Entries Tagged "history of security"

Page 10 of 10

Indexes to NSA Publications Declassified and Online

In May 2003, Michael Ravnitzky submitted a Freedom of Information Act (FOIA) request to the National Security Agency for a copy of the index to their historical reports at the Center for Cryptologic History and the index to certain journals: the NSA Technical Journal and the Cryptographic Quarterly. These journals had been mentioned in the literature but are not available to the public. Because he thought NSA might be reluctant to release the bibliographic indexes, he also asked for the table of contents to each issue.

The request took more than three years for them to process and declassify — sadly, not atypical — and during the process they asked if he would accept the indexes in lieu of the tables of contents pages: specifically, the cumulative indices that included all the previous material in the earlier indices. He agreed, and got them last month. The results are here.

This is just a sampling of some of the article titles from the NSA Technical Journal:

“The Arithmetic of a Generation Principle for an Electronic Key Generator” · “CATNIP: Computer Analysis – Target Networks Intercept Probability” · “Chatter Patterns: A Last Resort” · “COMINT Satellites – A Space Problem” · “Computers and Advanced Weapons Systems” · “Coupon Collecting and Cryptology” · “Cranks, Nuts, and Screwballs” · “A Cryptologic Fairy Tale” · “Don’t Be Too Smart” · “Earliest Applications of the Computer at NSA” · “Emergency Destruction of Documents” · “Extraterrestrial Intelligence” · “The Fallacy of the One-Time-Pad Excuse” · “GEE WHIZZER” · “The Gweeks Had a Gwoup for It” · “How to Visualize a Matrix” · “Key to the Extraterrestrial Messages” · “A Mechanical Treatment of Fibonacci Sequences” · “Q.E.D.- 2 Hours, 41 Minutes” · “SlGINT Implications of Military Oceanography” · “Some Problems and Techniques in Bookbreaking” · “Upgrading Selected US Codes and Ciphers with a Cover and Deception Capability” · “Weather: Its Role in Communications Intelligence” · “Worldwide Language Problems at NSA”

In the materials the NSA provided, they also included indices to two other publications: Cryptologic Spectrum and Cryptologic Almanac.

The indices to Cryptologic Quarterly and NSA Technical Journal have indices by title, author and keyword. The index to Cryptologic Spectrum has indices by author, title and issue.

Consider these bibliographic tools as stepping stones. If you want an article, send a FOIA request for it. Send a FOIA request for a dozen. There’s a lot of stuff here that would help elucidate the early history of the agency and some interesting cryptographic topics.

Thanks Mike, for doing this work.

Posted on September 26, 2006 at 12:58 PMView Comments

Terrorists as Pirates

The Dread Pirate Bin Laden” argues that, legally, terrorists should be treated as pirates under international law:

More than 2,000 years ago, Marcus Tullius Cicero defined pirates in Roman law as hostis humani generis, “enemies of the human race.” From that day until now, pirates have held a unique status in the law as international criminals subject to universal jurisdiction—meaning that they may be captured wherever they are found, by any person who finds them. The ongoing war against pirates is the only known example of state vs. nonstate conflict until the advent of the war on terror, and its history is long and notable. More important, there are enormous potential benefits of applying this legal definition to contemporary terrorism.

[…]

President Bush and others persist in depicting this new form of state vs. nonstate warfare in traditional terms, as with the president’s declaration of June 2, 2004, that “like the Second World War, our present conflict began with a ruthless surprise attack on the United States.” He went on: “We will not forget that treachery and we will accept nothing less than victory over the enemy.” What constitutes ultimate victory against an enemy that lacks territorial boundaries and governmental structures, in a war without fields of battle or codes of conduct? We can’t capture the enemy’s capital and hoist our flag in triumph. The possibility of perpetual embattlement looms before us.

If the war on terror becomes akin to war against the pirates, however, the situation would change. First, the crime of terrorism would be defined and proscribed internationally, and terrorists would be properly understood as enemies of all states. This legal status carries significant advantages, chief among them the possibility of universal jurisdiction. Terrorists, as hostis humani generis, could be captured wherever they were found, by anyone who found them. Pirates are currently the only form of criminals subject to this special jurisdiction.

Second, this definition would deter states from harboring terrorists on the grounds that they are “freedom fighters” by providing an objective distinction in law between legitimate insurgency and outright terrorism. This same objective definition could, conversely, also deter states from cracking down on political dissidents as “terrorists,” as both Russia and China have done against their dissidents.

