cypherpunks-legacy
July 2018
- 108 participants
- 208 discussions
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its
potential, each party to a transaction must be confident in the identity of
the others. Digital signature technology, based on public key cryptography,
has been claimed as the means whereby this can be achieved. Digital
signatures do little, however, unless a substantial infrastructure is in
place to provide a basis for believing that the signature means something
of significance to the relying party.
Conventional, hierarchical PKI, built around the ISO standard X.509, has
been, and will continue to be, a substantial failure. This paper examines
that form of PKI architecture, and concludes that it is a very poor fit to
the real needs of cyberspace participants. The reasons are its inherently
hierarchical and authoritarian nature, the unreasonable presumptions it
makes about the security of private keys, a range of other technical
defects, confusions about what it is that a certificate actually
authenticates, and its inherent privacy-invasiveness. Alternatives are
identified.
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
(a) OUSD(I) Memorandum, Annual Senior Agency Official
(SAO) Self-Inspection Program Report for Classified
National Security Information, 2 October 2012
(b) Memorandum of Agreement between the Secretary of
Defense and the Director of National Intelligence
concerning the National Reconnaissance Office,
21 September 2010
(c) DoDI 5200.01, DoD Information Security Program and
Protection of Sensitive Compartmented Information,
9 October 2008
The National Reconnaissance Office (NRO) is providing the
attached Self-Inspection Report as requested in reference (a). In
accordance with Director, National Reconnaissance Office authorities
in reference (b) and (c) it should be noted that the NRO does not
administer a standard DoD Information Security Program based on DoDM
5200.01-V1 thru V3 and, therefore, some of the items in the attached
checklist are not applicable and have been noted as such.
My point of contact for questions concerning this submission is
(b)(3) 10 USC 424
. Jamieson Burnett
Director, Office of Security
and Counterintelligence
Attachment:
NRO Annual Self-Inspection Report for 2012
UNCLASSIFIED
UNCLASSIFIED
INFORMATION SECURITY PROGRAM SELF-INSPECTION CHECKLIST
TITLE/SUBJECT/ACTIVITY/FUNCTIONAL AREA
Information Security Program Self-Inspection Checklist
NO.
ITEM
NRO APPROVED FOR RELEASE
28 August 2014
National Reconnaissance Office
OPR
DATE
Security Manager
11 October 2012
EO 13526 CLASSIFIED NATIONAL SECURITY INFORMATION AND IMPLEMENTING DIRECTIVE
REQUIREMENTS
PART 1. DESCRIPTION OF SELF-INSPECTION PROGRAM: A description of the
DoD Component's self-inspection program should include activities
assessed, program areas covered, and methodology utilized. The
description must demonstrate how the self-inspection program provides
the senior agency official with the information necessary to assess the
effectiveness of the classified national security information program
within the individual Component activities and the Component as a
whole. It should include the following:
1. Responsibility for the program:
(1) Whom does the senior agency official designate to assist in
directing and administering the self-inspection
program?
Answer: The Director of Security and Counterintelligence (DOS&CI) is
provided a Letter of Instruction by the Director, NRO which assigns his
responsibilities.
(2) How is the program structured to provide the senior agency
official with the information necessary to assess the
agency's classified national security information program?
Answer: The DOS&CI advises the Senior Agency Official (SAO) when the
DOS&CI believes events warrant
advising the SAO. The NRO Integrated Security Assessment Program
(ISAP) results are also reported to the SAO
thru the annual Management Control Plan Statement of Assurance (MCPSOA).
(b)(3) 10 USC 424
(3) Who conducts the self-inspections?
Answer: NRO self-inspections are part of the NRO ISAP. Because
contractors make up [illegible] of the total NRO workforce and have the
overwhelming number of Sensitive Compartmented Information Facilities
(SCIFs), ISAP is a collaborative process between Government and
industry to identify and address security vulnerabilities, provide data
for analysis, and identify system security issues and trends. The
findings may lead to identification and definition of risk mitigation
practices, and enable sharing of best security practices across
government and industry. The primary purpose of the ISAP is to ensure
the proper safeguarding of classified information through a single
comprehensive review by various components of the Office of Security
and Counterintelligence (OS&CI). ISAP integrates reviews utilizing
program security, classification management, transportation and
transmission of classified information, physical and technical
accreditation, information systems security, personnel security, and
Counterintelligence (CI) perspectives. The integrated assessment
evaluates implementation of and ensures compliance with, established
security policies, procedures, and plans at all NRO government and
contractor locations.
Site personnel conduct/document security self-assessments per
requirements stated in the NRO Security Manual
(NSM). Security Officers will conduct self-assessments of their SCIFs
at least annually. For the reporting period
there were 343 site self-assessments. The ISAP Manager or designee
reviews the site assessments and enters a
copy into an NRO database listing each NRO sponsored facility.
Based on the self-assessments, the ISAP Manager, Program Security
Officers (PSOs) and stakeholders discuss findings and formulate
recommendations for a formal assessment, if required. OS&CI
stakeholders represent the major OS&CI divisions and program office
security staffs, including, but not limited to, PSOs,
Physical/Technical Certification Officers, and Security Certification
Officers. Stakeholders will develop and provide ISAP candidates to the
ISAP Selection Board. Each ISAP recommendation shall contain detailed
factors used to formulate the recommendation. Recommendation for site
visits is then provided to the selection board. Sites are selected
based on ring proximity, resources, budgetary constraints, time since
last assessment, and random sampling. A team composition is proposed
for each site visit and a Lead PSO is selected. The Assessment Team
will, at a minimum, consist of a Government PSO and an OS&CI/Facilities
and Information Security Division (F&ISD) representative. Additional
team members will be added as needed based on site size, mission,
facility risk, and subject areas being assessed. An out-briefing is
provided to site security staff and other site senior management
identifying security program successes, observations, and any security
"best practices" discovered during the formal assessment. The results
are then loaded into the facility database that contains information
from all previous visits with any problem areas or "best practices"
noted. A final report requiring corrective actions to be taken within
90 days of the date of
report is issued by the DOS&CI. The assessed site is required to
provide follow-up reports of corrective action to
the responsible PSO and the ISAP Manager every 90 days until all
corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of corrective
action are loaded into the NRO facilities
database for historical purposes. For the reporting period, 16 formal
team assessments were performed. An additional 9 formal specific-issue
reviews were conducted. There were an additional 1,491 visits by OS&CI
stakeholders to contractor SCIFs.
(4) How is the senior agency official involved in the program?
Answer: The DOS&CI keeps the SAO advised of trends and issues
developed by the ISAP. The NRO ISAP results
are also reported to the SAO thru the annual MCPSOA.
2. Approach:
(1) What means and methods are employed in conducting self-inspections?
Answer: For formal assessments, the Assessment Team evaluates
implementation, and ensures compliance with,
established NRO security policies, procedures, and plans.
(2) Are different types of self-inspections conducted? If so, describe
each of them.
Answer: Formal assessments will vary based on the experience of the
lead PSO and the stakeholders with the
facility and items noted in the self-evaluation report as well as the
areas of responsibility of the attending subject
matter experts. However, the objective for all is to identify and
address security vulnerabilities, provide data for
analysis, and identify system security issues and trends.
(3) Do the self-inspections evaluate adherence to the principles and
requirements of E.O. 13526 and its implementing
directive and the effectiveness of agency programs covering:
• Original classification?
Answer: Since Original Classification items only apply to 13
government employees who are Original
Classification Authorities (OCA) at NRO Headquarters, a formal tasking
is sent to Program Security Officers
supporting the OCA to determine the date the OCA received their annual
briefing and the number of original
classification decisions they made during the reporting period.
Experience has shown that not all of the OCAs
make individual OCA decisions every year but most require their
authority to sign classification guides for
their area of responsibility. For the reporting period, nine OCA
decisions were made.
• Derivative classification?
Answer: Included. In NRO Implementing Instructions released on 31 May
2011, derivative classifiers were
instructed to include in the classification block a personal
identification number rather than their name to
protect their identity and association with the NRO. This
"Classification ID (CLID)" number exists in the
NRO Access Database so the specific individual with that number can
always be identified. Employees of other agencies, who already have an
ID number assigned by their parent agency, will use that number
instead. Headquarters NRO derivative classifiers have their PSO
available for questions regarding classification and marking and to
review their derivatively classified documents for format and accuracy
of classification and marking. Available on the OS&CI website are the
Order, Information Security Oversight Office (ISOO) Implementing
Directive and Marking booklet, videos and documents that explain the
correct way to classify and mark documents, the Controlled Access
Program Coordination Office (CAPCO) register and manual, over 120
Frequently Asked Questions with answers that are posted about portion
marking, a Security Policy hotline that will answer their questions in
real-time, and numerous other
experts who are available to answer their
questions. Once the document is distributed, they face additional
scrutiny from any security or classification
management officer who reads it or from subject matter experts who
point out classification and marking
errors to security officers.
The ISAP team visiting a site will review a sample of derivatively
classified documents to point out errors in
classification and marking, omissions of required information, and to
make suggestions for improvement.
• Declassification?
Answer: The NRO has a formal declassification program which restricts
to one office the authority to officially
declassify NRO information and release it to the public, and which is
not included in the self-inspection
program. The results of this program are reported in the SF 311 report
provided to USD(I) in October 2012.
The NRO Declassification Guide (known as the Review and Redaction
Guide) is updated and approved by the
DNRO each year. It is currently undergoing review by the Interagency
Security Classification Appeals Panel and is expected to be approved by
the end of 2012.
• Safeguarding?
Answer: Included
• Security violations?
Answer: Included
• Security education and training?
Answer: Included
• Management and oversight?
Answer: Included
(4) Do the self-inspections include a review of relevant security
directives and instructions, as well as interviews with
producers and users of classified information?
Answer: All directives and instructions are issued by the DOS&CI and
are reviewed and updated annually. All
directives and instructions are maintained on-line and are accessible
to all government employees and contractors.
(5) Do the self-inspections include reviews of representative samples
of your Component's original and derivative
classification actions?
• Do these reviews encompass all Component activities that generate
classified information?
