Security Engineering: A Guide to

Building Dependable Distributed

Systems 3° Edition Ross Anderson
Visit to download the full and correct content document:
https://ebookmass.com/product/security-engineering-a-guide-to-building-dependable-
distributed-systems-3-edition-ross-anderson/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Data Engineering with dbt: A practical guide to

building a cloud-based, pragmatic, and dependable data
platform with SQL Zagni

https://ebookmass.com/product/data-engineering-with-dbt-a-
practical-guide-to-building-a-cloud-based-pragmatic-and-
dependable-data-platform-with-sql-zagni/

Solution Architecture Patterns for Enterprise: A Guide

to Building Enterprise Software Systems 1st Edition
Chanaka Fernando

https://ebookmass.com/product/solution-architecture-patterns-for-
enterprise-a-guide-to-building-enterprise-software-systems-1st-
edition-chanaka-fernando/

eTextbook 978-0134454177 Building Construction:

Principles Materials and Systems (3rd Edition)

https://ebookmass.com/product/etextbook-978-0134454177-building-
construction-principles-materials-and-systems-3rd-edition/

Implementing Information Security in Healthcare:

Building a Security Program (Ebook PDF)

https://ebookmass.com/product/implementing-information-security-
in-healthcare-building-a-security-program-ebook-pdf/
Demystifying Intelligent Multimode Security Systems: An
Edge-to-Cloud Cybersecurity Solutions Guide Jody Booth

https://ebookmass.com/product/demystifying-intelligent-multimode-
security-systems-an-edge-to-cloud-cybersecurity-solutions-guide-
jody-booth/

Comptia Security+ Guide to Network Security

Fundamentals 7th Edition Mark Ciampa

https://ebookmass.com/product/comptia-security-guide-to-network-
security-fundamentals-7th-edition-mark-ciampa/

Systems programming: designing and developing

distributed applications Anthony

https://ebookmass.com/product/systems-programming-designing-and-
developing-distributed-applications-anthony/

CCSP Certified Cloud Security Professional. Exam Guide

3rd Edition Unknown

https://ebookmass.com/product/ccsp-certified-cloud-security-
professional-exam-guide-3rd-edition-unknown/

To My Sisters: A Guide to Building Lifelong Friendships

Courtney Daniella Boateng

https://ebookmass.com/product/to-my-sisters-a-guide-to-building-
lifelong-friendships-courtney-daniella-boateng/
Security Engineering
Third Edition
 Security Engineering

A Guide to Building Dependable

Distributed Systems
Third Edition

Ross Anderson
 Anderson ffirs01.tex V1 - 11/23/2020 5:59pm Page iv
k

Copyright © 2020 by Ross Anderson

Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada and the United Kingdom
ISBN: 978-1-119-64278-7
ISBN: 978-1-119-64283-1 (ebk)
ISBN: 978-1-119-64281-7 (ebk)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright
Act, without either the prior written permission of the Publisher, or authorization through
payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons,
Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no repre-
sentations or warranties with respect to the accuracy or completeness of the contents of this
work and specifically disclaim all warranties, including without limitation warranties of
fitness for a particular purpose. No warranty may be created or extended by sales or pro-
k motional materials. The advice and strategies contained herein may not be suitable for every k
situation. This work is sold with the understanding that the publisher is not engaged in ren-
dering legal, accounting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the publisher nor
the author shall be liable for damages arising herefrom. The fact that an organization or Web
site is referred to in this work as a citation and/or a potential source of further information
does not mean that the author or the publisher endorses the information the organization or
website may provide or recommendations it may make. Further, readers should be aware
that Internet websites listed in this work may have changed or disappeared between when
this work was written and when it is read.
For general information on our other products and services please contact our Customer
Care Department within the United States at (877) 762-2974, outside the United States at
(317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some
material included with standard print versions of this book may not be included in e-books
or in print-on-demand. If this book refers to media such as a CD or DVD that is not included
in the version you purchased, you may download this material at booksupport.wiley
.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2020948679
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not
be used without written permission. All other trademarks are the property of their respec-
tive owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned
in this book.

k
For Shireen, Bavani, Nav, Ivan, Lily-Rani, Veddie and Bella
 About the Author

I’ve worked with systems for over forty years. I graduated in mathematics
and natural science from Cambridge in the 1970s, and got a qualification in
computer engineering; my first proper job was in avionics; and after getting
interested in cryptology and computer security, I worked in the banking
industry in the 1980s. I then started working for companies who designed
equipment for banks, and then on related applications such as prepayment
electricity meters.
I moved to academia in 1992 but continued to consult to industry on security
technology. During the 1990s, the number of applications that used cryptology
rose rapidly: burglar alarms, car door locks, road toll tags and satellite TV sys-
tems all made their appearance. The first legal disputes about these systems
came along, and I was lucky enough to be an expert witness in some of the
important cases. The research team I lead had the good fortune to be in the
right place at the right time when technologies such as peer-to-peer systems,
tamper-resistance and digital watermarking became hot topics.
After I’d taught security and cryptology to students for a few years, it
became clear to me that the existing textbooks were too narrow and theo-
retical: the security textbooks focused on the access control mechanisms in
operating systems, while the cryptology books developed the theory behind
cryptographic algorithms and protocols. These topics are interesting, and
important. But they’re only part of the story. Most working engineers are
not overly concerned with crypto or operating system internals, but with
getting good tools and learning how to use them effectively. The inappropriate
use of protection mechanisms is one of the main causes of security failure.
I was encouraged by the positive reception of a number of articles I wrote
on security engineering (starting with ‘Why Cryptosystems Fail’ in 1993).

