Comments

Tatütata May 10, 2021 11:00 AM

FOIA request placed 25 November 2009
Final reply 30 April 2021

Phew, don’t hold your breath. It’s as if they’re gambling on the requester passing away before they begin to agitate their derrière.

On the plus side, there was an actual response, not like some idiotic and/or disappointing [non-]replies I got from US and foreign authorities… At least John Young had a specific starting point reference for the records sought, but requesting “all documents pertaining to a letter written by X…” seems vague and risky. In my limited experience (as compared to the Cryptome über-professional), when you’re poking in the dark, the authority will either interpret your request so narrowly that it will claim that the information demanded doesn’t exist (despite your precautions), or reply with “buffer overflow”, or ask for “clarification”, depending on their mood that day.

Shouldn’t the title to this post read “DEclassified” rather than “UNclassified”? The documents are after all stamped with “TOP SECRET UMBRA”.

According to https://bit.ly/2RJO0ag :

Way back when — at least since middle of the 1950s — the intelligence community used the UMBRA code word to inform the reader of a certain report that the original source for the intelligence was of the most sensitive category. At the NSA, back then, there were three levels of source sensitivity. UMBRA was the five-letter code word used for Category III sources. (Other words: MORAY and SPOKE).

If a document was stamped TOP SECRET UMBRA at the top and the bottom, you’d know that the agency went to great lengths to obtain the embedded information.

For a document concerning itself with a “public debate”, this does sound like overclassification; it is already apparent for the “(S)” passages. Why are some passages even merely labeled “(FOUO)” — “For Official Use Only”? Classification by magic 8-Ball? All the “(TSC)” passages were all deleted, so you might still be somehow obliged to give them the benefit of the doubt.

From the dates and the title, the George Davida patent application which NSA unsuccessfully tried to block (memo, p. 16) would have been US4202051A, for a key stream generator based on an LFSR combined with a non-linear feedback circuit. According to the preamble of the disclosure, “The Government has rights in this invention pursuant to Grant No. NSF-77-36-DCR 74-23653 and IPA No. 0001 awarded by the National Science Foundation.” A bit ironical, IMO. This patent would have been applied for under the regime prior to the Bayh-Dole Act of 1980, about which Wikipedia says that “The [NSF and others] had implemented programs that permitted non-profit organizations to retain rights to inventions upon notice without requesting an agency determination.” The government’s tentacles are fighting each other, Commerce vs. Justice vs. Defense.

Another case, concerning a patent application made by one Carl Nicolai (et al.), is discussed on p. 17 of the memorandum in a passage labeled “(S)”. That would be US4188580A filed 20 October 1977, for a “secure communication system”. When I read this patent for a speech scrambler (yawn), I can’t understand why anyone would fret about this, even back in the day. Apparently, many at the NSA were of a similar opinion.

“In April 1978 a patent application made by Carl Nicolai for a speech scrambling device was evaluated by the NSA using Inman’s new criteria. Once again, there was disagreement between NSA directorates. Neither Research and Engineering nor COMSEC believed that Nicolai’s invention should be classified. Howard Rosenblum, DDC, noted that Nicolai employed “a sophisticated use of well-known, open-source techniques” of spread spectrum technology and that “so many unclassified spread spectrum systems are already in the public domain that it is too late to try to close the door by imposing secrecy orders based solely on the fact that the system uses spread spectrum techniques.” However, Operations argued that a secrecy order was indeed warranted for this potentially dangerous invention. Inman decided to “err on the side of national security,” as he explained it, and he requested a secrecy order on the Nicolai patent.”

A bad move… Erred, Inman did indeed. The applicant reacted vigorously, weakening the NSA’s stance. I deduce that it took 5-6 months for the application to get from the USPTO to the NSA, but during that time the clock was ticking on the one-year Paris priority period. The applicant apparently managed to secure the foreign filing licence in time, as they were also issued CA1113567. If it had arrived too close to, or after, 20 October 1978, all foreign patent rights would have been lost. (That the patent was–IMO–worthless is beside the point.)

By itself, spread spectrum doesn’t equate with secrecy. Ten years later Qualcomm based their success in the CDMA cellular business on their strategic patent portfolio. What would have happened in their case if the NSA had been similarly prickly?

The USPTO still slaps secrecy orders on applications, on recommendation of other US federal departments. According to the FAS, at “the end of fiscal year 2020, there were 5,915 secrecy orders in effect.” ( https://bit.ly/3uzUFT3 ) From the USPTO link, the number of orders imposed went down from 121 in FY16 to 45 in FY20, of which about 40-50% are “John Doe” (in their own words) Secrecy Orders imposed on private inventors. The most recent recommendations were a couple made by the NSA in FY17. Extrapolating from the Bloomberg article linked, such declarations are essentially equivalent to expropriation without any real compensation, if one truly can equate a patent privilege with a “property” covered by the takings clause of the fifth amendment.