Recall the U.N. definition of piracy as acts of “depredation [committed] for private ends.” Just as international piracy is viewed as transcending domestic criminal law, so too must the crime of international terrorism be defined as distinct from domestic homicide or, alternately, revolutionary activities. If a group directs its attacks on military or civilian targets within its own state, it may still fall within domestic criminal law. Yet once it directs those attacks on property or civilians belonging to another state, it exceeds both domestic law and the traditional right of self-determination, and becomes akin to a pirate band.

Third, and perhaps most important, nations that now balk at assisting the United States in the war on terror might have fewer reservations if terrorism were defined as an international crime that could be prosecuted before the International Criminal Court.

Ross Anderson recognized the parallels between terrorism and piracy back in 2001.

Posted on August 30, 2006 at 7:57 AMView Comments

Cold War Software Bugs

Here’s a report that the CIA slipped software bugs to the Soviets in the 1980s:

In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline, according to a new memoir by a Reagan White House official.

A CIA article from 1996 also describes this.

EDITED TO ADD (11/14): Marcus Ranum wrote about this.

Posted on November 14, 2005 at 8:04 AMView Comments

Caches of Explosives Hidden in Moscow

Here’s a post-Cold War risk that I hadn’t considered before:

Construction workers involved in building a new hotel just across from the Kremlin were surprised to find 250 kg of TNT buried deep beneath the old Moskva Hotel that had just been demolished to make way for a new one. Police astonished Muscovites further when they said that the 12 boxes of explosives lodged in the basement could have been there for half a century.

And now, new evidence points to the possibility that Moscow could be dotted with such explosive caches — planted by the secret police in the early days of World War II.

Posted on August 4, 2005 at 7:58 AMView Comments

Forged Documents in National Archives Change History

A recently published book claims that Himmler was murdered by the British Special Operations Executive, rather than him committing suicide after the Allies captured him. The book was based on documents found — apparently in good faith — in the UK’s National Archive, which now appear to have been faked and inserted.

Documents from the National Archives used to substantiate claims that British intelligence agents murdered Heinrich Himmler in 1945 are forgeries, The Daily Telegraph can reveal today.

It seems certain that the bogus documents were somehow planted among genuine papers to pervert the course of historical study.

The results of investigations by forensic document experts on behalf of this newspaper have shocked historians and caused tremors at the Archives, the home of millions of historical documents, which has previously been thought immune to distortion or contamination.

It seems that the security effort at the National Archives is directed towards preventing people from removing documents. But the effects of adding forged documents could be much worse.

Posted on July 14, 2005 at 8:40 AMView Comments

Deep Throat Tradecraft

The politics is certainly interesting, but I am impressed with Felt’s tradecraft. Read Bob Woodward’s description of how he would arrange secret meetings with Felt.

I tried to call Felt, but he wouldn’t take the call. I tried his home in Virginia and had no better luck. So one night I showed up at his Fairfax home. It was a plain-vanilla, perfectly kept, everything-in-its-place suburban house. His manner made me nervous. He said no more phone calls, no more visits to his home, nothing in the open.

I did not know then that in Felt’s earliest days in the FBI, during World War II, he had been assigned to work on the general desk of the Espionage Section. Felt learned a great deal about German spying in the job, and after the war he spent time keeping suspected Soviet agents under surveillance.

So at his home in Virginia that summer, Felt said that if we were to talk it would have to be face to face where no one could observe us.

I said anything would be fine with me.

We would need a preplanned notification system — a change in the environment that no one else would notice or attach any meaning to. I didn’t know what he was talking about.

If you keep the drapes in your apartment closed, open them and that could signal me, he said. I could check each day or have them checked, and if they were open we could meet that night at a designated place. I liked to let the light in at times, I explained.

We needed another signal, he said, indicating that he could check my apartment regularly. He never explained how he could do this.

Feeling under some pressure, I said that I had a red cloth flag, less than a foot square — the kind used as warnings on long truck loads — that a girlfriend had found on the street. She had stuck it in an empty flowerpot on my apartment balcony.

Felt and I agreed that I would move the flowerpot with the flag, which usually was in the front near the railing, to the rear of the balcony if I urgently needed a meeting. This would have to be important and rare, he said sternly. The signal, he said, would mean we would meet that same night about 2 a.m. on the bottom level of an underground garage just over the Key Bridge in Rosslyn.

