
NSA's Backdoor Key from Lotus Notes (2002) - Lammy
http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html
======
refset
I think Lotus Notes has a fascinating history, cryptographic shenanigans
asides. As far as I'm aware it is still the most successful "offline first" /
"local-first" application platform in widespread use today, complete with
multi-master document replication, highly-configurable conflict resolution and
rapid application development. These were revolutionary capabilities during
the dialup era. The email client just happens to be the most popularly
recognised groupware application outside of individual corporate firewalls.

The original vision was very lofty:
[https://web.archive.org/web/20180225100127/http://www.kapor....](https://web.archive.org/web/20180225100127/http://www.kapor.com/wp-content/uploads/2016/12/Notes-Project.pdf)

"Notes should take the first major crack at the area of idea processors,
textual databases, and hypertext systems."

I would love to see where an open source equivalent built for the modern age
could take us... (CouchDB gave it a good shot!)

~~~
acqq
Still, I believe it's wrong to distract here from all the other important
topics addressed by Ray Ozzie, who was aware of all the important issues even
in 1996, and for historical context of the NSA key from the title, here is the
relevant part from his speech he gave in 1996, about how Lotus implemented
what was legally required from them:

"As you know, the U.S. government has defined its "maximum tolerance level"
for exportable unescrowed cryptography at 40 bits. That is, because they
generally permit the export of 40-bit products, the U.S. government is clearly
already willing to deal with a 40-bit work factor in order to examine
encrypted communications outside of this country.

So, the system that we're shipping in Lotus Notes Release 4 overseas is one
that presents different work factors to different parties, hence the name.

Against crackers -- against the run-of-the-mill adversary trying to break a
message -- the work factor is 64 bits, just like it is in the U.S. That is, in
the new International Edition of Lotus Notes, bulk data keys are now 64 bits
just as they are in our North American Edition that's sold in the U.S. and
Canada.

But when the U.S. Government needs access to a communications stream overseas
encoded by the international edition of Lotus Notes, they are no worse off -
and no better off - than they are today - they have to crack 40 bits."

Since then, the goals of different interest groups haven't changed, and we all
now know about many new possibilities and about the surveillance actually being
done and the dangers that the changes brought and can bring.

Other comments here in the other threads are about these more recent issues
and the readers should note them too.

~~~
jeffrallen
This compromise was also used by WebTV in Japan in 1997. I vaguely recall that
client/server comms were protected by 56 bit symmetric encryption, and that in
international mode, 16 bits of the session key were explicitly sent in
cleartext to respect the 40 bit limit. WebTV in the USA was full strength
crypto, at least as strong as the little MIPS processor in the settop box
could manage.

~~~
nullc
Claims that weak devices couldn't handle strong cryptography are mostly bogus.

Fun fact: The Atari 7800, designed in 1983, used a 956-bit Rabin signature to
vendor lock games. Strong cryptography was unavailable for a long time
primarily due to indifference, ignorance, and interference and not primarily
due to computational limits.

~~~
acqq
> in 1983, used a 956-bit Rabin signature to vendor lock games.

But not to encrypt the communication -- that would have been, apparently,
against the U.S. laws of that time.

> Strong cryptography was unavailable for a long time primarily due to
> indifference, ignorance, and interference and not primarily due to
> computational limits.

It's surely the "interference" in the form of the mentioned U.S. laws at the
time, some other comments here detail the historical background.

~~~
nullc
I'm not aware of any law it would have been violating if it was encrypted _in
the US_.

However, export was another matter and the export version of the 7800 left the
crypto out!

In any case, my point was that weak crypto spanning into the late 90s was not
a result of technical limitations.

~~~
acqq
> I'm not aware of any law it would have been violating if was encrypted in
> the US.

