
How the CIA used Crypto AG encryption devices to spy on countries for decades - allard
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
======
NamTaf
Reading between the lines on this, it's plainly apparent why there's been
repeated attacks on encrpytion by the US government. From this, through RSA's
Dual_EC_DRBG, to the present day, it's obvious that the US highly values
rigging the deck to aid their decryption, and that the current democratisation
of encrpytion protocols is a threat to them.

I mean, you only need to read their repeated admissions that without MINERVA
their intelligence recovery would've dropped from ~80% to ~10% to see why
they're trying to play the same game plan again and again. Whether that's
through puppetmastering encryption companies like in this article, sneaking it
in via bribes (RSA's Dual_EC_DRBG), or most recently trying to legislate it
through (FB, Whatsapp, etc. E2E encryption), it's all essentially the same
play.

As a corollary to all this, it's another point of evidence that strong
encryption really is beyond the reach of even the biggest three-letter-
acronyms, and that there's no secret sauce technology out there letting them
mass-decrypt everything. If there was, then perhaps there wouldn't be such a
strong push to rig the deck in the first place. At least that's heartening.

~~~
edm0nd
I'm pretty sure the US government is why the TrueCrypt devs stopped all work.
They got hit with a national security letter (NSL) or heavily leaned on and
pressured to stop making their product so awesome and un-breakable.

~~~
RcouF1uZ4gsC
From the TrueCrypt webpage:
[http://truecrypt.sourceforge.net/](http://truecrypt.sourceforge.net/)

> WARNING: Using TrueCrypt is not secure as it may contain unfixed security
> issues

The fact that they use awkward wording that contains words whose first letters
that start with NSA (not secure as) is pretty suggestive that you are right.

~~~
pstuart
Wow. In a different timeline I'd dismiss that as tinfoil hat time, but in this
one it seems spot on.

~~~
lawnchair_larry
Nope, still tinfoil hat. This is just apophenia.

~~~
pstuart
Thank you for the new word.

You make your case as if you have proof, which you likely don't. It's a moot
point.

------
blattimwind
It has been known for a pretty long time that the Crypto AG is affiliated with
or controlled by intelligence services. It was also always firmly in the
"security through obscurity of our own cipher designs" department. Their C-52
(52 as in "1952") cipher machines were designed to enable decryption by
Western intelligence.

> Le Temps has argued that Crypto AG had been actively working with the
> British, US and West German secret services since 1956, going as far as to
> rig manuals after the wishes of the NSA. These claims were vindicated by US
> government documents declassified in 2015.

[http://www.spiegel.de/spiegel/print/d-9088423.html](http://www.spiegel.de/spiegel/print/d-9088423.html)
(1996)
[https://en.wikipedia.org/wiki/Crypto_AG#Compromised_machines](https://en.wikipedia.org/wiki/Crypto_AG#Compromised_machines)

~~~
eternalban
I saw this article and that is exactly the first thought that popped up.
Second thought was why is Washington Post feigning ignorance of this fact.

~~~
rtsil
They didn't, following the arrest in Iran and subsequent release of a Crypto
AG salesman in 92, they cite the salesman as talking with news organizations,
they also cite a Swiss TV broadcast in 1994 and reports from Baltimore Sun in
1995.

The new fact is that the company was co-owned, then fully owned by the CIA.

------
snowwrestler
Gives you a sense of why the U.S. intelligence community is so nervous about
having Huawei at the core of the domestic 5G network. Would not be fun for the
U.S. to have done to them what they've done to others.

And as a U.S. resident, even as I acknowledge and deplore what the U.S.
intelligence services have done to others, I still don't want China to do that
to me. This is not an area where equitable (but bad) treatment makes things
right IMO.

~~~
raxxorrax
Funny, I don't really care China spying on me as much since they just don't
have any handles that would be relevant. Your own government spying on you is
much more dangerous. And since I don't have influence on policies of China, I
can at least hold domestic politicians that strive for more surveillance
accountable. At least theoretically.

History shows that government isn't your friend at all. The US might be a rare
exception from time to time. But even that would be very, very limited.