Answer: There are hundreds of individual activities that can generate
classified information. While the annual
self-assessment questionnaire covers 343 of these activities, the ISAP
formal assessment inspects only a small
percentage of these activities yearly. However, the Program Security
Officers, Contractor Program Security
Officers, and Classification Specialists review hundreds of classified
documents yearly and provide direction to
originators to correct those that are improperly marked.
o How do you identify the activities to which this applies?
Answer: Site personnel conduct/document security self-assessments per
requirements stated in the NSM.
• Do the reviews include a sampling of various types of classified
information in document and electronic
formats?
o How do you ensure that the materials reviewed provide a
representative sample of the Component's
classified information?
Answer: Documents are selected for review in cooperation with site
personnel who are familiar with the type
of materials produced by the site. However, contractors are not
required to count classified pages produced
because of the additional costs that would be incurred by the NRO, so
the documents reviewed may not be a
representative sample.
o How do you determine that the sample is proportionally sufficient to
enable a credible assessment of your
Component's classified product?
Answer: We do not attempt to do this as it would increase costs to the
NRO (as explained above).
• Who conducts the review of the classified products?
o Are they knowledgeable of the classification and marking
requirements of E.O. 13526 and its
implementing directive?
Answer: Yes
o Do they have access to pertinent security classification guides?
Answer: Yes
• Have appropriate personnel been designated to correct
misclassification actions? If so, identify.
Answer: All Program Security Officers and Classification Management
Specialists are authorized to correct
misclassification, incorrect use of SCI channels, and incorrect
dissemination restrictions.
3. Frequency:
(1) How frequently are self-inspections conducted?
Answer: Annually.
(2) What factors were considered in establishing this time period?
Answer: Time period is defined in the NSM.
4. Coverage:
(1) How do you determine what program elements and Component
activities are covered by your self-inspection
program?
Answer: Self-assessments are to be completed on each contractor SCIF.
(2) What Component activities are assessed?
Answer: All contractor activities are assessed.
(3) How is the program structured to assess individual Component
activities and the Component as a whole?
Answer: Contractor locations far outnumber government locations in the
NRO. Government locations are
relatively few in number and have professional government security
officers assigned who can monitor
safeguarding and classified information production and correct errors
as they occur. We chose to concentrate on
contractor facilities which are visited relatively infrequently. The
conditions at contractor locations are not directly
applicable to government locations.
(4) If your Component has any special access programs (SAP), are
self-inspections of the SAP programs conducted
annually?
Answer: Most SAPs are reviewed as part of the ISAP program. The ISAP
formal assessment team has PSOs
assigned that are briefed for most SAPs. In addition, the NRO conducts
special annual reviews (in some cases, semi-annual) of the entire
Sensitive Activities portfolio.
o Do the self-inspections confirm that the Component head or principal
deputy has reviewed each special access program annually to determine
if it continues to meet the requirements of E.O. 13526?
Answer: The NRO's entire Sensitive Activities portfolio is reviewed
and briefed annually to the DNI's Senior Review Group (SRG) who then
reports to Congress.
o Do the self-inspections determine if officers and employees are aware
of the prohibitions and sanctions for creating or continuing a special
access program contrary to the requirements of E.O. 13526?
Answer: Yes. In keeping with E.O. 13526, all Sensitive Activities'
compartments that are established, terminated, or transitioned (to
another program or lower classification) require NRO Special Activities
Management Board review and approval, followed by notification to the
DNI's Senior Review Group/Controlled Access Program Oversight
Committee.
5. Reporting:
(1) What format for documenting self-inspections in your Component?
Answer: Self assessments are documented using the self-assessment
review tool in the NSM, Appendix B. For
formal assessments, an out-briefing is provided to site security staff
and other site senior management identifying
security program successes, observations, and any security "best
practices" discovered during the formal
assessment. The results are then loaded into the facility database
that contains information from all previous visits
with any problem areas or "best practices" noted. A final report
requiring corrective actions to be taken within 90
days of the date of report is issued by the DOS&CI. The assessed site
is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager every 90
days until all corrective actions are
complete. The responsible PSO monitors all mitigation actions. Reports
of corrective action are loaded into the
NRO facilities database for historical purposes.
(2) Who receives the reports?
Answer: The OS&CI ISAP Manager.
(3) Who compiles/analyzes the reports?
Answer: The ISAP Manager and the responsible PSO analyze the report.
(4) How are the findings analyzed to determine if there are problems of a
systemic nature?
Answer: The ISAP Manager provides to the sponsoring Government Program
Security Officer (GPSO) for review
and subsequent action.
(5) How and when are the results of the self-inspections reported to
the senior agency official?
Answer: The DOS&CI determines when results warrant informing the SAO.
(6) How is it determined if corrective actions are required?
Answer: The GPSO and security stakeholder(s) review.
(7) Who takes the corrective actions?
Answer: The assessed site.
(8) How are the findings from your Component's self-inspection program
distilled for the annual report to the Director
of ISOO?
Answer: The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager
to distill the findings and provide them to
SPS for inclusion in the annual report.
Self-Inspection Program Description here: Description included in
italics under questions above.
PART 2. ASSESSMENT & SUMMARY:
ASSESSMENT
The assessment is an evaluation of the state of each element of your
component's classified national security information program based on
an analysis of the findings of the self-inspection program. It should
consider if the program element is being effectively implemented in
accordance with the Order and Directive and DoD 5200.01-M. It should
consider whether the
findings indicate that the regulation or other policies or procedures
may need to be updated, and
it should take into account other program information such as the
Standard Form 311, "Agency
Security Classification Management Program Data." If a particular
element does not apply to a
component (e.g., original classification authority) the report should
explain this.
• Original classification
Rating: Satisfactory
• Derivative classification
Rating: Document creation: Satisfactory Training: Deficient due to cost
• Declassification
Rating: Satisfactory
• Safeguarding
Rating: Satisfactory
• Security violations:
Rating: Satisfactory
• Security education and training
Rating: Satisfactory except for Derivative Classifier training which
is not required due to cost
• Management and oversight
Rating: Satisfactory
SUMMARY: The summary should report the findings from the
self-inspection program within each
of the program areas. This information should support the assessment.
• Original classification
Rating: Satisfactory
• Derivative classification
Rating: Document creation: Satisfactory Training: Deficient due to cost
• Declassification
Rating: Satisfactory
• Safeguarding
Rating: Satisfactory
• Security violations
Rating: Satisfactory
• Security education and training
Rating: Satisfactory except for Derivative Classifier training which
is not required due to cost
• Management and oversight
Rating: Satisfactory
Assessment & Summary here: included in italics under headings above.
PART 3. FOCUS QUESTIONS:
FOCUS QUESTIONS: Answer the following focus questions.
(1) Training for original classification authorities. (This applies
only to Components
with original classification authority).
(1) Original classification authorities are required to receive
training in proper classification and declassification each
calendar year (5200.01-V?). What percentage of the original
classification authorities at your Component has
received this training?
(2) Have any waivers to this requirement been granted?
Answer: 100% of NRO OCAs have received training. No waivers have been granted.
FOCUS QUESTIONS: Answer the following focus questions.
(2) Training for persons who apply derivative classification markings.
(1) Persons who apply derivative classification markings are required
to receive training in the proper application of the
derivative classification principles of the E.O. 13526 prior to
derivatively classifying information and at least once
every two years thereafter. What percentage of the derivative
classifiers at your Component has received this
training?
(2) Have waivers to this requirement been granted?
Answer: Percentage unknown. The DSS and CAPCO Derivative Classifier
training is available through the
NRO computer network; however, NRO has not made this training
mandatory because of the cost of two
hours of direct labor charged by each contractor. No waivers have been granted.
FOCUS QUESTIONS: Answer the following focus questions.
(3) Initial training.
(1) All cleared agency personnel are required to receive initial
training on basic security policies, principles, practices,
and criminal, civil, and administrative penalties. What percentage of
these personnel at your Component has
received this training?
Answer: 100% of new employees have received initial training.
FOCUS QUESTIONS: Answer the following focus questions.
(4) Refresher training.
(1) Components are required to provide annual refresher training to
all employees who create, process, or handle
classified information. What percentage of these employees at your
Component has received this training?
Answer: 100% of employees have received refresher training.
FOCUS QUESTIONS: Answer the following focus questions.
(5) Identity of persons who apply derivative classification markings.
(1) Derivative classifiers must be identified by name and position, or
by personal identifier on each classified
document. What percentage of the documents sampled meet this
requirement? (Also, indicate the number of
documents reviewed for this requirement.)
Answer: NRO personnel are directed to use a personal identifier. 100%
of documents have met this
requirement. The number of documents reviewed is unknown.
FOCUS QUESTIONS: Answer the following focus questions.
(6) List of multiple sources.
(1) A list of sources must be included on or attached to each
derivatively classified document that is classified based on
more than one source document or classification guide. What percentage
of the documents sampled meet this
requirement? (Also, indicate the number of documents reviewed for this
requirement.)
Answer: 100% of documents have met this requirement. The number of
documents reviewed is unknown.
FOCUS QUESTIONS: Answer the following focus questions.
(7) Performance evaluations.
(1) The performance contract or other rating system of original
classification authorities, security managers, and other
personnel whose duties significantly involve the creation or handling
of classified information must include a
critical element to be evaluated relating to designation and
management of classified information. What percentage
of such personnel at your Component has this element in their
performance contracts?
Answer: The NRO is comprised of government individuals from various
agencies. Parent agencies set the
rules for their performance contract or rating system. Based on the
rules for each parent agency,
approximately 40% have this element in their performance contract.
PART 4. DISCREPANCIES: Specific information with regard to the
findings of the annual review of
the Component's original and derivative classification actions to
include the volume of classified
materials reviewed and the number and type of discrepancies identified.
1. "Discrepancies" are instances when the classification and/or
marking requirements of the Order, Directive and Agency
regulation are not met. Among these are:
(1) Overclassification: information does not meet the standards for
classification.
(2) Overgraded/Undergraded: Information classified at a higher/lower
level than appropriate.
(3) Declassification: Improper or incomplete declassification
instructions or no declassification instructions.
(4) Duration: A shorter duration of classification would be appropriate.
(5) Unauthorized classifier: A classification action taken by someone
not authorized to do so.
(6) "Classified By" line: A document does not identify the OCA or
derivative classifier by name and position or by
personal identifier.
(7) "Reason" line: An originally classified document does not cite a
reason from section 1.4 of the Order.
(8) "Derived From" line: A document fails to cite, or cites
improperly, the classification source. The line should
include type of document, date of document, subject, and office/agency
of origin.
(9) Multiple sources: A document cites "Multiple Sources" as the basis
for classification, but list of these sources is
not included on or attached to the document.
(10) Marking: A document lacks overall classification markings or has
improper overall classification markings.
(11) Portion Marking: The document lacks required portion markings.
(12) Instructions from a classification guide are not properly applied.
For additional information on marking, consult the DoDM 5200.01-V2.
List identified program deficiencies here. Also list actions taken or
are planned to correct identified program
deficiencies, marking discrepancies, or misclassification actions, and
to deter their reoccurrence:
Answer: Improper application of portion marking. Individuals will
receive additional training and review of
their documents by security officers.
PART 5. BEST PRACTICES: List best practices that were identified
during self inspections here:
- Comprehensive security database developed which reflects final
adjudication and investigation of security incidents
- SCIF decertification process assembled consisting of:
-- SCIF decertification checklist
-- Sanitization steps for offices
-- SCIF decertification roles and responsibilities
- The self-assessments, methodology, and supporting application is a
model for other industry sites
- Comprehensive Open/Close procedures
- Plexiglas inspection window and inspection ports for checking
penetration of perimeter by HVAC, wiring, etc.
DoD SELF INSPECTION PROGRAM REQUIREMENTS: This portion of the
checklist meets specific requirements for a standard DoD Information
Security Program based on the DoDM 5200.01-V1 thru V3. Please answer
the following questions below.
PROGRAM MANAGEMENT (EO 13526 REQUIREMENTS)
NO. | ITEM | YES | NO | N/A
1. Has the head of each activity in the Component appointed a security
manager to manage and implement the activity's information security
program which implements the provisions of DoDM 5200.01-M? (DoDM
5200.01-M, Vol 1, Encl 2, para 8.b & 9.a)
2. Does the Component Head develop and implement, through the security
manager, security instructions necessary for program implementation?
(DoDM 5200.01-M, Vol 1, Encl 2, para 9.d)
3. Are sufficient resources and personnel committed to implement the
classified national security information security program? (DoDM 5200.01-M,
Vol 1, Encl 2, para 6.d)
4. Are OCAs delegated classification authorities in writing? (DoDM 5200.01-M,
Vol 1, Encl 4, para 5.c)
5. Has the security manager attended the required training? Note: Training and
education shall be provided before, concurrent with, or not later than six
months following appointment. (DoDM 5200.01-M, Vol 3, Encl 5, paras 4.a and
10)
6. Does the security manager conduct security inspections (self-inspections)?
(DoDM 5200.01-M, Vol 1, Encl 2, para 7.d)
• Is the Component Head informed of the results of such inspection?
7. Does the security manager establish, implement and maintain an effective
security education program as required by DoDM 5200.01-M, Volume 3,
Enclosure 5, to include initial orientation and continuing/refresher training
for assigned members? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g & 9.f; Vol 1,
Encl 3, para 6.c; and Vol 3, Encl 5, para 7 & 8)
• Do security managers document all security-related training? (DoDM
5200.01-M, Vol 3, Encl 5, para 11)
8. Are procedures established to prevent unauthorized access to classified
information? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.e)
• Note: Examples include implementing visitor controls, restricting
combinations to cleared members, establishing end-of-day security
checks, etc.
9. Are emergency plans developed for the protection, removal, or destruction
of classified material in case of fire, natural disaster, civil disturbance, or
terrorist activities to minimize the risk of compromise? (DoDM 5200.01-M, Vol
1, Encl 2, para 9.d)
10. Are procedures established for ensuring that all persons handling classified
material are properly cleared and have a need-to-know? (DoDM 5200.01-M,
Vol 1, Encl 3, para 11.a)
11. Does the security manager maintain a continuity handbook?
ORIGINAL CLASSIFICATION (EO 13526 REQUIREMENTS)
12. Are Original Classification Authorities (OCAs) trained on the process and
requirements for original classification (DoDM 5200.01-M, Vol 1, Encl 4, para 6),
to include?
• Applicable standards and categories for classification? (DoDM 5200.01-M,
Vol 1, Encl 4, para 1)
• Levels of classification and damage criteria associated with each one?
(DoDM 5200.01-M, Vol 1, Encl 4, para 3)
• Avoidance of over-classification? (DoDM 5200.01-M, Vol 1, Encl 4, para 6.f)
• Classification prohibitions and limitations? (DoDM 5200.01-M, Vol 1, Encl 4,
para 2)
• Required markings, including those for dissemination and handling?
(DoDM 5200.01-M, Vol 1, Encl 4, para 6.h; Vol 2, Encls 3 & 4)
• Determination of declassification instructions? (DoDM 5200.01-M, Vol 1,
Encl 4, para 13.a)
• Delegations of OCA responsibilities? (DoDM 5200.01-M, Vol 1, Encl 4, para 5
& 5.c)
• Classification challenges? (DoDM 5200.01-M, Vol 1, Encl 4, para 22)
13. Have OCAs prepared, as appropriate, classification guides to facilitate the
proper and uniform derivative classification of information? (DoDM 5200.01,
Vol 1, Encl 4, para 6.h; Vol 1, Encl 6, para 1)
14. Do the guides meet the requirements of section 2.2 of E.O. 13526 and section
2001.15 of title 32, Code of Federal Regulations (CFR)?
DERIVATIVE CLASSIFICATION (EO 13526 REQUIREMENTS)
15. Are persons who apply derivative classification markings trained on the
process and requirements for derivative classification (DoDM 5200.01-M, Vol 1,
Encl 4, para 11 & 12), to include?
• Identity of derivative classifier? (DoDM 5200.01-M, Vol 2, Encl 3, para 7 &
8.c.(1)(a))
• Use of source documents, including classification guides? (DoDM
5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b), 8.c.(2) & 8.c.(3))
• Declassification instructions? (DoDM 5200.01-M, Vol 2, Encl 3,
para 8.c.(1)(d), 8.c.(4)-(9) & 9)
• Proper application of markings? See Classification Markings/Document
Review section below. (DoDM 5200.01-M, Vol 2, Encl 3 & 4)
• Classification challenges (DoDM 5200.01-M, Vol 1, Encl 4, para 22)
CLASSIFICATION MARKINGS/DOCUMENT REVIEW (EO 13526 REQUIREMENTS)
16. Reviews of original and derivative classification actions shall be conducted in
accordance with section 2001.60(c)(2) of title 32, CFR, and should evaluate the
classification and marking of documents to include: (DoDM 5200.01-M, Vol 1,
Encl 2, para 7.d)
• Have the standards of classification been met? (DoDM 5200.01, Vol 1, Encl
4, para 1 & 2)
• Could damage to the national security be reasonably expected in the
event of unauthorized disclosure? (DoDM 5200.01, Vol 1, Encl 4, para 3)
• Have the requirements for original classification of Part 1 of E.O. 13526 or
for derivative classification in Part 2 of E.O. 13526 been met?
• Have the required markings been applied in accordance with E.O. 13526
and Subpart C of title 32, CFR? (DoDM 5200.01-M, Vol 2, para 3)
• Overall classification level (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
• "Reason for Classification" line (originally classified documents only)
(DoDM 5200.01-M, Vol 2, Encl 3, para 3.b.(1)(b) & 3.b.(4))
• The Agency, Office or Origin, and Date (DoDM 5200.01-M, Vol 2, Encl 3, para
7)
• A "Derived From" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b))
• A "Classified By" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.b.(1)(a) &
8.c.(1)(a))
• Identification of the sources of classification (DoDM 5200.01-M, Vol 2, Encl
3, para 8.c.(1)(b), 8.c(2), & 8.c.(3))
• "Declassify On" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(d))
• Downgrading instructions, if required (DoDM 5200.01-M, Vol 2, Encl 3, para
8.a.(4))
• Page and Portion Markings (DoDM 5200.01-M, Vol 2, Encl 3, para 5 & 6)
• Have any unauthorized or invalid markings been applied to documents?
17. Are Agency personnel who conduct reviews of the agency's original and
derivative classification actions trained on the classification and marking
requirements of E.O. 13526, part 2001 of title 32, CFR, and DoDM 5200.01; and
do they have access to pertinent security classification guides?
18. Are "subjects" or "titles" of classified documents marked with the
appropriate symbol (TS), (S), (C), or (U) following and to the left of
the title or subject? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.e.(2) & 14)
19. Is each section, part, paragraph, or similar portion of a classified document
marked to show the highest level of classification of information it contains,
or that it is unclassified? Portion of text shall be marked with the
appropriate abbreviations (TS, S, C, or U). (DoDM 5200.01-M, Vol 2, Encl 3, para
6)
20. Are portions within documents containing Restricted Data and Formerly
Restricted Data marked with the abbreviation "RD" or "FRD" (e.g. S//RD or
TS//FRD)? (DoDM 5200.01-M, Vol 2, Encl 4, para 8.a & 8.b)
21. Are portions within documents containing foreign government or North
Atlantic Treaty Organization (NATO) information marked with the foreign
classification or NATO and the appropriate classification level (e.g. //GBR S or
//NATO C)? (DoDM 5200.01-M, Vol 2, Encl 4, para 4)
22. Is the abbreviation "FOUO" used to designate unclassified portions that
contain information that may be exempt from mandatory release to the
public under the Freedom of Information Act (FOIA)? (DoDM 5200.01-M, Vol 2,
Encl 4, para 10.b & Vol 4, Encl 3, para 2.c)
23. Are charts, graphs, photographs, illustrations, figures, and similar items
within classified documents marked to show their classification? (DoDM
5200.01-M, Vol 2, Encl 3, para 6.a & 18)
24. Are the markings placed within the chart, graph, photograph, illustration,
figure, etc. or next to the item? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.e.(3) &
18)
25. Is the highest classification level placed on the top and bottom of each page
containing classified information or marked "unclassified"? (This is called the
"banner line")
• Do the markings stand out from the balance of the information on the
page (must be readily visible)? (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
26. Are TRANSMITTAL documents properly marked to include either its highest
classification or a notation "Unclassified when separated from classified
enclosures"? (DoDM 5200.01-M, Vol 2, Encl 3, para 15)
27. For ELECTRONIC documents:
• Are e-mails, blog entries, bulletin board postings, and other electronic
documents marked as finished documents, not working papers? (DoDM
5200.01-M, Vol 2, Encl 3, para 17.a.(2))
• Do e-mails include the appropriate banner line, portion markings, and
classification authority block? Is the subject line portion mark the
classification of the subject, not the overall classification of the e-mail?