Many non-US applicants still routinely select the US as their office of first patent filings, even though the disadvantages for foreign applicants mostly disappeared with the America Invents Act of 2012. The seemingly random (but rare) secrecy orders are one reason to avoid US initial filings.

Returning to an earlier case, the Crypto AG revelation first originated with a German freelance journalist close to ZDF, who got on board the Swiss SRF, the Washington Post, as well as the Dutch Cryptomuseum in Eindhoven, and Argos, an investigative program of the public radio broadcaster VPRO. The latter centered their pieces on more local angles.

One was the production and sale by Philips of “Aroflex” compromised crypto teletypewriters based on the Siemens T1000 Telex terminal. (Crypto AG too used that terminal, and this choice was apparently the subject of minuted meetings with NSA and Motorola. But I digress.)

The other one was a small device developed in Amsterdam in the late 1970s called “Pocket Telex PX-1000”, which allowed users to exchange encrypted messages over the PSTN using an acoustic coupler.

Philips bought the company, but promptly modified the algorithm from DES (thus the connection to the current story) to, er, whatever, and marketed the weakened product.

Huub Jaspers (?) essentially made the claim that Philips was directly instructed by the NSA to do so, without adducing much in evidence besides the general association with the Aroflex and Crypto AG stories.

I think the truth is probably more nuanced.

DES based products would have been covered by COCOM export restrictions, without even having to refer back to US authorities. NL was a COCOM member.

Another one is the mention made by the DES FIPS standard of patent licensing. Reference was made to a notice published in the Official Gazette of the USPTO, Patents section, Volume 949, issue 5, 31 August 1976, in the section titled “Patents available for licensing or sale”, on page 1717.

Here it is, slightly edited for length.

“The following notice amends the notice published in the Official Gazette of May 13, 1975 to extend the royalty free immunity under foreign patents to apparatus manufactured outside of the United States and sold for use or used within the United States and to extend certain dates until March 1, 1977.

IBM hereby grants to any party a non-exclusive, royalty free license to make, use and sell apparatus, within or without the US Government, which employs the data encryption information published in the Federal Register of March 17, 1975, Vol. 40, Fed. Reg. 12134-12138 for consideration in the Federal standard-making process, or complies with an encryption standard based on such information or complies with a revised standard based on such information and using alternative cryptographically secure functions, under:

(a) all claims in U.S. Patent No. 3,796,830 entitled “Recirculating Block Cipher Cryptographic System” issued March 12, 1974, in the name of John Lynn Smith, and U.S. Patent No. 3,798,359, entitled “Block Cipher Cryptographic System” issued March 19, 1974, in the name of Horst Feistel, and

(b) all those claims in any other US patent, which is presently assigned to IBM or which is hereafter assigned to IBM, the infringement of which claims could not be avoided by any apparatus which can be constructed and operated for the purpose of employing the published data encryption information or complying with the standard(s).

Such license extends throughout the US and includes a royalty free immunity from suit, with respect to apparatus which employs the published data encryption information or complies with the standard(s) and (a) is manufactured in the USA, or (b) is manufactured outside of the USA and is sold for use or used within the USA, under any and all foreign patents now or hereafter assigned to IBM, the infringement of which could not be avoided by any apparatus which can be constructed and operated for the purpose of employing the published data encryption information or complying with the standard(s).

In the event that the standard is not established by the Department of Commerce by March 1, 1977, then such license shall extend only to apparatus manufactured after the date of the publication of the original notice and prior to March 1, 1977.

For the purposes of this grant, US is defined as the USA, its territories and possessions, PR and DC.

IBM will grant to any party a written license confirmatory of the rights set forth herein on written request to: [Armonk NY 10504].”

In short: you can build DES in the US and elsewhere devices for use in the US, but if you sell them anywhere else, watch out!

US3798359 together with US3796830 had effective foreign coverage in at least BE, DE, NL, FR, GB, IT, JP, and SE. (Did NSA ever fuss about these patents?).

The Philips patent department certainly had a lot of competent practitioners in its employ, and must have considered the PX-1000 like a grenade with the pin off. I don’t think you want to have a squadron of rutty IBM patent counsels on your back [ouch], spooks are probably nicer people to deal with…

Tatütata May 10, 2021 12:30 PM

Re COCOM export controls, here is a “Consolidated list of goods subject to security export control”, as published in “Trade and industry” on 30 April 1976, pages 301-327 by the British DTI (as it was called then). The list would be pretty much the same in all member countries.