vii
viii About the Author

Finally, in 1999, I got round to rewriting my class lecture notes and a number
of real-world case studies into a book for a general technical audience.
The first edition of the book, which appeared in 2001, helped me consolidate
my thinking on the economics of information security, as I found that when I
pulled my experiences about some field together into a narrative, the backbone
of the story was often the incentives that the various players had faced. As the
first edition of this book established itself as the standard textbook in the field,
I worked on establishing security economics as a discipline. In 2002, we started
the Workshop on the Economics of Information Security to bring researchers
and practitioners together.
By the time the second edition came out in 2008, it was clear we’d not paid
enough attention to the psychology of security either. Although we’d worked
on security usability from the 1990s, there’s much more to it than that. We need
to understand everything from the arts of deception to how people’s percep-
tion of risk is manipulated. So in 2008 we started the Workshop on Security and
Human Behaviour to get security engineers talking to psychologists, anthro-
pologists, philosophers and even magicians.
A sabbatical in 2011, which I spent partly at Google and partly at Carnegie
Mellon University, persuaded me to broaden our research group to hire psy-
chologists and criminologists. Eventually in 2015 we set up the Cambridge
Cybercrime Centre to collect lots of data on the bad things that happen online
and make them available to over a hundred researchers worldwide. This hasn’t
stopped us doing research on technical security; in fact it’s helped us pick more
relevant technical research topics.
A medic needs to understand a whole series of subjects including anatomy,
physiology, biochemistry, pharmacy and psychology, and then temper this
knowledge with experience of working on hundreds of cases with experienced
colleagues. So also a security engineer needs to understand technical subjects
like crypto, access controls, protocols and side channels; but this knowledge
also needs to be honed by studying real cases. My goal in my academic career
has been to pull all this together. The result you now hold in your hands.
I have learned a lot in the process; writing down what you think you know
is a good way of finding out what you don’t. I have also had a lot of fun. I hope
you have as much fun reading it!
Ross Anderson
Cambridge, November 2020
 Acknowledgements

A great many people have helped in various ways with the third edition of
this book. I put the chapters online for comment as I wrote them, and I owe
thanks to the many people who read them and pointed out assorted errors and
obscurities. They are: Mansoor Ahmed, Sam Ainsworth, Peter Allan, Amit
Seal Ami, James Andrews, Tom Auger, Asokan, Maria Bada, Daniel Bates,
Craig Bauer, Pilgrim Beart, Gerd Beuster, Johann Bezuidenhoudt, Fred Bone,
Matt Brockman, Nick Bohm, Fred Bone, Phil Booth, Lorenzo Cavallaro, David
Chaiken, Yi Ting Chua, Valerio Cini, Ben Collier, Hugo Connery, Lachlan
Cooper, Franck Courbon, Christopher Cowan, Ot van Daalen, Ezra Darshan,
Roman Dickmann, Saar Drimer, Charles Duffy, Marlena Erdos, Andy Farnell,
Bob Fenichel, David Fernee, Alexis FitzGerald, Jean-Alain Fournier, Jordan
Frank, Steve Friedl, Jerry Gamache, Alex Gantman, Ben Gardiner, Jon Geater,
Stuart Gentry, Cam Gerlach, John Gilmore, Jan Goette, Ralph Gross, Cyril
Guerin, Pedram Hayati, Chengying He, Matt Hermannson, Alex Hicks, Ross
Hinds, Timothy Howell, Nick Humphrey, James Humphry, Duncan Hurwood,
Gary Irvine, Erik Itland, Christian Jeschke, Gary Johnson, Doug Jones, Henrik
Karlzen, Joud Khoury, Jon Kilian, Timm Korte, Ronny Kuckuck, Mart Kung,
Jay Lala, Jack Lang, Susan Landau, Peter Landrock, Carl Landwehr, Peter
Lansley, Jeff Leese, Jochen Leidner, Tom de Leon, Andrew Lewis, David
Lewis, Steve Lipner, Jim Lippard, Liz Louis, Simon Luyten, Christian Mainka,
Dhruv Malik, Ivan Marsa-Maestra, Phil Maud, Patrick McCorry, TJ McIntyre,
Marco Mesturino, Luke Mewburn, Spencer Moss, Steven Murdoch, Arvind
Narayanan, Lakshmi Narayanan, Kristi Nikolla, Greg Norcie, Stanislav
Ochotnický, Andy Ozment, Deborah Peel, Stephen Perlmutter, Tony Plank,
William Porquet, David Pottage, Mark Quevedo, Roderick Rees, Larry Reeves,
Philipp Reisinger, Mark Richards, Niklas Rosencrantz, Andy Sayler, Philipp

