Terminal Compromise, Winn Schwartau
- Author: Winn Schwartau
intentionally weakened it to insure that they could still decrypt
any messages using the approved algorithm.
“In 1982 a financial group, FIMAS endorsed a DES based method to
authenticate Electronic Funds Transfer, or EFT. Banks move
upwards of a trillion dollars daily, and in an effort to insure
that all monies are moved accurately and to their intended
destinations, the technique of Message Authentication Coding was
introduced. For still unknown reasons it was decided that
encrypting the contents of the messages, or transfers, was
unnecessary. Thus, financial transactions are still carried out with
no protection from eavesdropping.”
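The point Hammacher makes here, that a MAC lets the receiving bank detect a forged or altered transfer but leaves the transfer itself readable to anyone tapping the line, can be shown directly. The following is an added illustration and not part of the novel: HMAC-SHA256 stands in for the DES-based MAC of the 1980s banking standards the text refers to, and the key, the record layout and the field values are constructed for this example.

```python
"""Added illustration (not from the novel): a keyed Message Authentication
Code over an Electronic Funds Transfer record, showing that a MAC protects
integrity but not confidentiality. HMAC-SHA256 is a stand-in for the
DES-based MAC of the banking standards the text mentions; the key, record
layout and values below are constructed for this example."""
import hmac
import hashlib

# Constructed shared key; a real deployment derives it from key management.
SHARED_KEY = b"example-bank-to-bank-mac-key"

# Constructed EFT record: plain ASCII fields separated by '|'.
EFT_MESSAGE = b"FROM=123456789|TO=987654321|AMOUNT=1000000.00|REF=INV-0007"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Keyed MAC over the whole record; only a key holder can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check does not leak tag bytes by timing."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def eavesdropper_view(message: bytes) -> dict:
    """What a passive tap sees: the MAC does nothing to hide the fields."""
    return dict(field.split("=", 1) for field in message.decode("ascii").split("|"))


def demo() -> dict:
    """Genuine record verifies; an altered amount is rejected; plaintext is
    still fully visible on the wire."""
    tag = compute_mac(SHARED_KEY, EFT_MESSAGE)
    # Simulated in-transit alteration of the amount field (constructed).
    tampered = EFT_MESSAGE.replace(b"AMOUNT=1000000.00", b"AMOUNT=9000000.00")
    return {
        "genuine_verifies": verify_mac(SHARED_KEY, EFT_MESSAGE, tag),
        "tampered_verifies": verify_mac(SHARED_KEY, tampered, tag),
        "plaintext_visible": eavesdropper_view(EFT_MESSAGE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Adding encryption of the record (or using an authenticated-encryption mode) is what closes the eavesdropping gap the testimony describes; the MAC alone only answers the question of whether the transfer was altered.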
“Excuse me, Mr. Hammacher, I want to understand this,”
interrupted Senator Deere. “Are you saying that, since 1976, we have had
the ability to camouflage the nation’s financial networks, yet as
of today, they are still unprotected?” Rickfield looked over at
Nancy in disgust but the single camera missed it.
“Yes, ma’am, that’s exactly the case,” replied Hammacher.
“What does that mean to us? The Government? Or the average
citizen?”
“In my opinion it borders on insanity. It means that for the
price of a bit of electronic equipment, anyone can tap into the
details of the financial dealings of banks, the government and
every citizen in this country.”
Senator Deere visibly gulped. “Thank you, please continue.”
“In 1984, President Reagan signed National Security Decision
Directive 145. NSDD-145 established that defense contractors and
other organizations that handle sensitive or classified
information must adhere to certain security and privacy guidelines. A
number of advisory groups were established, and to a minimal
extent, the recommendations have been implemented, but I must
emphasize, to a minimal extent.”
“Can you be a little more specific, Mr. Hammacher?” asked Senator
Deere.
“No ma’am, I can’t. A great deal of these efforts are classified
and by divulging who is not currently in compliance would be a
security violation in itself. It would be fair to say, though,
that the majority of those organizations targeted for additional
security measures fall far short of the government’s intentions
and desires. I am sorry I cannot be more specific.”
“I understand completely. Once again,” Nancy said to Hammacher,
“I am sorry to interrupt.”
“Not at all, Senator.” Hammacher sipped from his water glass.
“As you can see, the interest in security was primarily from the
government, and more specifically the defense community. In
1981, the Department of Defense chartered the DoD Computer
Security Center which has since become the National Computer Security
Center operating under the auspices of the National Security
Agency. In 1983 they published a series of guidelines to be used
in the creation or evaluation of computer security. Officially
titled the Trusted Computer Security Evaluation Criteria, it is
popularly known as the Orange Book. It has had some minor
updates since then, but by and large it is an outdated document
designed for older computer architectures.
“The point to be made here is that while the government had an
ostensible interest and concern about the security of computers,
especially those under their control, there was virtually no
overt significance placed upon the security of private industry’s
computers. Worse yet, it was not until 1987 that any proposed
criteria were developed for networked computers. So, as the
world tied itself together with millions of computers and
networks, the Government was not concerned enough to address the
issue. Even today, there are no secure network criteria that are
universally accepted.”
“Mr. Hammacher.” Senator Rickfield spoke up for the first time.
“You appear to have a most demeaning tone with respect to the
United States Government’s ability to manage itself. I for one
remain unconvinced that we are as derelict as you suggest.
Therefore, I would ask that you stick to the subject at hand, the
facts, and leave your personal opinions at home.”
Nancy Deere as well as much of the audience listened in awe as
Rickfield slashed out at Hammacher who was in the process of
building an argument. Common courtesy demanded that he be
permitted to finish his statement, even if his conclusions were
unpopular or erroneous.
Hammacher did not seem fazed. “Sir, I am recounting the facts,
and only the facts. My personal opinions would only be further
damning, so I agree, that I will refrain.” He turned a page in
his notebook and continued.
“Several laws were passed, most notably Public Law 100-235, the
Computer Security Act of 1987. This weak law called for enhanced
cooperation between the NSA and NIST in the administration of
security for the sensitive but unclassified world of the
Government and the private sector. Interestingly enough, in mid 1990
it was announced, that after a protracted battle between the two
security agencies, the NCSC would shut down and merge its efforts
with its giant super secret parent, the NSA. President Bush
signed the Directive effectively replacing Reagan’s NSDD-145.
Because the budgeting and appropriations for both NSA and the
former NCSC are classified, there is no way to accurately gauge
the effectiveness of this move. It may still be some time before
we understand the ramifications of the new Executive Order.
“To date every state has some kind of statute designed to punish
computer crime, but prosecutions that involve the crossing of
state lines in the commission of a crime are few and far between.
Only 1% of all computer criminals are prosecuted and less than 5%
of those result in convictions. In short, the United States has
done little or nothing to forge an appropriate defense against
computer crime, despite the political gerrymandering and agency
shuffling over the last decade. That concludes my opening
remarks.” Hammacher sat back in his chair and finished the water.
He turned to his lawyer and whispered something Scott couldn’t
hear.
“Ah, Mr. Hammacher, before you continue, I would like to ask a few
questions. Do you mind?” Senator Nancy Deere was being her
usual gracious self.
“Not at all, Senator.”
“You said earlier that the NSA endorsed a cryptographic system
that they themselves could crack. Could you elaborate?” Senator
Nancy Deere’s ability to grasp an issue at the roots was uncanny.
“I’d be pleased to. First of all, it is only one opinion that
the NSA can crack DES; it has never been proven or disproven.
When DES was first introduced some theoreticians felt that NSA
had compromised the original integrity of IBM’s Lucifer
encryption project. I am not qualified to comment either way, but the
reduction of the key length, and the functional feedback
mechanisms were less stringent than the original. If this is true,
then we have to ask ourselves, why? Why would the NSA want a
weaker system?”
A number of heads in the hearing room nodded in agreement with
the question; others merely acknowledged that it was NSA bashing
time again.
Hammacher continued. “There is one theory that suggests that the
NSA, as the largest eavesdropping operation in the world wanted
to make sure that they could still listen in on messages once
they have been encrypted. The NSA has neither confirmed nor
denied these reports. If that is true, then we must ask
ourselves, if DES is so weak, why does the NSA have the ultimate say
on export control. The export of DES is restricted by the
Munitions Control, Department of State, and they rely upon DoD and
the NSA for approval.
“The export controls suggest that maybe NSA cannot decrypt DES,
and there is some evidence to support that. For example, in
1985, the Department of Treasury wanted to extend the validation
of DES for use throughout the Treasury, the Federal Reserve
System and member banks. The NSA put a lot of political muscle
behind an effort to have DES deaffirmed and replaced with newer
encryption algorithms. Treasury argued that they had already
adopted DES, their constituents had spent millions on DES
equipment for EFT and it would be entirely too cumbersome and
expensive to make a change now. Besides, they asked, what’s wrong
with DES? They never got an answer to that question, and thus
they won the battle and DES is still the approved encryption
methodology for banks. It was never established whether DES was
too strong or too weak for NSA’s taste.
“Later, in 1987, the NSA received an application for export of a
DES based device that employed a technique called infinite
encryption. In response to the frenzy over the strength or weakness
of DES, one company took DES and folded it over and over on
itself using multiple keys. The NSA had an internal hemorrhage.
They forbade this product from being exported from the United
States in any form whatsoever. Period. It was an extraordinary
move on their part, and one that had built-in contradictions. If
DES is weak, then why not export it? If it’s too strong, why
argue with Treasury? In any case, the multiple DES issue died
down until recently, when NSA, beaten at their