readenglishbook.com » Other » Terminal Compromise, Winn Schwartau [sight word books txt] 📗

Book online «Terminal Compromise, Winn Schwartau [sight word books txt] 📗». Author Winn Schwartau



1 ... 94 95 96 97 98 99 100 101 102 ... 146
Go to page:
the NSA

intentionally weakened it to insure that they could still decrypt

any messages using the approved algorithm.

“In 1982 a financial group, FIMAS endorsed a DES based method to

authenticate Electronic Funds Transfer, or EFT. Banks move

upwards of a trillion dollars daily, and in an effort to insure

that all monies are moved accurately and to their intended desti-

nations, the technique of Message Authentication Coding was

introduced. For still unknown reasons it was decided that en-

crypting the contents of the messages, or transfers, was unneces-

sary. Thus, financial transactions are still carried out with

no protection from eavesdropping.”

“Excuse me, Mr. Hammacher, I want to understand this,” interrupt-

ed Senator Deere. “Are you saying that, since 1976, we have had

the ability to camouflage the nation’s financial networks, yet as

of today, they are still unprotected?” Rickfield looked over at

Nancy in disgust but the single camera missed it.

“Yes, ma’am, that’s exactly the case,” replied Hammacher.

“What does that mean to us? The Government? Or the average citi-

zen?”

“In my opinion it borders on insanity. It means that for the

price of a bit of electronic equipment, anyone can tap into the

details of the financial dealings of banks, the government and

every citizen in this country.”

Senator Deere visibly gulped. “Thank you, please continue.”

“In 1984, President Reagan signed National Security Decision

Directive 145. NSDD-145 established that defense contractors and

other organizations that handle sensitive or classified informa-

tion must adhere to certain security and privacy guidelines. A

number of advisory groups were established, and to a minimal

extent, the recommendations have been implemented, but I must

emphasize, to a minimal extent.”

“Can you be a little more specific, Mr. Hammacher?” Asked Senator

Deere.

“No ma’am, I can’t. A great deal of these efforts are classified

and by divulging who is not currently in compliance would be a

security violation in itself. It would be fair to say, though,

that the majority of those organizations targeted for additional

security measures fall far short of the government’s intentions

and desires. I am sorry I cannot be more specific.”

“I understand completely. Once again,” Nancy said to Hammacher,

“I am sorry to interrupt.”

“Not at all, Senator.” Hammacher sipped from his water glass.

“As you can see, the interest in security was primarily from the

government, and more specifically the defense community. In

1981, the Department of Defense chartered the DoD Computer Secu-

rity Center which has since become the National Computer Security

Center operating under the auspices of the National Security

Agency. In 1983 they published a series of guidelines to be used

in the creation or evaluation of computer security. Officially

titled the Trusted Computer Security Evaluation Criteria, it is

popularly known as the Orange Book. It has had some minor

updates since then, but by and large it is an outdated document

designed for older computer architectures.

“The point to be made here is that while the government had an

ostensible interest and concern about the security of computers,

especially those under their control, there was virtually no

overt significance placed upon the security of private industry’s

computers. Worse yet, it was not until 1987 that any proposed

criteria were developed for networked computers. So, as the

world tied itself together with millions of computers and net-

works, the Government was not concerned enough to address the

issue. Even today, there are no secure network criteria that are

universally accepted.”

“Mr. Hammacher.” Senator Rickfield spoke up for the first time.

“You appear to have a most demeaning tone with respect to the

United States Government’s ability to manage itself. I for one

remain unconvinced that we are as derelict as you suggest.

Therefore, I would ask that you stick to the subject at hand, the

facts, and leave your personal opinions at home.”

Nancy Deere as well as much of the audience listened in awe as

Rickfield slashed out at Hammacher who was in the process of

building an argument. Common courtesy demanded that he be per-

mitted to finish his statement, even if his conclusions were

unpopular or erroneous.

Hammacher did not seem fazed. “Sir, I am recounting the facts,

and only the facts. My personal opinions would only be further

damning, so I agree, that I will refrain.” He turned a page in

his notebook and continued.