(DoDM 5200.01-M, Vol 2, Encl 3, para 17.b)
• Do classified URLs contain embedded portion marks? (DoDM 5200.01-M,
Vol 2, Encl 3, para 17.d)
• Are briefing slides, including any speaker notes and hidden slides, marked
as required for text documents? (DoD 5200.01-M, Vol 2, Encl 3, para 16)
• Are maps, charts, blueprints, photographs, and other special types of
materials marked in the same fashion as for documents, to the extent
feasible? (DoD 5200.01, Vol 2, Encl 3, para 18)
28. Are Files, Folders, and Groups of documents clearly marked on the outside of
the file or folder (attaching a classified document cover sheet to the front of
the folder or holder will satisfy this requirement)? (DoDM 5200.01-M, Vol 2,
Encl 2, para 4.a)
29. Are removable storage media (e.g. magnetic tape reels, disk packs, diskettes,
CD-ROMS, removable hard disks, disk cartridges, tape cassettes, etc.) marked
with the appropriate Standard Form label (SF 706/707/708/710)? (DoDM
5200.01-M, Vol 2, Encl 2, para 4.b)
DECLASSIFICATION (EO 13526 REQUIREMENTS)
30. Is there a records management system to facilitate public release of
declassified documents?
31. Are procedures established for automatic, systematic, discretionary, and
mandatory declassification review?
SAFEGUARDING AND STORAGE (EO 13526 REQUIREMENTS)
32. Is the program designed and maintained to optimize safeguarding of
classified information?
33. Are there control measures to prevent unauthorized access to classified
information?
34. Are personnel aware of procedures for identifying, reporting, and
processing unauthorized disclosures of classified information?
35. Are there procedures to ensure that appropriate management action is
taken to correct identified problems?
36. Are there methods for transmitting classified information, preparing it
correctly for mailing, and for hand carrying or escorting classified material?
37. Is classified information removed from storage kept under constant
surveillance of authorized persons? (DoDM 5200.01-M, Vol 3, Encl 2, para 8)
38. Are cover sheets placed on all documents removed from storage? (DoDM
5200.01-M, Vol 3, Encl 2, para 8)
39. Are end-of-day security checks established for areas that process or store
classified information to ensure the area is secure at the close of each
working day? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
40. Is the SF 701, Activity Security Checklist, used to record end-of-day checks?
(DoDM 5200.01-M, Vol 3, Encl 2, para 9)
41. Is the SF 702, Security Container Check Sheet, used to record the closing of
each vault, secure room, or container used for storage of classified material?
(DoDM 5200.01-M, Vol 3, Encl 2, para 9)
42. Is the SF 700, Security Container Information, properly completed and
posted inside the LOCKING drawer of the security container, or inside the
door of vault and similar facilities? (DoDM 5200.01-M, Vol 3, Encl 3, para 10)
43. Are storage containers (safes) that may have been used to store classified
information inspected by properly cleared personnel before removal from
protected areas or before unauthorized persons are allowed access to them?
(DoDM 5200.01-M, Vol 3, Encl 3, para 13)
44. Are combinations to security containers changed at the required intervals?
(DoDM 5200.01-M, Vol 3, Encl 3, para 11.b)
45. If written records of the combination are maintained, are they marked and
protected at the highest classification of the material stored therein? (DoDM
5200.01-M, Vol 3, Encl 3, para 11.a)
• Is the combination stored in a security container other than the one for
which it is being used?
46. Are entrances to secure rooms or areas under visual control at all times
during duty hours to prevent unauthorized access or equipped with electric,
mechanical or electromechanical access control devices to limit access
during duty hours? (DoDM 5200.01-M, Vol 3, Encl 3, para 12.a)
47. Does each vault or container bear an external marking for identification
purpose? NOTE: The level of classification stored therein must NOT be
marked on the outside of the container(s). (DoDM 5200.01-M, Vol 3, Encl 3,
para 9)
48. Is Top Secret material stored only in a GSA approved security container (safe)
having one of the following supplemental controls: (DoDM 5200.01-M, Vol 3,
Encl 3, para 3.a)
• Guard or duty personnel cleared to the Secret level inspect the security
container once every two hours
• An Intrusion Detection System (alarm system) meeting requirements of
para 2 of the Appendix to Encl 3 of DoDM 5200.01-M, Vol 3.
• Combination lock meeting Federal Specification FF-L-2740 (X-07) with
security-in-depth
49. Is Secret material stored in a GSA approved security container (safe) without
supplemental controls or in the same manner as Top Secret? (NOTE:
Approved containers will have a certification label on the container itself)
(DoDM 5200.01-M, Vol 3, Encl 3, para 3.b)
50. Is Confidential material stored in a GSA approved security container? (DoDM
5200.01-M, Vol 3, Encl 3, para 3.c)
51. Are security container repairs (e.g. drilled because of a forgotten
combination) done in accordance with FED-STD 809? (DoDM 5200.01-M, Vol 3,
Encl 3, para 14)
52. Is equipment (e.g. copiers, facsimile machines, AIS equipment and
peripherals, electronic typewriters and word processing systems) used for
processing classified information protected from unauthorized access?
(DoDM 5200.01-M, Vol 3, Encl 2, para 14.a)
53. Do appropriately cleared and technically knowledgeable personnel inspect
the equipment and media used for processing classified information before
the equipment is removed from the protected areas? (DoDM 5200.01-M, Vol 3,
Encl 2, para 14.d)
54. Are GSA approved field safes and special purpose one and two drawer
lightweight security containers securely fastened to the structure or under
sufficient surveillance to prevent their theft? (DoDM 5200.01-M, Vol 3, Encl 3,
para 6.a)
TELECOMMUNICATIONS, AUTOMATION INFORMATION SYSTEMS, AND NETWORK
SECURITY (EO 13526 REQUIREMENTS)
55. Consistent with section 4.1(f) of E.O. 13526 and section 2001.50 of title 32,
CFR, have uniform procedures been established to ensure that automated
information systems that collect, create, communicate, compute,
disseminate, process or store classified or controlled unclassified
information are protected in accordance with applicable DoD policy
issuances?
56. Have procedures been established and implemented to:
• Prevent access by unauthorized persons;
• Ensure the integrity of the information;
• To the maximum extent practicable, use:
1) Common information technology standards, protocols, and
interfaces that maximize the availability of, and access to, the
information in a form and manner that facilitates its authorized use;
and
2) Standardized electronic formats to maximize the accessibility of
information to persons who meet the criteria set forth in section
4.1(a) of E.O. 13526.
57. Have procedures been established to ensure that unclassified copiers
connected to the Internet are not used for classified reproduction? (DoDM
5200.01-M, Vol 3, Encl 7, para 10)
• Are modems, telecommunications capabilities and network
connections disabled on copiers approved for classified
reproductions? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
• Are classified hard drives removed from classified reproduction
equipment prior to maintenance? (DoDM 5200.01-M, Vol 3, Encl 7, para
10)
58. Are cameras and microphones disabled on all hardware used for classified
processing, in classified spaces, or connected to networks in classified
spaces? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
REPRODUCTION OF CLASSIFIED MATERIAL (EO 13526 REQUIREMENTS)
59. Are procedures established to oversee and control the reproduction of
classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b)
60. Are personnel, who reproduce classified, aware of the risks involved with the
specific reproduction equipment and the appropriate countermeasures they
are required to take? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(2))
61. Are waste products generated during reproduction properly protected and
disposed of? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(6))
62. Is reproduction equipment specifically designated for the reproduction of
classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(7))
63. [Optional] Are RULES POSTED on or near the designated equipment
authorized for the reproduction of classified? (DoDM 5200.01-M, Vol 3, Encl 2,
para 15)
64. [Optional] Are NOTICES prohibiting reproduction of classified POSTED on
equipment used only for the reproduction of unclassified material? (DoDM
5200.01-M, Vol 3, Encl 2, para 15)
DISPOSITION AND DESTRUCTION OF CLASSIFIED MATERIAL (EO 13526
REQUIREMENTS)
65. Has each activity with classified holdings set aside at least one "Clean-Out"
day each year when specific attention and effort is focused on disposition of
unneeded classified material? (DoDM 5200.01-M, Vol 3, Encl 3, para 17.b)
66. Is classified materials properly destroyed by approved methods? (DoDM
5200.01-M, Vol 3, Encl 3, para 17 & 18)
TRANSMISSION AND TRANSPORTATION OF CLASSIFIED INFORMATION (EO 13526
REQUIREMENTS)
67. Whenever classified information is transmitted outside of the activity is it
enclosed in two opaque sealed envelopes or similar wrappings or containers
durable enough to properly protect the material from accidental exposure
and facilitate detection of tampering? (DoDM 5200.01-M, Vol 3, Encl 4, para 9)
• NOTE: When classified material is hand-carried outside an activity, a
locked briefcase may serve as the outer wrapper.
68. Is the outer wrapper addressed to an official government activity or to a
DOD contractor with a facility clearance and appropriate storage capability
with a complete return address of the sender? (DoDM 5200.01-M, Vol 3, Encl
4, para 9.a.(1))
69. Is the inner wrapper or container marked with the following information:
sender's and receiving activity's address and highest classification level of
the contents (including where appropriate, any special markings)? (DoDM
5200.01-M, Vol 3, Encl 4, para 9.a.(2))
• NOTE: The inner envelope may have an "attention line" with a person's
name.
