Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Stories · 73
-
2001 Big Brother Awards Announced
DaHat writes "ABC News.com is reporting that the latest round of Big Brother Awards are out. This year's list includes the FBI's Carnivore system being named "Most Invasive Proposal." The NSA won a "Lifetime Menace" award for, allegedly, "50 years of spying" on Americans and others and even the Florida company ChoicePoint was named "greatest corporate invader," for their actions during the Florida recount. Get the whole scoop and whole article here." We should have a different award, the Stalin award or something for entities advancing the destruction of the First Amendment. We can nominate the evil organizations oppressing freedom of speech like the RIAA, the MPAA, and Slashdot. -
NSA Linux In Depth
deran9ed writes "Folks over at IBM have an article explaining the intricacies regarding the NSA's SE Linux distribution. Included in the article are the inner workings of the operating system, its features, and design architecture. Definitely a nice article for Linux users (especially SE Linux users). The full review is in IBM DeveloperWorks." -
NSA + VMware = Crackproof Computing?
n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases. -
Secure Digital Voice Communications In World War II
mercury7 writes: "Saw this one on Memepool. A very interesting paper from the U.S. National Security Agency site on the first digital encrypted voice communication system. It is incredible how hard it was to manipulate data before the existence of computers." -
Slashback: Aptitude, Consolation, Security
A handful of updates and new nuggets await you below, on everything from Iraqi PlayStation purchases to package manager news of the week, in tonight's release of Slashback.
apt-get install common.sense
According to this message from Pixel in the apt-rpm mailing list, Linux-Mandrake is the second RPM-based distro to use APT, after Conectiva's own distro. So, despite the existence of non-free similar products recently covered in /., APT is gaining acceptance to be the unified package manager front-end for Linux.
Can your parents install Debian?
Now there's some smidgeon of Justice for ya
Foggy Tristan writes "According to a Wired news story, Uzi Nissan has won a battle, but not the war, against Nissan in a domain name dispute over nissan.com. For now, however, Uzi Nissan must display a prominent banner on his site that tells people he has nothing to do with the car company and where people can find Nissan."
You knew this was going to happen ...
RobM9999 writes: "The BugTraq mailing list over at SecurityFocus is reporting what appears to be the first vulnerability in the NSA's Security-Enhanced Linux that was originally written about here. The original post to the BugTraq mailing list is here." What would have been more surprising is if no security bugs were found when a project like this has its source opened to the world. Best to get that laundry clean, eh?
Could be they're just serious gamers
tech81 writes "Here's an article on MSNBC that has an update to this story previously posted on Slashdot concerning Iraq possibly buying and stockpiling PS2's for military purposes. Looks like they weren't able to get any PS2's, so they grabbed the originals. . ." So that's why the bidding on eBay went so high, eh?
Read 'em and weep
The next part of our continuing reprint of Jon Katz' Hellmouth series is up.
-
NSA Releases High Security Version Of Linux
We had an extremely interesting submission from Ted T'so, Linux kernel developer, who also has an obvious interest in security, given his work with Kerberos. He wrote in concerning the release by the NSA (Yes, that NSA) of a high security version of Linux. I've included his comments below.
tytso writes: "I recently attended a DARPA workshop which focused on high security open source operating systems. It turns out that parts of the U.S. government are really interested in this topic; having an operating system with the necessary high-security features which they need, and for which source code is available, would be a really good thing for them. Among other things, for example, it would mean that they wouldn't have to live in terror about what might happen if Sun, IBM, SGI, et al. decided to pull the plug on Trusted Solaris, Trusted AIX, or Trusted IRIX. And they're serious enough that DARPA's willing to throw money at the problem.
While I was at this workshop, I met some folks from the NSA and they told me about a really neat project that they've been working on, called Security-enhanced Linux. One of the cool things about it is that it separates enforcement and policy. So selinux can easily support many different security policies, from the old (some would say outdated/silly) Multi-Level Secure/Bell-LaPadula model, to Domain-Type enforcement and Rule-Based Access Control models. So if you think that high-security features means the old silly, Secret / Top Secret / CMW bullshit, and needing to make sure that Secret windows don't get expose events from Top Secret windows, think again. A number of folks have found Domain Type Enforcement and Rule-Based Access Control systems very useful for securing Web servers and other real world systems.
The NSA folks just recently got permission to make their stuff available on the Web. It's just a proof of concept, and no doubt a lot of changes will need to be made before people will accept integrating it into the kernel, but they have released a working system (both kernel and userspace patches --- RPM's aren't quite ready yet) based on Linux 2.2 and RedHat 6.1. So it's definitely worth a look, and in fact some folks with specialized needs might find it useful, even though it's a prototype.