ix
x Acknowledgements

Schaumann, Christian Schneider, Ben Scott, Jean-Pierre Seifert, Mark Shawyer,

Adam Shostack, Ilia Shumailov, Barbara Simons, Sam Smith, Saija Sorsa,
Michael Specter, Chris Tarnovski, Don Taylor, Andrew Thaeler, Kurt Thomas,
Anthony Vance, Jonas Vautherin, Alex Vetterl, Jeffrey Walton, Andrew Wat-
son, Debora Weber-Wulff, Nienke Weiland, David White, Blake Wiggs, Robin
Wilton, Ron Woerner, Bruno Wolff, Stuart Wray, Jeff Yan, Tom Yates, Andrew
Yeomans, Haaroon Yousaf, Tim Zander and Yiren Zhao. I am also grateful to
my editors at Wiley, Tom Dinse, Jim Minatel and Pete Gaughan, and to my
copyeditors Judy Flynn and Kim Wimpsett, who have all helped make the
process run smoothly.
The people who contributed in various ways to the first and second editions
included the late Anne Anderson, Adam Atkinson, Jean Bacon, Robin Ball,
Andreas Bender, Alastair Beresford, Johann Bezuidenhoudt, Maximilian
Blochberger, David Boddie, Kristof Boeynaems, Nick Bohm, Mike Bond,
Richard Bondi, Robert Brady, Martin Brain, John Brazier, Ian Brown, Mike
Brown, Nick Bohm, Richard Bondi, the late Caspar Bowden, Duncan Camp-
bell, Piotr Carlson, Peter Chambers, Valerio Cini, Richard Clayton, Frank Clish,
Jolyon Clulow, Richard Cox, Dan Cvrcek, George Danezis, James Davenport,
Peter Dean, John Daugman, Whit Diffie, Roger Dingledine, Nick Drage,
Austin Donnelly, Ben Dougall, Saar Drimer, Orr Dunkelman, Steve Early, Dan
Eble, Mike Ellims, Jeremy Epstein, Rasit Eskicioǧlu, Robert Fenichel, Fleur
Fisher, Shawn Fitzgerald, Darren Foong, Shailendra Fuloria, Dan Geer, Gary
Geldart, Paul Gillingwater, John Gilmore, Brian Gladman, Virgil Gligor, Bruce
Godfrey, John Gordon, Gary Graunke, Rich Graveman, Wendy Grossman,
Dan Hagon, Feng Hao, Tony Harminc, Pieter Hartel, David Håsäther, Bill Hey,
Fay Hider, Konstantin Hyppönen, Ian Jackson, Neil Jenkins, Simon Jenkins,
Roger Johnston, Oliver Jorns, Nikolaos Karapanos, the late Paul Karger, Ian
Kelly, Grant Kelly, Alistair Kelman, Ronald De Keulenaer, Hyoung Joong Kim,
Patrick Koeberl, Oliver Kömmerling, Simon Kramer, Markus Kuhn, Peter
Landrock, Susan Landau, Jack Lang, Jong-Hyeon Lee, the late Owen Lewis,
Stephen Lewis, Paul Leyland, Jim Lippard, Willie List, Dan Lough, John
McHugh, the late David MacKay, Garry McKay, Udi Manber, John Martin,
Nick Mathewson, Tyler Moore, the late Bob Morris, Ira Moskowitz, Steven
Murdoch, Shishir Nagaraja, Roger Nebel, the late Roger Needham, Stephan
Neuhaus, Andrew Odlyzko, Mark Oeltjenbruns, Joe Osborne, Andy Ozment,
Alexandros Papadopoulos, Roy Paterson, Chris Pepper, Oscar Pereira, Fabien
Petitcolas, Raphael Phan, Mike Roe, Mark Rotenberg, Avi Rubin, Jerry Saltzer,
Marv Schaefer, Denise Schmandt-Besserat, Gus Simmons, Sam Simpson,
Sergei Skorobogatov, Matthew Slyman, Rick Smith, Sijbrand Spannenburg, the
late Karen Spärck Jones, Mark Staples, Frank Stajano, Philipp Steinmetz, Nik
Sultana, Don Taylor, Martin Taylor, Peter Taylor, Daniel Thomas, Paul Thomas,
 Acknowledgements xi

Vlasios Tsiatsis, Marc Tobias, Hal Varian, Nick Volenec, Daniel Wagner-Hall,
Randall Walker, Robert Watson, Keith Willis, Simon Wiseman, Stuart Wray, Jeff
Yan and the late Stefek Zaba. I also owe a lot to my first publisher, Carol Long.
Through the whole process I have been supported by my family, and espe-
cially by my long-suffering wife Shireen. Each edition of the book meant over
a year when I was constantly distracted. Huge thanks to all for putting up
with me!
 Contents at a Glance

Preface to the Third Edition xxxvii

Preface to the Second Edition xli
Preface to the First Edition xliii
For my daughter, and other lawyers … xlvii
Foreword xlix

Part I
Chapter 1 What Is Security Engineering? 3
Chapter 2 Who Is the Opponent? 17
Chapter 3 Psychology and Usability 63
Chapter 4 Protocols 119
Chapter 5 Cryptography 145
Chapter 6 Access Control 207
Chapter 7 Distributed Systems 243
Chapter 8 Economics 275

xiii
xiv Contents at a Glance

Part II
Chapter 9 Multilevel Security 315
Chapter 10 Boundaries 341
Chapter 11 Inference Control 375
Chapter 12 Banking and Bookkeeping 405
Chapter 13 Locks and Alarms 471
Chapter 14 Monitoring and Metering 497
Chapter 15 Nuclear Command and Control 529
Chapter 16 Security Printing and Seals 549
Chapter 17 Biometrics 571
Chapter 18 Tamper Resistance 599
Chapter 19 Side Channels 639
Chapter 20 Advanced Cryptographic Engineering 667
Chapter 21 Network Attack and Defence 699
Chapter 22 Phones 737
Chapter 23 Electronic and Information Warfare 777
Chapter 24 Copyright and DRM 815
Chapter 25 New Directions? 865

Part III
Chapter 26 Surveillance or Privacy? 909
Chapter 27 Secure Systems Development 965
Chapter 28 Assurance and Sustainability 1015
Chapter 29 Beyond “Computer Says No” 1059

Bibliography 1061

Index 1143
 Contents

Preface to the Third Edition xxxvii

Preface to the Second Edition xli
Preface to the First Edition xliii
For my daughter, and other lawyers … xlvii
Foreword xlix

Part I
Chapter 1 What Is Security Engineering? 3
1.1 Introduction 3
1.2 A framework 4
1.3 Example 1 – a bank 6
1.4 Example 2 – a military base 7
1.5 Example 3 – a hospital 8
1.6 Example 4 – the home 10
1.7 Definitions 11
1.8 Summary 16
Chapter 2 Who Is the Opponent? 17
2.1 Introduction 17
2.2 Spies 19
2.2.1 The Five Eyes 19
2.2.1.1 Prism 19
2.2.1.2 Tempora 20
2.2.1.3 Muscular 21
2.2.1.4 Special collection 22

xv
xvi Contents

2.2.1.5 Bullrun and Edgehill 22

2.2.1.6 Xkeyscore 23
2.2.1.7 Longhaul 24
2.2.1.8 Quantum 25
2.2.1.9 CNE 25
2.2.1.10 The analyst’s viewpoint 27
2.2.1.11 Offensive operations 28
2.2.1.12 Attack scaling 29
2.2.2 China 30
2.2.3 Russia 35
2.2.4 The rest 38
2.2.5 Attribution 40
2.3 Crooks 41
2.3.1 Criminal infrastructure 42
2.3.1.1 Botnet herders 42
2.3.1.2 Malware devs 44
2.3.1.3 Spam senders 45
2.3.1.4 Bulk account compromise 45
2.3.1.5 Targeted attackers 46
2.3.1.6 Cashout gangs 46
2.3.1.7 Ransomware 47
2.3.2 Attacks on banking and payment systems 47
2.3.3 Sectoral cybercrime ecosystems 49
2.3.4 Internal attacks 49
2.3.5 CEO crimes 49
2.3.6 Whistleblowers 50
2.4 Geeks 52
2.5 The swamp 53
2.5.1 Hacktivism and hate campaigns 54
2.5.2 Child sex abuse material 55
2.5.3 School and workplace bullying 57
2.5.4 Intimate relationship abuse 57
2.6 Summary 59
Research problems 60
Further reading 61
Chapter 3 Psychology and Usability 63
3.1 Introduction 63
3.2 Insights from psychology research 64
3.2.1 Cognitive psychology 65
3.2.2 Gender, diversity and interpersonal variation 68
 Contents xvii

3.2.3 Social psychology 70

3.2.3.1 Authority and its abuse 71
3.2.3.2 The bystander effect 72
3.2.4 The social-brain theory of deception 73
3.2.5 Heuristics, biases and behavioural economics 76
3.2.5.1 Prospect theory and risk misperception 77
3.2.5.2 Present bias and hyperbolic discounting 78
3.2.5.3 Defaults and nudges 79
3.2.5.4 The default to intentionality 79
3.2.5.5 The affect heuristic 80
3.2.5.6 Cognitive dissonance 81
3.2.5.7 The risk thermostat 81
3.3 Deception in practice 81
3.3.1 The salesman and the scamster 82
3.3.2 Social engineering 84
3.3.3 Phishing 86
3.3.4 Opsec 88
3.3.5 Deception research 89
3.4 Passwords 90
3.4.1 Password recovery 92
3.4.2 Password choice 94
3.4.3 Difficulties with reliable password entry 94
3.4.4 Difficulties with remembering the password 95
3.4.4.1 Naïve choice 96
3.4.4.2 User abilities and training 96
3.4.4.3 Design errors 98
3.4.4.4 Operational failures 100
3.4.4.5 Social-engineering attacks 101
3.4.4.6 Customer education 102
3.4.4.7 Phishing warnings 103
3.4.5 System issues 104
3.4.6 Can you deny service? 105
3.4.7 Protecting oneself or others? 105
3.4.8 Attacks on password entry 106
3.4.8.1 Interface design 106
3.4.8.2 Trusted path, and bogus terminals 107
3.4.8.3 Technical defeats of password retry
counters 107
3.4.9 Attacks on password storage 108
3.4.9.1 One-way encryption 109
3.4.9.2 Password cracking 109
3.4.9.3 Remote password checking 109
xviii Contents