70. Are procedures established to limit the hand carrying of classified
information to only when other means of transmission or transportation
cannot be used? (DoDM 5200.01-M, Vol 3, Encl 4, para 11.a)
71. Are hand-carrying officials briefed on and have they acknowledged their
responsibilities for protecting classified information? (DoDM 5200.01-M, Vol
3, Encl 4, para 11.c)
72. Are courier officials provided a written statement authorizing such hand
carrying transmission? (DoDM 5200.01-M, Vol 3, Encl 4, para 12)
• [Optional] Does the activity list all classified carried or escorted by
traveling personnel? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
• [Optional] Does the activity keep this list until all material reaches the
recipient's activity? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
73. When "Confidential" classified information is sent U.S. Postal Service "First
Class" mail between DOD Components within the United States, is the outer
envelope or wrapper endorsed "POSTMASTER: RETURN SERVICE REQUESTED"?
(DoDM 5200.01-M, Vol 3, Encl 4, para 5.d)
74. Do recipients of First Class mail bearing the "Postmaster" notice protect it as
Confidential material?
SECURITY EDUCATION (EO 13526 REQUIREMENTS)
75. Has the Component Senior Agency Official established a Security Education
program? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g) Has the activity security
manager implemented the security education and training program within
the activity? (DoDM 5200.01, Vol 1, Encl 2, para 9.f)
76. Have all personnel been trained on policies for classification, safeguarding
and declassification?
77. Do all personnel who perform derivative classification receive training every
2 years? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.c)
78. All original classification authorities (OCA) must receive training in proper
classification and declassification at least once a calendar year. (DoDM
5200.01-M, Vol 1, Encl 4, para 5.d and Vol 3, Encl 5, para 5)
79. Does this training program include an "Initial Orientation" for all assigned
personnel who are cleared for access to classified information? (DoDM
5200.01-M, Vol 3, Encl 5, para 3)
80. Does this orientation include the: (DoDM 5200.01-M, Vol 3, Encl 5, para 3)
• Roles and responsibilities of assigned members and key personnel?
• Elements of safeguarding classified information?
• Elements of classifying and declassifying information?
81. Is additional training provided for members who: (DoDM 5200.01-M, Vol 3,
Encl 5, para 4.b & c)
• Are members of deployable organizations, to provide enhanced security
training to meet the needs of the operational environment?
• Will be traveling to foreign countries?
• Will be escorting, hand carrying, or serving as a courier for classified
material?
• Will use automated information systems to store, process, or transmit
classified?
• Will have access to information requiring special control or safeguarding
measures?
• Will be using Foreign Government Information or work in coalition or
bilateral environments?
• Submit information to OCAs for original classification decisions?
82. Is Refresher training provided at least annually to assigned members? (DoDM
5200.01-M, Vol 3, Encl 5, para 7.a)
83. Is Refresher training tailored to the mission needs and address policies,
principles and procedures covered in initial training? (DoDM 5200.01-M, Vol 3,
Encl 5, para 7.a)
84. Does Refresher training address concerns identified during
Component Self-Inspections? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
85. Are procedures established to ensure cleared employees who leave the
organization or whose clearance is terminated receives a termination
briefing? (DoDM 5200.01-M, Vol 3, Encl 5, para 9)
86. Are records maintained to show the names of members who participated in
"Initial" and "Refresher" training? (DoDM 5200.01-M, Vol 3, Encl 5, para 11)
87. Do training programs for "Uncleared" members include: (DoDM 5200.01-M,
Vol 3, Encl 5, para 3)
• The nature and importance of classified information?
• Actions to take if they discover classified information unprotected?
• The need to report suspected contact with a foreign intelligence
collector?
SECURITY INCIDENTS AND VIOLATIONS TO INCLUDE COMPROMISES (EO 13526
REQUIREMENTS)
88. Are assigned members trained on their responsibilities to report security
violations concerning classified information? (DoDM 5200.01-M, Vol 3, Encl 6,
para 3.b)
89. Are there procedures to conduct an inquiry/investigation of a loss, possible
compromise, or unauthorized disclosure of classified information? (DoDM
5200.01-M, Vol 3, Encl 6, para 6)
90. Are appropriate and prompt corrective actions taken when a violation or
infraction occurs? (DoD 5200.01-M, Vol 3, Encl 6)
91. Are inquiries and/or investigations promptly conducted to ascertain the facts
surrounding reported incidents? (DoDM 5200.01-M, Vol 3, Encl 6, para 6)
92. Are individuals who commit violations or infractions subject to appropriate
sanctions? (DoDM 5200.01-M, Vol 1, Encl 3, para 17 and Vol 3, Encl 6, para 8.b &
14)
UNCLASSIFIED
NRO APPROVED FOR RELEASE
28 August 2014
NRO Explanation of N/A Responses on 2012 Information Security Program
Self-inspection Checklist
Item  Comment
1. The DNRO appoints the DOS&CI as responsible for NRO security. The
DOS&CI appoints a Government Program Security Officer (GPSO) as the
head of each Directorate or Office activity who implements the
provisions of the NRO Security Program. For each contractor, an NRO
Contractor Program Security Officer (NCPSO) is nominated by the
contractor and approved by the DOS&CI. The NCPSO is a senior
Contractor PSO responsible and accountable for the security oversight
of all NRO program activities at their company or corporation.
2. All security instructions are signed by the DOS&CI
5. Equivalent training is provided
6. Security evaluations and self-inspections are centrally managed under
the DOS&CI. The DOS&CI is informed of the results of such inspections.
7. Security-related training will be documented in the Personnel Security
File or in a listing of all personnel who completed the training
9. Yes, in areas where political instability, terrorism, host country
attitude, or criminal activity
suggests the possibility that a SCIF may be overrun by hostile forces.
11. If the security manager has a COOP mission, essential materials
are in place at the alternate
location.
12. The NRO cannot approve OCAs so we cannot delegate OCA responsibilities.
16. The NRO does not use Downgrading markings.
21. NRO personnel do not have the authority to create NATO information.
28. Most SCIFs are open storage and do not require the use of cover sheets.
38. Most SCIFs are open storage and do not require the use of cover sheets.
40. SF 701 may be used or locally designed forms may be used
41. SF 702 may be used or locally designed forms may be used
45. Yes, at the SCI level, except for SAR where the holder does not
have access to the SAR
compartment nor the physical area housing the container.
Please note: The best way to view the report "Agency Annual
Self-Inspection Program Data: FY 2013" (attached to this
explanation) is in softcopy because several of the expandable
fields have text that is hidden when viewed in hardcopy. The
full text of entries that exceed the viewable space of
expandable fields is included below for ease of reading,
however, only the softcopy form will be submitted to OUSD(I).
3. Enter the name, title, address, phone, fax, and e-mail address
of the Senior Agency Official (SAO) (as defined in E.O. 13526,
section 5.4(d)) responsible for this report.
Mr. Frank Calvelli
Principal Deputy Director, NRO
Room
14675 Lee Road, Chantilly, VA 20151
(b)(3) 10 USC 424
FAX
(b)(3) 10 USC 424
(b)(3) 10 USC 424
13. What means and methods are employed in conducting self inspections?
(For example: interviews, surveys, data calls, checklists, analysis, etc.)
-
NRO self-inspections are part of the NRO ISAP. Because
contractors make up of the total NRO workforce and have the
overwhelming number of Sensitive Compartmented Information
Facilities (SCIFs), ISAP is a collaborative process between
Government and industry to identify and address security
vulnerabilities, provide data for analysis, and identify system
security issues and trends. Site personnel conduct/document
security self-assessments, per requirements stated in the NRO
Security Manual (NSM) at least annually. The ISAP Manager or
designee reviews the site assessments and enters a copy into an
NRO database listing each NRO sponsored facility. Based on the
self-assessments, the ISAP Manager, Program Security Officers
(PSOs) and stakeholders discuss findings and formulate
recommendations for a formal assessment, if required. OS&CI
stakeholders represent the major OS&CI directorates and program
office security staffs, including, but not limited to, PSOs,
Physical/Technical Certification Officers and Security
Certification Officers. Stakeholders develop and provide ISAP
candidates to the ISAP Selection Board. Each ISAP
recommendation shall contain detailed factors used to formulate
the recommendation. Recommendation for site visits is then
provided to the selection board. Sites are selected based on
risk, proximity, resources, budgetary constraints, time since
last assessment, and random sampling. A team composition is
proposed for each site visit and a Lead PSO is selected. The
Assessment Team will, at a minimum, consist of a Government PSO
and an OS&CI/Facilities and Information Security Division
(F&ISD) representative. Additional team members will be added
as needed based on site size, mission, facility risk, and
subject areas being assessed. After the on-site assessment, an
out-briefing is provided to site security staff and other site
senior management identifying security program successes,
observations, and any security "best practices" discovered
during the formal assessment. The results are loaded into the
facility database that contains information from all previous
visits with any problem areas or "best practices" noted. A
final report requiring corrective actions to be taken within 90
days of the date of the report is issued by the D/OS&CI. The
assessed site is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager
every 90 days until all corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of
corrective action are loaded into the NRO facilities database
for historical purposes. For the reporting period, 291 self-assessments
were received and 10 formal team assessments were
performed. No additional formal specific-issue reviews were
conducted. There were an additional 742 visits by OS&CI
stakeholders to contractor SCIFs. In addition, a data call was
conducted with all PSOs and CMOs in NRO Headquarters to answer
items 87 and 88.
20. Describe below how the agency identifies activities and
offices whose documents are to be included in the sample of
classification actions. (Indicate if NA.)
Based on the 291 site self-assessments submitted, the ISAP
Manager, Program Security Officers (PSOs) and stakeholders
discuss findings and formulate recommendations for a formal
assessment, if required. OS&CI stakeholders represent the major
OS&CI directorates and program office security staffs,
including, but not limited to, PSOs, Physical/Technical
Certification Officers and Security Certification Officers.
Stakeholders develop and provide ISAP candidates to the ISAP
Selection Board. Each ISAP recommendation shall contain
detailed factors used to formulate the recommendation.
Recommendation for site visits is then provided to the selection
board. Sites are selected based on risk, proximity, resources,
budgetary constraints, time since last assessment, and random
sampling. A team composition is proposed for each site visit
and a Lead PSO is selected.
Additionally, several types of documents at NRO headquarters are
reviewed annually by CMOs and PSOs for proper classification and
marking. A data call was conducted with all PSOs and CMOs in
NRO Headquarters to answer items 87 and 88.
22. How do you ensure that the materials reviewed provide a
representative sample of the agency's classified information?
(Indicate if NA.)
