The Spooky Page
Strange and mysterious stories from the world of the Computer and the Internet
The key escrow affair
As the transfer of information freely gathered pace due to new technology, so state security worldwide became more anxious that the old methods of monitoring flows of information across state and continental boundaries - the phone taps and radio listening posts - were rapidly becoming outmoded. The Internet and mobile phones posed new threats to state security. Now hostile field agents could transfer information worldwide without detection unless measures were taken to close the gaps in intelligence gathering. Not left out of this unease were the British secret services. Coming under the control of the Home Office, MI5, the internal security service, and MI6 (or SIS), the external service, allegedly produced initial proposals to overcome the problems.
One of the first things to be tackled was mobile phones. These can of course be tapped at the Network Service Provider, but of especial concern were the pre-pay variety, most of which are not registered. It is alleged that the Home Office resisted the introduction of pre-pays, but was over-ruled mainly due to commercial considerations. Apart from direct taps, the mobile phone also gives another important form of intelligence, that of location. Providing the mobile phone is switched on, there is a transponder system whereby at intervals the phone is contacted to reveal which cell it is in. This is part of the telemetry intrinsic to the mobile system. Therefore, monitored and recorded feedback from this continous interchange can be used to track the suspected user of a mobile phone from cell to cell and hence geographical location. without the phone being used. This would be very useful from an intelligence angle, but of course will not work with un-registered pre-pays where the user is unidentified.
Attention was also focused on encrypted emails. These are used quite legitimately for corporate company security, but, it appears, are also used for serious crime and international espionage. The most common form of encryption is the "private key" method. This is reminiscent of the wartime German "Enigma" system, in that parties to the interchange, and only them, know a key or code which will decrypt the message. This decryption is done automatically by the various computers at the ends of the message chain. The algorithms used can be quite complex, being multi-layer. It is alleged that the Home Office suggested a "key escrow" system to allow interception of these emails between known suspects. Key escrow works as follows. Person A and Person B are parties to the exchange of encrypted emails. They jointly nominate a person C, who is not party to the interchange, to hold the key, and Person C notifies the authorities they hold it. Person C does not at this point make the actual key known to the authorities.
If the security authorities suspect the encrypted exchange relates to suspects being investigated, they contact Person C, who gives them the key. But person C is not allowed by law to tell A or B of the contact. Obviously, emails have to be intercepted, and this would be done at the ISP. It is understood that this would require a certain type of server, at an indicated cost of 1/2 million pounds to be installed at those ISPs which did not have one. It would seem that ISPs allegedly were contacted on this, but raised severe obligations to this cost.
It is thus not clear whether this legislation, secret as it is itself, can or will be passed due to the practical problems involved. Another complication would appear to be the emergence of new forms of encryption which do not use a key. These rely on system parameters unique to every PC, whereby the encryption only can be decrypted by another PC where these parameters are known to the sender PC. These systems would of course bypass the key escrow system. Only time will tell if the thorny problems of intercepting information passed between suspects, potentially damaging to state security, made possible by new technology, can be enshrined in legislation, and thus be dealt with.
Of trapdoors and things that go bump in the night
The Y2K problem has caused many companies to call in specialists to go through their systems code to check for any problems, and modify as necessary. Of course the vast majority of these people are honest, and the work is fine. But it seems a few are not, and some companies have had to call in new specialists to check the previous specialists` Y2K work, mainly for "trapdoors". So, what is a trapdoor? Trapdoors are means by which one can enter directly into the program code, to modify and correct. They are much used in experimental "beta" code, testing new software products. They are normally removed prior to final sale.
What are trapdoors for, when used for fraud? Say the client is a Bank. When the code is examined for Y2K compliance, a small piece of unnecessary code is inserted, allowing external entry, bypassing the firewall, from the outside world. The new program code passes into operation. Meanwhile, the writer of the insert has opened a number of Bank Accounts in false names in various Banks to which he has access. Then the trapdoor is first used to insert another new piece of code. This says to the Bank system to pay a small amount of money to each of his false Bank accounts in turn for every x number of transactions. An algorithm varies the actual amount randomly within limits. Exactly similar amounts could be noticeable.
The Bank system continues to pay the amounts as instructed, perhaps for several months. By that time say two million pounds has accumulated in the accounts in total. All the accounts are then closed, and the money removed. The Bank code is then entered again via the trapdoor, and the distribution code removed. The trapdoor is still there, perhaps to be used again later. The bank may detect money is missing, from the global sums, even though accounting records of course tally.
They may even suspect the guilty party. But then would any Bank risk the damage to the confidence of their customers by pursuing the suspect to Court? And admit their security is flawed? Better to put it down as a bad debt, find the trapdoor and remove it. And forget it. Meanwhile the new millionaire is on a beach somewhere.....
More will follow of the spooky happenings in the world of computers and the Internet,,,,
Go back to Personal Site Home Page
Or go to 2CV Online ........
Webstyle produced NavBar
Music Player - to stop/replay use panel below