Doesn't mean I wouldn't mind 5G spyware from another country.

~~~
chungus_khan
Even saying that the US is your friend isn't really true. The Tuskegee
syphilis experiment and MKULTRA were only ended in the 70s, Orlando Letelier
happened the same decade, as did the discovery of Operation Mockingbird and
other Church Committee findings. Every peek we've had into that world since
then continues to come up dirty too. Operation SHAMROCK was considered a big
deal at the time, but we've since then allowed American intelligence to vastly
eclipse anything even conceivable at the time.

Other countries programs aren't good or anything, but anyone who's deluded
themselves into thinking the US is some kind of clean actor, not participating
in this sort of stuff, or only using it for good is more optimistic than I
could ever manage being.

~~~
dependenttypes
Ruby Ridge and Waco siege happened only in the 90s as well. Currently we have
killer drones assassinating people without trial, CBP ignoring policies
([https://vc.gg/blog/so-its-been-a-while.html](https://vc.gg/blog/so-its-been-
a-while.html)), sending agents to scare activists
([https://news.ycombinator.com/item?id=6946909](https://news.ycombinator.com/item?id=6946909)),
and police blowing up houses of innocents and refusing to compensate them
([https://news.ycombinator.com/item?id=21399770](https://news.ycombinator.com/item?id=21399770)).

------
apexalpha
What a treat to read a well written piece based on decent research. It's a
long read but well worth your time. Kudo's to the journalists who helped
uncover it.

And the 'coup of the century' is far from clickbait, it's definitionally
warranted for what the CIA and BND did here.

It's a little ironic as well, especially since the US is so keen on blocking
Huawei over espionage concerns.

~~~
noelsusman
There's nothing ironic, weird, or surprising about the US wanting to stop
other countries from doing to them what they do to other countries. It's
hypocritical in some sense, mostly because the US tries to project itself as
the good guys, but it's just basic international relations. That's how every
country has always operated and will always operate.

~~~
einpoklum
The US mostly tries to project itself as "the good guys" to its own
inhabitants, and secondly to the local and international media. But in most of
the world you are often faced with the business end of a US-operated or US-
financed weapon.

~~~
jorblumesea
To be fair, it's a spectrum. The US has its share of bodies, but it also
doesn't grind its citizens into a pulp with tanks when they protest.

~~~
einpoklum
The thing is, its subjects are mostly non-citizens, so it's enough to grind
_those_ into a pulp. So far, the US has not seen a popular uprising which
threatens the stability of the state(, excluding perhaps that of the native
Americans, who were actually ground to a pulp, eventually).

------
danso
The popular belief is that the CIA and its intelligence colleagues will go to
any lengths to protect its power and secrecy. But apparently a Crypto engineer
discovered the secret conspiracy in 1977, and even fixed vulnerabilities on
behalf of the Syrian state – and the CIA was content to leave him alone for
the next 40 years?

> _In 1977, Heinz Wagner, the chief executive at Crypto who knew the true role
> of the CIA and BND, abruptly fired a wayward engineer after the NSA
> complained that diplomatic traffic coming out of Syria had suddenly became
> unreadable. The engineer, Peter Frutiger, had long suspected Crypto was
> collaborating with German intelligence. He had made multiple trips to
> Damascus to address complaints about their Crypto products and apparently,
> without authority from headquarters, had fixed their vulnerabilities._

> _Frutiger “had figured out the Minerva secret and it was not safe with him,”
> according to the CIA history. Even so, the agency was livid with Wagner for
> firing Frutiger rather than finding a way to keep him quiet on the company
> payroll. Frutiger declined to comment for this story._

------
wycy
Two parts of interest that jumped out to me:

> The overlapping accounts expose frictions between the two partners over
> money, control and ethical limits, with the West Germans frequently aghast
> at the enthusiasm with which U.S. spies often targeted allies.

> Hagelin had once hoped to turn control over to his son, Bo. But U.S.
> intelligence officials regarded him as a “wild card” and worked to conceal
> the partnership from him. Bo Hagelin was killed in a car crash on
> Washington’s Beltway in 1970. There were no indications of foul play.

~~~
johnflan
> There were no indications of foul play. Yup

~~~
sailfast
Have you ever driven on the beltway?

~~~
wycy
I have. Nowadays it's generally slow enough that it's hard to imagine dying in
an accident there. But this was so long ago that I imagine things were
different with the Beltway back then, and of course cars were much more deadly
at the time too.

~~~
sailfast
Indeed. But it seems people keep finding new and innovative ways to crash
spectacularly as well. Maybe it's foul play all the way down, but I'd bet most
of money on Marylanders :)

------
mxcrossb
> U.S. officials were even more alarmed when Wagner hired a gifted electrical
> engineer in 1978 named Mengia Caflisch. ... But NSA officials immediately
> raised concerns that she was “too bright to remain unwitting.”

Wow, those are words to aspire to

~~~
drummer
You cannot get a better compliment than this.

------
cameldrv
This story was originally reported in CovertAction Quarterly 22 years ago:
[https://covertactionmagazine.com/wp-
content/uploads/2020/01/...](https://covertactionmagazine.com/wp-
content/uploads/2020/01/CAQ63-1997-4.pdf) (Page 36)

~~~
istinetz
... What? This is a well written article covering essentially the same
information. This is so confusing, why did nobody react back then? Why did
governments continue to buy equipment from Crypto AG?

Amazing. The only explanation I can think of is that CovertAction had much
worse reputation and could be easily dismissed as conspiracy theory.

------
reddog
It follows that private VPN firms would be a similar target for deep pocketed
state intelligence agencies. What do you think the chances are that the VPN
service or software you use hasn't been co-opted, compromised or is outright
owned by state actors in China, Europe or the US?

~~~
e12e
It would be hopelessly naive to assume that intelligence services don't run a
large number of VPN providers an tor relays, just as the used to run mix
master smtp (email) relays.

~~~
freeflight
While at the same time taking out the competition they can't get to comply [0]

[0]
[https://www.theregister.co.uk/2019/09/30/cyberbunker_cb3rob_...](https://www.theregister.co.uk/2019/09/30/cyberbunker_cb3rob_germany_police_raid/)

------
just_steve_h
It certainly does make one wonder who else in the worlds of high technology
(and journalism!) May be – wittingly or unwittingly – working for Uncle Sam.

I've seen some deep integrations that have made me despair of any organization
being free from the overweening influence of the "security services." I'm
talking about groups as large as multi-billion dollar public US technology
infrastructure companies and as small as anarchist cells planning to attend a
political convention.

Sometimes it seems that internal turf battles, budget disputes, careerism, and
rank incompetence are our only protections against the machinations of the
National Security State.

~~~
WarOnPrivacy
US Telcos have been jointed at the hip w/ the USIC for generations. AT&T's
history of proactively helping the US spy on US Citizens+Everyone hints at the
company's deep desire to be a spy entity in it's own right.

Even though the knowledge of that is/was public, it wasn't widely know until
the Edward Snowden revelations - largely due to the relative disinterest of US
news orgs (even when faced with clear evidence of US's ethical lapses -- eg:
Mark Klein whistleblows AT&T's NSA taps on the internet backbone).

Most of the US Press still behaves as if USIC's primary goal was safeguarding
the public instead of furthering the interests of US Gov & political
financiers.

~~~
blattimwind
Worth pointing out that the rules around telco accounting are pretty much
designed to give Interested Parties a single point to siphon off call
metadata.

------
leowinterde
The same report by the ZDF (second german television):
[https://www.zdf.de/nachrichten/politik/cryptoleaks-bnd-
cia-o...](https://www.zdf.de/nachrichten/politik/cryptoleaks-bnd-cia-
operation-rubikon-100.html)

------
drummer
The CIA's current strategy is placing spies in all major tech companies:
[https://news.yahoo.com/shattered-inside-the-secret-battle-
to...](https://news.yahoo.com/shattered-inside-the-secret-battle-to-save-
americas-undercover-spies-in-the-digital-age-100029026.html)

------
willvarfar
Being able to read diplomatic messages is a definite gold-mine.

