Taurus
Taurus London stock exchange share settlement system. 1990-1993 Abandoned after spending BP400M. ($600M) Today the CREST system is being designed to replace it. A thorough analysis is found in Helga Drummond Escalation in Decision-Making Oxford University Press 1966 237 pages News brief: CrestCo extends deadlines after failed networking trial The two main connection providers for the Crest paperless share settlement system have fallen behind schedule after failing crucial network tests. The Risks Digest Volume 14: Issue 41 Wednesday 17 March 1993 Buy IBM and get fired Ross Anderson < rja14@cl.cam.ac.uk > 12 Mar 93 15:51:24 GMT Newsgroups: sci.crypt,alt.security The press in Britain this morning has been full of stories about Taurus. This was a share dealing system in which the London stock exchange and local institutions had invested some 400 million pounds (600 million dollars). It didn't work and a review showed that there was no reasonable prospect of it working; it seems that it just got too complex to cope with. It has now been written off and the chief executive of the stock exchange `resigned' today. A fair bit of the previous press criticism centred on the security, which was designed by IBM and was apparently rather difficult to manage. As far as one can tell from the press reports, it used their `common cryptographic architecture' of 4753s for central control, DES cards in PS/2's for terminal security, and smartcards for personal key management. Coopers and Lybrand, the systems integrators, have also got a fair bit of stick (they sponsored Eurocrypt 91, or so I seem to recall). It will be interesting to see if this marks a turning point for bankers' attitude to crypto technology. Up to now, it has been hard to sell things like formal methods or elliptic curves to men in suits, as DES in steel boxes was what they were comfortable with. Future systems however may well use public key algorithms, and maybe even electronic wallets which distribute the security processing entirely into smartcards. In that case, expect further entertainment, as some of the complexity will be pushed into the settlement process, or the arbitration system, or the key management mechanism; and the lack of relevant systems experience will exact its pound of flesh in one way or another. Our head of department remarked that such fiascos can be compared to the civil engineering disasters of the nineteenth century such as the collapse of the Tay bridge. Civil engineers eventually got their act together, but there was a long learning process in which they worked out how to structure their approach to large problems and combine the maths with the project management in a way that worked. Watch this space! Ross The Risks Digest Volume 14: Issue 42 Tuesday 23 March 1993 Buy IBM and get fired - a response (Anderson, RISKS-14.41) "Todd W. Arnold" < tarnold@vnet.IBM.COM > Tue, 23 Mar 93 13:18:20 EST In an earlier posting, Ross Anderson discusses the cancellation of the Taurus project in the UK. The information he presents, some from the UK media, is misleading and in some cases incorrect. This gave a rather unfair appraisal of IBM security products. In fact, this part of the system was finished, installed, and tested. I've been asked to post the following "official" description of the situation, so everyone knows what really happened. "The overall Taurus project was managed by the London Stock Exchange with Coopers and Lybrand and other consultants in a number of key management positions; with a range of contractors involved in sub-projects modifying and enhancing the Stock Exchange systems. A US software house was meant to be providing a new custody application and IBM provided a market-leading security infrastructure. The shelving of the overall TAURUS project is for reasons unconnected with IBM's role. IBM's involvement has been as subcontractor for the TAURUS Message Security system. This leading-edge development exploited IBM ICRF host cryptography, OS/2, smart cards, and PS/2 cryptography and signature verification technology to deliver an outstandingly secure method of transferring data between member firms and the Stock Exchange. The development was successfully completed last summer, then rigorously acceptance-tested by the Stock Exchange. IBM installed the system across 200+ separate financial institutions, completing on time in February against an aggressive schedule." I've been told that the massive complexity of the back-end settlement systems was a major factor in the collapse, but I don't really know all the details. (Note that the "signature verification technology" mentioned above is dynamic signature verification, a biometric technology -- not public key digital signatures. RSA public key functions are also available in TSS, but that's not what was used in Taurus.) Todd W. Arnold, tarnold@vnet.ibm.com, IBM Cryptographic Facility Development, Charlotte, NC Disclaimer: This posting represents the poster's views, not those of IBM [I normally suppress all disclaimers and cover them blanket-wise in the masthead. This one is intriguing, because the posting explicitly contains an "official" description, which would seem to disclaim the disclaimer! PGN] The Risks Digest Volume 14: Issue 43 Wednesday 24 March 1993 < Ross.Anderson@cl.cam.ac.uk > Wed, 24 Mar 93 12:55:03 GMT In reply to this: (1) My primary source was `Waiting for Taurus' by J Green-Armitage in Computer Weekly March 4 1993 pp 28 - 29. This article states that the considerable delays and cost overruns were due to a number of problems, including the security subsystem, management hassles and regulatory delays. To quote the article `IBM must accept a modicum of blame because it needed an extra three months in 1992 to finish its solution'. This article appeared a few days before the project was cancelled and the chief executive of the stock exchange resigned. (2) There will be a lot of lawyers picking over this disaster. Two hundred banks and brokers have lost over half a billion dollars between them, and IBM seems to be one of three possible defendants (the others are Coopers and the Stock Exchange itself). If, as IBM now say, their system was finally signed off a few days before the project meltdown, then they may get lucky. But they're obviously still worried. Why else did they not just keep quiet and let the matter die? If they hadn't tried to argue the matter, my initial posting to sci.crypt would have been forgotten by now. Ross Anderson From RISKS forum 15, 20 (November, 1993)