy The following is the text of a letter Computer Professionals for Social Responsibility (CPSR) recently sent to Rep. Jack Brooks, chairman of the House Judiciary Committee. The letter raises several issues concerning computer security and cryptography policy. For additional information on CPSR's activities in this area, contact banisar@washofc.cpsr.org. For information concerning CPSR generally (including membership information), contact cpsr@csli.stanford.edu. ==================================================== August 11, 1992 Representative Jack Brooks Chairman House Judiciary Committee 2138 Rayburn House Office Bldg. Washington, DC 20515-6216 Dear Mr. Chairman: Earlier this year, you held hearings before the Subcommittee on Economic and Commercial Law on the threat of foreign economic espionage to U.S. corporations. Among the issues raised during the hearings were the future of computer security authority and the efforts of government agencies to restrict the use of new technologies, such as cryptography. As a national organization of computer professionals interested in the policies surrounding civil liberties and privacy, including computer security and cryptography, CPSR supports your efforts to encourage public dialogue of these matters. Particularly as the United States becomes more dependent on advanced network technologies, such as cellular communications, the long-term impact of proposed restrictions on privacy-enhancing techniques should be carefully explored in a public forum. When we had the opportunity to testify before the Subcommittee on Legislation and National Security in May 1989 on the enforcement of the Computer Security Act of 1987, we raised a number of these issues. We write to you now to provide new information about the role of the National Security Agency in the development of the Digital Signature Standard and the recent National Security Directive on computer security authority. The information that we have gathered suggests that further hearings are necessary to assess the activities of the National Security Agency since passage of the Computer Security Act of 1987. The National Security Agency and the Digital Signature Standard Through the Freedom of Information Act, CPSR has recently learned that the NSA was the driving force behind the selection and development of the Digital Signature Standard (DSS). We believe that the NSA's actions contravene the Computer Security Act of 1987. We have also determined that the National Institute of Standards and Technology (NIST) attempted to shield the NSA's role in the development of the DSS from public scrutiny. The Digital Signature Standard will be used for the authentication of computer messages that travel across the public computer network. Its development was closely watched in the computer science community. Questions about the factors leading to the selection of the standard were raised by a Federal Register notice, 56 Fed. Reg. 42, (Aug 30, 1991), in which NIST indicated that it had considered the impact of the proposed standard on "national security and law enforcement," though there was no apparent reason why these factors might be considered in the development of a technical standard for communications security. In August 1991, CPSR filed a FOIA request with the National Institute of Standards and Technology seeking all documentation relating to the development of the DSS. NIST denied our request in its entirety. The agency did not indicate that they had responsive documents from the National Security Agency in their files, as they were required to do under their own regulations. 15 C.F.R. Sec. 4.6(a)(4) (1992). In October 1991, we filed a similar request for documents concerning the development of the DSS with the Department of Defense. The Department replied that they were forwarding the request to the NSA, from whom we never received even an acknowledgement of our request. In April 1992, CPSR filed suit against NIST to force disclosure of the documents. CPSR v. NIST, et al., Civil Action No. 92-0972-RCL (D.D.C.). As a result of that lawsuit, NIST released 140 out of a total of 142 pages. Among those documents is a memo from Roy Saltman to Lynn McNulty which suggests that there were better algorithms available than the one NIST eventually recommended for adoption. If that is so, why did NIST recommend a standard that its own expert believed was inferior? Further, NIST was required under Section 2 of the Computer Security Act to develop standards and guidelines to "assure the cost-effective security and privacy of sensitive information in federal systems." However, the algorithm selected by NIST as the DSS was purposely designed to minimize privacy protection: its use is limited to message authentication. Other algorithms that were considered by NIST included both the ability to authenticate messages and the capability to incorporate privacy-enhancing features. Was NSA's interest in communication surveillance one of the factors that lead to the NIST decision to select an algorithm that was useful for authentication, but not for communications privacy? Most significantly, NIST also disclosed that 1,138 pages on the DSS that were created by the NSA were in their files and were being sent back to the NSA for processing. Note that only 142 pages of material were identified as originating with NIST. In addition, it appears that the patent for the DSS is filed in the name of an NSA contractor. The events surrounding the development of the Digital Signature Standard warrant further Congressional investigation. When Congress passed the Computer Security Act, it sought to return authority for technical standard-setting to the civilian sector. It explicitly rejected the proposition that NSA should have authority for developing technical guidelines: Since work on technical standards represents virtually all of the research effort being done today, NSA would take over virtually the entire computer standards job from the [National Institute of Standards and Technology]. By putting the NSA in charge of developing