[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

'Black' budget purchases



Cypherpunks:

	---	The following is posted by Tim May	---
I didn't comment before on Michael Wilson's revelations about the
Maryland Procurement Office (and how it revealed NSA purchases). But I
will now.

He writes:

> Michael Wilson
> Managing Director, The Nemesis Group
> 
> [I hope that the record of purchases made through the Maryland Procurement 
group
> are making their way from systems such as Mead Data and into private systems 
for
> analysis; warning, access of such data is expensive.]

Actually, there are much cheaper way to get even more accurate data.
Gunter Ahrendt has been the compiler of a list of supercomputer sites,
a list which he publishes weekly in comp.sys.super. (I haven't seen it
recently, so it may be dormant for the summer.)

Here's an excerpt for the NSA and CSS:

2) 83.73 - (02-JUN-1993) [NSA]
        National Security Agency,California,US
        1) 3 * Cray C916-512  83.73

3) 69.79 - (22-JUL-1993) [CSS]
        National Computing Security Center,Central Security
Service,National
        Security Agency Headquarters,Fort George G Meade,Maryland,US,
        [email protected]
        1)     TMC CM-5/512     ~35.04  {linearly scaled from a 64CPU
unit}
        2) 5 * Cray Y-MP/8-256   34.75

etc.

I don't discount the possibility that NSA, CSS, NRO, etc. try to hide
some of their purchases--certainly in budgets, if not physically. But
in general they have little to gain by hiding the fact that they have,
for example, 8 Connection Machines. After all, Thinking Machines knows
(purchase, service), and word gets out.

Ahrendt has had good accuracy.

In any case, the number of supercomputers the NSA and its related
affiliate agencies have is not too worrisome to me.

--Tim May

---	end of inclusion	---

The data from the Maryland Procurement Office that is stored in certain 
databases (and removed from others, as I have just discovered when I checked) 
provides the complete 'black' budget purchases of the intelligence community, 
not just their purchases of supercomputers.  Such raw data goes a long way 
towards confirming other bits of intelligence, such as the establishment by NSA 
of its own chip manufacturing facility owing to a lack of trust in undocumented 
sections of commercial silicon.  This data is useful beyond knowing the numbers 
of supercomputers available (although it does help provide an upper boundary on 
raw processing power, useful for quantifying tolerances).

What we find interesting regarding the number of supercomputers at NSA is what 
they do to the keyspace; a supposition of ours from the early period of 
commercial public key was an attack on the domain of potential keys.  Given a 
known keylength, a powerful systematic search for primes that fit that range 
can, over time, begin to damage the strength of the system.  Careful analysis of
technical resource also allows one to speculate--are CM platforms (pardon the 
pun) used for exhaustive systematic search for keys, while Cray systems are used
for attacks on the keyspace?  Differentiation of parallel versus scalar 
processing towards attack domains is interesting.

Additionally, having such information is useful beyond its application towards 
analysis.  Operationally, it is useful for an adversary to know, for instance, 
that photo recon analysis is performed on NeXT workstations.  This knowledge 
provides specifications on just what can achieved in the way of image 
enhancements, etc.  It also opens up a realm of options in informational 
warfare; knowledge of the target platform is critical toward building a tailored
attack mechanism to cripple their capability, while knowledge of their providers
supplies an adversary with the introduction mechanism (there is no such thing as
an isolated system).

Michael Wilson
Managing Director, The Nemesis Group
The Adversary