3.4.10 Absolute limits 110

3.4.11 Using a password manager 111
3.4.12 Will we ever get rid of passwords? 113
3.5 CAPTCHAs 115
3.6 Summary 116
Research problems 117
Further reading 118
Chapter 4 Protocols 119
4.1 Introduction 119
4.2 Password eavesdropping risks 120
4.3 Who goes there? – simple authentication 122
4.3.1 Challenge and response 124
4.3.2 Two-factor authentication 128
4.3.3 The MIG-in-the-middle attack 129
4.3.4 Reflection attacks 132
4.4 Manipulating the message 133
4.5 Changing the environment 134
4.6 Chosen protocol attacks 135
4.7 Managing encryption keys 136
4.7.1 The resurrecting duckling 137
4.7.2 Remote key management 137
4.7.3 The Needham-Schroeder protocol 138
4.7.4 Kerberos 139
4.7.5 Practical key management 141
4.8 Design assurance 141
4.9 Summary 143
Research problems 143
Further reading 144
Chapter 5 Cryptography 145
5.1 Introduction 145
5.2 Historical background 146
5.2.1 An early stream cipher – the Vigenère 147
5.2.2 The one-time pad 148
5.2.3 An early block cipher – Playfair 150
5.2.4 Hash functions 152
5.2.5 Asymmetric primitives 154
5.3 Security models 155
5.3.1 Random functions – hash functions 157
5.3.1.1 Properties 157
5.3.1.2 The birthday theorem 158
5.3.2 Random generators – stream ciphers 159
5.3.3 Random permutations – block ciphers 161
Another random document with
no related content on Scribd:
 Having uttered this Speech, he, with his Cousin M‘Pherson and
Shaw, kneeled down, whilst the Reverend Mr Paterson and myself
joined in Prayer, kneeling before them on a Plank: When Prayers
were over, their Faces were cover’d; when Eighteen Soldiers, in
three Ranks, (Twelve of whom were appointed to do the Execution,
and the other Six for a Reserve, had been kept out of Sight for fear
of shocking the Prisoners) advanced on their Tiptoes, and with the
least Noise possible, their Pieces ready cock’d for fear of the Click
disturbing the Prisoners, Serjeant-Major Ellisson, (who deserv’d the
greatest Commendation for this Precaution) waved a Handkerchief
as a Signal to present; and, after a very short Pause, waved it a
second time as a Signal to fire; when they all three fell instantly
backwards as dead; but Shaw being observed to move his Hand,
one of the Six in Reserve advanc’d, and shot him thro’ the Head, as
another did Samuel M‘Pherson. After the Execution, an Officer
order’d three of the Prisoners, Name-sakes of the Deceased, to
advance and bury them; whom they presently stripp’d to their
Shrouds, put them in their Coffins, and buried them in one Grave,
near the Place they were shot, with great Decency. The Officers on
Duty appeared greatly affected, and three Hundred of the Third
Regiment of Scotch Guards, who were drawn up in three Lines in the
Shape of a half Moon, attended the Execution, many of whom, of the
harden’d Sort, were observed to shed Tears.
Thus ended this melancholy Scene, which raised Compassion
from all, and drew Tears from many of the Spectators. They had by
their courteous Behaviour, gained so much upon the Affections of
their Warders, the Inhabitants of the Tower, and others that
conversed with them, that none were so hard-hearted as to deny
them their Pity, nay, nor hardly had any Resolution to see them
executed.
What made this Spectacle still more moving was, that Mixture of
Devotion, Agony, and Despair that was seen in the Faces and
Actions of the remaining Highland Prisoners, who were ranged within
side the Guards. When Prayers began, they all fell on their Knees
and Elbows, hanging their Heads and covering their Faces with their
Bonnets, and might easily be observed that they could not refrain
from the loudest Lamentations. Such a number of young Men, in so
suppliant a Posture, offering their Prayers so fervently to Heaven,
with such Marks of Sorrow for the Fate of the unhappy Criminals,
had a prodigious effect upon the Spectators, and I am hopeful will
influence the Practice and Conversation of all that saw them; and to
the Praise of these poor Men, (take from them the Account (sic) their
heinous transgression of Mutiny and Desertion) I believe their
courteous and modest Behaviour, their virtuous and pious Principles,
and religious Disposition, would be no bad Pattern for Men above
the Rank of private Centinels, and ought to be a severer Reproof to
many who live here, and have all the Advantages of a liberal
Education, and the Example of a polite Court; that Men they esteem
barbarous, inhabiting a distant and barren Country, should outdo
them in real politeness, that is, in the Knowledge and Practice of the
Doctrines of Christianity.
From hence we may remark, that those who published or
propagated so many scandalous Reports of these unhappy young
Men, must either have taken little Pains to inform themselves of the
Truth, or must be possessed of little Charity, when they load their
Memory with so many Assertions no way connected with their Crime.
But, as this Relation is published from the Prisoners’ own Mouths,
and attested by a Person whose Profession and Character ought to
screen him from the Imputations of Partiality or Falsehood, it is
hoped these Impressions will wear off of the minds of the Public, and
give place to sentiments of Charity for their Crimes, and Compassion
for their Sufferings.
Magna est Veritas, et prævalebit.
FINIS
 APPENDIX III
Dates of Restorations carried on by H.M.
Office of Works at the Tower of London
to the present time. For Details see
Appendices IV.–V.
Under
whose
direction
works
executed.
Salvin. Beauchamp Tower, restored 1852
Do. Salt Tower „ 1856
Taylor. Chapel Royal „ 1876
Restoration of wall on River Front together with
Do. 1878
the Cradle and Well Towers
1881–
Do. Broad Arrow Tower
2
1882–
Do. Restoration of Lanthorn Tower
3
Do. Do. Ballium Wall 1886
Do. Well Tower 1887
Restoration of Ballium wall between Wakefield
Do. 1888
and Lanthorn Tower
Do. Restoration of S.W. Turret of White Tower 1895
Restoration of S.E. Turret and base of White
Do. 1896
Tower, S. and E.; also Stone Stairs on the S.
 Under
whose
direction
works
executed.
J. R. North Wing of King’s Tower lifted 15 in. on E. 1898–
Westcott. front; restored 9
1899–
Do. Bloody Tower
1900
Note.—Certain new buildings have also lately been erected by the
War Office, including a new Main Guard, which is a permanent
eyesore to the Tower; this ugly building was completed in the year
1900, and stands on the site of the old Main Guard.
DESCRIPTION
1. Kentish rag & flint with shell mortar splendid quality this
work is NORMAN
2. These foundations are from 5 to 6 feet below Dungeon
floor & are composed of Kentish Rag chalk and a small
quantity of Flints. The mortar is a kind of Clunck & not so
good as No 1
3. Similar to No 2 & within 6 inches of surface 6 feet in
depth. Chalk & Kentish rag chalk predominating rufus
very inferior
4. This wall consists of Kentish rag Gatton stone fragments
of Roman brick & Tile & shell mortar.
5. Similar to No 2 one of the walls of Coldharbour Tower & is
now incorporated in the New Main Guard. The bottom is
level with No 2
6. Under the S.W. angle of the batter of the White Tower is
the Oubliette & into which the subway enters
7. A fine specimen of Norman masonry. In 1899 it was 56
feet deep & contained 42 feet of water it is lined sith
Gatton stone Ashler
8. An aperture discovered in 1899 leading into the subway
& was probably broken through in the 16th century.
Through this aperture a large number of stone, iron &
lead cannon balls were lodged in the subway believed to
be relics of Flamanks or Wyatts rebellion. The arch was
made good in 1899

Plan showing Recent Discoveries at the Tower.

