
Tuesday, April 1, 10:15 P.M.

Megasoft Online, Columbus, Ohio

I continued thinking about the challenge before us after reading Carleton Jillson’s message. If the way to defeat DES was to get more key-cracking clients running, we needed to let a lot more people know about the DESCHALL project and to convince them to run our client software. We had to find the right people and we needed a compelling message to get their attention.

Building on that initial awareness would be the hard part. We were all pretty sure that once things got started, we could get some critical mass of participants and then wait for one of the clients to find the right key. We didn’t know just what would constitute critical mass, but we knew that we were nowhere near it. At the rate we were going, we would take eight years to find a DES key. We needed thousands of clients—that would mean hundreds or even thousands of new participants.

To bring our message to a large number of people, we looked at the media, with particular emphasis on the news outlets that were reporting on computing technology. Early conversations with writers in the media were helpful. Once they understood what we were doing and why anyone would want to find DES keys, they often expressed interest in our project and wanted to be advised in the event of any major milestone (in particular, once someone found the right key). Through those conversations we learned that we didn’t have time to educate people about cryptography, how DES was used, and cryptographic export policy. Reporters need to know what happened so they can give their readers the facts. We quickly learned to adapt our message to get their attention first and to fill in the details afterward. A typical story pitch might go something like, “The government standard for cryptography, used to protect the nation’s financial systems, is vulnerable to attack. I think your readers might like to know how a group of researchers, engineers, and students are using their computers to demonstrate how weak it is.” With that as a basis, many reporters would want to hear more.

78 CHAPTER 11

Not all DESCHALL participants were talking to reporters, though. Some of us were simply looking for ways to raise awareness among people we encountered in our daily online activities. Many of the DESCHALL participants were active on a system called Usenet. Usenet works much like e-mail, except that instead of being a one-to-one communication mechanism, Usenet is many-to-many. Instead of writing an article and addressing it to a person, authors will address it to a newsgroup, and servers all around the world will carry that article in that newsgroup. Thus, people all over the world with similar interests can read articles that people have written and post their own for others to read. Usenet would prove to be an effective way for DESCHALL participants to draw attention to the project.

Signature blocks have long been a part of Usenet articles and e-mail. The basic idea is to define some block of text that will be automatically appended to your message, rather than making you retype your name on each message. Before long, people started adding more information to the signature block, including contact information, thus creating a sort of virtual business card. Pithy remarks were also included on occasion, and some people even went so far as to create huge signature blocks, with gaudy pictures made out of text characters, advocating a dozen different causes. Taken to this extreme, signature blocks could become the electronic equivalent of the bumper sticker.

Before long, messages showing up on the DESCHALL mailing list were carrying signature blocks that advertised the project or provided a link to the project Web site. As DESCHALL project participants went about their business, their signature blocks advertising DESCHALL started to spread. Usenet newsgroups, e-mail lists, and private correspondence became graced with mentions of and links to DESCHALL, usually with a simple tag like “Crack DES Now!” (Although we weren’t technically attempting to crack DES itself—we were trying to crack a DES-encrypted message—our experiences with the media helped us to understand that opening with a long technical digression would not catch and hold the reader’s attention. Brevity rules.)

Likewise, on their personal Web sites, participants began to describe the project and their efforts to advance it. Invitations to join the project were often extended on such Web pages. Oregon State University engineering student Adam Haberlach and I made small graphical buttons fashioned after the “Netscape Now!” buttons that graced so many Web pages in 1997. In a problem akin to having a cupholder with no car to put it in, the European DES-Challenge group that never made any software had created a Web site and graphics. One particularly common graphic was a “Crack DES Now!” button that came from that group. Justin Dolske commandeered that button and put a copy on his Web site for others to use. Since the European DES-Challenge effort had no software, it didn’t seem that they would need the promotional graphic themselves.

Dolske didn’t really have time to try to create new graphics of his own. He had been drafting a “call for participation” document with a brief description of the project and its purpose which was aimed at the technically inclined who would be most likely to understand the project without any explanation. Dolske’s call was posted to Usenet where it would be seen by others involved in cryptography.

