
Uncovering the CIA's Crypto AG operation - zengid
https://www.npr.org/2020/03/05/812499752/uncovering-the-cias-audacious-operation-that-gave-them-access-to-state-secrets
======
saagarjha
> The Iranian government then arrested Crypto AG's top salesman, Hans Buehler,
> in March 1992 in Tehran. It accused Buehler of leaking their encryption
> codes to Western intelligence. Buehler was interrogated for nine months but,
> being completely unaware of any flaw in the machines, was released in
> January 1993 after Crypto AG posted bail of $1m to Iran. Soon after
> Buehler's release Crypto AG dismissed him and sought to recover the $1m bail
> money from him personally.

Sounds like a great employer. Knowingly sells backdoored equipment to foreign
governments, allows their employees to be arrested and held for nine months
even though they know nothing about it, pays the bail, then immediately fires
them and tries to recoup the bail.

~~~
pjc50
See the Matrix-Churchill fiasco, whereby:

- UK government secretly changes its own rules on arms to Iraq

- encourages a company to ship such weapons to Iraq

- they get caught by UK Customs

- this gets all the way to the trial and potential jailing of the directors

- UK government (in particular, Kenneth Clarke) directs suppression of vital
evidence through "Public Interest Immunity Certificates"

- Judge refuses to go along with the coverup and jail innocent people, and
the whole thing blows up in the newspapers.

[https://www.independent.co.uk/news/uk/scott-report-the-essential-guide-1319094.html](https://www.independent.co.uk/news/uk/scott-report-the-essential-guide-1319094.html)

~~~
switch007
This of course - I mean, of course - could have happened under /any/
government...but just for anyone wondering, it was the Conservatives.

------
notlukesky
This is a real old story. Was fleshed out in German and Swiss media in 1994:

[https://en.m.wikipedia.org/wiki/Crypto_AG](https://en.m.wikipedia.org/wiki/Crypto_AG)

And there were many suspicions going even back to a “tell all” by Ronald
Reagan.

~~~
schoen
I thought so too, at first, but the new information is not just that some
Crypto AG products were somehow compromised for some customers (widely
reported since the 1990s), but that _the company was literally owned by the
BND and CIA_. Not in a metaphorical sense of owned.

~~~
jojo2000
Well, at least now we know it's widespread [0].

[0] [https://en.wikipedia.org/wiki/In-Q-Tel](https://en.wikipedia.org/wiki/In-Q-Tel)

~~~
jonathanstrange
This is also well known for several decades. I'd be more interested in hearing
from a whistleblower whether someone runs the shell company behind VeraCrypt.
DGSE?

~~~
secfirstmd
Have we found out anything more about the people behind it recently? It's been
a question I've been pondering for a while. I know this was mentioned in a
previous thread:

[https://news.ycombinator.com/item?id=18693073](https://news.ycombinator.com/item?id=18693073)

I've often thought an interesting place for an intelligence agency to place or
recruit a source would be in a code review organisation. There are a couple of
high profile ones that do a lot of work on open source projects. Let's be
honest, very few people have the time, energy and skills to review a project
independently of this.

Of course there comes a point where too much tinfoil makes the hat fall off.

------
refurb
How come I've never heard of this???

It also makes sense why the US is banning Huawei equipment. If the US can do
it, why can't the Chinese?

~~~
wahern
One answer is that you don't need to manufacture custom equipment with
escrowed keys to infiltrate communication systems any longer. The Israelis
were using stingrays in Washington, DC just last year to spy on officials. You
could probably build a stingray using open source software and a software-
defined radio USB stick.

You can't trust the network. Rather than trying to avoid Huawei, energy should
be spent engineering things so Huawei equipment doesn't need to be trusted.
Until then, China and everybody will continue to be able to snoop, regardless
of who built the network components.

~~~
mistermann
> The Israelis were using stingrays in Washington, DC just last year to spy
> on officials.

