Bibliographic Notes
While the plot and the characters of The Electronic Money Mill
are works of fiction, the setting is not.
Because this may make it difficult for the reader
to separate fact from fiction, we provide the
following loosely structured bibliographic notes.
- The descriptions of MACs, DES, and RSA are accurate. The
author has studied both DES and MACs while working in the
R&D division of a major US Computer Services company.
- The general background material on cryptology that
is presented in Chapter 4 is based primarily upon
the author's personal understanding of the field.
- Number theory is not the author's forte; he apologizes
for any misrepresentations of the theory behind RSA.
- The description of the RSA-129 and RSA-130 challenges is
accurate.
- Most of the RSA-129 material presented in Chapter 4
is based upon e-mail from the three individuals
that led the cracking of RSA-129. In April of 1994,
this e-mail message was sent out to all those that contributed
machine cycles to cracking the code.
- The description of the EFT network, as
presented in Chapters 5 and 17, is, with one
exception, accurate.
- Chapter 17 covers in detail ANSI X9.17-1985.
This is the protocol used for key-exchange
by banks in the US. X9.17 is also used in
many commercial security products (e.g.
encrypting modems).
The author has reviewed X9.17-1992 and verified
that it does not differ in any material way from
the description presented in Chapter 17.
- The statistics on traffic volume appearing in
Chapter 5 are taken from:
  - Modern Cryptology by Agustov Simmons.
  - A review of the Automated Clearinghouse System,
    undertaken by Paul E. Homrighausen of
    Morrison & Foerster in San Francisco,
    circa 1988.
- Several companies are mentioned in the story -- some real
and some not. All references are in passing except
for references to banks and to Psuedo-One.
The two banks that appear
prominently in the story, First Chicago Trust and Bendix
of St. Louis, are, to the best of the author's knowledge,
fictitious. The author apologizes for any similarities
in name to actual banks (it is difficult to dream up
convincing bank names that are not already in actual use!).
- Psuedo-One, which appears in Chapter 6,
is a fictitious company, although it is based
upon an actual company. The position attributed to
Psuedo-One is based upon the author's interpretation of
press releases and other public statements made by
employees and representatives of the actual company upon
which the fictitious company is based.
- The statistics on hacking that appear in Chapter 6
were taken from several sources, including:
  - A report by the Gartner Group
  - Building Internet Firewalls by Chapman and Zwicky
  - Reports by The Computer Emergency Response Team
    Coordination Center (CERT-CC)
- The passing references to an EFT crime in Argentina (e.g. in
Chapter 12) are thinly disguised references to an actual incident
reported in the New York Times. In 1995, $12 million was
transferred illegally within Citicorp customer accounts in
Argentina. While most of the money was later recovered,
$400,000 was not.
- There are passing references to actual people that have
been involved in computer security (on both sides).
Most of these references appear in Chapter 13.
The following people are real:
  - Clifford Stoll
  - Kevin Mitnick
  - Tsutomu Shimomura
  - "Buferd" (an alias for a real hacker)
  - A. Kerckhoff
  - G. S. Vernam
  - C. E. Shannon
  - W. Diffie and M. E. Hellman
  - R. L. Rivest, A. Shamir, and L. Adleman
  - Gustavus J. Simmons
Other actual people mentioned in passing include:
  - Ralph Nader
  - Richard Feynman
  - "Bonnie and Clyde"
  - Al Capone
  - Henry Ford
  - Edgar Allan Poe
  - Julius Caesar and Cicero
  - "Tokyo Rose"
  - Martin Luther King
  - J. E. Hoover
All other persons named in the story are fictitious;
any similarity to actual persons, living or dead, is
entirely coincidental.
- The munition T-shirt mentioned in Chapter 14
really exists, except that now there are
three-line and two-line versions, as opposed to the old
four-line version the author mentions.
Lately RSA-in-Perl has spread to mailing labels, tattoos, etc.
- The anecdotes mixed into the description of the situation
at Bendix of St. Louis in Chapter 14
are based upon material presented in an article by
Ross Anderson in Communications of the ACM.
- The FBI stance on key-escrow, as presented in
Chapter 16, is accurate. The indented quote that appears in
Chapter 16 was taken from a web-site maintained by the
FBI. As indicated in the story, the web-site claims that
the quote is from a Congressional transcript.
- The explanation of NP complexity is the author's own. He
apologizes for any misrepresentations.
- The names and addresses of FBI buildings used in the story
are accurate, as of 1996.
- All named government agencies are real (e.g. DISA).
It should be noted that one area that the author did not
carefully research is the inner machinations of the FBI.
The author does not know how the FBI is structured and which
groups investigate electronic banking crimes. The descriptions
of FBI activities are entirely fictional.
- The flaw in X9.17 is the author's own
discovery. The flaw is very real and is described in detail in
Chapter 17. The quotes in Chapter 17 are taken directly
from ANSI X9.17-1985.
General references:
- Applied Cryptography, by Bruce Schneier.
A "must have" for anybody interested in cryptography.
This book provides a single reference for nearly all of the
cryptographic algorithms commonly in use at the time of printing.
The book is comprehensive. The book can be criticized for a lack
of depth, but that must be expected for such comprehensive coverage
of the field.
- Modern Cryptology, by Agustov Simmons.
Another "must have". Includes an excellent treatment of
Information Integrity.
- Computers and Intractability, by Garey and Johnson.
A full coverage of NP-completeness and complexity theory in
general can be had in this, the leading textbook on
the subject.
- Practical Unix and Internet Security, by Garfinkel
and Spafford. While this book covers many issues not directly
related to cryptography, it is an excellent reference for
Internet security and Unix security, as the title suggests.
- Building Internet Firewalls, by Chapman and Zwicky.
This book covers all aspects of computer security, including
guidance for developing corporate security policies.
- Web Security and Commerce, by Garfinkel and Spafford.
This book complements the Unix security book by the same authors.
It focuses on Web security.
- Cryptography: Theory and Practice, by Doug Stinson.