Felt said I would have to follow strict countersurveillance techniques. How did I get out of my apartment?

I walked out, down the hall, and took the elevator.

Which takes you to the lobby? he asked.

Yes.

Did I have back stairs to my apartment house?

Yes.

Use them when you are heading for a meeting. Do they open into an alley?

Yes.

Take the alley. Don’t use your own car. Take a taxi to several blocks from a hotel where there are cabs after midnight, get dropped off and then walk to get a second cab to Rosslyn. Don’t get dropped off directly at the parking garage. Walk the last several blocks. If you are being followed, don’t go down to the garage. I’ll understand if you don’t show. All this was like a lecture. The key was taking the necessary time — one to two hours to get there. Be patient, serene. Trust the prearrangements. There was no fallback meeting place or time. If we both didn’t show, there would be no meeting.

Felt said that if he had something for me, he could get me a message. He quizzed me about my daily routine, what came to my apartment, the mailbox, etc. The Post was delivered outside my apartment door. I did have a subscription to the New York Times. A number of people in my apartment building near Dupont Circle got the Times. The copies were left in the lobby with the apartment number. Mine was No. 617, and it was written clearly on the outside of each paper in marker pen. Felt said if there was something important he could get to my New York Times — how, I never knew. Page 20 would be circled, and the hands of a clock in the lower part of the page would be drawn to indicate the time of the meeting that night, probably 2 a.m., in the same Rosslyn parking garage.

The relationship was a compact of trust; nothing about it was to be discussed or shared with anyone, he said.

How he could have made a daily observation of my balcony is still a mystery to me. At the time, before the era of intensive security, the back of the building was not enclosed, so anyone could have driven in the back alley to observe my balcony. In addition, my balcony and the back of the apartment complex faced onto a courtyard or back area that was shared with a number of other apartment or office buildings in the area. My balcony could have been seen from dozens of apartments or offices, as best I can tell.

A number of embassies were located in the area. The Iraqi Embassy was down the street, and I thought it possible that the FBI had surveillance or listening posts nearby. Could Felt have had the counterintelligence agents regularly report on the status of my flag and flowerpot? That seems highly unlikely, if not impossible.

Posted on June 2, 2005 at 4:31 PMView Comments

Hacking the Papal Election

As the College of Cardinals prepares to elect a new pope, people like me wonder about the election process. How does it work, and just how hard is it to hack the vote?

Of course I’m not advocating voter fraud in the papal election. Nor am I insinuating that a cardinal might perpetrate fraud. But people who work in security can’t look at a system without trying to figure out how to break it; it’s an occupational hazard.

The rules for papal elections are steeped in tradition, and were last codified on 22 Feb 1996: “Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff.” The document is well-thought-out, and filled with details.

The election takes place in the Sistine Chapel, directed by the Church Chamberlain. The ballot is entirely paper-based, and all ballot counting is done by hand. Votes are secret, but everything else is done in public.

First there’s the “pre-scrutiny” phase. “At least two or three” paper ballots are given to each cardinal (115 will be voting), presumably so that a cardinal has extras in case he makes a mistake. Then nine election officials are randomly selected: three “Scrutineers” who count the votes, three “Revisers,” who verify the results of the Scrutineers, and three “Infirmarii” who collect the votes from those too sick to be in the room. (These officials are chosen randomly for each ballot.)

Each cardinal writes his selection for Pope on a rectangular ballot paper “as far as possible in handwriting that cannot be identified as his.” He then folds the paper lengthwise and holds it aloft for everyone to see.

When everyone is done voting, the “scrutiny” phase of the election begins. The cardinals proceed to the altar one by one. On the altar is a large chalice with a paten (the shallow metal plate used to hold communion wafers during mass) resting on top of it. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice.

If a cardinal cannot walk to the altar, one of the Scrutineers — in full view of everyone — does this for him. If any cardinals are too sick to be in the chapel, the Scrutineers give the Infirmarii a locked empty box with a slot, and the three Infirmarii together collect those votes. (If a cardinal is too sick to write, he asks one of the Infirmarii to do it for him) The box is opened and the ballots are placed onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first Scrutineer shakes it several times in order to mix them. Then the third Scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and everyone votes again.