The attention of manufacturers and exporters is drawn to the following Schedule of Goods which replaces the list appearing in Trade and Industry for 12 October 1972 (as amended). This schedule defines goods which may be subject to export restrictions for reasons of national security. The licensing requirements apply to most destinations but the security implications arise principally in relation to exports to Albania, Bulgaria, China, Czechoslovakia, German Democratic Republic, Hungary, Mongolia, North Korea, North Vietnam, Poland, Romania and the USSR. For other destinations licences will be more freely available, but restrictions will apply in some cases, particularly for goods in the M.L. [Munitions List] and A.E. [Atomic Energy] lists.

[…]

The attention of exporters is also drawn to the notice (Exports of goods of US origin) published on page 166/167 of Trade and Industry dated 16 January 1976.

[Industrial List]
1527. All cypher machines, cryptographic and/or coding devices and equipment, and associated equipment, usable on any transmission system (telegraphy, telephony, facsimile, video, data), that is designed to ensure the secrecy of communications and thus prevent clear reception by other than the intended receiver.

Explanatory Note: This item is intended to refer to all the related equipment for cypher machines and cryptographic and/or coding devices, specialised assemblies, sub-assemblies and components, and equipment containing components embargoed by this item; it is not intended to refer to simple coding devices or equipment only ensuring the privacy of communications.

For Philips, degrading a product like the PX-1000 to a mere “privacy” device would allow its sale everywhere without any worries.

Anonymous May 10, 2021 1:05 PM

Perhaps a little bit tin-foil-hattish to even suggest this. But given this article and its proximity to recent security news, I had to do a double-take at the PDF to make sure I was reading the right article. Yep, this is the 1970s crypto article and PDF which has the @pipeline.com email address. The hack of an actual oil supply pipeline is another security news item, and the timeliness is just a coincidence, right?

Clive Robinson May 10, 2021 6:36 PM

@ All,

Something fun to think about…

When I saw “” in the link it triggered a memory, from casting a wide information search about the use of RF on people’s brains with respect to “Cuban Syndrome” or whatever it’s now being called…

And I remember this delightful little titbit came up in that search,

“Speaking in 1966, Delgado asserted that his experiments “support the distasteful conclusion that motion, emotion and behaviour can be directed by electrical forces and that humans can be controlled like robots by push buttons.” He even professed a day when brain control could be turned over to non-human operators by establishing two-way radio communication between the implanted brain and a computer. Work by the brothers Ralph and Robert Schwitzgebel for tracking individuals over long ranges led to the proposal of a scheme whereby miniature radio receivers are mounted on utility poles throughout a given city, thereby providing a 24-hour monitoring capability.

One of the most disturbing suggestions in this area came in 1994 from Joseph Meyer of the National Security Agency, who proposed implanting roughly half of all Americans arrested (but not necessarily convicted of any crime). These “subscribers” (his term) could then be monitored continually by computer. Meyer carefully worked out the economics of his mass-implantation system and asserted that taxpayer liability should be reduced by forcing subscribers to “rent” the implant from the state. Meyer argued that implants are cheaper and more efficient than police.”

Funny thing is, whilst they may not yet be implanted in your brain, we do indeed rent such devices, so the cost to the taxpayer is minimal. Yes, we really are “subscribers” as Meyer called us, but rather than “implants” we call them “Mobile Phones”.

Make of it what you will but if it’s the same Meyer, it’s kind of a creepy coincidence…

David Rudling May 11, 2021 1:54 PM

@Clive Robinson

Very well spotted. But coincidence? I don’t believe so. Meyer must have been a student of Benjamin Disraeli.

“The secret of success is constancy to purpose.”

Random Reader May 17, 2021 11:47 PM

Just two tiny comments regarding the Vastaamo case. As mentioned in the Wired link, it was NOT a ransomware case but rather just a very poorly (if at all) secured database left open to the ‘net. Not surprisingly, more than one adventurous soul discovered it. Took them a while to figure out what it was, probably because of the language.

As for ABC’s horror story, there may have been something to what you are describing some hundred years ago, when Finland was still a part of Russia or living down the dark legacy of that era, and if so, I wouldn’t know, that was well before my time. Today, sadly, pretty much the opposite is the case. In today’s Finland, law enforcement is allowed to do hardly anything at all, and the penal system is a joke compared to many other countries (including the U.S.). Essentially free housing + food is all, plus a plan to get you integrated back into society. The law is more understanding towards perpetrators than their victims.

Vastaamo patients were not being imprisoned and forcibly medicated. They were ordinary people seeing counselors. Many of them have publicly talked and written about their experiences in the Vastaamo breach.

Not surprisingly, Vastaamo went bankrupt soon after the breach became public knowledge.