Of course, knowing the contents of diplomatic messages isn't always enough. A
good example is described in Peter Wright's Spycatcher: the Brits were
breaking the French diplomatic cipher, using an ingenuous attack on the
electromagnetic noise of the cipher machine in the embassy. But all this
intelligence was unable to stop De Gaulle thwarting their entering the
European Common Market.

~~~
C1sc0cat
Assuming they aren't coded as well or double enciphered

eg XXX in 21Land is a WW

------
Psyladine
>Their [Soviet Union & China] well-founded suspicions of the company’s ties to
the West shielded them from exposure, although the CIA history suggests that
U.S. spies learned a great deal by monitoring other countries’ interactions
with Moscow and Beijing.

Fascinating use of 'negative space' in intelligence. Also appreciated the dig
at Reagan, apparently gross intelligence breaches at the highest levels aren't
anything novel.

~~~
WarOnPrivacy
> gross intelligence breaches at the highest levels aren't anything novel

True. Same portrayals too. If breacher is an R they're incompetent, it's a D
they're a traitor.

------
mindfulhack
This article has made me decide to never mistake Huawei's ties to Chinese
government surveillance for US political nonsense ever again.

I may not like our current US president, but it doesn't mean he can't use
truths as political instruments.

Due to China's and Russia's human rights abuses, they are who I dislike the
most. It might be by a small margin, but I would feel more comfortable having
the CIA and NSA spy on me any day, than China or Russia.

What's wild is that I know many in China would feel the same way - but in the
reverse.

------
bobosha
Related question: do modern diplomats/negotiators automatically assume their
comms are compromised? Are their "secure" lines ever truly secure? Surely they
know the NSA/CIA would be listening.

~~~
tinus_hn
Not all communication is compromised; for example for an embassy it could be
practical to use a true one time pad which is uncrackable and attempts to
intercept the key would lead to a diplomatic incident.

Much of their communication probably isn’t that sensitive though.

~~~
nroets
Until the people slip up and use the same pad twice
[https://www.theregister.co.uk/2018/07/19/russia_one_time_pad...](https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/)

------
adventured
[https://outline.com/tTTmh6](https://outline.com/tTTmh6)

And

[http://archive.is/1w61P](http://archive.is/1w61P)

~~~
Apofis
Thanks, it gets irksome at some points that a large number of submitted
content on HN is paywalled. I can't subscribe to all of these, just to read a
couple of articles a month per publication.

~~~
mellosouls
Yes. It would be useful to have an accessible version posted with the original
each time, and for it to be a preferred guideline for submitters.

Though to be fair, I'm not sure if there are copyright issues involved, which
might make such a guideline difficult.

~~~
AnimalMuppet
It is posted each time. Under the article, there are a number of little links
("flag", "hide", "past", and so on). You want the one that says "web".

~~~
Apofis
Thanks, I'll keep this in mind in the future.

------
rjsw
A slightly related article is this [1].

[1] [https://www.bell-labs.com/usr/dmr/www/crypt.html](https://www.bell-
labs.com/usr/dmr/www/crypt.html)

------
burakemir
TL;DR Swiss firm Crypto AG sold tech to governments for decades, but turns out
to be owned and operated by CIA and BND who benefited from backdoors. From
their POV, a wildly successful operation, beyond imagination.

> At times, including in the 1980s, Crypto accounted for roughly 40 percent of
> the diplomatic cables and other transmissions by foreign governments that
> cryptanalysts at the NSA decoded and mined for intelligence, according to
> the documents.

------
tareqak
Same story from the Associated Press: _Switzerland investigating alleged CIA,
German front company_ \-
[https://apnews.com/fbd5fe4261c8b326f860936de7c32a87](https://apnews.com/fbd5fe4261c8b326f860936de7c32a87)

------
leroy_masochist
Would be cool if the Agency did relatively more of this kind of thing and
relatively less of, for example, paying psychotic Afghan pedophile warlords
hundreds of millions of dollars for reneged-upon power sharing agreements and
HUMINT of dubious value.