The increasing mentions of DES and DESCHALL online helped us recruit new participants who, in turn, encouraged others to join DESCHALL.

Thursday, April 3, 2:30 P.M.

Megasoft Online, Columbus, Ohio

A critical aspect of the promotional effort was to stress the importance of the DESCHALL project to others who weren’t cryptographers and might not even use computers much themselves. To find a way to relate DES security to the concerns of a typical American citizen, I called my own bank, KeyBank, introduced myself as a computer scientist working on a security research project, and asked to speak with someone in the bank’s information security group. The person who answered the phone took my name and number, promising to have someone call me back. Shortly thereafter, my call was returned, and the bank representative and I engaged in an interesting discussion about cryptography, specifically the use of DES. Although the bank official did not want to share details of how DES was used in the banking industry, he was willing to verify for the record certain vague statements like “DES is heavily used in the financial sector.” He expressed serious interest in the project, wished us success, and said that he would be watching our progress from “a safe distance.”

Tuesday, April 8, 7:22 A.M.

Loveland, Colorado

Among the hats that Rocke Verser wore throughout the day was that of editor. Justin Dolske and I worked with Verser to create a press release that would help more DESCHALL participants to talk to the media with confidence. Draft after draft, the press release got improved. Finally, Justin Dolske, Rocke Verser, and I had something we were reasonably happy to share with the rest of the project participants.

Many of the newcomers to the project were very enthusiastic, but did not have the kind of background in cryptography needed to frame the discussion in the right context for reporters on their own. Part of the motivation for our press release was to provide the less technical participants with a simple fact sheet that would help them to make the pitch to their local media outlets. Once the release was put on my Web site and posted to the DESCHALL mailing list, participants began calling local media, pitching a story about the project, with a connection that would be of interest to local news organizations—someone from the immediate community participating in a nation-wide effort.

Hoping that addressing tech-savvy media would help us find still more participants, I sent a draft of our press release to the tips contact address at News.com.

1:30 P.M.

CNET Networks, San Francisco, California

Courtney Macavinta, a writer at CNET’s News.com, found the announcement of the DESCHALL group’s formation of interest. Given the success of the recent 48-bit and 40-bit challenges, she thought that DESCHALL might actually have a shot at solving the challenge.

After reading the press release, she telephoned Rocke Verser and tracked down a few more sources that could help to estimate the difficulty of the problem. She finished her article, and it went into the News.com publication system.

“Users take crack at 56-bit crypto” ran on News.com with a lead-in that clearly set forth the seriousness of our claim, as well as the difficulty facing us. Macavinta wrote,

Thousands of American and Canadian computer users are working night and day to prove that the 56-bit encryption standard set by the United States government is vulnerable. But the effort could take several years.

Our objective was to draw some more attention to the project, bringing in a whole new audience of potential participants. Articles like the one that CNET ran were critical in these efforts.

Wednesday, April 9, 5:50 A.M.

Megasoft Online, Columbus, Ohio

Happy to see the success with CNET, I sent a copy of the press release to my local paper, the Columbus Dispatch. After a long night of working on DESCHALL, I posted a copy of the press release to the DESCHALL Web site that I maintained.

DESCHALL GROUP SEARCHES FOR DES KEY

Sets out to prove that one of the world’s most popular encryption algorithms is no longer secure.

COLUMBUS, OH (April 9, 1997). In answer to RSA Data Security, Inc.’s “Secret Key Challenge,” a group of students, hobbyists, and professionals of all varieties is looking for a needle in a haystack 2.5 miles wide and 1 mile high. The “needle” is the cryptographic key used to encrypt a given message, and the “haystack” is the huge pile of possible keys: 72,057,594,037,927,936 (that’s over 72 quadrillion) of them.