“Several laws were passed, most notably Public Law 100-235, the

Computer Security Act of 1987. This weak law called for enhanced

cooperation between the NSA and NIST in the administration of

security for the sensitive but unclassified world of the Govern-

ment and the private sector. Interestingly enough, in mid 1990

it was announced, that after a protracted battle between the two

security agencies, the NCSC would shut down and merge its efforts

with its giant super secret parent, the NSA. President Bush

signed the Directive effectively replacing Reagan’s NSDD-145.

Because the budgeting and appropriations for both NSA and the

former NCSC are classified, there is no way to accurately gauge

the effectiveness of this move. It may still be some time before

we understand the ramifications of the new Executive Order.

“To date every state has some kind of statute designed to punish

computer crime, but prosecutions that involve the crossing of

state lines in the commission of a crime are far and few between.

Only 1% of all computer criminals are prosecuted and less than 5%

of those result in convictions. In short, the United States has

done little or nothing to forge an appropriate defense against

computer crime, despite the political gerrymandering and agency

shuffling over the last decade. That concludes my opening re-

marks.” Hammacher sat back in his chair and finished the water.

He turned to his lawyer and whispered something Scott couldn’t

hear.

“Ah, Mr. Hammacher, before you continue, I would like ask a few

questions. Do you mind?” Senator Nancy Deere was being her

usual gracious self.

“Not at all, Senator.”

“You said earlier that the NSA endorsed a cryptographic system

that they themselves could crack. Could you elaborate?” Senator

Nancy Deere’s ability to grasp an issue at the roots was uncanny.

“I’d be pleased to. First of all, it is only one opinion that

the NSA can crack DES; it has never been proven or disproven.

When DES was first introduced some theoreticians felt that NSA

had compromised the original integrity of IBM’s Lucifer encryp-

tion project. I am not qualified to comment either way, but the

reduction of the key length, and the functional feedback mecha-

nisms were less stringent than the original. If this is true,

then we have to ask ourselves, why? Why would the NSA want a

weaker system?”

A number of heads in the hearing room nodded in agreement with

the question; others merely acknowledged that it was NSA bashing

time again.

Hammacher continued. “There is one theory that suggests that the

NSA, as the largest eavesdropping operation in the world wanted

to make sure that they could still listen in on messages once

they have been encrypted. The NSA has neither confirmed or

denied these reports. If that is true, then we must ask our-

selves, if DES is so weak, why does the NSA have the ultimate say

on export control. The export of DES is restricted by the Muni-

tions Control, Department of State, and they rely upon DoD and

the NSA for approval.

“The export controls suggest that maybe NSA cannot decrypt DES,

and there is some evidence to support that. For example, in

1985, the Department of Treasury wanted to extend the validation

of DES for use throughout the Treasury, the Federal Reserve

System and member banks. The NSA put a lot of political muscle

behind an effort to have DES deaffirmed and replaced with newer

encryption algorithms. Treasury argued that they had already

adapted DES, their constituents had spent millions on DES equip-

ment for EFT and it would be entirely too cumbersome and expen-

sive to make a change now. Besides, they asked, what’s wrong

with DES? They never got an answer to that question, and thus

they won the battle and DES is still the approved encryption

methodology for banks. It was never established whether DES was

too strong or too weak for NSA’s taste.

“Later, in 1987, the NSA received an application for export of a

DES based device that employed a technique called infinite en-

cryption. In response to the frenzy over the strength or weakness

of DES, one company took DES and folded it over and over on

itself using multiple keys. The NSA had an internal hemorrhage.

They forbade this product from being exported from the United

States in any form whatsoever. Period. It was an extraordinary

move on their part, and one that had built-in contradictions. If

DES is weak, then why not export it? If it’s too strong, why

argue with Treasury? In any case, the multiple DES issue died

down until recently, when NSA, beaten at their

1 ... 94 95 96 97 98 99 100 101 102 ... 146
Go to page:

Free e-book «Terminal Compromise, Winn Schwartau [sight word books txt] 📗» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment