INTELLIGENCE No. 271, 11 Sept 1995 Publishing since 1980 Copyright ADI 1995. Reproduction in any form forbidden without explicit authorization from the ADI. A one-year subscription (23 issues) is US $280. Technology: CLIPPER TECHNOLOGY TO BE IMPOSED & OTHERS FORBIDDEN The Electronic Privacy Information Center (EPIC) in Washington recently revealed that NSA and FBI documents obtained under the Freedom of Information Act (FOIA) revealed that federal agencies were lying when they declared that "the key-escrow encryption initiative [Clipper Chip] is a voluntary one", in the words of Assistant Attorney General Jo Ann Harris testifying before a Senate Judiciary Subcommittee on 3 May 1994. The declassified government documents obtained by EPIC show that, more than two years ago, federal agencies concluded that Clipper Chip will only succeed if alternative security techniques are outlawed. EPIC and other critics of the government's initiative have long maintained that government- sanctioned key-escrow encryption techniques would only serve their stated purpose if made mandatory. According to the FBI documents, that view is shared by the Bureau, the NSA and the Department of Justice. All three sent a report entitled "Encryption - The Threat, Applications and Potential Solutions," to the National Security Council in February 1993, stating: "Technical solutions, such as they are, will work only if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of Government-approved encryption products or adherence to Government encryption criteria is required." The FBI's report, "Impact of Emerging Telecommunications Technologies on Law Enforcement", confirms that "a national policy embodied in legislation is needed" and should ensure "real-time decryption by law enforcement" and "prohibit (...) cryptography that cannot meet the Government standard." This information has resulted in the new nickname of "Clipper II" for the Clinton Administration's "new" 17 August 1995 cryptography policy, of which the only essential change is a willingness to consider the export of 64-bit encryption systems (if "properly escrowed"). Given the background revealed by the FOIA documents and the lack of security of 64-bit keys, computer experts and the business and finance community expect little from other rumored changes in Washington's crypto policy or from the public key-escrow workshop last week and the one this week on 15 September organized by the National Institute of Standards and Technology (NIST) which produced Clipper Chip under secret and illegal NSA guidance. * USA: KEY-ESCROWED ENCRYPTION AT ISSUE ONCE AGAIN Given the troubled context in which the National Institute of Standards and Technology (NIST) developed, at the request of Congress, the Clipper Chip public encryption system based on escrowed code keys but allowed it to be secretly and illegally engineered by the NSA, computer professionals and the business community are expecting little of the Clinton administration's "new" cryptography policy. This is especially true now that secret FBI documents have revealed that the government intended from the start to force Clipper Chip upon the public (see p. 2 in this issue). Nonetheless, the NIST has made an effort at public dialog by organizing two "Key Escrow Workshops", one last week on 6-7 September and this week on 15 September. Edward Roback of NIST has made two discussion papers available that lay out the major questions on which the administration is willing to receive public feedback. In "Issues - Export of Software Key Escrowed Encryption", NIST states: "On 17 August 1995, the Administration announced its proposal to permit the ready export of software encryption provided the products use algorithms with key space that does not exceed 64 bits and that the key(s) required to decrypt messages/files are escrowed with approved escrow agents." The questions remaining open to discussion are: avoiding multiple encryption; avoiding disabling the key escrow mechanism; authorized [government] access to escrow information; non- escrowed use; protection of keys during communication; access to escrowed keys over extended periods of time, called "practical key access"; guaranteeing that only properly- escrowed software is marketed; ability to change escrowed keys; and defining and installing acceptable escrow agents. With public feedback, the NIST hopes to "make formal conforming modifications to export regulations before the end of 1995." The second discussion paper, "Desirable Characteristics for Key Escrow Agents", sets out ten points for debate concerning "appropriate" key escrow agent qualifications. The ten points are: what organizations should be excluded from being escrow agents; what legal agreement should exist between an escrow agent and the U.S. government; how will unauthorized key releases be handled; should unauthorized key release be declared a criminal act; guaranteeing confidentiality of government requests for key release; should escrow agents by