Documents are selected for review in cooperation with site
personnel who are familiar with the type of materials produced
by the site. However, contractors are not required to count
classified pages produced because of the additional costs that
would be incurred by the NRO, so the documents reviewed may not
be a representative sample. The data call conducted with NRO
Headquarters PSOs and CMOs for item 87 and 88 represents all
documents they reviewed during FY 2013.
31. How is the self-inspection program structured to assess
individual agency activities and the agency as a whole?
Contractor SCIF locations far outnumber government SCIF
locations in the NRO. Government locations are relatively few
in number and have professional government security officers
assigned who can monitor safeguarding and classified information
production and correct errors as they occur. We chose to
concentrate on contractor facilities which are visited
relatively infrequently. The conditions at contractor locations
are not directly applicable to government locations.
35. What is the format for documenting self-inspections in your
agency?
Self-assessments are documented using the self-assessment review
tool in the NSM, Appendix B. For formal assessments, an out-briefing is
provided to site security staff and other site
senior management identifying security program successes,
observations, and any security "best practices" discovered
during the formal assessment. The results are then loaded into
the facility database that contains information from all
previous visits with any problem areas or "best practices"
noted. A final report requiring corrective actions to be taken
within 90 days of the date of report is issued by the D/OS&CI.
The assessed site is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager
every 90 days until all corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of
corrective action are loaded into the NRO facilities database
for historical purposes.
47. Safeguarding:
Regular conduct of exercises provides vital feedback to the
physical security program. Exercises identify areas for
corrective measures, enhancements, validate current tactics,
techniques and procedures (TTP) and the adoption/employment of
new TTP to meet a dynamic threat environment. Regular
inspections/audits are essential to ensuring status and validity
of issued IC badges and conformity to physical security
requirements. Risk assessments/physical security assessments
provide a helpful "outside" perspective to site security
offices. NRO government and contractor personnel work in SCIFs
equipped with secure telephones, FAX, and teleconferencing
equipment, badges and badge readers, guard forces in several
locations, document shredders and other features to ensure
compromises of classified information do not occur. While the
insider threat is always a possibility, we take every precaution
to prevent security incidents from occurring. The NRO applies
uniform procedures established by the Intelligence Community
Directive (ICD)-503 family of policy and guidance for
Information Technology Systems Security Risk Management and
Assessment and Authorization (A&A) activities.
48. Security Violations:
The ISAP program is the formal mechanism by which we corroborate
self-inspections. Included in these formal reviews is an
assessment of the respective security violation program and
trends. In addition, each component Security team evaluates
Security incidents and violations by tracking them according to
general broad categories. During this past FY, the majority
(63%) of incidents/violations were related to categories within
personnel electronic devices in SCIFs. Other categories that
have multiple occurrences indicating potential trends are data
spills (9%) and inadvertent removal of classified information
(12%). Personal cell phones and prohibited electronic devices
are not allowed in SCIFs. While we have installed lockers
outside SCIFs to secure cell phones, entry of prohibited
electronic devices into SCIFs is still a problem. Visitor
attendance to NRO conferences/facilities result in numerous cell
phones being brought into the conference even by individuals
with security duties who should know better.
49. Security Education and Training:
100% of personnel assigned to the NRO are required to complete
an SCI indoctrination briefing to include signing a Non-Disclosure
Agreement. E.O. 13526 is called out specifically so
that personnel fully understand their responsibilities and
requirements to protect classified information. This message is
repeated by the release of awareness videos and reminders
throughout the year; to include presentations, written
materials, and training. Specifically, OS&CI incorporates
classification management questions within the Annual Security
Refresher (ASR) web-based training (WBT). In 2014 ASR will
include additional Derivative Classification questions. With as
many contractors as the NRO employs, training can be a major
expense. Every contractor and government employee with a secure
computer account is required to take the Annual Security
Refresher training otherwise they lose their computer
connection. There are numerous additional courses and
specialized security training available on-line even though
sequestration has reduced training manpower overall to include
elimination of the Information Management Branch which ran the
OS&CI web site and security-specific applications.
50. Management and Oversight:
Government oversight of NRO-sponsored SCIFs is achieved in a
multi-faceted manner. Program Security Officers,
Physical/Technical, and Computer Security Officers review
self-assessment results and participate in on-site reviews. Some
program findings for FY 13 were identified in the following
areas:
• Standard Operating Procedures (SOPs) require more detail and
more frequent revision to stay up-to-date with security
requirements.
• Foreign travel and contact reporting were not always
accomplished using the mandated NRO Counterintelligence Network
(CINet).
• There are undocumented information systems within facilities.
• Not all employees with AIS privileged user type access have
been identified and tracked.
• Facility alarm test records are not always maintained for the
required time period.
• Red/Black cabling is not labeled for identification.
54. Safeguarding:
Awareness and education programs are vital to ensuring the
workforce maintains awareness of security policy and procedures.
Regular and aperiodic exercises, inspections, and audits provide
crucial inputs that are indispensable to ensuring that the
physical security program is current and effective. Key
challenges are maintaining adequate funding to replace aging,
malfunctioning, and obsolete security equipment and training and
education for new personnel. The NRO has an organization-level
process for the Assessment and Authorization (A&A) of
Information Systems and a Directive 51-1, "Information
Technology, Information Assurance, and Information Management
Architecture and Strategy for Certification and Accreditation"
to ensure automated information systems that collect, create,
communicate, compute, disseminate, process or store classified
information are protected in accordance with applicable national
policy issuances.
55. Security Violations:
The NSM details the NRO process for reporting and investigating
security incidents, infractions and violations. Appropriate and
prompt corrective actions were taken to mitigate the severity of
the infraction/violation, and to sanction the offender via
management, counterintelligence, and personnel security
processes. Infractions and violations are centrally tracked in
the Security Log (the NRO incident/violation database). This
database is managed by the Program Security Officers in each
directorate and office, and enables the PSO to automatically
notify Counterintelligence Division and Personnel Security
Division, via a system generated e-mail, of
infractions/violations that require immediate CI and/or
personnel security attention. The database also enables both
OS&CI management as well as individual PSOs to track and analyze
trends linked to the various categories of security
infractions/violations.
56. Security Education and Training:
OS&CI works closely with PSOs, Counterintelligence personnel,
and the Integrated Self Assessment Program to determine any
trends or specific areas that need an additional educational
awareness campaign. Security communications are then targeted,
utilizing large scale efforts, per a topic area and audience for
best impact results. The NRO is adding additional
classification management questions to the Annual Security
Refresher to better satisfy the derivative classification
training requirement. OCAs complete yearly training provided by
NRO/OS&CI/Policy Branch with direct knowledge of current CAPCO
guidelines.
57. Management and Oversight:
The NRO has a very mature Security management and oversight
program. Over the past FY, much greater emphasis has been
placed on ensuring all sites and facilities accomplished the
self-assessments and submitted the findings to the Government
within the mandated time requirements. This improved management
oversight has made an impact. Our self-inspection program
coupled with security officer visits, and formal team
assessments provide managers a report card on the health of our
security programs. When negative trends are identified,
managers from across industry and the Government develop
corrective action plans to reverse the trends and ensure
security requirements are met. Impacts are being felt to
overall security programs due to reductions in security
resources. While security requirements are increasing,
especially in the area of information systems management,
resources are being reduced. Additionally, some sites assessed
have made decisions not to fully comply with a security
requirement because of resource constraints.

Re: Freedom Hosting Owner Arrested, Tormail Compromised, Malicious JS Discovered
by Ted Smith 06 Jul '18
On Mon, 2013-08-12 at 10:30 +0200, rysiek wrote:
>> > While I'm certainly not saying "I don't buy it", how does this
>> > reconcile with the reality of The Silk Road still being in
>> > existence.
>> > One would think that governments would use these techniques against
>> > the site if for nothing more than to catch/punish them for all the
>> > tax evasion going on.
>
>> Yeah, that's a conundrum.
>No it isn't. The government agencies that could potentially attack Tor
>to bust the Silk Road would *never* care about the level of drugs moved
>through it. They care about the people multiple levels above TSR,
>drastically higher up in the supply chain.
Is there any evidence of this? From all appearances, they care about nothing
so much as preserving and expanding their funding.
>Remember, TSR sends drugs *through the mail*. You can't successfully
>*mail* enough drugs for the NSA/DEA to care.
NSA surely doesn't want the publicity, but the DEA is always in search of
positive press. If they have to listen to 100K conversations in order to
bust one kid, picking up a few hundred Oxycodone pills at the Post Office,
is there any reason to suspect they wouldn't do so?
*** September Project Update ***
After a busy summer season of meetings and project development, a number of
FSTC projects are poised to launch, as well as a strong pipeline in
development. Our Standing Committees (SCOMs), especially those in Business
Continuity, Security, and Check Imaging and Truncation, continue to broaden
their participation, and build upon a foundation of dialog and action that
leads to FSTC projects. In the past few weeks, we issued two new calls for
participation: e-Authentication Proof-of-Concept, and Business Continuity
Compliance and Status Reporting. See http://fstc.org/projects/new.cfm .
In addition, we have recently completed projects in Image Quality and
Usability Assurance Phase I, Technology Recovery Best Practices, and
Survivability of Check Security Features. Details on these recent projects
can be found at: http://fstc.org/projects/past.cfm .
FSTC provides an action-oriented, collaborative forum for our members to
address shared business opportunities and challenges through technology
projects and knowledge-sharing. We view our projects as our core activity,
and one of the key benefits of FSTC membership is eligibility to participate
in these projects. In our efforts to keep our members and friends
up-to-date on the latest developments in these active and developing
initiatives, we provide our colleagues this periodic project update. As
always, please contact me or Zach Tumin, FSTC Executive Director, for more
information. Or visit our website at http://fstc.org.