The point? To prove that the DES algorithm—which is widely used in the financial community and elsewhere—is not strong enough to provide protection from attackers. We believe that computing technology is sufficiently advanced that a “brute-force” search for such a key is feasible using only the spare cycles of general purpose computing equipment, and as a result, unless much larger “keys” are used, the security provided by cryptosystems is minimal. Conceptually, a cryptographic key bears many similarities to the key of a typical lock. A long key has more possible combinations of notches than a short key. With a very short key, it might even be feasible to try every possible combination of notches in order to find a key that matches a given lock. In a cryptographic system, keys are measured in length of bits, rather than notches, but the principle is the same: unless a long enough key is used, computers can be used to figure out every possible combination until the correct one is found.

In an electronic world, cryptography is how both individuals and organizations keep things that need to be private from becoming public knowledge. Whether it’s a private conversation or an electronic funds transfer between two financial institutions, cryptography is what keeps the details of the data exchange private. It has often been openly suggested that the US Government’s DES (Data Encryption Standard) algorithm’s 56-bit key size is insufficient for protecting information from either a funded attack, or a large-scale coordinated attack, where large numbers of computers are used to figure out the text of the message by brute force in their idle time: that is, trying every possible combination.

Success in finding the correct key will prove that DES is not strong enough to provide any real level of security, and win the first person to report the correct solution to RSA $10,000.

Many more participants are sought in order to speed up the search. The free client software (available for nearly every popular computer type, with more on the way) is available through the Web site. One simply needs to follow the download instructions to obtain a copy of the software. Once this has been done, the client simply needs to be started, and allowed to run in the background. During unused cycles, the computer will work its way through the DES keyspace, until some computer cooperating in the effort finds the answer.

If you can participate yourself, we urge you to do so. In any case, please make those you know aware of our effort, so that they might be able to participate. Every little bit helps, and we need all the clients we can get to help us quickly provide an answer to RSA’s challenge.

With the CNET article published and a press release on the Web site, my workday of over twenty-four hours came to an end.

After a few hours’ sleep, I was back online, watching the mailing list, seeing other participants describe their efforts to get more publicity for DESCHALL. All told, local papers in Minnesota, Michigan, Ohio, Connecticut, California, and Ottawa were contacted by participants in those areas. Some participants contacted the national technology media and broadcast media throughout the United States and Canada. It was a busy day.

In the first half of 1997, few in the mainstream media understood the significance of the Internet, what kinds of possibilities it presented, or even why anyone should care about DES. A larger problem was that, while most reporters were interested, they didn’t really see a story in the beginning of an effort. If we managed to succeed, however, they wanted to hear about it.

This reaction was not altogether surprising, but it was frustrating in light of our early success with CNET. We were very happy with the coverage that we did get—even if only CNET picked it up. Thanks to that one article, we got the attention of new participants, which is just what we needed—even if it wasn’t the worldwide mainstream media coverage we wanted.

Thursday, April 10, 1:39 A.M.

The Ohio State University, Columbus, Ohio

Justin Dolske looked over RSA’s Web site, and its description of its 1997 Secret Key Challenge. Noticing a link called “In the News” for the first time, he clicked on the text. Dolske noted the links to the articles written about RSA’s 40-bit and 48-bit challenges being won. In addition, he saw a link he did not expect to find: one to CNET’s April 8 article.

Dolske smiled and fired off a message to the DESCHALL mailing list. Attracting enough attention for the contest sponsors to notice us would be important, because anyone finding out about the challenges from RSA’s site would be able to follow links to see that RSA’s DES Challenge was being answered.

“Nice to see that RSA knows that they may need to get out their checkbook soon,” observed Dolske in his e-mail.

As the days went on, we realized that our approach of a simple press release that individual participants would use to base their own pitches to local media was a good one. Rather than having a single Associated Press story (for example) that everyone would run, each paper got to write its own story about someone from among the readership that was involved in a very important project dealing with the security of cryptosystems. The press release provided the necessary background and the rest of the story was about the involvement and the trials of the local individuals participating.

This strategy was at its most effective when the press release was sent to university newspapers. Many students pitched stories to their school papers, and, taking a cue from Carleton Jillson’s April 1 message to the mailing list, would point out their standings in comparison to rival schools.