
The NSA Called Me After Midnight and Requested My Source Code - imglorp
https://medium.com/datadriveninvestor/why-the-nsa-called-me-after-midnight-and-requested-my-source-code-f7076c59ab3d
======
mtw
There's nothing to be proud of and writing a blog post about it.

Your users used the software to protect them, or even paid for it. Now this
"Dave" can crack files generated by this shareware. Maybe "Dave" had a genuine
national security situation. But was it really? What if Dave just wanted to
prank the author, during a boring afternoon? What if it were a couple of guys
parked outside who hijacked the phone system, so even if you call 411, it
would route to their van outside? Or what if Dave already did the same demand
to dozens of other security vendors, effectively having the source code of all
encryption software? And even if it was a national security situation, what is
the legal basis of giving up source code and keys?

What I get is "I was just a regular computer programmer and overnight, I was
actually important enough to be useful for the NSA"

~~~
metildaa
The ethical implications are often not considered by software developers, thus
you get cases like this where the author did not stop to push back, acting as
a useful idiot for the NSA.

There are way too many people like that in tech, who don't stop to take in the
bigger picture before performing the requested action.

~~~
Latteland
At the very least there are many circumstances where reporters who were
reporting on pretty underhanded activities in the US were targeted by the US
govt, and what if this situation happened to them. My govt is generally good
here in the US, but we know plenty of cases where they didn't have good
intentions, this is done to intimidate. So if you are an author of security
software, you might keep this in mind. And other countries like Russia and
China would definitely put pressure on people to help them.

------
neilk
Assume the 411 call is legit, and this really was the NSA. The author has no
evidence there was a ticking time bomb scenario underway. Other than the fact
that he was called late at night.

Calling him at his parents’ place late at night seems less like a coincidence
and more like an ominous demonstration of their power. I know that would
influence me, and I’d feel more disposed to cooperate.

I could forgive someone making a rash decision after midnight while traveling.
But here it is, some time later, and the author still seems to think it’s a
cool story. Nice to know that a maker of privacy software doesn’t think
skeptically about the government.

~~~
jhall1468
He gave away the source code, not the master keys to unlock every single
version of the software. At best, the source allowed the NSA to derive the
binary format used by the files. Whoopie.

~~~
_asummers
Not quite. Not that source code secrecy should be relied on, but the source
code not being secret increases the chances of e.g. side channels being
discovered that jeopardize all the users of the author's software.

~~~
pavritch
The ciphers are public. What the NSA really wanted was the size of file
headers, special markers, etc -- so they could skip over the fluff and home in
on the juicy stuff. I gave up nothing that would put the product or users at
risk.

~~~
_asummers
With due respect, the person you spoke to on the phone didn't really answer
your questions, per your post. What leads you to the conclusion? From my
perspective, it doesn't sound like you know what they were using it for at
all, or even if there was an urgent matter that even required it. For all we
know, it was just a Tuesday and they were just hunting for the source of a
common encryption utility.

And just because a cipher is public does not mean that there does not exist a
side channel in the implementation of the ciphers or a mistake in your usage
of them.

~~~
bb88
> And just because a cipher is public does not mean that there does not exist
> a side channel in the implementation of the ciphers or a mistake in your
> usage of them.

And just because they have the source code, doesn't mean they couldn't get it
from reverse engineering the binary. I have not seen a binary that was
completely resistant to reverse engineering yet.

Likely he was just saving them time.

------
michaelmrose
People use encryption so that their files are secure in situations where
failure would be disastrous. Ranging all the way from protecting your credit
card number to protecting your sources from being tortured and killed for
talking to you.

Offering broken encryption that appears to work is dangerous, unethical, and
stupid.

The author ought to be ashamed and people ought to be smarter.

~~~
strictnein
40 bit encryption in 2000 wasn't seen as bad, it was seen as decent. It would
have required a fair amount of computer power to break in a short time.

It was also what was legally exportable at the time.

Providing some security is better than providing none. You lock your doors but
have glass windows.

~~~
joekrill
But I don't buy a lock for my front door expecting the manufacturer to simply
give the key to anyone that asks nicely for it.