Of course, the source code is all there, and we're encouraged to look at and audit the code. So paranoiacs who think that the NSA is trying to infiltrate trap doors into the Linux kernels needn't worry. (Besides, it's a different part of the government who's interested in spying on U.S. citizens, and it's much more efficient for them to break into your house, and insert a wiretapping device between your computer and your keyboard as part of a black bag job. :-)
The Web site is http://www.nsa.gov/selinux. I think it's really great that some folks at NSA's Information Assurance Research Office (IARO) have made this contribution to the Linux community. They're really nice folks (even if they can't talk about a lot of what they do at work :-).
P.S. Apparently it's not easy to get stuff published by the NSA, since their entire culture, not surprisingly, is based around not letting stuff out. This Web page went up a few days ago, and then some bureaucrats made the folks in the IARO take it down temporarily, much to their disappointment. At the moment it looks like they've finally crossed all of the bureaucratic t's and dotted all of the bureaucratic i's. But just in case, it might not be a bad idea if someone mirrored the entire tree just in case some flack in some other part of the agency tells them to take it down again....
" -
Ask The NSA About Certain Things
Last week, my brother Stephen and I made a pilgrimage to a museum most people have never heard about, at the agency that until not many years ago (Thanks, Ollie!) no one had heard about, at least on the record. It's the National Cryptologic Museum -- part of the National Security Agency, naturally -- located off scenic Route 32 in Ft. Meade, Maryland, and worth a visit. However, the museum has a better-than-average Web presence for a government program, probably because it is in large part a volunteer effort. Nonetheless, it is probably one of the world's greatest public collections of information and artifacts about codes and codebreaking, eavesdropping and counter-eavesdropping.
I spoke briefly with museum curator Jack Ingram, and proposed a Slashdot interview. Ingram said that he could not simply answer readers' questions off the cuff, and referred me to the NSA's Public Affairs Office (yes, they do have one). That sounded like the kiss of death, since PAOs in general seem to insert such requests politely into the large circular file.
I was pleasantly surprised when just a few phone calls yielded a polite and helpful public affairs officer (he requested I not use his name) who assented to field questions about the museum holdings from the Slashdot readership and assist in obtaining answers to those which could be answered without compromising national security.
So submit your questions in the space below, about Venona, about the origins of the NSA's version of the Vatican's pornography collection, about The Black Chamber, about The Special Processing Laboratory (in-house silicon fab), the famous code talkers, or other aspects of the history of governmental secrecy.
Moderators and submitters; think of this as a logic game -- since the NSA won't answer questions it considers too sensitive, what kind of questions can be moderated up high enough to send and stand a good chance of being answered?
-
Enigma Machine Stolen
bullgod writes "The BBC is reporting this story about the theft of one of the remaining three Enigma machines. Bummer! Presumably stolen to order -- I doubt you could fence one of these. Let's hope it's found & returned soon." You might also want to check out the Enigma displayed at the National Cryptologic Museum, run by the same folks who deny bringing you Echelon. -
Intrusion Detection
Disgruntled Goat sent us a review of Intrusion Detection, a text sure to be of interest to all those working in organizations. The author is a former NSA employee and has written this book as a text to convince upper-level types of the need for security and actually paying attention to it. Click below to read more.
Intrusion Detection
- author: Rebecca Gurley Bace
- pages: 339
- publisher: Macmillan Technical Publishing, 01/2000
- rating: 9/10
- reviewer: Disgruntled Goat, disgruntled_goat@hotmail.com
- ISBN: 1-57870-185-6
- summary: Very good InfoSec handbook for suits and junior suits.
The Scenario
Security books, quite frankly, are pretty much a dime a dozen, most of which are written by people in IT field security. What immediately separates this book from the rest is the background of the author. Ms. Bace is an ex-government employee, spending 12 years in everyone's favorite spook organization, the National Security Agency. She led the Computer Misuse and Anomaly Detection (CMAD) Research Program for six years at the NSA. She also collaborated on Computer Crime: A Crimefighter's Handbook by Dr. David Icove of the FBI. She also won the Distinguished Leadership Award in 1995 from the NSA.
What's Bad?
This book is sort of dry reading. It's akin to reading college CS textbooks for pleasure. Or law books. What I didn't like is the fact that she wasn't real clear on the distinction of "hackers", nor how she describes them. She worries that "hackers" wish to "corrupt the trust process". And the focus for the book is not primarily for techies. It's designed for CIO smacking. Generally, if you're in an organization like mine, your CIO has very little technical background. So, good for CIO bashing.
And, it's $50 also.
What's Good?
This is good if you're in a position where you need to convince management of security threats. It's also good for the kiddies who want to get an idea of what to look for when they're gunning for targets to disrupt.