tied to a public key encryption infrastructure; procedures for storing and safeguarding keys; performance and availability requirements for escrow agents; possibility of foreign key escrow agents; and how will escrow agents be approved. COMMENT - What first strikes specialists consulted by "Intelligence" is the similarity between the issues raised by these two "discussion papers" and the points that have already come up during heated public debate concerning the imposition of Clipper Chip in 1994, about which we have written extensively. The Clinton administration's attitude during public debate was far from forthcoming and official opinions expressed at that time all pointed to the fact that what was an "appropriate" key escrow agent had already been worked out. The NIST is going to have do some very hard work in the public's favor to make any specialist believe that these recent meetings are anything more than a political gesture and a sop to the media for public relations purposes. * UPDATE ON INTELLIGENCE INFORMATION IN CIABASE Former CIA officer Ralph McGehee has recently updated his excellent CIABASE system (P.O. Box 5022, Herdon VA 22070) adding information from a number of new on-line or printed publications including "Intelligence": "a computerized as well as printed magazine published in Paris, France, is particularly informative." According to McGehee, Intelligence Watch Report," published in Boston, provides daily and periodic substantive coverage of world-wide developments in intelligence and "NY Transfer News" is another valuable computerized report. McGehee also selects, edits and summarizes the most relevant material from informed email available on Internet and incorporates it with information from his usual sources: "Covert Action Quarterly," "Military Intelligence," "Extra!," "Unclassified," "Top Secret," "The Nation," "Mother Jones," "The Progressive," "Washington Post," "Washington Times," news weeklies, etc. The new update also includes material from recently-published books: K. Conboy and J. Morrison, 1995, "Shadow War - CIA's Secret War in Laos," an encyclopedic volume describing the CIA's paramilitary operation that built various PM units from primarily Laos hill tribes; W. Blum, 1995, "Killing Hope - U.S. Military and CIA Interventions since World War II," Monroe, Maine, Common Courage Press, an encyclopedia of CIA covert operations which can be used as a textbook for studies of the CIA and military interventions since the end of World War Two; Robert Strange McNamara, 1995, "In Retrospect - The Tragedy and Lessons of Vietnam," New York, Times Books, a superficial and selective mea culpa by a former Secretary of Defense who claims the U.S. governing elite had little understanding of the Vietnamese and the war; E. L. Howard, 1995, "Safe House - The Compelling Memoirs of the only CIA Spy to Seek Asylum in Russia," Bethesda MD, National Press Books, in which Howard says he had no contact with the Soviets until FBI harassment operations forced him to flee the United States and seek sanctuary in the U.S.S.R.; James Adams, 1995, "Sell Out - Aldrich Ames and the Corruption of the CIA," New York, Penguin Books USA, the story of Ames' betrayal foreshadowing a series of other such books on Ames. Bob Gonsalves at Pink Noise Studios has set up a "trial- size" version of CIABASE on his web page but requires a forms-capable World Wide Web brower to access it. * ENCRYPTION - Zimmermann Keeping on the Ball. The Chrysler Corporation has recognized Philip Zimmermann and his PGP encryption system as one of the five recipients of its 1995 Chrysler Award of Innovation in Design. At the time Zimmermann said he was planning a voice communications version of PGP. According to IWR in Boston, PGPfone is to be released this month and will work under Windows 95. As for his legal situation, he told IWR, "I'm still not indicted, and we are still awaiting word from the Justice Department on whether they will decide to indict me. I don't know why it's taking so long." * Software: CIA Is Now ICE. Competitive Intelligence Agent or CIA (IN, N. 251/4) in Alameda, California, has now become Intelligence Competitive Engine (ICE), supposedly at the request of the CIA because "the program's function is too similar to our agency's mission." This relatively inexpensive computer program ($39) has also been updated and expanded to 25,000 sources of competitive intelligence, twice the number CIA had. ICE has telephone numbers and Internet sites on foreign, federal, state and county agencies, BBS, courts, and licensing offices, trade associations, newspapers, industry specialists, business data bases, market researchers, information brokers, document retrievers, Web sites, embassies, unions, research laboratories, hacker joints, and other strategic resources. It comes with an autodialer, a data base directory and a research assistant. * VIRUS - "Hitchhiker" Rides with Windows 95. The Royal Australian Navy has banned the use of Windows 95 on its 8,000 computers