~~~
tomatotomato37
This wasn't providing the key as much as the schematics to the lock, which
turns out, they pretty much do:
[https://www.kwikset.com/Libraries/Literature/Rekeying_Manual...](https://www.kwikset.com/Libraries/Literature/Rekeying_Manual.sflb.ashx)

~~~
michaelmrose
It's the spirit of the action. Publishing the source on github ought to be OK
in theory if it isn't implemented poorly but it turns out that it is in fact
implemented in a deliberately weak fashion.

Knowing that his customers' privacy was on the line, knowing that there was no
due process, knowing that revealing the source would help the NSA violate his
customers' privacy, not needing any explanation or legal paperwork, not even
truly knowing if the person on the other end of the line actually was the NSA,
not a private citizen trying to violate the privacy of another citizen, he
decided to comply without question.

Ticking bomb scenarios that can be solved by cracking encryption are so rare
I'm not aware of any existing in history.

The right answer was to request a court order and wait. If it was truly a
matter of national security they can also wake up the judge in the middle of
the night and have an officer of the court serve it.

They were obsequious about it because they didn't have a leg to stand on.
50/50 they weren't even the NSA but rather a sailor trying to spy on a mate's
computer.

Seeing as all you did was call a naval base and get transferred several times
how do we know he wasn't talking to a random individual at the base.

~~~
pavritch
The ciphers are public. Providing source for this specific implementation of
"user interface" did nothing more than indicate sizes of file headers, etc. No
customers were put at risk. All I did was save the NSA maybe a few hours of
time during a critical moment. Do you really think they couldn't have figured
out there is a 4K file header (see, I've said it here, no harm).

~~~
michaelmrose
Can you explain how you can prove you are talking to the NSA by call foo ask
to be transferred to bar, ask to speak to baz?

Logically the fact that you called into the navy base indicates you are
talking to them but by the time you get transferred how do you know who you
are ultimately talking to?

Couldn't you be talking to anyone who works at the navy or works with someone
who works at the navy? One great thing about court orders is that it's trivial
to authenticate them and they get the exciting task of making sure the person
asking for them is a legitimate actor on legitimate business.

If a random private wanted to fool you couldn't they have had you call in in
such a way as you would trivially be talking to a known party who will
ultimately transfer you said party? Hey this joker is going to be transferred
to your extension asking to speak to john doe at the NSA send him to my
extension please.

Considering that we now know that intelligence apparatus was used to spy on
love interests how do you know you were collaborating with a legitimate legal
operation as opposed to illegal spying on citizens?

Likely you aren't in a position to judge right which is why we have you know
judges and court orders and such ceremony.

I respond to random calls that seem strange by hanging up and telling them to
send me something official in the mail.

Neither the people who claim they would like me to give me a fortune I
inherited overseas, the guy who claimed I won the lottery, or the guy that
claimed to be the IRS demanding immediate payment have followed up yet.

At best your judgement is questionable.

~~~
pavritch
Here's how I looked at it -- they are 1000x smarter than me on matters of
encryption. It was totally unlikely I knew something they didn't. At most, I
saved them a few hours on a matter of life and death, and I had minutes to
make that decision. And recall, back then, people felt differently about the
NSA. If this was a total spoof - the reality is I didn't give anything up. I
didn't invent the encryption ciphers. I just packaged common ciphers in a user
interface people really liked.

But in response to the people here who think I was tricked. That's not the
case. What I didn't put in the post was that a team from the NSA visited me in
California a few months later. But again, had I been tricked, it wouldn't have
mattered.

~~~
michaelmrose
You remembered to mention the coffee cup but you forgot to mention the team
from the NSA that visited you to confirm the authenticity of what sounds on
the face like a story of you getting scammed.

I'm sorry this is utterly beyond belief.

------
jbyers

> "But there’s still one thing that continues to nag me after all these years -
> how the hell did Dave track me down 3,000 miles away from home after midnight
> on that hot summer’s eve in Bristol, Connecticut?"

Assuming the author flew cross-country from California and his brother had a
phone number in the family name, it doesn't seem too hard to piece together
with good old fashioned detective work - on top of good old fashioned databases
open to the NSA. I wonder if Dave got it right on the first call?

~~~
pavritch
I'm the author. They found me on the first call. I have a unique name - the
footprint was there. But, I had 5 relatives in the same town. Nobody else got
a call. Were they just lucky?

------
jerkstate
So, the NSA was able to build and deploy a backdoored version of this software
to their targets without the trouble of reverse engineering and modifying it.
Nice

~~~
lurquer
All for the cost of a coffee cup.

------
AnIdiotOnTheNet
> But seriously, this laptop idiot was planning to blow up a building, or
> something equally as bad, but wasn’t smart enough or flush enough to pop for
> the $39.99 to step up to the maximum-strength encryption?

Boy, you sure seem confident in your assessment of the severity of the
situation. It's not like the NSA would have any idea how to get information
out of people by convincing them the situation was something other than what
it actually was.

Granted 18 years ago was a much different time than today. It's a shame that
these agencies have proven their motives so untrustworthy.