What made this good for me was the fact that I could have points to show to management for InfoSec issues. I work in a hospital and we tend to attract a large amount of famous people as patients. If something damaging was leaked to the media about a famous person's medical condition that was potentially embarrassing, we're looking at a good multi-million dollar lawsuit. This book isn't a by-the-book "How to protect your systems", but more of a book on what to safeguard, and how to detect patterns that may indicate patterns of unauthorized usage.
One of the things that I liked was the chapter on Legal Issues. One of the sections in the chapter was "What Real Cases Have Taught Us". It did a few page review on Mitnick's case, cut and dry. It shows that Shimomura was no rocket scientist, and with cooperation from the courts, you can bust almost anyone. But it did bring up several good points, such as obtaining court orders, how laws work, and how it can be considered evidence.
So What's In It For Me?
If you're a script kiddie, probably nothing. But for those who are achin' to topple some network, this may be for you.
For those with functioning brains who have vested interests in InfoSec and protecting their organization from people who wish to do harm, and getting real security info, rather than from those half-assed "Security Experts" like JohnP, then pick this up.
Pick this book up at ThinkGeek.
Table of Contents
- The History of Intrusion Detection
- Concepts and Definitions
- Information Sources
- Analysis Schemes
- Responses
- Vulnerability Analysis: A Special Case
- Technical Issues
- Understanding the Real-World Challenge
- Legal Issues
- For Users
- For Strategists
- For Designers
- Future Needs
-
Furby is a national security risk
Chase writes "National Public Radio reported this morning that the National Security Agency has deemed Furbys as a risk. The reason is each furby contains a microphone that records sound bytes from its environment and will play them back at any time. The NSA is concerned that a furby might overhear a classified conversation while in the building and then repeat it at a later time once it was removed from the building. As a response to the risk, the NSA has banned furbys from NSA buildings." Update: 01/13 09:55 by B: Here's a CNN Story and a BBC Story for good measure. -
Review: Handbook of Applied Cryptography
Giving some actual theory to the whole cryptography discussion, Ian S. Nelson's review of Handbook of Applied Cryptography takes a look at this veritable tome of information. This isn't a book for those of you trying to figure out exactly what the NSA actually does; this is for the real meat and numbers behind it all. Click below for more info.
Handbook of Applied Cryptography
- author: Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone
- pages:
- publisher: CRC Press
- rating: 9/10
- reviewer: Ian S. Nelson
- ISBN: 0-8493-8523-7
- summary: Required reading for any cryptography freak.
REVIEW: Handbook of Applied Cryptography
Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone
CRC Press (ISBN 0-8493-8523-7)
Nutshell Review: Required reading for any cryptography freak.
Rating: 9/10
The Scenario
CRC Press has been building a series of books on discrete mathematics and its applications. Doug Stinson wrote the theory book on cryptography (Cryptography: Theory and Practice, ISBN: 0-8493-8521-0; if you don't like this book you'll vomit when you see the Stinson book) and this is the application book on cryptography. It's close to 800 pages chock-full of information.
I must confess that I'm a cryptography freak and I'm a little sick of the constant political discussions and lack of tech talk, this book is all tech and might even be a little much if you're not into math. It's a wonderful companion to the Schneier books (Applied Cryptography 1st or 2nd Edition A.K.A. "the crypto bible") if you're into the nitty gritty details of cryptography.
What's Bad?
I really like this book and I can't find a lot that I don't like about it... but I think in places the math gets a little thick. I have a degree in math and I find myself returning to the math overview section more often than I'd like to admit. If you're not familiar with discrete math and combinatorics then this book probably isn't for you. If you enjoy that stuff, then this will be a piece of cake. If you're looking to build your crypto book library up I'd highly recommend this book before you get some of the more hard-core books.
Something else I feel is lacking is cryptanalysis on ciphers. They discuss attacks on various protocols and hashes but actual attacks on ciphers are glossed over. As a companion to Cryptography: Theory and Practice, which covers cryptanalysis in more detail, it is understandable to leave that material out of this book but I think they could discuss it a little more than they do without going into specifics.
The no-nonsense style can be a little dry at times, there aren't a lot of jokes or anecdotes to lighten things up in this book.
What's Good?
Cipher isn't spelled with a 'y' anywhere in this book. It's not filled with a lot of opinion or rumor. It doesn't hardly bring up ITAR, key escrow, or the NSA's mystical superpowers. This book is about cryptographic techniques and a listing of patents is about as political or opinionated as it gets.
It is kind of like a textbook without the problems at the end of each chapter. It is written in an outline format with subitems of "Definition", "Fact", "Notes", "Example", and "Algorithm." Each subitem is followed by a few short but concise paragraphs of explanation.
Plenty of charts and figures fill the pages and everything is explained well. While it lacks source code, there is certainly enough information for you to implement any of the ciphers, hashes, or protocols covered. It even includes some test vectors for a lot of the algorithms.