technical security guidelines (software, hardware, communications), [NIST] would be left with the responsibility for only administrative and physical security measures -- which have generally been done years ago. [NIST], in effect, would on the surface be given the responsibility for the computer standards program with little to say about the most important part of the program -- the technical guidelines developed by NSA. Government Operation Committee Report at 25-26, reprinted in 1988 U.S. Code Cong. and Admin. News at 3177-78. See also Science Committee Report at 27, reprinted in 1988 U.S.C.A.N. 3142. Despite the clear mandate of the Computer Security Act, NSA does, indeed, appear to have assumed the lead role in the development of the DSS. In a letter to MacWeek magazine last fall, NSA's Chief of Information Policy acknowledged that the Agency "evaluated and provided candidate algorithms including the one ultimately selected by NIST." Letter from Michael S. Conn to Mitch Ratcliffe, Oct. 31, 1991. By its own admission, NSA not only urged the adoption of the DSS -- it actually "provided" the standard to NIST. The development of the DSS is the first real test of the effectiveness of the Computer Security Act. If, as appears to be the case, NSA was able to develop the standard without regard to recommendations of NIST, then the intent of the Act has clearly been undermined. Congress' intent that the standard-setting process be open to public scrutiny has also been frustrated. Given the role of NSA in developing the DSS, and NIST's refusal to open the process to meaningful public scrutiny, the public's ability to monitor the effectiveness of the Computer Security Act has been called into question. On a related point, we should note that the National Security Agency also exercised its influence in the development of an important standard for the digital cellular standards committee. NSA's influence was clear in two areas. First, the NSA ensured that the privacy features of the proposed standard would be kept secret. This effectively prevents public review of the standard and is contrary to principles of scientific research. The NSA was also responsible for promoting the development of a standard that is less robust than other standards that might have been selected. This is particularly problematic as our country becomes increasingly dependent on cellular telephone services for routine business and personal communication. Considering the recent experience with the DSS and the digital cellular standard, we can anticipate that future NSA involvement in the technical standards field will produce two results: (1) diminished privacy protection for users of new communications technologies, and (2) restrictions on public access to information about the selection of technical standards. The first result will have severe consequences for the security of our advanced communications infrastructure. The second result will restrict our ability to recognize this problem. However, these problems were anticipated when Congress first considered the possible impact of President Reagan's National Security Decision Directive on computer security authority, and chose to develop legislation to promote privacy and security and to reverse efforts to limit public accountability. National Security Directive 42 Congressional enactment of the Computer Security Act was a response to President Reagan's issuance of National Security Decision Directive ("NSDD") 145 in September 1984. It was intended to reverse an executive policy that enlarged classification authority and permitted the intelligence community broad say over the development of technical security standards for unclassified government and non-government computer systems and networks. As noted in the committee report, the original NSDD 145 gave the intelligence community new authority to set technical standards in the private sector: [u]nder this directive, the Department of Defense (DOD) was given broad new powers to issue policies and standards for the safeguarding of not only classified information, but also other information in the civilian agencies and private sector which DOD believed should be protected. The National Security Agency (NSA), whose primary mission is one of monitoring foreign communications, was given the responsibility of managing this program on a day-to-day basis. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987). The legislation was specifically intended to override the Presidential directive and to "greatly restrict these types of activities by the military intelligence agencies ... while at the same time providing a statutory mandate for a strong security program headed up by [NIST], a civilian agency." Id. at 7. President Bush issued National Security Directive ("NSD") 42 on July 5, 1990. On July 10, 1990, Assistant Secretary of Defense Duane P. Andrews testified before the House Subcommittee on Transportation, Aviation, and Materials on the contents of the revised NSD. The Assistant Secretary stated that the "the new policy is fully compliant with the Computer Security Act of 1987 (and the Warner Amendment) and clearly delineates the responsibilities within the Federal Government for national security systems." On August 27, 1990, CPSR wrote to the Directorate for Freedom of Information of the Department of Defense and requested a copy of the revised NSD, which had been described by an administration official at the July hearing but had not actually been disclosed to the public. CPSR subsequently sent a request to the National Security Council seeking the same document. When both agencies failed to reply in a timely fashion, CPSR filed suit seeking disclosure of the Directive. CPSR v. NSC, et al., Civil Action No. 91-0013-TPJ (D.D.C.). The Directive, which purports to rescind NSDD 145, was recently disclosed as a result of this litigation CPSR initiated against the National Security Council. The text of the Directive raises several questions concerning the Administration's compliance with the Computer Security Act: 1. The new