Did this make the news? I've never heard of it.

~~~
shauhdej
At a glance I see a few articles, it looks like the topic came up in 2018 and
2019, potentially in different but related circumstances. One of those stories
is from the Associated Press but the article I skimmed from them didn't make
the Israel assertion and was more general. If I had to guess, the topic didn't
gain much reaction because the most 'in-depth' articles are from infotainment
rags like Gizmodo, Common Dreams, and Politico. Politico seem to have been
the ones to break the 2019 story but I'm still reading so can't confirm
that.

~~~
mistermann
It's kind of interesting the lack of interest the media has in such a story.
Would be interesting if there was a way to somehow float the same story except
with a different country (say, Russia) alleged to have been behind the
placement of the device.

~~~
wahern
Media attention was similarly short-lived regarding the closing of the Russian
consulate in San Francisco and the Russian compound in Maryland.

Yes, Israel usually gets a pass on espionage, and Russian election
interference is a years-long story. But in any particular incident it's hard
to tell whether the public is disinterested in the incident or disinterested
in the adversary. Plus, to be fair, reports of actual Russian incidents are
fairly common. I mean, they've literally built a niche industry for social
media hacking. Reporting on it is easy; you don't need to wait for
intelligence leaks. And they publicly gloat about their strategy and tactics.
By contrast, Israel is usually far more discreet[1] and publicly identified
incidents are few and far between.

[1] Operationally and politically. They certainly don't gloat. They stick to a
very strict recitation: "Israel does not spy against the United States."

------
kissickas
Discussion on the Washington Post's great exposé 23 days ago:

[https://news.ycombinator.com/item?id=22297963](https://news.ycombinator.com/item?id=22297963)

------
ColanR
This makes me wonder how many presently existing encryption & security
projects / organizations are owned or influenced by government agencies.

~~~
augstein
… yes, and how many (open-source) software projects in general.

~~~
boomboomsubban
Though I know it's not perfect, free software projects at least give you some
ability to discover and hinder government interference. I don't know why you
seem more interested/worried about them.

~~~
ColanR
Because the open source community is slowly coming to the uncomfortable
realization that many eyes != security. Take heartbleed: SSL had a glaring
security vulnerability open for years that none of those eyes ever spotted.

I've seen questions raised here on HN about Signal and Tor: where they came
from, and where their funding comes from. If I had to bet, then I'd bet both
of those are modern day Crypto AG variants.

~~~
Ill_ban_myself
It's one thing to acknowledge that open source software doesn't get the review
it needs. It's another thing entirely to suggest that major platforms in use
today are sponsored by state actors willing and able to introduce
vulnerabilities without proof.

Turnkey black box solutions may be reviewed more regularly by a dedicated team
but you have to admit that they're subject to flimsy and easy manipulation by
state actors and the greed and corruptibility of their owners.

~~~
ColanR
> It's another thing entirely to suggest that major platforms in use today are
> sponsored by state actors willing and able to introduce vulnerabilities
> without proof.

I think the Crypto AG story is sufficient proof of itself to look with
suspicion at all related open source projects. In situations where there are
known bad actors and we are dependent on security, we should look with
suspicion unless we know better. "Insecure until proven secure" is probably a
good motto.

~~~
boomboomsubban
> "Insecure until proven secure" is probably a good motto.

So just always insecure, as no amount of testing can guarantee there isn't
some heartbleed like bug in there still.

~~~
ColanR
If that's the reality, should we whitewash it?

------
tbyehl
Nice to finally have some exploration of how this tied into geopolitics.

What I'd still like to see is... how did this influence domestic crypto policy
and export controls? It seems entirely too coincidental that right after the
cat is fully out of the bag with the Iran thing, the US is suddenly easing
export restrictions on crypto, trying to shove Clipper / Key Escrow down our
throats, coming for Zimmermann, etc.

------
jamisteven
This is not even half the story, the real story is how many people died via
this shady entity:
[https://gosint.wordpress.com/2020/03/02/crypto-ag-the-missing-piece-of-the-snowden-puzzle/](https://gosint.wordpress.com/2020/03/02/crypto-ag-the-missing-piece-of-the-snowden-puzzle/)

------
thatiscool
backdoor of Intel CPUs and chipsets

[https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/](https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/)

------
random_savv
The Swiss government (specifically the State Secretariat for Economic Affairs)
has filed a criminal complaint "against unknown persons" to shine some light
on this case:

[https://www.swissinfo.ch/eng/crypto-leaks_swiss-authorities-file-criminal-complaint-against-encryption-firm/45588760](https://www.swissinfo.ch/eng/crypto-leaks_swiss-authorities-file-criminal-complaint-against-encryption-firm/45588760)

------
chriselles
This is not the only encryption/communications technology company that has
been compromised by national intelligence services.

