Police control of classified information
David Biggins
ukcrypto at chiark.greenend.org.uk
Wed, 22 Apr 2009 10:33:52 +0100
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Ian Batten
> Sent: 20 April 2009 10:31
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Police control of classified information
>
> >
> > When we did the security system for the computerised red box project for
> > David Clark, the software was not cleared to such levels, but the
> > limiting factor in this was the actual algorithms.
>
> Presumably that would be slightly different now, as AES is the first
> time we've had an algorithm that is simultaneously cleared for SECRET
> when appropriately used and also publicly available.
Perhaps; we were given to understand at the time that access to the
relevant algorithms was not going to be a problem; we were working with
other material that had been released to us - all of which had to be
accounted for and returned to CESG when the company died, of course.
The real issue was time - the government were busy trying to look
modern, and so had deadlines for press announcements and so on.
A few fun stories:
We were using iButtons as tokens, embedded in some rather chunky signet
rings. The Cabinet Office were having difficulty binding these to the
right user accounts, so they arranged for a bike courier to bring them
out to us to be programmed. Apparently at Reading Services, the courier
found the ring had fallen off his finger (!!!!) somewhere... Why it
wasn't all boxed up, I'll never know - and he thought it was just a
silver ring. He went back to London to apologise for the loss of the
ring; where it got correctly (if in context, over the top) logged as
"loss of a minister's security device".
This was on the same day that another security device was lost in the
Cabinet Office... later reported as being a Rambutan box. The
courier spent several unhappy hours being grilled by security, who were
not aware of the difference between the threat represented by an iButton
and the threat represented by a Rambutan box, and so were... a tad
tetchy.
After the Launch, the Americans got in on the act - a senior US military
figure went on TV announcing that they were going to follow the UK
government in using us, and were preparing for a rollout nationwide...
we got quite excited. Apparently though he went on to claim that the
product was already cleared for Top Secret... Much consternation in
GCHQ and MI5/6, much to-ing and fro-ing of transatlantic calls as UK
government seeks not to make US military figure lose face... And
apparently almost an entire one-hour cabinet meeting spent on the
incident and a debate of just how far we were to be allowed to go.
CESG was, you'll recall, at that time in the oddball position of both
validating commercial product, and being told to make a profit on their
own products. So GCHQ was all for limiting us to somewhere lower, and
insisting that only their own product be used for Secret or above.
MI5/6 however - perhaps with some political interest - apparently were
arguing our case... Quite fun.
I still treasure a confidential report written by a load of (allegedly
ex?)-NSA guys to a major US pharma, describing us as the only product on
the market they could recommend.
Pity it ended the way it did.
D