 APPENDIX IV
RECENT DISCOVERIES AT THE TOWER
Since the time when the late Prince Consort interested himself in the
restoration and preservation of the Tower, the Commissioners of
Works and Public Buildings have cleared away, from time to time, all
useless and modern portions which obscured certain parts of the
ancient fabric. This work was actually begun in the lifetime of the
Prince Consort, under the superintendence of Mr Salvin, who still
continues to be consulted on all the more important restorations. The
works are now under the superintendence of Mr John Taylor, the
Surveyor to the Commissioners, who is aided by Major-General
Milman, Major of the Tower and the resident military commander, all
designs being submitted to the Sovereign before being carried into
execution. The various restorations, especially those of the
Beauchamp Tower and St Peter’s Chapel, have been described in
the body of this work.
During the year, a range of buildings which stood against the east
side of the White Tower, and believed to have been built in the
fourteenth or fifteenth century, were pulled down, and it was found
that the outer walls were of the period generally assigned to the
building, but that the inner or west wall was of brick. This building,
which extended on the south side from the south-east turret of the
White Tower to what was formerly the Wardrobe Tower, and thence
in a north-westerly direction with a return wall to the north-east turret
of the White Tower,—had been so altered and patched that it no
longer possessed any architectural or antiquarian interest, and was
entirely removed, except those portions of the south walls and the
ruins of the Wardrobe Tower, which form the north wall of the Tower
Armoury, erected in 1826.
 Whilst this work of demolishing was being carried out, an
interesting discovery was made, Roman tiles and mortar being
found, worked up into the materials of which these walls were built.
At the south-east corner, and adjoining the remains of the Wardrobe
Tower, a portion of Roman wall was disclosed, having three courses
of bonded tiles showing above the surface of the débris. This piece
of wall is in a direct westerly line with the old city wall, shown in a
plan of the Tower made in 1597, the demolished buildings likewise
appearing on this plan, which can be seen in the office of the
Commissioners of Works. Two inferences are possible from the
discovery of this Roman work; either it is part of the old city wall or
the remains of a Roman building, and if it is satisfactorily proved to
be Roman, it will practically settle the contested point as to whether
there was ever a Roman fortress on the site of the White Tower or
not. Holinshed, in the third Book of his history of England, quoting
both Leyland and Fabyan, says, that Belins, who began to reign
conjointly with Brennus as King of Britain, which was “about the
seventh year of Artaxerxes, the seventh king of the Persians, builded
a haven with a gate within the city of Troinovant, now called London.
This gate was long after called Belins gate, and at length, by
corruption of language, Billingsgate. He builded also a castle
westward from this gate (as some have written) which was long time
likewise called Belins Castell, and is the same which we now call the
Tower of London.” It was pointed out in the first volume of this work
that Fitzstephen declared the White Tower to have been built by
Julius Cæsar, and that the mortar used in the building was
“tempered with the blood of beasts,” but the Roman habit of mixing
powdered tiles with their mortar, may have given rise to this theory.
Stowe, in his survey of London about 1076, says, that William the
Conqueror caused the present White Tower to be erected at the
south-east angle of the city wall, which would be the actual spot
where the fragment of the recently discovered Roman wall now
stands.
On removing the southern wall of this building, it was found that it
was built up to, and not bonded into the south-east turret of the
White Tower, which forms the apse of St John’s Chapel. When it was
taken down, the original stone-work of the White Tower was laid
bare. It is quite honeycombed by age, Sir Christopher Wren having,
of course, been unable to reface it as he did the exposed portions of
the Tower.
The Cradle Tower, which is the third tower on the southern side of
the outer Ballium wall, the others being the Develin and the Well
Towers, was opened out and restored in the year 1878. Before its
restoration, the southern wall was closed up, the only apertures
being two loopholes. There was nothing to indicate that it ever had
any connection with the moat, and the only access to the interior was
on the north side, within the Ballium wall. It was used as a
gunpowder store, and was only one storey in height, no trace
remaining of the second storey which originally existed. The first step
taken was to remove the whole of the masonry which had been built
up against the Tower; this disclosed the old front as well as an arch
on the south side. The return walls extended ten feet, and were built
with their southern face in the moat, having two half arches turned
against the moat wall, and when the masonry blocking up the arch in
the south wall and these two half arches was removed, it at once
became evident that formerly the water in the moat had flowed
through the half arches and across the centre arch. By clearing away
this masonry the wall of the moat itself was disclosed, and was found
to be of an earlier date than the architecture of the Tower itself. On
the ground floor there is a chamber with a finely groined roof of the
late thirteenth or early fourteenth century. The following is the actual
restoration done to the Cradle Tower. The wall built up in the moat
under the centre arch and under the two half-turned arches has been
cleared away, and the outer walls have all been restored to their
original condition. An additional storey and turret have been erected
on the same plan as the old building. The corbels in the groined roof
of the ground floor chamber, which were broken off, have been
replaced by new ones copied from a single corbel that remained. A
wooden grating, after the pattern of an old doorway in the Byward
Tower, has been fitted to the central arch, whilst the space between
that arch and the moat has been boarded over.
 The White Tower, showing the Exterior of St. John’s
Chapel and remains of the Roman Wall
A further discovery was made during the restoration of this tower.
In the space between the bridge over the moat to the east of the
Cradle Tower and the Well Tower, stood a modern building used as a
storehouse by the Ordnance Department, and this being pulled
down, excavations in its foundations, made by the Board of Works,
have disclosed a brick paving and some loopholes in the outer
Ballium wall, which has helped to identify this space as the site of the
garden belonging to the Queen’s apartments, when the royal palace
stood within the Tower walls. This palace occupied the space
bounded by a line running exactly from the south angle of the White
Tower to the Broad Arrow Tower, thence south along the inner
Ballium wall to the Salt Tower, thence west to the Wakefield Tower,
and north to the south-west angle of the White Tower. A portion of
this space is now occupied by the Ordnance Stores and the Control
Office. Nearly opposite to, and to the west of the Cradle Tower, and
on the south side of the royal Palace, stood the Lanthorn Tower (now
rebuilt). The Queen’s apartments extended from the Lanthorn Tower
to the south-east angle of the White Tower, and the space recently
cleared, formed the Queen’s private garden, the loopholes in the
Ballium wall bounding the garden on the south side giving a view of
the river.
From these discoveries it would appear that the Cradle Tower was
the entrance to the Queen’s apartments from the river, and the
opinion is confirmed by the fact that the inner faces of the walls on
which the centre arch stands, are worked and pointed as outside
facing, probably to withstand the action of the water as they would
be covered when the moat was full. There is space above the arch
for a portcullis and grooves in the jambs, but it is not large enough
for portcullis slides. In the entrance on the north or land side,
however, both the space and grooves show that there was a
portcullis there, and the chamber on the east side has no outlet,
except into the centre chamber or gateway—from which it would
seem that it was a guard-room for the use of a warder while on duty
at the gate. And the name of the Tower strengthens this idea,
“Cradle” being the old Saxon word “cradel,” meaning a movable bed.
The hypothesis is that there was a hoist or lift by which a boat, after
passing through the archway, was lifted on to the floor of the
gateway. On comparing the groining of the chamber with the groined
chamber in the Well Tower, the greater beauty of that in the Cradle
Tower is at once apparent, which would point to its being part of a
royal dwelling. It is also nearly opposite the site of the Lanthorn
Tower, which was the entrance to the Queen’s apartments. The
access to and from the Thames and the Queen’s apartments of the
Palace, would be from the Cradle Tower to the moat, under St
Thomas’s Tower and through Traitor’s Gate, and would be the only
communication with the river. In 1641 the Cradle Tower appears to
have been used as a prison, according to “A particular of the Names
of the Towers and Prison Lodgings in his Majesty’s Tower of London,
taken out of a paper of Mr William Franklyn, sometime Yeoman
Warder, dated March 1641,” in which appears, “Cradle Tower—A
prison lodging, with low gardens where the drawbridge was in former
times.”
The War Office have determined to build stores on the Queen’s
gardens, and consequently the loopholes in the old Ballium wall will
be blocked up. The site will thus be lost for further investigation, and
as the Office of Works has no power to prevent these works being
carried out, all that has been exposed of one of the most interesting
portions of the older part of the Tower will be lost.