Active Projects:
1. Counter-Phishing Phase I
Projects in Formation:
1. e-Authentication: Business and Technology Proof-of-Concept (call for
participation issued 9/8)
2. Business Continuity: Compliance and Status Reporting (call for
participation issued 9/8)
Projects in Development:
1. Image Quality and Usability Assurance Phase II
2. Survivability of Check Security Features Phase II
3. Treasury Services Integration: Data Exchange and Customer Connectivity
through Web Services
4. Transformation to Open Mission Critical Systems
5. Minimum Essential Finance (MEF)
______________
ACTIVE PROJECTS:
1. Counter-Phishing Phase I (launched July 2004, expected to complete in
December)
http://fstc.org/projects/counter-phishing-phase-1/
FSTC has launched a phased initiative to address the problem of phishing and
related threats in financial services, as it affects the relationship
between customer and firm. In collaboration with other industry groups,
FSTC will focus on defining the unique technical and operating requirements
of financial institutions (FIs) for counter-phishing measures; investigating
counter-phishing technical solutions, proving and piloting solution sets
enabled by technology to determine their fit against FI criteria and
requirements; and clarifying the infrastructure fit, requirements, and
impact of these technologies when deployed in concert with customer
education, enforcement, and other industry initiatives. The benefits to
participants are: industry-vetted due diligence and scaling of the current
problem and its future evolution; insight into peer institution strategies
and assessments; and definition of an industry response that may be best
undertaken with collaboration between key industry segments.
12 financial institutions and over 15 technology companies are participating
in the 5-month first phase. This project originates from the Security SCOM:
co-chaired by Mike McCormick of Wells Fargo, and Mike Versace of NEC.
Please contact FSTC Managing Executive Gene Neyer for more information
(gene.neyer(a)fstc.org) (http://fstc.org/advisory/security.cfm)
______________
PROJECTS IN FORMATION:
1. e-Authentication: Business and Technology Proof-of-Concept (call for
participation issued 9/8/04)
http://fstc.org/projects/new.cfm#eauth
This 5-month project will assess the viability of the potential business
opportunity that exists for financial institutions to leverage their online
customer relationships and provide an authentication service to government
agencies, and to integrate these services into financial institutions'
online applications. FSTC, jointly with the GSA's E-Authentication
Initiative Project Management Office (EAI PMO), propose to launch a
three-track project to ascertain the business model, legal framework, and
technical viability of using institutions' identity credentials to permit
consumers and businesses to access secure online government applications.
The GSA is funding the business track of the initiative. There is no cost to
financial institutions, and a $5,000 fee for associate and advisory members.
In addition, a resource commitment is required for all participants, as
outlined in the prospectus. Participation commitments are requested by Sept
24th, and the target kickoff is the week of October 4th.
______________
2. Business Continuity: Compliance and Status Reporting (call for
participation issued 9/8/04)
http://fstc.org/projects/new.cfm#compliance
The FSTC Business Continuity Standing Committee proposes an initiative to
assist the financial industry in coming to a common understanding on the
meaning of continuity regulation, prioritization of compliance related
activities, and creating efficiencies in documenting regulatory compliance
status. To establish a clear understanding of the regulatory environment, a
list of continuity related guidance will be pulled together along with the
name of the agency responsible. Each regulation will be reviewed and a
clearly worded summary of the continuity requirements will be developed.
Where possible the regulatory agencies will be contacted for clarification
on specific points. Common themes and requirements will be documented and
prioritized.
From the continuity regulation summary, a questionnaire will be developed
which will allow a FI to provide or collect continuity compliance status.
The project will focus on providing straight forward interpretations of what
is needed for an FI to comply with current regulations.
This project is sponsored by the Business Continuity SCOM, co-chaired by Tom
Hirsch of US Bank, and Damian Walch of IBM. Please contact FSTC Managing
Executive Charles Wallen for more information (charles.wallen(a)fstc.org)
______________
PROJECTS IN DEVELOPMENT:
1. Image Quality and Usability Assurance: Phase II (proposal being
finalized)
http://fstc.org/projects/new.cfm#iqa2
In Phase I, more than 20 companies, representing 2/3 of US check volume,
most major vendors, and key industry associations, undertook a 90-day effort
to assess the impact of poor quality check images, and defined 16 technical
metrics and 4 usability levels that can be used to measure image quality and
usability in a standard and interoperable way. The findings of the Phase I
project team justified further development, to test these metrics in a
real-world scenario, on millions of images, to determine the quantitative
thresholds for the 16 metrics that will define a minimum baseline "standard"
for acceptable quality images for the industry.
The business objectives are to maximize efficiencies, cost savings, and
ensure strong adoption of image exchange. The project will undertake a
robust, "real-world" analysis and test to provide actionable specifications
and direction to the industry to allow financial institutions, technology
vendors, standards organizations, and other key partners to collectively
implement baseline image quality and usability through industry
collaboration under the FSTC umbrella.
This project originates from the Check Truncation SIG
(http://fstc.org/advisory/check-truncation.cfm) co-chaired by Katrina
Brown, Wells Fargo; Glen Ulrich, US Bank; and Ian Goodall, NCR. A call for
participation is expected during the month of September.
______________
2. Survivability of Check Security Features Phase II
As a follow-on to the recently completed Phase I
(http://fstc.org/projects/csf/) this initiative will seek to develop
interoperability specifications for automated security feature verification
engines. As a growing number of vendors offer security features targeted at
surviving the imaging process, institutions face a growing number of
proprietary verification engines that must be installed and configured to
validate these features during processing. The objective of this initiative
is to make it less expensive and easier to manage the implementation of
these security feature verification products.
This project originates from the Check Truncation SIG
(http://fstc.org/advisory/check-truncation.cfm) More information on this
project will be published in the next month or so.
______________
3. Treasury Services Integration: Data Exchange and Customer Connectivity
through Web Services (on hold)
http://fstc.org/projects/new.cfm#tsi
As a potential Phase II following the previous Web Services for Corporate
Cash Management effort, a core group of FSTC institutions and technology
companies have defined key business objectives and deliverables for a
discovery phase, and subsequent pilot-level project utilizing Web Services
in the Treasury Services / Cash Management area. The project, as it
currently stands, will seek to further develop the Phase I set of web
services and associated definitions to create new and open-standards-based
connectivity options between banks, and between banks and their customers.
The business goals are to enable standards-based "plug-and-play" integration
capabilities between institutions and customer platforms, whether ERP,
Treasury Work Station (TWS), or desktop.
A core group of financial institutions and technology companies has
committed to launching this initiative in the second half of 2004. This
project is considered on-hold until later this year.
______________
4. Transformation to Open Mission Critical Systems
The transformation of systems from higher cost or proprietary delivery to
open systems is one of the most hotly debated and discussed topics in
financial services IT. While there is great promise in the flexibility and
efficiencies gained, there is also risk and cost. An FSTC project will soon
form up to determine answers to such key questions as, "Are those
transformations viable?" and "What are the costs and processes by which a
successful transformation program will be run?" The vision of this
initiative is to bring together financial institutions to investigate the
needs, processes, best practices, technology issues, risk factors,
organizational issues and lessons-learned for transformation projects which
move core business processes from legacy IT assets to open systems. We will
provide additional details shortly. If you are interested in joining an
interest group around this topic, please contact us.
______________
5. Minimum Essential Finance (MEF)
In its early stages, FSTC and its members are in dialog with numerous
government and industry organizations to explore interest in an initiative
to identify the minimum essential elements of our financial system, and to
develop a plan and process to ensure that it remains operational in the
event of a disruption to normal operations. A workshop is currently being
planned for this fall for multiple public and private sector organizations
to develop this concept further. If you are interested in joining this
dialog, please contact Zach Tumin at zachary.tumin(a)fstc.org .
______________
##
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://ls.fstc.org/subscriber>
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
I would like to get further information as to why you don't think
revocation does not work? I'll admit that in the case of the revocation
of Sun's certificates, it was very apparent that the notification process
was weak. The other piece, the browser checking of expired/revoked
certificates is non-existent but if you properly set up your application,
it "should" check the revocation status of both the CA certificate and
the subscriber's certificate.
Your thoughts?
Bram Cohen wrote:
> On Wed, 22 Nov 2000 Lynn.Wheeler(a)firstdata.com wrote:
>
> > the other scenario that some certification agencies have expressed (i.e.
> > licensing bureaus, bbb, consumer report, etc operations) is that in the
> > online world ... that they would provide an online service .... rather than
> > certificates designed for an offline world.
>
> Yes, it seems fairly well established that revocations just plain don't
> work.
>
> Once again, the solution to the problems of offline operation appears to
> be online operation.
>
> -Bram Cohen
>
> For help on using this list (especially unsubscribing), send a message to
> "dcsb-request(a)reservoir.com" with one line of text: "help".
Systems' Internet Privacy & Security Tools For Home Use
Date: Wed, 15 Aug 2001 15:05:49 -0400
Sender: owner-zks-press(a)zeroknowledge.com
Reply-To: press(a)zeroknowledge.com
==================================================================
Zero-Knowledge Systems Press Release, http://www.zeroknowledge.com
==================================================================
FOR IMMEDIATE RELEASE
ROYAL BANK TO TEST ZERO-KNOWLEDGE SYSTEMS' INTERNET PRIVACY AND SECURITY
TOOLS FOR HOME USE
-Select Royal Bank customers to receive Zero-Knowledge Systems' Freedom
Privacy & Security Tools-
Montreal, Quebec- August 15, 2001-Zero-Knowledge Systems today announced
that Royal Bank will begin a six-month pilot program in the fall offering
selected customers the opportunity to try privacy and security tools for
personal use with their computers at home.
The award-winning Freedom software will allow users to secure different
aspects of their Internet experience, such as alerting them of unauthorized
attempts to connect to their personal computer, simplifying registrations
when shopping online, preventing activity-tracking "cookies" from being
stored on their computer, and sending personal information only when it's
the consumer's choice.
"We've designed tools that average consumers can use in their own homes, to
give them greater control over how they share their personal information
when they do business, surf, or shop on the Internet," said Hamnett Hill,
Executive Vice President at Zero-Knowledge Systems. "Companies like Royal
Bank have robust privacy and security measures in place for their web-based
financial services. Our privacy tools give consumers added confidence when
they enter the open marketplace of the Internet."
Zero-Knowledge, which has been providing security and privacy enabling
technologies and services for the past two years, is partnering with OEMs
(Original Equipment Manufacturers), ISPs (Internet Service Providers) and
now financial institutions like Royal Bank to make their privacy and
security tools available for distribution to customers. "We're pleased to
make our privacy and security tools available through organizations that
want to help increase their customers' positive experiences online," Hill
added.