I’m aware of another (potentially) where an employee credibly alleged it.

From the perspective of a national intelligence service, it is likely a far
better return on investment to proactively catalogue compromised
communications at root, rather than intercept and brute force it later.

------
KCUOJJQJ
As a Swiss I would say that you can put Swiss cryptography into the garbage
bin, together with US-American cryptography, unless there is quality control.
My country needs a food inspector for cryptography. The inspector should talk
to employees, check source codes, look at who owns a company etc.

~~~
sschueller
We need open source. Threema is one of those that concerns me. Used by the
government but source is closed and distributed via Google Play and Apple App
Store.

------
itsreal
Considering the CIA is still running all sorts of programs out of private
companies that shouldn't be surprising
[https://pastebin.com/0ydbVRkP](https://pastebin.com/0ydbVRkP)

------
dang
Recent threads on this:

[https://news.ycombinator.com/item?id=22297963](https://news.ycombinator.com/item?id=22297963)

[https://news.ycombinator.com/item?id=22307500](https://news.ycombinator.com/item?id=22307500)

[https://news.ycombinator.com/item?id=22309478](https://news.ycombinator.com/item?id=22309478)

[https://news.ycombinator.com/item?id=22473148](https://news.ycombinator.com/item?id=22473148)

Others?

------
stebann
USA hypocrisy again. Oh! We will ban Huawei while we sing racist slurs in
every country around the world!

------
Wistar
Last night's Fresh Air interview with WaPo's Greg Miller about the Crypto AG
case. 37 minute run time.

[https://www.npr.org/transcripts/812499752](https://www.npr.org/transcripts/812499752)

------
aschatten
On my way home I tuned in on this interview, caught the end of it. Had my
dinner and decided to google the story, but before checked Hacker News. And
here it is on the front page.

------
JabavuAdams
Why do we trust Tor and Protonmail, again? Ugh.

~~~
xorcist
Tor places limits on how much of the network must be owned by an adversary in
order for them to extract useful information from it. They are quite
transparent about it.

------
BurningFrog
Amusing how the CIA is "audacious", while foreign agencies are pure evil.

~~~
steve19
Within the context, this is about the spying and signals intelligence. We
don't usually talk about a foreign agency being pure evil when they tap fiber
lines, we do when they murder or massacre.

~~~
thulecitizen
“If only it were all so simple! If only there were evil people somewhere
insidiously committing evil deeds, and it were necessary only to separate them
from the rest of us and destroy them. But the line dividing good and evil cuts
through the heart of every human being. And who is willing to destroy a piece
of his own heart?”

― Aleksandr Solzhenitsyn

In the digital age, information is everything. And information usually
precedes action, so in my eyes your argument is wilfully ignorant to the
larger reality of a complex globalized world.

I think the US and other Global North countries have a massive shadow:
[https://www.youtube.com/watch?v=j800SVeiS5I](https://www.youtube.com/watch?v=j800SVeiS5I)

If unfamiliar, this is a guide to Jung's concept of the shadow:
[https://highexistence.com/carl-jung-shadow-guide-unconscious/](https://highexistence.com/carl-jung-shadow-guide-unconscious/)

~~~
Nasrudith
All of that is mere sophistry to justify their crimes. It is an addictive
toxic meme like "necessity" as it at best escalates from any actual
necessity to excusing mistakes to whatever is convenient to whatever they
/think/ will help even if actively detrimental like torturing for information.
This sort of delusion has a long history - often found as societies rail
against "decadence" when it is really what they consider virtue which will be
their inevitable downfall.

The secret is that information doesn't matter to the evil fools, it is all a
pretext for self justification whether consciously or otherwise. In order for
the delusional evil to die and stay dead the secret must be widely exposed.