while awaiting results of data security tests concerning the software's Registration Wizard utility mentioned in our last issue (IN, N. 270/10). There are also "some security concerns" at the U.S. Defense Information Systems Agency concerning the software. In addition to these worries is the discovery of the first confirmed Internet virus, "Hitchhiker," which is specific to Microsoft Word word- processing documents made under Windows 95, but will surely not be limited to only that in the near future. * HACKERS - Frenchman Hacks Netscape. The media has been disturbed by the fact that Damien Doligez decoded a message encrypted by the Netscape 40-byte key used for business transactions in Europe. But Doligez, who works at the official French Institut National de Recherche en Informatique et en Automatique computer research center as a specialist in parallel computing, said that Adam Back of England, Eric Young of Australia and David Byers of Sweden had cracked Netscape before he did. What he didn't mention, and may not have known, is that a similar "amateur" team of Anglo-American enthusiasts in parallel computing had not only decoded a PGP-encoded message this summer but factored the 384-byte key used to encoded messages (IN, N. 270/7). This means that no currently available non-military encryption system is safe from serious "professionals" even if they do not work for a national intelligence service. * SNIFFERS - Canine Technology Causes Bomb Problem. The Secret Service's explosive-sniffing dogs are supposed to avoid incidents not cause them. But when the dogs sniffed out aging bombs, rockets, artillery shells and cannonballs under stands of Spartan Stadium at Michigan State University this summer, they caused a real problem. President Bill Clinton was to give a commencement address just above the explosives which were so unstable they couldn't be moved very far. They were detonated unnoticed in a specially dug hole on campus rather than to try to ship them away. * FRANCE - Secret U.S. Nuclear Agreement Confirmed. In several previous issues we have mentioned that France and the U.S. were secretly cooperating in the construction of their respective multiple-laser nuclear simulation research centers: the National Ignition Facility for the U.S. (IN, N. 251/10) and Megajoule for France (IN, N. 264/49). The French Commissariat a l'Energie Atomique (CEA) recently confirmed that in June 1994 the two countries signed a ten-year agreement on joint research concerning the construction and operation of these two research centers (IN, N. 267/42). This agreement follows prior cooperation in constructing and running France's powerful Phebus laser and the United States' ten-laser unit Nova. Without joint cooperation, France's PALEN nuclear simulation program would cost an additional $200 to $400 million. What the CEA didn't explain is why President Jacques Chirac decided to break off cooperation in simulation and restart nuclear testing, a delicate subject we've previously treated (IN, N. 270/49). * NETHERLANDS: REAL "RED MERCURY" ON THE MARKET & NO BUYERS On 7 September in the Dutch daily "NRC Handelsblad", a page-long article, described how a Rotterdam company (the name of which was not mentioned for security reasons) has 100 to 200 kilos of so-called "red mercury" (HG2SB2O7, mercury-antimony- oxide) for sale, probably the largest quantity available in the world. The article discusses the controversy over the material, with positions and sources, and describes the market and the "strange" company, a subsidiary of the former Soviet state-controlled export company Molibden based in Moscow. Last year, after the Dutch company advertised the product in "Metal Bulletin," a Channel Four Dutch film crew tried in vain to get access to it. It has apparently still not been sold. The company's director has shown the shipment to reporter Karel Knip and claimed to have received it from Russia in 1992. He even gave a sample to the journalist, who had it examined. The Reactor Institute of Delft University believes that it is indeed "the real stuff." COMMENT - There is no known use for "red mercury," and it is not mentioned in scientific literature, leading SIPRI director Frank Barnaby to conclude that it probably has some secret military nuclear application. According to specialists contacted by "Intelligence", the whole "red mercury" scare was a media operation, probably by Western services, to see "what would pop out of the woodwork" in terms of Eastern European criminal elements wanting to traffic in nuclear contraband. The term itself is apparently CIA slang for any Eastern European or Soviet nuclear material, hence the term "red" and the term "mercury", a heavy metal, as Communist nuclear material was both "red" and "heavy" (uranium and plutonium being among the densest forms of matter). * For more info on Intelligence, or to subscribe, write: Olivier Schmidt intelligence-adi@wanadoo.fr tel/fax 33 1 40.51.85.19 ADI, 16 rue des Ecoles, 75005 Paris, France