"Our clients have come to trust the privacy and security of their
information with Royal Bank when doing their banking online. We want to
bring tools that offer privacy and security to other parts of their online
experiences," said Peter Cullen, Corporate Privacy Officer at Royal Bank.
As part of a direct mailing in the fall, Royal Bank will offer
Zero-Knowledge's Freedom Privacy & Security Tools for free to selected
current and potential online banking customers. Based on customer feedback,
Royal Bank will consider offering the tools to all its customers next spring
2002.
Cullen added: "People want more choice and control over what they reveal
about themselves online. Royal Bank continues to work on many fronts to help
customers feel more comfortable using new technology for their everyday
needs, such as shopping and banking online. The easy-to-use tools developed
by Zero-Knowledge put additional control over privacy and security in the
hands of the consumer."
About Zero-Knowledge Systems, Inc.
Zero-Knowledge Systems (www.zeroknowledge.com) is a provider of security and
privacy software and services. Zero-Knowledge equips Global 2000
organizations with the software and expertise to manage the security and
privacy of corporate and customer information assets, build brand around
consumer trust, and lower the cost of complying with global privacy
regulations and industry standards. Headquartered in Montreal with offices
in Redwood City, California, the company's suite of products includes the
Privacy Rights Management Center for secure and private management of
customer and corporate data within organizations; the Zero-Knowledge Gateway
for secure and private corporate Internet activities and communications; and
the Freedom Privacy & Security Tools for personal privacy and security
online. Journalists can visit the online pressroom at
www.zeroknowledge.com/media.
About Royal Bank
Royal Bank of Canada (RY) is a diversified financial services company. It
provides personal and commercial banking, wealth management services,
insurance, corporate and investment banking, and transaction processing on a
global basis. The company employs more than 57,000 people who serve more
than 10 million personal, business and public sector customers in North
America and in some 30 countries around the world. For more information,
please visit www.royalbank.com.
(Freedom(r) and Zero-Knowledge(r) are trademarks of Zero-Knowledge Systems,
Inc. These trademarks may be registered in certain jurisdictions. All other
trademarks are sole property of their respective owners.)
For further information, please contact:
Dov Smith
Zero-Knowledge Systems
514.350.7553
dov(a)zeroknowledge.com
Sara Best
Royal Bank Media Relations
416.974.2124
________________________________
Dov Smith
Director of Public Relations
Zero-Knowledge Systems, Inc.
T 514.350.7553 F 514.286.2755
mailto:dov@zeroknowledge.com
www.zeroknowledge.com/media
________________________________
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
irtheory-owner(a)yahoogroups.com
Delivered-To: mailing list irtheory(a)yahoogroups.com
Date: Sun, 13 Jun 2004 17:00:23 -0400
Subject: [irtheory] Re: War ain't beanbag. Irony is conserved.
Reply-To: irtheory(a)yahoogroups.com
At 8:37 PM +0000 6/13/04, Carmi Turchick wrote:
>Thank you for the perfect illustration of pure evil
There you go again.
;-)
Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
I am a student from Poland. I study in Zielona Gora at the Technical
University of Zielona Gora.
I study computing and electronics.
My studies at that university last five years; I am now in my fifth
year.
My education at that university ends when I write and complete my
M.A. thesis, which is why I am writing to you.
The subject of my work is "Modelling and Synthesis safety processor
VIPER in VHDL".
VIPER takes its name from "Verifiable Integrated Processor for
Enhanced Reliability" - it is the world's first microprocessor for
safety-critical applications.
VIPER is a 32-bit microprocessor which was invented at the UK Royal
Signals and Radar Establishment (RSRE) for use in highly safety-critical
military and civil systems.
This processor is a safety processor, which is used to control systems
in which an error or mistake cannot appear while the system is working.
These systems should be characterized by high precision of operation.
VIPER is used at nuclear plants, on board a missile, or at a
chemical refinery, it's going to happen: a catastrophic
computer-related disaster.
I am doing my work in the VHDL hardware description language. I
learned this language during my studies.
VHDL takes its name from "V - Very High Speed Integrated Circuit and
HDL - Hardware Description Language".
I am writing to ask: do you know something about VIPER? Perhaps your
friends know something about this processor.
If you know something about VIPER, could you make available to me all
the materials, documentation, and program algorithms in VHDL or other
languages that you have?
Thank you, I await your answer
Marek Salamaj
My personal details:
MAREK SALAMAJ
e-mail: FOX2000(a)go2.pl

ScanDisk and Defrag aren't working. What do I do?
by "Steve Black - webworker"@grapemail.net 06 Jul '18
Hello,
I am having a problem running maintenance on my computer.
ScanDisk and Defrag seem to keep running over and over
without any results. I tried uninstalling and reinstalling them,
but that did not work. I even uninstalled and reinstalled
Windows 98 II.
Also, my clock kicks back an hour every once in a while for
no apparent reason. Has anyone else ever run into these
problems? Any suggestions?
Steve
webworker(a)grapemail.net
Discover how easy and affordable it can be to get your small
business on the internet. Web site hosting only $9.99/month.
E-commerce and much much more.
Visit http://www.Create-Website.com for more info.
______________________________________________________
>>>>>> WEBSITE SHOWCASES <<<<<<
Examine carefully - those with email addresses included WILL
trade links with you, you are encouraged to contact them. And,
there are many ways to build a successful business. Just look at
these successful sites/programs other members are involved in...
-------------------------------------------------
INCREASE YOUR INTERNET PROFITS
Being an "affiliate" isn't just slapping a banner on your
site. Learn all the secrets of getting extra cash from your
site, without a product to sell!
http://activemarketplace.com/w.cgi?winning-8886
-------------------------------------------------
I didn't MAKE MONEY until I QUIT!
I'm TIRED of marketing! I'm SICK of being the ONLY one
who works! I'm FED UP with the "do nothing and make
millions" mentality! Are YOU? Click below NOW:
http://www.PWCwealth.com/StopMarketing/
Trade Links - Mentor(a)PWCwealth.com
-------------------------------------------------
Is your website getting traffic but not orders?
Profile, Analyze, Promote, and Track your site to get the
results you want. Fully Guaranteed! Free Trial Available!
http://www.roibot.com/w.cgi?R4887_saa
-------------------------------------------------
If you have a product, service, opportunity and/or quality
merchandise that appeals to people worldwide, reach your
target audience!
For a fraction of what other large newsletters charge you
can exhibit your website here for only $8 CPM. Why?...
Because as a valuable member we want you to be successful!
Order today - Exhibits are limited and published on a
first come, first serve basis. http://bannersgomlm.com/ezine
______________________________________________________
>>>>>> MEMBER *REVIEWS* <<<<<<
Visit these sites, look for what you like and any suggestions
you can offer, and send your critique to MyInput
And, after reviewing three sites, your web site will be added to
the list! It's fun, easy, and it's a great opportunity to give
some help and receive an informative review of your own site.
Plus, you can also win a chance to have your site chosen for
a free website redesign. One randomly drawn winner each month!
SITES TO REVIEW:
Site #130: http://hometown.aol.com/laurigal47/myhomepage/sale.html
LauriGal47(a)aol.com
Site #131: http://www.webwitness.homestead.com
John Stitzel
oldstitz(a)yahoo.com
Site #132: http://www.essjayar.co.uk/
Stuart
stuart.reid(a)ntlworld.com
Site #133: http://www.gems-gifts.com
Michael Blanchette
mfj(a)netway.com
Site #134: http://www.LenSeiderInc.com
Len Seider
Lenseider(a)cs.com
Site #135: http://www.alabastercove.com
webmaster(a)alabastercove.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SITE REVIEWED!
Comments on Site #129: http://www.mlmAnonymous.com
Tom Corbett
Tom.corbett(a)fuse.net
~~~~
mlmanonymous had a lot of good information but it was
very overwhelming. The home page seemed to jump around
between the what's, the who's and answering questions. I
would recommend dividing this information - have a page
on why you recommend, overviews of the three products
on another page, faq's on another page.
The text on some of the pages was very tiny, and would
be easier to read in a sans-serif font such as Arial.
I like the site name, but didn't see the fit between it and
health products. The feel of the site was on use these
products for your health, not to make money like so many
other biz-opp sites, so the name just seemed to conflict
with the message.
~~~~
The site is clear enough but to tell the truth I got lost in the
text. I didn't understand most of it and got turned away. It
seems you're selling through various affiliate programs or home
businesses on Health Products (a lot of this around). There's
lots of info here but perhaps too much. A good summary on
the 1st page would do wonders.
~~~~
I had to get out my dictionary for a couple of the words in
your first paragraph, and I have a college education. You're
going to be missing or turning off a lot of people with your
current wording.
On the other hand, if you would develop the "I had faced
some serious health challenges..." and tell people your
story more people would be drawn into your site.
The layout is fine, you're just covering too much on your
home page, and switching topics too often.
~~~~
This site did not load fully in my screen but overlapped.
I'm not sure what makes sites do that, and very few do,
but it is a little bothersome as I have to scroll over to
see the rest of the page. It also had those annoying pop
up windows.
I like the products advertised and there is a lot of info on
them, so that's good.
~~~~
The information on this site should be divided into two
different websites. The focus is divided between health
products and mlm programs, confusing the reader.
I would have liked to see more information about what
the mlm anon meetings and eschool are about.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
______________________________________________________
moderator: Amy Mossel: Moderator(a)AEOpublishing.com
posting: MyInput(a)AEOpublishing.com
______________________________________________________
Send posts and questions (or your answers) to:
mailto:MyInput@AEOpublishing.com
Please send suggestions and comments to:
mailto:Moderator@AEOpublishing.com
To change your subscribed address, send both new
and old address to mailto:Moderator@AEOpublishing.com
See below for unsubscribe instructions.
Copyright 2001 AEOpublishing
----- End of Your Membership Exchange
------------------------------------------------
------------------------------------------------
This email has been sent to cypherpunks(a)cyberpass.net at your
request, by Your Membership Newsletter Services.
Visit our Subscription Center to edit your interests or unsubscribe.
http://ccprod.roving.com/roving/d.jsp?p=oo&id=bd7n7877.kzpf8557&m=bd7n7877&…
View our privacy policy: http://ccprod.roving.com/roving/CCPrivacyPolicy.jsp
Powered by
Constant Contact(R)
www.constantcontact.com