~~~
sabarn01
Let's also assume there is a selection bias. The things they do right with the
right intentions you never hear of. It's only when things go wrong do we know.

------
mc_fish
I get that we all want to feel like something we are a part of is so important
that James Bond-esque stuff happens to us. But, the author of this software
did a disservice to his users by immediately rolling over to an, essentially,
unknown party. I'm wondering what he would have given up if "Dave" had claimed
to be Nigerian nobility.

Though, kudos to "Dave" if this was just a ruse to avoid paying for the $39.99
version.

------
bigmonads
This person is either lying or delusional, or got pranked really hard. The
"details" provided, while they make great story, simply don't cohere with how
the NSA operate.

~~~
dragontamer
I mean, Bethesda is like 20-miles away from where the NSA operates. So
straight up, the location is immediately wrong.

A funny thing about people who live in Maryland: the NSA has a big sign that
says "NSA" on the highway. We all know where it exists, and there are funny
local stories about ignorant criminals taking the wrong road and ending up in
the NSA checkpoint. It's a famous local landmark.

[http://www.capitalgazette.com/news/ph-ac-cn-carjacking-suspe...](http://www.capitalgazette.com/news/ph-ac-cn-carjacking-suspect-search-1009-20151008-story.html)

People tell me that you can even drive up and go to a public gift-shop they
have out front, by the National Cryptologic Museum (which is run by the NSA).
It's literally a public place and they let anyone in to see some cool stuff.
[https://www.nsa.gov/about/cryptologic-heritage/museum/](https://www.nsa.gov/about/cryptologic-heritage/museum/)

\----------

The thing is: the guy seems to have been called by Naval Support Activity,
Bethesda.

[https://www.cnic.navy.mil/regions/ndw/installations/nsa_beth...](https://www.cnic.navy.mil/regions/ndw/installations/nsa_bethesda.html)

This is a "different" NSA, and not "THE NSA" that people talk about.

Whether or not it's actually part of protocol: I dunno. But maybe "Naval
Support Activity" dudes like to pretend they are "the NSA" as a prank. Or
maybe they really are part of national security (I mean, the US Navy is
still... technically national security, right?)

\---------

In short: my expectation.

1. Naval Support Activity called this guy up to ask for a favor. They
misrepresent themselves (but without lying: they are the "NSA" after all) to
kinda encourage this guy to do something for them.

2. They feel bad about pranking the dude. So they drive to the Cryptographic
Museum and buy him the first "real NSA"-branded gear that they find. Then they
ship it to him.

~~~
philipodonnell
He says they sent him a blue NSA mug afterwards and "I’ve had that top secret
coffee cup for 18 years now. It’s the same one pictured at the top of this
article.". The picture of a blue mug on the post says National Security
Agency. Hard to imagine one agency pretending to be another like that. Not
sure what to make of it.

~~~
dragontamer
Those mugs are probably sold at the NSA Gift Shop in the Museum. It's probably
the real deal, but anybody can buy them.

If these pranksters were really in Bethesda, it wouldn't take much longer than
40 minutes or so to drive over to "real NSA", buy the mug, and then come back
to their office.

------
strictnein
The number of commenters who clearly did not read the story and have
completely missed that this story was about the year 2000 is pretty stunning.

Plus the complete lack of understanding of the encryption standards that were
legally exportable (which is also mentioned in the story) and seen as good
enough is kind of stunning. 40 bit encryption in 2000 was decent. It wasn't
great, but it would deter almost anyone.

------
ghewgill
Looks like weak security is a trend with this software.

> You attempted to reach www.safehousesoftware.com, but the server presented a
> certificate signed using a weak signature algorithm (such as SHA-1). This
> means that the security credentials that the server presented could have
> been forged, and the server may not be the server that you expected (you may
> be communicating with an attacker).

------
clubm8
What a dingus. Maybe there was no emergency, they just wanted your original
source to look for imperfections in your implementation. Maybe 256 is secure,
that doesn't mean _your_ 256 is secure.

------
bitwize
I think I know his brother. Given his intellectual interests, especially at
the time, I bet the phone call from the NSA is something they still talk
about.

