NDA for FOUO CAP Radio Freqs to be released

Started by CommGeek, January 20, 2010, 04:31:29 AM


N Harmon

Quote from: JoeTomasone on January 22, 2010, 02:22:11 PM
After reading the FAQ, I'm not sold on the overall security of the system, but it's "good enough" to avoid the normal type of prying eyes.

I'm curious which part gave you pause.
NATHAN A. HARMON, Capt, CAP
Monroe Composite Squadron

JoeTomasone

Quote from: N Harmon on January 22, 2010, 02:27:34 PM
Quote from: JoeTomasone on January 22, 2010, 02:22:11 PM
After reading the FAQ, I'm not sold on the overall security of the system, but it's "good enough" to avoid the normal type of prying eyes.

I'm curious which part gave you pause.

My bad, it was the manual, not the FAQ:

Quote from: http://www.truecrypt.org/docs/?s=encryption-scheme
4. Decryption is considered successful if the first 4 bytes of the decrypted data contain the ASCII string "TRUE"

Providing known plaintext is a serious mistake in a cryptographic system as it significantly reduces the attacker's burden.

I do recognize that this is mitigated by the inverse tree burden of multiple algorithms and hashes.
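The header check from the quoted manual step, sketched as an added example (not part of the original posts and not TrueCrypt's code): the known "TRUE" marker is what tells a right password from a wrong one, and every attempt costs a full key derivation first. The XOR keystream cipher, iteration count, salt length and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"      # the known plaintext named in the quoted manual step
SALT_LEN = 64        # assumption: salt kept in the clear ahead of the header
ITERATIONS = 1000    # assumption: illustrative PBKDF2 work factor


def derive_key(password, salt):
    # Each password attempt pays for the whole key derivation.
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=32)


def _keystream(key, length):
    # Stand-in cipher: SHA-256 in counter mode. This is NOT the cipher
    # TrueCrypt uses; it only keeps the example within the standard library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal_header(password, master_key, salt=None):
    # Header layout (constructed): salt || Enc(MAGIC || master_key)
    salt = salt or os.urandom(SALT_LEN)
    return salt + _xor(MAGIC + master_key, derive_key(password, salt))


def open_header(password, header):
    # Returns the master key if the first 4 decrypted bytes are "TRUE",
    # otherwise None. A wrong key passes a 4-byte check by chance about
    # once in 2**32 tries, so the marker is a key verifier, not a secret.
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    plain = _xor(body, derive_key(password, salt))
    if not hmac.compare_digest(plain[:len(MAGIC)], MAGIC):
        return None
    return plain[len(MAGIC):]


if __name__ == "__main__":
    hdr = seal_header(b"correct horse", b"K" * 32)   # constructed sample values
    print(open_header(b"correct horse", hdr) == b"K" * 32)
    print(open_header(b"wrong guess", hdr))
```
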

Major Lord

I have a little black box in my test gear that will show and store the frequency and CTCSS, DCS, and DTMF of any transmissions in range. The bad guys (and scanner nerds) have these and other versions of these too. Our frequency ranges are a matter of public record. There is absolutely no strategic security to our comms, absent someone using a digital mode (pretty good) and/or an encrypted mode (much better). I am sure that, as Flyingpig pointed out, a trip to Google will give anybody all they need to know about our operations. (Googling Robert? You Scofflaw! Next thing you know, you will move on to Moppery, then to Brigandry!) Unless you are in China, Googling Government info is not a crime. I suggest we start recruiting Navajo code talkers.....Or learn a secret language: "The Essnasay is inthey  itchday by the oadray"

Major Lord
"The path of the righteous man is beset on all sides by the iniquities of the selfish and the tyranny of evil men. Blessed is he, who in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother's keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee."

Nick

Quote from: JoeTomasone on January 22, 2010, 02:22:11 PM
After reading the FAQ, I'm not sold on the overall security of the system, but it's "good enough" to avoid the normal type of prying eyes.
https://www.ironkey.com/

I've had a great experience with mine.  After losing my old thumb drive with some personal data on it in the desert, I swore I would never carry another thumb drive without serious data protection (and not that U3 crap).  This was the best solution I've found so far.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

a2capt

Heh. I don't remember what brand it was, but some time back after a mile run, one of our cadets brought back a 1GB drive they'd seen shimmering in the dark against the passage of the headlights of one of the chase vehicles. The thing was in the middle of the street, had been run over several times. I stuck it in the Wing provided laptop to see if it still mounted, to look for anything to identify the owner.

It came up with a splash screen that wanted passwords and bragged about encryption, etc. Fine. Oh well, nothing I can do except unplug it and stick it in the Macintosh instead.

The Macintosh sees two partitions. The first one, rather small, has this autorun on it that along with a script and there was a PNG file, it was the same graphic I saw on the Windows machine. LOL. d'oh!

Open the second partition .. files. Mostly pictures. The number one content of such devices. Turns out there's a ton of photos of a unit's deployment to Iraq and some of them are obviously of the group and an individual that died over there as later on there is the rifle and boots memorial. But none of them are decent enough to see any tapes clearly, other than seeing the same group of guys now around this instead of that.

I start looking at other files, for text files, word docs, whatever. I found several files that appeared to be text. But when loaded were not. After more looking one of them paid off. Though it was still garbage mostly to the eye, in the midst of it there was some plaintext stating that it was a cover letter to an emergency passport application. A bit more perusing through the HEX like mess and I located some phone numbers and started calling. After a bit of exchange of me asking about a missing flash drive, and them saying "no, I'm not missing anything" I probed a little more and then he said "let me go check something" .. "does it have a strap on it?" .. "no, it might have but it's been run over and that part is now broken. " .. does it look ...  " and he described it after a while. The way he was acting at first was like, "I didn't lose anything (because I'll be in trouble if I did)"

In the end, he woke up, seemed he was asleep, too. Though it was only about 2145, after our Tuesday night meeting. He met me in a spot near by and I dialed the phone again, his phone lit up and I handed him the flash drive, he was grateful.  I pointed to where it was found in the street. This is all on a Marine base.

What's it got to do with the current thread discussion? Someone thought that was "secure", and the guy was actually sort of curious about how I was able to even get on it, because he thought it was secure but in the end he said having it back after not even knowing it was missing was better than wondering how the heck I got into it if it was supposed to be "secure". I didn't even get to explain anything.

I bought the cadet that found it, and turned it in, a 1GB flash drive, too.

Security by obscurity will stop most, but not all. Stuff only needs to leak once for potential damage to be done. It's a gamble and a crapshoot.

desertengineer1

A little more background....

The FOUO came out of the agreement between us and the AF.  We just agreed to tell our members not to release frequency information unless specifically authorized by CAP-DC and CAP-CC.

Everyone knew the info would be out on some scanner site within 15 minutes of release.  That wasn't the reason for the FOUO mandate.  We just agreed that our members wouldn't be releasing it in violation of the AFI 10-701 CI process.

I have an ICOM PCR-1000.  I can set it for autoscan between two frequencies, and see a logged list of all active frequencies it saw after XX hours or days.  There are some programs that will even integrate a spectrum line over that scan range to do the same visually.  Many tools out there for medium hobbyists to find frequencies - cheaply.

But remember, CAP's policy here doesn't apply to all this talk.  So what if people are listening?  They always have.  People are listening to military traffic, even decoding ALE (the unencrypted stuff).



Spaceman3750

Quote from: JoeTomasone on January 22, 2010, 05:02:06 AM
Quote from: Spaceman3750 on January 21, 2010, 11:54:50 PM
Quote from: wuzafuzz on January 21, 2010, 10:45:15 PM
I'd be more interested in baking the person doing the interfering than the source of the data.

This is just a hunch, but I think the concern is folks eavesdropping on potentially sensitive conversations (say, coordinates of an object of interest on some type of mission) than interference. The FAA can already bake people for interfering with our frequencies, provided someone can find them, regardless of all this secret squirrel FOUO top secret Q-clearance yankee white stuff.

It'd be the FCC, but saying the FAA is an acceptable mistake for an organization like ours.

Yes, you are correct, I typed that at the end of an endless day :). Plus I forgot to have alphabet soup for breakfast...

desertengineer1

Sooo..

Back to the original topic...

Can anyone cough up a real NDA issued by CAP-DC or commpermissions, or do we call this thread a definite troll fest?

N Harmon

Quote from: Major Lord on January 22, 2010, 02:55:50 PM
I suggest we start recruiting Navajo code talkers.....Or learn a secret language: "The Essnasay is inthey  itchday by the oadray"

We still use code words, right?

"The joker is wild at four three niner seven by one niner six four"

("We're stopping for a slurpee at the 7/11 before RTB")
NATHAN A. HARMON, Capt, CAP
Monroe Composite Squadron

CommGeek

The NDA that CAP requires for ANY official release of our freqs to a CAP member or any other party, is not the same NDA you sign in e-services as a member. It basically says we (CAP) will not release our freq to you unless you sign, and promise not to tell anyone, and CAP WILL NOT release the freq, unless that document is signed.  I don't know where it is in writing, but I have been involved with several in the past months.

desertengineer1

Quote from: CommGeek on January 22, 2010, 07:27:42 PM
The NDA that CAP requires for ANY official release of our freqs to a CAP member or any other party, is not the same NDA you sign in e-services as a member. It basically says we (CAP) will not release our freq to you unless you sign, and promise not to tell anyone, and CAP WILL NOT release the freq, unless that document is signed.  I don't know where it is in writing, but I have been involved with several in the past months.

Please PM me the following, if you can:

Who in CAP is writing them?  (Your Wing, or someone at NHQ?)

Who in CAP is requiring you to do them?  (Need a specific - CAP-DC?  CAP-USAF?  WING CC?  WING DC?)

What is the basis for this requirement, according to the commpermission response?  Again, I was told there was no requirement to do this in 2009.


Eclipse

Quote from: desertengineer1 on January 22, 2010, 08:30:56 PM
Again, I was told there was no requirement to do this in 2009.

Hmm...And yet we are.

I discussed this in detail yesterday with my Wing's DC.  The regulation states that specific permission must be granted for any non-CAP members to be provided with frequency and related information.

For permission to be granted, the requester must agree to use "due care" in protecting those frequencies and not releasing that information to other parties.

Sounds like an NDA to me.

"That Others May Zoom"

Major Lord

From CAPR 100-1:

e. Release of FOUO frequencies outside of CAP. Proposals to provide CAP frequencies to repeater site owners/managers, local partner agencies, or other entities outside of CAP shall be approved on a case-by-case basis by CAP-USAF via CAP National Headquarters prior to disclosure.
(1) Following written coordination with the wing and region commanders, the director of communications shall e-mail the proposal and confirmation of the wing and region commanders' approval to: commpermissions@capnhq.gov.
(2) The proposal should include justification of a need to know on the part of the proposed recipient.
(3) Previously approved releases of wideband CAP frequencies to outside entities shall not apply to narrowband frequencies, so wings must reapply for approval to provide such information to outside entities.
(4) When providing such frequency sensitive information, the CAP user shall state in writing that the frequency information is Department of Defense For Official Use Only (FOUO) and must be afforded a reasonable level of control.

This is the only regulatory guidance I could find on the matter. This seems to create a roadblock significantly greater than an NDA. I don't see anything anywhere about an NDA per se.

Major Lord

desertengineer1

Quote from: Major Lord on January 22, 2010, 09:13:02 PM
From CAPR 100-1:

e. Release of FOUO frequencies outside of CAP. Proposals to provide CAP frequencies to repeater site owners/managers, local partner agencies, or other entities outside of CAP shall be approved on a case-by-case basis by CAP-USAF via CAP National Headquarters prior to disclosure.
(1) Following written coordination with the wing and region commanders, the director of communications shall e-mail the proposal and confirmation of the wing and region commanders' approval to: commpermissions@capnhq.gov.
(2) The proposal should include justification of a need to know on the part of the proposed recipient.
(3) Previously approved releases of wideband CAP frequencies to outside entities shall not apply to narrowband frequencies, so wings must reapply for approval to provide such information to outside entities.
(4) When providing such frequency sensitive information, the CAP user shall state in writing that the frequency information is Department of Defense For Official Use Only (FOUO) and must be afforded a reasonable level of control.

This is the only regulatory guidance I could find on the matter. This seems to create a roadblock significantly greater than an NDA. I don't see anything anywhere about an NDA per se.

Major Lord

Thanks, Major!

The policy does not require you to obtain their signature on an agreement - mainly due to the legal landmines I mentioned earlier.

However, we are required to give them something to firmly communicate the need for FOUO protection.  That's why they specifically wrote "CAP user" in (4).

There is no requirement to have them sign an NDA.

When we start our installations, I'll obtain the necessary permissions from CAP-DC (commpermissions is basically an email listserve for the CAP DC repeater committee and DC staff), and then provide the owners with a memo asking as nice as I can that they don't publicly release the frequencies.  We are their guests and want to maintain good relations.

When the installation is complete, for extra measure on my end, I'll author a quick MFR to our wing DC stating the request was made IAW the Oct 08 policy letter and 100-1, and put it in the repeater file.  That covers me and our wing for e(4).

But there is no requirement for them to sign an agreement in-turn.  We just have to make good effort we record our notifications to them.


desertengineer1

Quote from: Eclipse on January 22, 2010, 08:52:10 PM
Quote from: desertengineer1 on January 22, 2010, 08:30:56 PM
Again, I was told there was no requirement to do this in 2009.

Hmm...And yet we are.

I discussed this in detail yesterday with my Wing's DC.  The regulation states that specific permission must be granted for any non-CAP members to be provided with frequency and related information.

For permission to be granted, the requester must agree to use "due care" in protecting those frequencies and not releasing that information to other parties.

Sounds like an NDA to me.

Nope.  It just means you ask them nicely not to release.  If an NDA were required, the regulations would have specific entries and an attachment with a template of the letter.  This is because any contractual-like agreement actions need to be reviewed by a legal staff.  You just can't be making up NDA's on your own and having corporations sign them.  You should know that.

desertengineer1

Quote from: CommGeek on January 22, 2010, 07:27:42 PM
The NDA that CAP requires for ANY official release of our freqs to a CAP member or any other party, is not the same NDA you sign in e-services as a member. It basically says we (CAP) will not release our freq to you unless you sign, and promise not to tell anyone, and CAP WILL NOT release the freq, unless that document is signed.  I don't know where it is in writing, but I have been involved with several in the past months.

Were these approved by Marek and crew at commpermissions?  I have high doubt they are requiring you to do this. 

If they are, we need to get clarification on the CAP-DC list ASAP.  We're about to turn on a bunch of repeater installs.

CommGeek

Holy Cow Batman....Get over it! ...what's the hang up?  The fact is CAP will not release freqs without an NDA.  That's the way it is!  You should contact CAP-USAF Legal if you see a problem with it.....  But for now that's the way it is!  To date I have been involved with 5 of them, the receiving party had no problems with the process!


Eclipse

Quote from: desertengineer1 on January 22, 2010, 10:12:22 PM
If they are, we need to get clarification on the CAP-DC list ASAP.  We're about to turn on a bunch of repeater installs.

"We", don't.

"That Others May Zoom"

raivo

Quote from: Eclipse on January 23, 2010, 03:52:24 AM
"We", don't.

The second sentence was a fairly good indicator that he meant "we, the people who are about to install these repeaters."

Geesh. Guy's trying to confirm that he's doing something IAW the regs (regs which were quoted in another post, no less) and all he's getting is a bunch of "Well *I* do it this way." Okay, great - if you do it that way, help everyone out and tell us what regs you're operating under so the confusion can be sorted out.

It may very well be that it's the policy of CAP-DC to require an NDA before sharing frequencies, but nobody has definitively confirmed that yet.

CAP Member, 2000-20??
USAF Officer, 2009-2018
Recipient of a Mitchell Award Of Irrelevant Number

"No combat-ready unit has ever passed inspection. No inspection-ready unit has ever survived combat."

heliodoc

The only help you'll get here is "cite please"

When those individuals say that and cannot produce some sort of reg or NDA themselves..  but maybe they don't have to but they will expound to everyone about the regulations out there

Does one really believe those individuals??

Where is that NDA that someone here is talking smack about?

Yep,  let's SEE that so called clarification from CAP-DC list