View of Sṭ Peter’s Chapel in 1817.

 APPENDIX V
THE BLOODY TOWER
Owing to serious signs of weakness in the upper portions of the
walls of the Bloody Tower, it was considered an absolute necessity to
carefully renew the Kentish Rag facing in various places. The work
has been thoroughly well executed stone by stone, all the old stones
that were sound being re-used, and the whole of the walls have been
greatly strengthened by what is technically known as “tying in.” It
was found that the Tower had been repaired in this same manner
about the time of Henry VIII., and probably on more than one
occasion. The heart of the walling is in excellent preservation, and is
the original Norman Transitional masonry with a liberal proportion of
chalk. The parapet has been restored to its original embattlemented
character. A brick wall, which had closed the historical entrance to
Raleigh’s Walk for the last hundred years, has been cleared away,
leaving the passage open as in the days of Cranmer and Raleigh;
this wall was built to prevent the south-west angle of the Tower
falling down, and was an economical vandalism on the part of the
authorities of the time. Another act of vandalism was committed by
some former occupant of the Tower, who had cut out a cupboard for
blacking brushes in the solid masonry immediately behind the
springing of the large arch over the portcullis, thereby seriously
jeopardising the stability of the arch; happily this has been remedied
by the recent restoration. A fine arch over the northern portcullis that
had completely disappeared, has been replaced, and early English
Gothic windows of stone with lead lights have been fixed throughout
the Tower, in the room of the Georgian windows with common
double-hung deal sashes. Stone chimney-stacks have also taken the
place of the incongruous chimney-stacks of brick, and a very
interesting octagonal stone turret, which had been patched with
brick, has been restored to its original condition. This turret is circular
inside, and is about five feet in diameter; a curious internal window
was found about a foot higher than Raleigh’s Walk, and as it
answers no purpose, it is supposed that it was used for supervising
the prisoners. In a jamb of the recess immediately over the northern
portcullis several inscriptions were brought to light, but of these only
the letters R. D. were legible, which, seeing the acquaintance that
both Robert Devereux, Earl of Essex, or Robert Dudley, Earl of
Leicester, had with the Tower, has not unnaturally led to the
conclusion that the initials belong to one or other of these royal
favourites.
The Bloody Tower is of the Norman Transitional period, but the
groining as well as the gates on the south side—those on the north
side have been removed—are Tudor. The massive bottom rails of
these gates were destroyed to allow of an injudicious raising of the
road surface many years ago. It is said that the road was raised from
two to three feet, probably to overcome some difficulty of draining,
but whatever the reason, the fine gates suffered both in effect and
materially. On the west front of the Tower there is an early English
doorway which has been “Tudorised,” its outer arch being modern
Norman Transitional.
The original freestone used in the building of the Bloody Tower
was procured from the neighbourhood of Red Hill, and in the old
records is called “Rygate” stone. It is known at the present time as
Gatton, but the quarries are no longer worked. The fine old arches
over the main entrance are still in this “Rygate” stone, an interesting
survival, since the whole of the external stone dressings in this
material on the Tower were superseded by Caen stone from
Normandy in the reign of Henry VIII. This was a deplorable error of
judgment, for notwithstanding the enormous amount of Caen stone
used throughout the Tower in this reign, scarcely a trace of it now
remains. The modern restorations to the interior have been carried
out in the “pinny bed of Chilmark,” a stone closely resembling the
Rygate or Gatton stone, but much more durable, whilst Kelton stone
from the neighbourhood of Rutland has been employed for the
battlements and other external dressings. All the main walling was
carried out in Kentish Rag stone, which was procured from the
contractor who built the new guard buildings for the War Department.
In the records of Henry VIII.’s time, this Kentish Rag is called the
“hard stone of Kent.” The stone used in those days was undoubtedly
superior to that used by Salvin over fifty years ago, as is shown by
the comparison between the restored Beauchamp Tower and the
White Tower. Soft stones, such as Caen or Bath, absorb a great deal
of moisture, and their injudicious use consequently hastens the
decay of any building in which they are used. Much of the mischief in
the Bloody Tower was doubtless caused by the decay of the Caen
stone, and also the neglect in pointing the joints. It is generally
thought amongst those most concerned, that the restoration of the
Bloody Tower is the most careful and complete of any of the works of
preservation carried out in the old fortress, and it is now judged to be
safe from all fear of collapse.
 APPENDIX VI
STAINED GLASS IN THE TOWER
A quantity of stained glass panels were found in the crypt of St
