23 May 1999. Thanks to Michael (Streaky) Bacon, International Security
Consultant

----------------------------------------------------------------------------

Porting Crypto

Since 1986 I have been involved, from time to time, in specifying, designing
and installing crypto devices for commercial telecommunications world-wide.
This particular work has taken me to over 20 countries (I’ve worked in 41
countries to date). My experiences could fill a book (and may do one day),
but here are a few. Some details have been masked to maintain client
confidentiality and to preserve my longevity.

Australia: In the 80s there was a 35% import tax on the importation of
electrical goods. The government wanted to levy this tax on some crypto
equipment we wanted to import. Their argument was that we could source the
equipment in Australia. It took time to persuade them of the
incompatibilities between our system and the locally available systems
before we were allowed to import free of this duty.

Brunei: I had ‘fun’ explaining (for three hours) what a steel box was doing
in my baggage. I'm convinced the customs officer was only curious and didn't
understand what the equipment was - not that I fully explained its purpose!

Colombia: I hand carried a telex cypher device. I had previously been
advised that importation of such devices could be difficult and
'arrangements' were made to meet me airside and escort me through customs.
They worked.

A European country: During some very difficult negotiations over certain
crypto devices, two colleagues and I were driven to a nice restaurant
courtesy of our hosts. We had requested the break at short notice and became
somewhat suspicious that the restaurant chosen was rather a long drive. On
entering we were shown to a table. One of my colleagues asked for a
different table (the restaurant was not crowded). He then changed the cruet
for that from two other tables and contrived to drop his napkin so he could
search under the table. There was no lump sugar, so we didn’t need to change
that! Even then we didn’t talk about our negotiations. I didn’t know all my
colleague’s antecedents at the time, but he was annoyed to be ‘recognised’ by
the immigration officer when we re-entered his native country!

A Far Eastern country: Negotiations between the government and a commercial
party were not going well. The commercial party used e-mail to discuss
negotiating strategy with Head Office. Sensitive parts of the e-mails were
coded using a private code. Signal to noise ratio on the telephone line
deteriorated badly during transmission and the e-mail would eventually have
to be sent en clair. A digitally encrypted telefax was installed at both
ends and the commercial party’s negotiation position improved.
Interestingly, after first using the telefax, the telephone rang and "an
engineer from the telephone exchange" asked if we were having problems with
our telephone line! BTW – the possibility of interception had never entered
the minds of the commercial party’s negotiators!

Another Far Eastern country: Negotiations between the government and a
commercial party were not going well (now where have I heard that before?).
The commercial party was using telex to communicate with Head Office. One
day, the head of the government’s negotiating team referred to some original
material in his file – a telex from the commercial party’s Head Office. This
was not a copy – it was a three part carbonless original! Clearly the
commercial party’s telex line was ‘slaved’ to another terminal to which the
government’s negotiating team had access. Installing an encrypted telefax
put an end to that! Again, interception had never been considered an issue!

Nigeria: What can I say? Pay-offs to customs officers; lost equipment;
missing import documentation; equipment signed for as received in Lagos
turning up in Brussels apparently unshipped. What it was doing in Brussels I
have no idea, as it had been shipped direct to Nigeria from another European
country.

On my first trip I took great delight in explaining to a Nigerian customs
officer that a hand-held key storage unit was a new form of shaver. My
concern was that he might take a fancy to it!

Another delight was noticing on departure that the magnetic arch, which was
being carefully watched by an armed guard, was not even plugged in!

As an aside, I had been asked to investigate in Lagos why a specially
installed voice line experienced very bad signal quality. The reason? The
four wires of the voice circuit had been pushed into the ‘choc-block’ on the
back, but the screws had not been tightened!

Philippines: I had to ‘satisfy’ customs officers to allow me and my baggage,
including a key carrier and hand-held coding device, into the country.

Sarawak: I was taken across the Kuala Belait in a converted motor torpedo
boat to land at a small customs post staffed by 'inexperienced' customs
officers.

Singapore: I arrived on a flight from Australia. Some equipment arrived from
a European country two days beforehand, addressed to my hotel and marked for
my attention. The equipment was somewhat disingenuously described as
'facsimile signal conversion equipment'. Well, it converted the en clair
digital signal into an encrypted signal! On arrival I was ‘requested’ to
attend a meeting at Changi (the airport, not the prison!) with a
representative from 'import/export division'. I was closely questioned by
someone who was very knowledgeable about crypto and too knowledgeable about
my recent movements and affiliations. I was extremely concerned by the
direction and increasing force of his questions, ameliorated only somewhat
by my knowledge that the passport I had been forced to surrender at the
entry gate was not the one with the Singapore entry stamp. Eventually, the
'meeting' was interrupted by a visitor, a rapid exchange between my
interlocutor and the visitor, and a curt announcement that I was free to
leave and my package would be delivered to my hotel. I subsequently
discovered that, once my predicament had been discovered, ‘strings had been
pulled’ to allow the equipment (and me) entry.

UK: I was telephoned by a gentleman from "the DTI" with a PO Box address and
a Cheltenham telephone number on which I could never raise him and which
wouldn’t take messages. He wanted to know the end destination in the UK of
some equipment I was shipping in on a Carnet for testing. It arrived into
Heathrow, became "lost", and reappeared two weeks later at Gatwick airport.
I hand-carried it back to the manufacturers and asked them to ascertain
whether it had been tampered with. Their findings were "it’s possible, but
expertly". All to be expected really.

USA: Walking round and round a car-park in temperatures of 100°F discussing
with a colleague the ethics of a manufacturer shipping crypto equipment to
South America, where it could be used by governments with whose politics my
colleague disagreed. I was obliged to take a commercial view, but my
colleague (a cryptographer) was not convinced. Nevertheless, he did give me
a valuable insight into his concerns over the strength of the equipment we
were discussing.

Afterthought

One continuing problem, despite these examples, was convincing people that
there was a strong potential for the equipment to be compromised. Shipment
often took far longer than expected, it was detained in customs, released
from locations other than the port of arrival, and sometimes didn’t work on
arrival. All these may be expected from time to time, but, when you’re
dealing with crypto, paranoia creeps in. That’s why I end presentations on
such matters with a slide that says: "I know I’m paranoid, but … am I
paranoid enough?"

----------------------------------------------------------------------------