
The NSA called me after midnight and requested my source code (2018) - treasure2seek
https://medium.com/datadriveninvestor/why-the-nsa-called-me-after-midnight-and-requested-my-source-code-f7076c59ab3d
======
lb1lf
I drew the ire of our security services in a much dumber way sometime in the
early nineties; after having seen Wargames, I set up my MicroVAX, rescued from
a dumpster at the local bank, to ID as a DoD box whenever any of my friends
dialled into it.

A few weeks into this, I get a summons to get down to the local police station
ASAP. The commissioner then gives me a good verbal beating for being such a
stupid kid; apparently someone had dialled into the uVAX by mistake or
wardialling, figured it was a real DoD machine, had reported the security
breach and had gotten all sorts of gears moving.

He wound up the sermon by telling me whoever had called him from the relevant
department at military intelligence had chuckled and told him they kind of
found it funny - but could he please get hold of me and tell me to stop doing
it immediately, or else have my landline terminated?

~~~
downerending
I miss the days when you could do stuff like this without ending up in prison.

~~~
filoleg
You were running a lower risk of getting caught, but if you got caught, you
could easily get slammed with all kinds of outlandish stuff back then, mostly
due to the general public ignorance of computing and hacking. These days, you
have a way higher chance of getting caught, but the punishment is more
reasonable and fair imo (even though it is still way overblown most of the
time).

What instantly came to my mind was the Kevin Mitnick trial, where "law
enforcement officials convinced a judge that he had the ability to 'start a
nuclear war by whistling into a pay phone'"[0].

0.[https://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest,_convicti...](https://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest,_conviction,_and_incarceration)

~~~
bjoli
I don't know, maybe Kevin was a real whistling virtuoso.

Raymond Chen could scream the 300 baud carrier tone:
[https://devblogs.microsoft.com/oldnewthing/20111111-00/?p=91...](https://devblogs.microsoft.com/oldnewthing/20111111-00/?p=9133)

------
code4tee
Interesting story, but wouldn’t be surprised if the real play here was to get
his source code so they could get some bad guys to use a modified version that
the NSA could crack. Put a back door in and then intercept traffic trying to
download the encryption app to download the back-doored version.

The fact that the NSA has to call him in the middle of the night to learn that
the free version didn’t use strong encryption (a fact that seems to have been
a selling point for the non-free version) just sounds a bit dubious, but
that’s just my sense. Nice mug regardless.

~~~
meowface
I doubt it. For one, how could they expect to distribute it in a way that a
bad guy was more likely to download than by going to the official site?

But also, if they did want to do that, they could probably backdoor it pretty
easily just by patching the binary a bit. Reverse engineering and changing
binaries is way easier than cracking encryption, and they probably have some
of the world's top reverse engineers.

The fact that they asked for an existing algorithm backdoor, among other
things, makes me think they really were trying to crack at least one thing
encrypted with it. As for whether it was to deal with a time-critical
situation or whether that was just a confidence trick to make him more likely
to give up the code, who knows.

~~~
bhelkey
> how could they expect to distribute it in a way that a bad guy was more
> likely to download than by going to the official site?

Man in the Middle attacks work even if one goes to the official site. It could
have looked something like this.

1) User attempts to go to the official site [https://..](https://..).

2) NSA intercepts the message, downgrades to http and sends back a dummy site
with the malicious binary [1].

3) The user doesn't notice the change and uses the malicious binary.

Today, a series of steps have been taken to make such an attack more
difficult. Now browsers tend to try to warn the user and sites can take
advantage of HSTS preload lists[2]. However, this article was written about an
event in early 2000 when many of these safeguards didn't exist.

[1] [https://en.wikipedia.org/wiki/Downgrade_attack](https://en.wikipedia.org/wiki/Downgrade_attack)

[2] [https://blog.mozilla.org/security/2012/11/01/preloading-hsts...](https://blog.mozilla.org/security/2012/11/01/preloading-hsts/)
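
Added example, not part of the thread or written by any commenter: a Python check of the `Strict-Transport-Security` header behind the HSTS preload lists mentioned above, showing which server responses still leave a first plain-HTTP visit open to the downgrade described. The function names and sample responses are constructed for illustration; the parsing rules follow RFC 6797 and the one-year threshold is the hstspreload.org submission requirement.

```python
# Added example (constructed): classify HSTS policies per RFC 6797.
PRELOAD_MIN_MAX_AGE = 31536000  # one year; hstspreload.org submission minimum


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns None when the header is invalid (max-age missing or malformed,
    or a directive repeated); browsers ignore such a header entirely.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored.
    return policy if policy["max_age"] is not None else None


def assess(scheme, hsts_value):
    """Return a verdict for one response (scheme it arrived on, header value)."""
    if scheme != "https":
        # A header on plain HTTP could have been injected or stripped in
        # transit, so browsers must ignore it.
        return "ignored-over-http"
    if hsts_value is None:
        return "missing"
    policy = parse_hsts(hsts_value)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "cleared"                     # max-age=0 removes a stored policy
    if (policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"] and policy["preload"]):
        return "preload-eligible"
    # Valid, but only protects after the browser has seen it once over HTTPS.
    return "first-visit-exposed"


# Constructed sample responses: (scheme, Strict-Transport-Security value or None)
SAMPLES = [
    ("http", "max-age=31536000; includeSubDomains; preload"),
    ("https", None),
    ("https", "includeSubDomains"),
    ("https", "max-age=0"),
    ("https", "max-age=86400"),
    ("https", "max-age=63072000; includeSubDomains; preload"),
]


def run_samples():
    return [assess(scheme, value) for scheme, value in SAMPLES]


if __name__ == "__main__":
    for (scheme, value), verdict in zip(SAMPLES, run_samples()):
        print(f"{scheme:5} {value!r:55} -> {verdict}")
```

"preload-eligible" only means the header meets the submission requirements; the domain is protected on first visit once it is actually included in the browser's shipped list.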

~~~
iancarroll
Just to be clear, no web browser has ever (AFAIK) allowed a navigation for
https:// to downgrade to http://. It's only when the
protocol is not explicit (i.e. typing only "domain.com") do problems really
arise.

~~~
meowface
They may have meant finding a link to it elsewhere from a plaintext site, in
which case they could sslstrip it. (Before more modern safeguards, at least.)

------
MR4D
If you read the article (you should - it's a good one and well written), then
you should also read the comments.

My favorite nugget from the comments:

    "I hope you’re keeping that mug in an opaque Faraday cage, well grounded."

~~~
remcob
I know it's a joke but: Mugs have a tendency to be put in microwaves, making
them a dangerous place for electronics.

If you find yourself receiving a questionable mug, time for a glass of warm
milk.

~~~
marcosdumay
Microwave ovens are not that horrible against bipolar transistors. They are
completely lethal for MOS-FETs, but one can make electronics that survive it.

~~~
remcob
Do you have more information on how to do that?

Making things resilient against a kilowatt of non-ionizing microwave radiation
seems challenging, in my experience it will burn the traces right off the PCB.
A different game from the more common radiation-hardening where the concern is
low power ionizing radiation.

~~~
marcosdumay
Embedding your conductive trails into a large non-conductive material helps,
as does putting unrelated trails apart, and making them at the right size.
Completely surrounding them with a ground plane helps too, but I have no idea
how to include an antenna.

~~~
illgenr
Make your faraday enclosure the antenna (better have some heavy duty
protection on the tx/rx circuitry though).

~~~
marcosdumay
That tx/rx interface is the real problem. But if you enclose things with the
right material, you can turn everything into a large varistor and even MOS-
FETs will survive.

------
bayouborne
My first job in the early '80s was for a phototypesetter manufacturer.
Logically, the NSA had one of our machines for in-house use. Whenever there
was an issue with the machine I flew up to Virginia to look at it. My
experience was roughly the same as the article's, super-nice people, all of us
immediately on a first name (only) basis. The two kind of uniquely funny
things about those visits was 1) that the machine (PDP-11 based) was kept in a
small room with _nothing_ else in it - a door opened into a room with the
machine exactly in the center of the space. The other thing 2) which did make
sense was that the core memory was always wiped w/a walking 1's and 0's
paper-tape utility prior to me getting access to it.

~~~
RandomBacon
Maybe it was just kept in that room while you worked on it. Perhaps that's the
room where they move equipment that needs servicing so they only have to
secure one route and room for technicians to use.

------
frollo
This sounds like spy training from Burn Notice. Like, you have to get the
source code of this program, from a guy who isn't at home right now and the
whole budget of the operation is just enough to buy a mug from our gift
shop. Good luck Dave!

~~~
GlenTheMachine
You make it sound like that’s not how it usually is.

I have bad news. That’s how it usually is.

~~~
toomuchtodo
Sometimes you don’t even get enough for a nice mug.

~~~
jessaustin
Where is the $60B/yr going? It's not all AWS. They could buy a lot of mugs for
that.

~~~
frollo
The mugs are not cheap. And then you have to pay for storage and shipping.
Mugs are a costly business.

Oh, and don't forget all the nice paper for the notes.

------
superhuzza
Certainly doesn't make me want to use any software made by this guy.

~~~
selykg
Curious why...

Your security should never depend upon security of your source code. If you're
doing things correctly, then the source code doesn't change anything about the
security of the data that is encrypted.

Perhaps you mean that he chose to use 40-bit keys instead of 256-bit keys in
the free version? I mean, I guess. But that's just a matter of better
understanding the details. It sounds like he outlined this clearly and anyone
looking for more security knew to pay for the product to get the 256-bit keys.

~~~
rcoveson
> Your security should never depend upon security of your source code.

For sure. I don't think it's about that, though.

Even if the application in question were open source, if the project lead is
willing to cooperate in any way their government asks, they could probably
ensure the existence of a back door. For this reason, where possible, I would
prefer to use encryption software written by people who are principled to a
fault (or who at least do a good job acting as if they were).

Let's imagine Linus Torvalds or Greg Kroah-Hartman in this same situation.
Linux source is available, so let's say they were asked to ensure that a
certain patch to a cryptographic API was not accepted before a certain window.
Maybe the crypto API maintainers were on the call as well saying that they
were on board with the plan (apologies to those people, I don't know you and
mean no offense). I like to think that they would:

1. Turn down the NSA.

2. Attempt to get the word out about what they had been asked.

3. Find new crypto maintainers.

And yes, it's entirely possible that this is not at all how it would go down.
Maybe they would be very cooperative. I don't know any of these people
personally. But what I do know is that they have not, as of yet, made a blog
post about that time when the NSA did ask them to betray an unspecified user
and how they did everything they asked without resistance.

I don't think I'm being idealistic here. Software and encryption are global
endeavors. People who blindly believe that the enemies of their state are also
their enemies, or even that obedience to local laws is a moral imperative,
should not write crypto software. Or at least, I hope they make their beliefs
known like this guy did so that I can avoid their software.

~~~
meowface
I'm pretty sure if the NSA asked him to add a backdoor, he wouldn't do it.
(They already asked if he had an existing one, and he clearly realized how bad
that would be if there was.)

~~~
rcoveson
That may well be true. But still, this story influences my _guess at the
likelihood_ that this author would do so in the direction of "more likely."

Likelihood that the authors/owners of software are willing to cooperate, and
capable of cooperating, with adversaries is an important metric for comparing
options. Very high profile open source maintainers are less capable, due to
the oversight of the community. Anarchist- or security-absolutist type
personalities are less likely. The author and his project don't fit either
bill.

I'm not arguing that this is the only metric that matters when considering
one's options. But it does matter.

------
miles
Discussion with 133 comments from late 2018:

[https://news.ycombinator.com/item?id=18293940](https://news.ycombinator.com/item?id=18293940)

------
g8oz
> I probed again, this time about their capability at 40 bits; maybe that
> reduced level wasn’t such a State secret. But again, Dave was mum.

I recall that 40 bit encrypted Word documents obtained from Al-Qaeda safe
houses in Afghanistan after 9/11 were successfully cracked. It was reported in
the media, so it was an open secret after that.

------
StillBored
Well they do have mugs in the gift store, and the one in the third picture [1]
from the end looks like a nice one, although not exactly the same. Of course
the picture there is 16 years later.

Sounds like a fun social engineering trick though, if you can subvert the
local phone switch. Probably would make more of an impression if the FBI/etc
knocked on your door and handed you the phone...

[1] [https://www.businessinsider.com/nsa-gift-shop-2016-5?op=1](https://www.businessinsider.com/nsa-gift-shop-2016-5?op=1)

~~~
kyuudou
I think I'd say "oh wow, gift exchange!" and hand them this:
[https://www.zazzle.com/the_nsa_parody_shirt-2357202944443361...](https://www.zazzle.com/the_nsa_parody_shirt-235720294444336131)

------
GlenTheMachine
I have been to the NSA gift shop, and they do sell the blue mugs there. But
you have to have the right clearances to even get to where the gift shop is...

~~~
_not_the_nsa_
This isn't true, unless it's changed in recent years. There's a gift shop at
the Cryptologic museum on Ft. Meade. I've taken my folks there before,
although I haven't worked there in almost a decade, so maybe it's not there
anymore. There are gift shops inside the buildings though, but they sell the
same stuff as the other one. You don't necessarily have to be cleared to get
to those, you just have to have a reason to be in the building (i.e.
interviewing)

Now the CIA has a gift shop you can't get to without being able to get into
the building. ;)

~~~
GlenTheMachine
Touché. I’ve never been to the museum. There’s a gift shop inside NSA proper.

------
TomMckenny
Since the source code could not help with decryption and the file was trivial
to decrypt anyway, the NSA was either playing four dimensional chess that
requires making a pointless midnight phone call or it's actually fallible.

Rather than fairly justified suspicion of the NSA, we might want to apply
Hanlon's razor in this case.

~~~
AmericanChopper
I’ve had the pleasure of working in some organisations that had mountains of
legacy applications that didn’t always have any source code. When I’ve had to
fix bugs that involved those apps, reverse engineering them was always tedious
and time consuming, and having the original engineers on hand to answer
questions always sped things up. Regardless of the NSA's technical
capabilities, it seems all he helped them do was something they could have
done without his help, only faster.

------
op03
July 2000 is I guess a pre-Google world...so how would "Call 411 and ask for
the number of main naval base in Bethesda, MD" work? Just curious how the
operator did these lookups?

~~~
Mountain_Skies
Unless I'm remembering wrong, 411 only gave directory assistance for your area
code. To get the phone number for a naval base in another state, he would need
to dial that area code plus 555-1212 to contact the local directory assistance
for that location. Might be wrong though. Where I grew up there was a charge
for using directory assistance so my parent prohibited us from ever using it
instead of the phone book.

~~~
Hnrobert42
Haha. I remember phone charges for stuff like that. *69 to see who called you
was 50 cents. So many nickel and dime charges. Of course, back then, monthly
phone bills weren’t equal to a healthy percentage of a car payment.

------
dba7dba
Adam Savage (Myth Busters) once got a call from FBI because of a Star Wars
movie prop (thermal detonator) he was making for a project.

He meant to call his supervisor to leave a voicemail regarding the thermal
detonator prop used in Star Wars, but apparently it was left at a wrong
number. And that random person called FBI because he heard thermal detonator
in the voicemail.

Here's the link :)
[https://youtu.be/ZjpPgv9XtJA?t=1008](https://youtu.be/ZjpPgv9XtJA?t=1008)

------
ebg13
I can't help but feel like the author sounds excessively credulous.

I had to stop reading after he wrote "I could tell something big was up and
there simply wasn’t time to debate the merits of handing over my source code
to the NSA", because at that point my eyes rolled so hard they fell right out
the back of my head.

After I put them back in, I skipped down to the comments. I have a hard time
not agreeing vehemently with the top comment on the post, which says:

"You took time off your vacation to help the shadiest government agency on the
planet do God-knows-what, as well as give them your IP for free. In addition,
your ignorance and glee motivated you write this propaganda post, helping
their cause, all for the price of a mug with a fancy sticker on it."

~~~
bsamuels
I'm sorry but if you think the NSA is the shadiest government agency on the
planet, then you live in an information bubble.

Do you think the NSA is shadier than the KGB? What about the Iranian
Revolutionary Guard? Or even the CIA?

I know people are upset about the Snowden revelations but there are much
graver sins that have been committed by other agencies.

~~~
number6
Whataboutism

~~~
smolder
Not really, a comparison was implied. They didn't say "shady agency", they
said "shadiest", which makes a claim and invites dispute about the others'
relative shadiness.

~~~
TaylorAlexander
I felt like “shadiest” was hyperbole meant to mean “very shady”. Also while
the others mentioned might be bad, the NSA is probably the “best” at being
covert and probably the most active of all of them. So they might truly be the
“shadiest” by sheer volume of covert things they do.

------
peter_d_sherman
What I find interesting about this article is that the poster was apparently
permitted by the NSA to share his experience publicly...

Compare and contrast this with National Security Letters, which apparently
(based on the ones that I have seen, that have been publicly posted on the
Internet by other people) request or require absolute secrecy...

------
webmobdev
Interesting read. I wonder whether this was an attempt at social engineering†?
While we tend to think of the NSA (or other foreign agencies in this field)
working on intercepting information only through electronic means, sometimes a
direct approach is often easier (obligatory - xkcd:
[https://xkcd.com/538/](https://xkcd.com/538/)).

Perhaps all they wanted was the source code of his application to repackage
(after introducing a backdoor) and distribute it on the internet or directly
to targets of interest ... perhaps it was part of his training ...

† _Social Engineering
([https://en.wikipedia.org/wiki/Social_engineering_(security)](https://en.wikipedia.org/wiki/Social_engineering_\(security\)))
in the context of information security, is the psychological manipulation of
people into performing actions or divulging confidential information._

~~~
burrows
Only works if the 411 call was MiTMd.

 _edit_

I was confused and my reply is confusing. I was trying to say that a third
party could have stolen the source code by MiTMing the 411 call.

~~~
webmobdev
I meant perhaps NSA agents are trained in social engineering too. Or it may
not have been the NSA, but FBI or CIA or even Military Intelligence too,
pretending to be NSA.

~~~
burrows
You think the NSA impersonated themselves?

~~~
webmobdev
I meant it may have been a real NSA agent, acting on actual orders, but that
he may have lied to get access to source code. If so he wouldn't need to do
any MitM attack.

~~~
burrows
The NSA agent's goal was to get the source code, but he lied about why he
wanted it. Fair enough.

------
pcmasterdave
I think the question asked by the author at the end was already answered by
Snowden.

------
grayed-down
Should have just driven to Ft Meade and had "Dave" meet you at the gate. It's
only a 3 1/2 hour drive...

------
valuearb
I would have demanded, at a minimum, to be told exactly how the NSA located me
in exchange for my source code.

------
implicator
The cup is probably a listening device.

------
KurtMueller
Isn't it always after midnight?

------
ahi
Dave really does know everyone.

------
mesozoic
Handing stuff over to the supposed feds with no reasoning or warrant is not
exactly something to be proud of.

~~~
pensatoio
It was pre-9/11, no? The world was a different place.

------
moneysake
2018

------
LiamPa
Mitnick?

~~~
at-fates-hands
Probably not. Mitnick was just getting out of jail in 2000.

I was thinking along the same lines though. Who were some high profile hackers
that were on the FBI/NSA most wanted list?

Max Butler maybe? Aleksey Ivanov?

------
avipars
this is from 2018

------
meroes
So, if his encryption was implemented perfectly the source code would do
nothing to speed up decryption. Author admits this in the 2018 thread. If
there was some bug or oversight, he gave the NSA a way to break into millions
of machines. So should we conclude author doesn't trust his own software as
advertised?

Without even getting into the social engineering possibility. I don't see a
way this looks good for the author.

------
gist
> But seriously, this laptop idiot was planning to blow up a building, or
> something equally as bad, but wasn’t smart enough or flush enough to pop for
> the $39.99 to step up to the maximum-strength encryption?

Says the developer who could have been social engineered to give away what he
had done by being rushed in a way that others would perhaps call 'not smart
enough'.

And where does the skill set of knowing about encryption come close to what
someone needs to know in order to 'blow up a building'? Why would you expect
that someone understands the difference or the risk? Or should? After all it's
risky to begin with what they are doing. This is just another and different
risk.

Now the question is if you were the NSA and of course I have no clue how they
operate but maybe it would have made more sense to send the local police to a
house to deliver the message AND the other part 'call this number' etc. And
who knows how that could have been fake for that matter (it all hinged on
calling 411 as being definitive and/or someone not intercepting a legit call).
Sure someone could social engineer the local police to show up (I would think
that would be easy for someone who knows how they operate or with whoever is
on shift at that time).

Also the coffee cup is strange. Secretive agency but they send a gift as a
thank you with their name so you have some kind of proof that allows you to
detail how they operate and that they did this? Would make more sense that
they got you to agree to not reveal they had requested the info not that they
gave you some kind of bragging rights and story.

