July 30, 2004

Blackhat Briefings: It's the stupidity, stupid

Author: Joe Barr

Robert Morris worked at AT&T's famed Bell Labs for 26 years, from 1960 until 1986. Then he began his second career: an eight-year stint with the NSA, where he became the agency's chief scientist. Morris describes himself as "a teenage code clerk." He was trained in math at Harvard, helped invent the first modems at Bell Labs, and tells great stories -- declassified, of course -- about the history of communications intelligence. The briefing room was packed Thursday morning for his talk on "The History of the Future."

Looking and sounding for all the world like the classic absent-minded professor, Morris began his talk by describing the successes the English and Americans had in cracking the Germans' Enigma code machine. He gave full props to the English mathematicians involved, but then began to describe some of the wartime "social engineering" and simple carelessness on the part of the Germans which also contributed to a nearly steady diet of decrypted Enigma traffic for the Allies.

One example Morris cited was that of German weather ships. During the war, they were very active in the North Atlantic. They used Enigma machines to send their weather reports back home. The Americans realized that they could save considerable time and effort in decrypting Enigma traffic if they could get their hands on the key lists aboard those weather ships. So they managed to sink three or four of them and salvage the needed keys without the Germans ever becoming aware of what the real target of the attacks was.

As another example, he described a relatively unimportant military installation inside Germany which sent a daily status report via an Enigma link. Since nothing ever happened at the installation, the report was invariably the same. Once this discovery was made, Allied cryptanalysts were able to recover the key used on a daily basis since they had both plain-text and encrypted versions of the message.

But Morris did more than pick on the Germans' mistakes. He insisted there was sufficient stupidity to go around for everyone. The Allies knew that during World War I, for example, the Germans had cracked one of their codes. And yet they continued to use that same code to send information back and forth on convoys sailing from North America to Europe during World War II.

For real security, Morris described the use of one-time pads, which are virtually unbreakable -- unless stupidity is involved, that is. Then he proceeded to describe how one government intelligence agency decided to use one-time pads for their traffic. To obtain the keys, they went to the lowest bidder, who promptly provided them. A second agency soon decided to do the same thing, and again they turned to the same source for the keys. As a cost-saving measure, the vendor decided to send the second buyer the same keys they had sent the first. The one-time pads became breakable "two-time" pads.

The two government agencies involved were the KGB and the GRU. The NSA finally released the details about this incident (and other details about the VENONA Project) in 1995. Forty years of stupid conquers all, it seems.
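Why a reused pad stops being unbreakable, as an added example that is not part of the original article or of Morris's talk. It assumes a textbook byte-wise XOR pad rather than the actual cipher systems involved; the messages are constructed, and `PadLedger` is a hypothetical issuer-side check that refuses to hand out the same pad twice.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_apply(message: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt with a pad; the pad must cover the whole message."""
    if len(pad) < len(message):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(message, pad)


class PadLedger:
    """Hypothetical issuer-side control: hand out each pad once only."""

    def __init__(self):
        self._issued = set()

    def issue(self, pad: bytes) -> bytes:
        fingerprint = hashlib.sha256(pad).digest()
        if fingerprint in self._issued:
            raise RuntimeError("pad already issued; refusing reuse")
        self._issued.add(fingerprint)
        return pad


def demo() -> dict:
    # Constructed sample traffic: a routine report and a sensitive message.
    routine = b"NOTHING TO REPORT TODAY"
    sensitive = b"CONVOY SAILS AT 0400 HR"
    pad = secrets.token_bytes(len(routine))
    c1 = otp_apply(routine, pad)
    c2 = otp_apply(sensitive, pad)  # the cost-saving shortcut: same pad again

    # The pad cancels: the ciphertexts alone give plaintext XOR plaintext.
    leak = xor_bytes(c1, c2)
    # Anyone who knows one plaintext (the invariant report) gets the other.
    recovered = xor_bytes(leak, routine)

    # With a fresh pad per message the same computation yields only noise.
    c3 = otp_apply(sensitive, secrets.token_bytes(len(sensitive)))
    fresh = xor_bytes(xor_bytes(c1, c3), routine)
    return {"leak_is_p1_xor_p2": leak == xor_bytes(routine, sensitive),
            "recovered": recovered, "fresh_pad_output": fresh}
```

The pad's secrecy is untouched in this scenario; uniqueness is the property that failed, which is why the control belongs with whoever generates and distributes the pads.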

It isn't any stretch at all to substitute network security for the war, network security specialists for the intelligence agencies, and users/management as the source of much stupidity. The lesson to be learned from the VENONA Project is that the best practices in the world won't protect your data from your own stupidity.

The room enjoyed the tales of communications intelligence and lack of same. When the following session was canceled due to a no-show, Morris simply took a short break and continued his talk for another hour.