So What's In It For Me?
If you want to learn about cryptography, not the politics but the actual technology, then this is a great book to get before you get over your head. It's very readable and while the math can be a little heavy in places it is accessible and useful. It gives you a good flavor of how more advanced papers and books on the subject are and it avoids the nonacademic discussions surrounding cryptography.
To pick this book up, head over to Amazon and help Slashdot out.
Table of Contents
- Overview of Cryptography
  - Introduction
  - Information Security and Cryptography
  - Background on Functions
  - Basic Terminology and Concepts
  - Symmetric-key Encryption
  - Digital Signatures
  - Authentication and Identification
  - Public-key Cryptography
  - Hash Functions
  - Protocols and mechanisms
  - Key establishment, management, and certification
  - Pseudorandom numbers and sequences
  - Classes of attacks and security models
  - Notes and further references
- Mathematical Background
  - Probability theory
  - Information theory
  - Complexity theory
  - Number theory
  - Abstract algebra
  - Finite fields
  - Notes and further references
- Number-Theoretic Reference Problems
  - Introduction and overview
  - The integer factorization problem
  - The RSA problem
  - The quadratic residuosity problem
  - Computing Square roots in Z_n
  - The Discrete logarithm problem
  - The Diffie-Hellman problem
  - Composite moduli
  - Computing individual bits
  - The subset sum problem
  - Factoring polynomials over finite fields
  - Notes and further references
- Public-Key Parameters
  - Introduction
  - Probabilistic primality tests
  - (True) Primality tests
  - Prime number generation
  - Irreducible polynomials over Z_p
  - Generators and elements of high order
  - Notes and further references
- Pseudorandom Bits and Sequences
  - Introduction
  - Random bit generation
  - Pseudorandom bit generation
  - Statistical tests
  - Cryptographically secure pseudorandom bit generation
  - Notes and further references
- Stream Ciphers
  - Introduction
  - Feedback shift registers
  - Stream ciphers based on LFSRs
  - Other stream ciphers
  - Notes and further references
- Block Ciphers
  - Introduction
  - Background and general concepts
  - Classical ciphers and historical development
  - DES
  - FEAL
  - IDEA
  - SAFER, RC5, and other block ciphers
  - Notes and further references
- Public-Key Encryption
  - Introduction
  - RSA public-key encryption
  - Rabin public-key encryption
  - ElGamal public-key encryption
  - McEliece public-key encryption
  - Knapsack public-key encryption
  - Probabilistic public-key encryption
  - Notes and further references
- Hash Functions and Data Integrity
  - Introduction
  - Classification and framework
  - Basic constructions and general results
  - Unkeyed hash functions (MDCs)
  - Keyed hash functions (MACs)
  - Data integrity and message authentication
  - Advanced attacks on hash functions
  - Notes and further references
- Identification and Entity Authentication
  - Introduction
  - Passwords (weak authentication)
  - Challenge-response identification (strong authentication)
  - Customized zero-knowledge identification protocols
  - Attacks on identification protocols
  - Notes and further references
- Digital Signatures
  - Introduction
  - A framework for digital signature mechanisms
  - RSA and related signature schemes
  - Fiat-Shamir signature schemes
  - The DSA and related signature schemes
  - One-time digital signatures
  - Other signature schemes
  - Signatures with additional functionality
  - Notes and further references
- Key Establishment Protocols
  - Introduction
  - Classification and framework
  - Key transport based on symmetric encryption
  - Key agreement based on symmetric techniques
  - Key transport based on public-key encryption
  - Key agreement based on asymmetric techniques
  - Secret Sharing
  - Conference Keying
  - Analysis of key establishment protocols
  - Notes and further references
- Key Management Techniques
  - Introduction
  - Background and basic concepts
  - Techniques for distributing confidential keys
  - Techniques for distributing public keys
  - Techniques for controlling key usage
  - Key management involving multiple domains
  - Key life cycle issues
  - Advanced trusted third party services
  - Notes and further references
- Efficient Implementation
  - Introduction
  - Multiple-precision integer arithmetic
  - Multiple-precision modular arithmetic
  - Greatest common divisor algorithms
  - Chinese remainder theorem for integers
  - Exponentiation
  - Exponent recoding
  - Notes and further references
- Patents and Standards
  - Introduction
  - Patents on cryptographic techniques
  - Cryptographic standards
  - Notes and further references
- Appendix A: Bibliography of Papers from Selected Cryptographic Forums
  - Asiacrypt/Auscrypt Proceedings
  - Crypto Proceedings
  - Eurocrypt Proceedings
  - Fast Software Encryption Proceedings
  - Journal of Cryptology papers
-
FORTEZZA declassified