NSD 42 grants NSA broad authority over "national security systems." This phrase is not defined in the Computer Security Act and raises questions given the expansive interpretation of "national security" historically employed by the military and intelligence agencies and the broad scope that such a term might have when applied to computer systems within the federal government. If national security now includes international economic activity, as several witnesses at your hearings suggested, does NSD 42 now grant NSA computer security authority in the economic realm? Such a result would clearly contravene congressional intent and eviscerate the distinction between civilian and "national security" computer systems. More critically, the term "national security systems" is used throughout the document to provide the Director of the National Security Agency with broad new authority to set technical standards. Section 7 of NSD 42 states that the Director of the NSA, as "National Manager for National Security Telecommunications and Information Systems Security," shall * * * c. Conduct, *approve*, or endorse research and development of techniques and equipment to secure national security systems. d. Review and *approve* all standards, techniques, systems, and equipment, related to the security of national security systems. * * * h. Operate a central technical center to evaluate and *certify* the security of national security telecommunications and information systems. (Emphasis added) Given the recent concern about the role of the National Security Agency in the development of the Digital Signature Standard, it is our belief that any standard-setting authority created by NSD 42 should require the most careful public review. 2. NSD 42 appears to grant the NSA new authority for information security. This is a new area for the agency; NSA's role has historically been limited to communications security. Section 4 of the directive provides as follows: The National Security Council/Policy Coordinating Committee (PCC) for National Security Telecommuni- cations, chaired by the Department of Defense, under the authority of National Security Directives 1 and 10, assumed the responsibility for the National Security Telecommunications NSDD 97 Steering Group. By authority of this directive, the PCC for National Security Telecommunications is renamed the PCC for National Security Telecommunications and Information Systems, and shall expand its authority to include the responsibilities to protect the government's national security telecommunications and information systems. (Emphasis added). Thus, by its own terms, NSD 42 "expands" DOD's authority to include "information systems." What is the significance of this new authority? Will it result in military control of systems previously deemed to be civilian? 3. NSD 42 appears to consolidate NSTISSC (The National Security Telecommunications and Information Systems Security Committee) authority for both computer security policy and computer security budget determinations. According to section 7 of the revised directive, the National Manager for NSTISSC shall: j. Review and assess annually the national security telecommunications systems security programs and budgets of Executive department and agencies of the U.S. Government, and recommend alternatives, where appropriate, for the Executive Agent. NSTISSC has never been given budget review authority for federal agencies. This is a power, in the executive branch, that properly resides in the Office of Management and Budget. There is an additional concern that Congress's ability to monitor the activities of federal agencies may be significantly curtailed if this NSTISSC, an entity created by presidential directive, is permitted to review agency budgets in the name of national security. 4. NSD 42 appears to weaken the oversight mechanism established by the Computer Security Act. Under the Act, a Computer Systems Security and Privacy Advisory Board was established to identify emerging issues, to inform the Secretary of Commerce, and to report findings to the Congressional Oversight Committees. Sec. 3, 15 U.S.C. Sec. 278g-4(b). However, according to NSD 42, NSTISSC is established "to consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards as necessary to implement provisions of this Directive." What is the impact of NSTISSC authority under NSD 42 on the review authority of the Computer Systems Security and Privacy Advisory Board created by the Computer Security Act? Conclusion Five years after passage of the Computer Security Act, questions remain about the extent of military involvement in civilian and private sector computer security. The acknowledged role of the National Security Agency in the development of the proposed Digital Signature Standard appears to violate the congressional intent that NIST, and not NSA, be responsible for developing security standards for civilian agencies. The DSS experience suggests that one of the costs of permitting technical standard setting by the Department of Defense is a reduction in communications privacy for the public. The recently released NSD 42 appears to expands DOD's security authority in direct contravention of the intent of the Computer Security Act, again raising questions as to the role of the military in the nation's communications network. There are also questions that should be pursued regarding the National Security Agency's compliance with the Freedom of Information Act. Given the NSA's increasing presence in the civilian computing world, it is simply unacceptable that it should continue to hide its activities behind a veil of secrecy. As an agency of the federal government, the NSA remains accountable to the public for its activities. We commend you for opening a public discussion of these important issues and look forward to additional hearings that might address the questions we have raised. Sincerely, Marc Rotenberg, Director CPSR Washington Office ------------------------------ End of Computer Underground Digest #4.38 ************************************