~~~
pavritch
Ha ha. We moved on years ago. Our conversations are now typically about the
fact he has way more patents than me. I only have two ;)

------
tantalor
How does access to the source code help?

~~~
AdamJacobMuller
attempting to find bugs (likely cryptographic weaknesses) that will let them
crack the encryption faster.

~~~
Mithorium
I should hope he didn't roll his own encryption, pretty sure openssl existed
in 2000, the NSA could have gotten a copy of that easily

~~~
pavritch
I did not roll my own. Very few people in the world are smart enough to do
that. I just create a very nice user interface to make things easy for
ordinary Windows users.

------
alexandernst
I'm not surprised at all seeing all sort of comments from the people of the
ethical sect...

I'd really love to see any of these people in such situation. Or maybe even
further, in a situation in which they actually have a tangible proof that
"something bad is going to happen".

------
LiamPa
Mitnick?

~~~
stef25
I'm about half way through Ghost in the Wires and this sounds exactly like
something he'd do. "Hi, this is so-and-so and I'm with this-and-that. Could
you send me a copy of the source code? I'm all over your phone line" The book
is a continuous stream of anecdotes like this. Love it.

~~~
LiamPa
Yep so good and the ‘ring this number to prove I am real’ was a walk in the
park for him.

------
onemoresoop
Social engineering at its best.

------
notacoward
If it were me, I'd be very wary about that coffee cup.

~~~
no_identd
Yepp, throw that thing in an x-ray machine.

------
mtgx
This guy had dubious ethics right from the start by offering most users a free
version with weak encryption just so they can pay for the premium version. The
export control excuse is bogus as by then DJB had already won the lawsuit
against the U.S. government over this issue.

So all in all, I could see it coming that he would be offering the source code
on the silver platter to the NSA after reading the first couple of paragraphs
from the post.

I also like how he calls that guy a "dumb criminal" for not buying his
military-grade encrypted software, as if he hadn't already admitted that he
was giving the source code for the full version to the NSA anyway. In other
words, he didn't just break the trust of the free users, but also of those
paying him to keep their conversations private. This is why I said he had
dubious ethics.

~~~
jawns
I don't see why it's any different than a photo-editing app that applies a
watermark to the free version. It's intended to let people give the software a
try, and if it seems to meet their needs, they buy the actual product.

As for sharing the source code with the NSA, I think you have a better
argument there. That said, it's kind of like helping someone install a secure
lock on their door to keep out criminals, yet being willing to share a master
key with police if it's a matter of life and death.

~~~
Mithorium
not the master key, the schematics to the lock maybe. Assuming no bugs, I
don't see how the source code could help in any way, they may as well have
downloaded the source code for openssl.

He also didn't bother to verify whether it was a matter of life or death, he
just immediately assumed he was helping break into a file containing the
deactivation code for a bomb or something, who knows what the NSA was actually
doing.

------
ElBarto
Notice how he masterfully distilled cool details about his software
culminating in the 'low' price, all wrapped in a captivating story?

30 minutes later after he has left and you have closed the door to go back to
your chores, you're wondering why you ordered 2 magic-mix blenders...

~~~
pavritch
The only thing I did masterfully was write a Medium article that got some
attention. I didn't even include a link to the old software which hasn't been
updated in a decade. It's nothing more than an interesting story about one
night nearly 20 years ago. Sorry to disappoint.

~~~
ElBarto
Can I return the blenders?

------
psychedictic
God bless you for doing what's right for America.

------
tdbgamer
This article seems like a great argument for using open source encryption
software. This guy handed over his source code to the NSA without a warrant or
anything? So any idiot that steals your laptop can just call him up and
exploit his software to get to your files. Great.

------
lbj
My guess is that this is a marketing ploy designed to convey the message that
the author's skills are above the NSA's and as such his software should be
bought by anyone and everyone interested in great security. Considering the
shareware version was 40bit encrypted, I highly doubt the NSA couldn't crack
it before making that phonecall.

~~~
pavritch
All commercial encryption software uses the same public ciphers. Do you really
think nearly 20 years after the fact I'm trying to impress anyone? But, they
were impressed at the time about my user interface which wrapped the ciphers,
and they later had a group visit me in California about some internal uses of
that same UX; but nothing came of it in the end.

~~~
lbj
Yeah that was the impression the blogpost left me with. If I'm in the wrong I
apologize but as always I feel that honesty is the best policy.