------
not2b
It has long been known that the NSA had their hooks into Crypto AG; for
example, that's how they managed to intercept Libyan communications. What's
new is the report that the CIA actually partly owned the company.

------
dropoutcoder
My new startup focuses on human nervous system faraday cages embedded into
next generation fashion technology. This tech covers your entire body, keeping
you safe from remote scans, and includes realistic facial and body disguises.
For your safety, our tech constantly scans your thought patterns and memories
and keeps them safe with a static filled triple scrambled encryption method,
and encodes them into specially placed augmented cellular technology at
undisclosed locations in the body.

For funding, please visit [https://CE.YA/](https://CE.YA/)

~~~
AndyMcConachie
I love it!

------
not_buying_it
Can anyone here point out an actual case where the NSA was able to break or
legitimately hack someone's crypto? I was under the impression that their
track record was basically nil on this, and that virtually every instance of
them spying on encrypted info boiled down to some sort of inside job that
actually resulted in the encryption being weakened or thwarted. People speak
about these guys like they have off the charts abilities, yet the available
evidence is not so indicative of that. Just looks like a big government
operation kinda bumbling along to me.

~~~
glitchdigger
If they had that ability they certainly wouldn’t broadcast that capability,
but I’ve seen enough crazy shit in the legal 0day market alone to think they
have some insane capabilities. However, you’d never know If they could crack
RSA/AES, but assuming quantum computing is on its way I’m sure it won’t be
long or happened 8 years ago.

------
etiam
There may be some new documents available now, but the story as such seems to
have been known for a while. I first learned of it last summer while reading
some of the drafts for Ross Anderson's update of his excellent _Security
Engineering_.

See chapter 26,
[https://www.cl.cam.ac.uk/~rja14/book.html](https://www.cl.cam.ac.uk/~rja14/book.html)

------
mpoloton
There was a documentary about this company and other surveillance topics aired
on Swiss TV in last November.

[https://www.rts.ch/dossiers/la-suisse-sous-
couverture/](https://www.rts.ch/dossiers/la-suisse-sous-couverture/)

It's in French and may not be accessible outside Switzerland but I highly
recommend it.

------
RachelF
Makes you wonder about other Swiss based encryption providers like Proton
Mail?

Proton Mail would be a great honey pot for the CIA.

------
edge17
It's weird this article talks like this is new information. I guess it's not
probably not widely known, but this stuff was discussed in James Bamford's
Puzzle Palace, published in the early 1980's (nearly 35 years ago).

------
NN88
John Schindler (Former NSA) has hinted Signal isn't secure either...

------
rafaelvasco
This is one of the reasons why my tinfoil hat has been shinier than ever;

------
microcolonel
Is there a list somewhere of companies who are known to have bought and
installed Crypto AG devices?

------
hownottowrite
I’m surprised no one is talking about all the companies that have In-Q-Tel as
an investor.

------
anonu
Anyone have a link to the leaked doc referenced in the article?

------
allovernow
And that's why we can't trust Uncle Sam with backdoors. You bet your ass
they'll be reading _everything_ and we won't find out for decades, if ever.

------
PhantomGremlin
I have to disagree with the headline. The "intelligence coup of the century"
came much earlier, during WWII.

The Allies were reading a good deal of both Japanese and German encrypted
communications. This saved the lives of many Allied solders and, perhaps,
tipped the balance of the war.

[https://en.wikipedia.org/wiki/Magic_(cryptography)](https://en.wikipedia.org/wiki/Magic_\(cryptography\))
[https://en.wikipedia.org/wiki/Ultra](https://en.wikipedia.org/wiki/Ultra)

David Kahn's book, the Codebreakers, is a good introduction to cryptography
and has a lot of this history in it.

[https://en.wikipedia.org/wiki/The_Codebreakers](https://en.wikipedia.org/wiki/The_Codebreakers)

~~~
mzs
also how Poland kept the Bolsheviks from sweeping across Europe

[https://warfarehistorynetwork.com/2016/10/05/polish-
ciphers/](https://warfarehistorynetwork.com/2016/10/05/polish-ciphers/)