To count the votes, each ballot is opened and the vote is read by each Scrutineer in turn, the third one aloud. Each Scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals. The total number of votes cast for each person is written on a separate sheet of paper.

Then there’s the “post-scrutiny” phase. The Scrutineers tally the votes and determine if there’s a winner. Then the Revisers verify the entire process: ballots, tallies, everything. And then the ballots are burned. (That’s where the smoke comes from: white if a Pope has been elected, black if not.)

How hard is this to hack? The first observation is that the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. The second observation is that the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In effect, the voter verification process is about as perfect as you’re ever going to find.

Eavesdropping on the process is certainly possible, although the rules explicitly state that the chapel is to be checked for recording and transmission devices “with the help of trustworthy individuals of proven technical ability.” I read that the Vatican is worried about laser microphones, as there are windows near the chapel’s roof.

That leaves us with insider attacks. Can a cardinal influence the election? Certainly the Scrutineers could potentially modify votes, but it’s difficult. The counting is conducted in public, and there are multiple people checking every step. It’s possible for the first Scrutineer, if he’s good at sleight of hand, to swap one ballot paper for another before recording it. Or for the third Scrutineer to swap ballots during the counting process.

A cardinal can’t stuff ballots when he votes. The complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes.

Making the ballots large would make these attacks harder. So would controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.

Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there’s one wrinkle: “If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote.” I assume that’s done so there’s only one plume of smoke for the two elections, but it would be more secure to burn each set of ballots before the next round of voting.

And lastly, the cardinals are in “choir dress” during the voting, which has translucent lace sleeves under a short red cape; much harder for sleight-of-hand tricks.

It’s possible for one Scrutineer to misrecord the votes, but with three Scrutineers, the discrepancy would be quickly detected. I presume a recount would take place, and the correct tally would be verified. Two or three Scrutineers in cahoots with each other could do more mischief, but since the Scrutineers are chosen randomly, the probability of a cabal being selected is very low. And then the Revisers check everything.

More interesting is to try and attack the system of selecting Scrutineers, which isn’t well-defined in the document. Influencing the selection of Scrutineers and Revisers seems a necessary first step towards influencing the election.

Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots with no name written on them (undervotes). Illegible or ambiguous ballots are much more likely, and I presume they are discarded. The rules do have a provision for multiple ballots by the same cardinal: “If during the opening of the ballots the Scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled.” This surprises me, although I suppose it has happened by accident.

If there’s a weak step, it’s the counting of the ballots. There’s no real reason to do a pre-count, and it gives the Scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. I like the idea of randomizing the ballots, but putting the ballots in a wire cage and spinning it around would accomplish the same thing more securely, albeit with less reverence.

And if I were improving the process, I would add some kind of white-glove treatment to prevent a Scrutineer from hiding a pencil lead or pen tip under his fingernails. Although the requirement to write out the candidate’s name in full gives more resistance against this sort of attack.

The recent change in the process that lets the cardinals go back and forth from the chapel into their dorm rooms — instead of being locked in the chapel the whole time as was done previously — makes the process slightly less secure. But I’m sure it makes it a lot more comfortable.

Lastly, there’s the potential for one of the Infirmarii to do what he wants when transcribing the vote of an infirm cardinal, but there’s no way to prevent that. If the cardinal is concerned, he could ask all three Infirmarii to witness the ballot.

There’s also enormous social — religious, actually — disincentives to hacking the vote. The election takes place in a chapel, and at an altar. They also swear an oath as they are casting their ballot — further discouragement. And the Scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election under pain of excommunication: “The Cardinal electors shall further abstain from any form of pact, agreement, promise or other commitment of any kind which could oblige them to give or deny their vote to a person or persons.”

I’m sure there are negotiations and deals and influencing — cardinals are mortal men, after all, and such things are part of how humans come to agreement.

What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a Pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems work is through a pyramid-like scheme, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

And a third and final lesson: when an election process is left to develop over the course of a couple thousand years, you end up with something surprisingly good.

Rules for a papal election

There’s a picture of choir dress on this page

Edited to add: The stack of used ballots are pierced with a needle and thread and tied together, which 1) marks them as used, and 2) makes them harder to reuse.

Posted on April 14, 2005 at 9:59 AMView Comments

1 8 9 10

Sidebar photo of Bruce Schneier by Joe MacInnis.