John’s Chapel, in which some interesting and valuable fragments,
mostly incomplete in themselves, of heraldic glass of the sixteenth
century and of small pictorial subjects, were mixed with modern and
valueless glass of subordinate design. The whole was carefully
examined by Messrs John Hardman, who separated the ancient
from the modern glass, and using delicate leads to repair the
numerous fractures of the former, and setting the various fragments
in lozenges of plain glass, filled the eight windows of the Chapel with
the following subjects:—
The first window in the south front, entering from the west.—A coat
of arms with the words “Honi soit qui mal y pense” around it on the
upper portion; a sepia painting in the centre representing the Deity
and two angels appearing to a priest, with flames rising from an altar.
In the lower portion is another sepia painting with the Deity depicted
with outstretched arms, one hand on the sun, the other on the moon,
and the earth rolling in clouds at the feet. This is generally supposed
to be emblematical of the Creation, but has been suggested as
representative of the Saviour as the Light of the World.
The second window has a head and bust near the top, with a
peculiar cap and crown. The centre is a sepia representing the
expulsion of Adam and Eve from the Garden of Eden, and the
guardian angel. At the bottom there is another sepia depicting a
village upon a hill, probably a distant view of Harrow.
The third window has at the top a figure of Charles I. in sepia; in
the centre a knight in armour, skirmishing, and at the bottom what
appears to be a holly bush with the letters H. R.
 The fourth window has a negro’s head with a turban in the upper
portion; in the centre a sepia of Esau returning from the hunt to seek
Isaac’s blessing, Rebecca and Jacob being in the background. Near
the bottom is another sepia of the exterior of a church, probably
Dutch.
The fifth window, and the last of the series facing south, has a coat
of arms and motto like those in the first window; in the centre, a
sepia of the anointing of David by Samuel; and near the bottom,
Jehovah in clouds, with the earth and shrubs bursting forth. This is
probably emblematical of the Creation.
The south-east apsidal window has the coat of arms and royal
motto as before, with two smaller coats of arms and the same motto
below, a royal crown and large Tudor rose being near the bottom.
The eastern window (in the centre of the apse) has a crown with
fleur-de-lys and leopards at the top, and in the centre the small
portcullis of John of Gaunt and the wheatsheaf of Chester. These are
by far the best heraldic devices in the whole series of windows.
The north-east window has a very imperfect coat of arms with
fleur-de-lys and leopard, as well as two other coats with the royal
motto. There is also a device which might be taken to represent the
letter M, but which is probably the inverted water bottles of the
Hastings family. Daggers are quartered upon the other coats of
arms. At the bottom of this window is a Tudor rose and several
fragments of glass much confused.
The glass has been placed in the windows with great care, the
subjects being made as complete as the broken fragments
permitted. Each of the eight windows is ornamented with leaded
borders.
 APPENDIX VII
LIST OF THE CONSTABLES OF THE TOWER
Geoffrey de Mandeville
William de Mandeville
Geoffrey de Mandeville[8] 1140
Richard de Lacy 1153
Garnerius de Isenei
William Longchamp, Bishop of Ely 1189
Walter de Coutances, Archbishop of
Rouen 1192
Roger Fitz Renfred
Roger de la Dane
During the reign
Geoffrey de Mandeville
of
Eustace de Greinville John.
Archbishop of Canterbury
Walter de Verdun During the reign
Stephen de Segrave of
Hugh de Wyndlesore Henry III.
Randulph, Bishop of Norwich
John de Boville
Thomas de Blunvil
Thomas Fitz Archer
Ralph de Gatel
123
Hubert de Burgh
2
W. de St Edmund
Geoffrey de Crancumb
Hugh Giffard
Archbishop of York
jointly
Bertram de Crioyl
Peter de Vallibus
John de Plessitus
Peter de Blund
Aymor Thorimbergh
Inbert Puglys
Richard de Culworth
Richarde de Tilbury
125
Hugh le Bigod
8
John Mansel
Hugh le Despenser
126
Roger de Leyburn
5
Hugh Fitz Otho During the reign
John Walerand of
jointly
John de la Lind Henry III.
Alan la Touch
Thomas de Ippegrave
Stephen de Eddeville
Hugh Fitz Otho
Walter, Archbishop of York During the reign
John de Burgh of
Anthony Bek Edward I.
Ranulph de Dacre
Ralph de Sandwich
Ralph de Berners
Ralph de Sandwich
John de Crumwell
Roger de Swynneston
Stephen Segrave
Bishop of Exeter
John de Gisors
Thomas de Wake
John de Crumwell
William de Monte Acuto
Nicholas de la Beche
Robert de Dalton During the reign
John Darcy of
father and son Edward III.
John Darcy
Bartholomew de Burghersh
Robert de Morley
Richard de la Vache
Alan Buxhill
Sir Thomas Murrieuse
Edward, Earl of Rutland
During the reign
Ralph de Nevill
of
Edward, Duke of Albemarle Richard II.
Thomas de Rempston
Edward, Duke of York
Robert de Morley
During the reign
John Dabrichcourt
of
William Bourghchier Henry V.
Roger Aston
John, Duke of Exeter During the reign
of
James Fienes, Lord Say Henry VI.
John Lord Taploft, Earl of Worcester During the reign
John, Lord Dudley of
Richard, Lord Dacre Edward IV.
John Howard, Lord Howard