The laws as they were had exactly that effect: a lot of companies didn’t
intend to have products sold solely in the US. And it was problematic enough
that most companies avoided making a US-only version: even carrying such a
product on a floppy disk while travelling outside of US could get you in
trouble, see this article from 1995:

[https://www.wired.com/1995/03/the-continuing-investigation-o...](https://www.wired.com/1995/03/the-continuing-investigation-of-phil-zimmermann/)

The companies that did use strong crypto typically had the contracts with the
military.

~~~
nullc
Sorry, we're talking in loops. The legal issue wasn't encryption vs other
cryptography, it was export or not. 7800 _did_ face that issue, and resolved
it by making the non-US version not do the crypto. This was probably easier in
their case due to PAL vs NTSC. :)

I think both of us might be making the error of correcting something the other
person wasn't intending to comment on! :)

Some export complications around crypto exist to this very day-- at least for
commercial hardware products. I've had to fill out the export forms myself,
and not that many years ago.

~~~
acqq
> The legal issue wasn't encryption vs other cryptography, it was export or
> not

And I have never claimed anything else, it can be easily verified.

------
Lammy
Previous discussions:

- [https://news.ycombinator.com/item?id=5846189](https://news.ycombinator.com/item?id=5846189) (June 2013)

- [https://news.ycombinator.com/item?id=9291404](https://news.ycombinator.com/item?id=9291404) (2015)

~~~
xvector
Thank you for the link. I found barrkel’s comment[1] particularly moving:

> A non-authoritarian government is an historical anomaly. It's a ball
> balanced on top of a hill, pushed there by the deaths of millions, and kept
> there by the vigilance of those who care. Please start caring.

[1]:
[https://news.ycombinator.com/item?id=5847789](https://news.ycombinator.com/item?id=5847789)

~~~
monoideism
> It's a ball balanced on top of a hill, pushed there by the deaths of
> millions, and kept there by the vigilance of those who care.

I feel like the ball has started to roll downhill, and is rapidly gaining
speed, but that the only folks who can stop it are too dug into their own
partisanship to take a look around them and do something.

That, or they _desire_ authoritarianism. I've frankly been surprised at the
number of people I've talked to in the past few years who seem to _like_ the
idea of a strongman leader. I always assumed everyone but the most extreme
wings of the right and left believed in liberty and democracy, but I now see
that I was mistaken.

~~~
adventured
My experience has been the opposite. I've rarely met anybody in the center
~80% or so that didn't have a little dictator inside of them, yearning to come
out and strangle the masses under behavior controls, dictating how everyone
else is to live. I find it doesn't take more than a few minutes of
conversation with moderates, before you can see the gleam of dictator in their
eye, where you can get them to openly state something about wanting to
directly or indirectly control other people and how they live.

And when it comes to the extreme partisan wings, the dictator is giant rather
than little. You don't have to engage them in conversation for it to come out,
they project it all the time willingly, openly.

~~~
Taek
Everyone wants to believe that they know how other people should be living
their lives. And everybody believes that they themselves know where to draw
the line between freedom and order.

Freedom means something different to every person on the planet, and that
makes it difficult to protect.

------
userbinator
[https://en.wikipedia.org/wiki/RSA-768#RSA-768](https://en.wikipedia.org/wiki/RSA-768#RSA-768)
was factored almost exactly 10 years ago. I wonder if anyone has tried
factoring this one? Hopefully the NSA doesn't still use this key...

------
wpskidd
I have to chime in that I too have a love/hate relationship with Lotus Notes.
I started using it back in ‘98. It was massively empowering to build
functional and secure workflow apps, and do so faster than you could wireframe
on other platforms. I rolled it out to thousands of users successfully. It was
truly visionary in scope. However, the performance was mediocre and there were
many really poor oversights and omissions. Often I would go to program some
base operation and find out you just “can’t get there from here“. It seemed
their QC process hadn’t really given much thought to global calendar
synchronization or to very basic needs like printing landscape. I still use it
daily for a large (funeral) industry specific app, and it has run flawlessly
for a decade (albeit making API calls to MS Office and the web). I go to
program new things in React or even Rails and am disappointed that you have to
reinvent things that were built into Notes 20 yrs ago.

------
reanimus
They embedded an entire X.509 cert in it? I wonder if the Lotus devs just made
an X.509 cert out of key material they were given or if the NSA actually
minted it with that subject.

~~~
dclowd9901
I have to think the engineers were maliciously complying with the directive.
It's far too dark a joke to be honorific.

~~~
jsjohnst
Ray Ozzie confirmed in a thread below that it was done by Charlie/Al/him as a
joke.

~~~
dclowd9901
Like laughing at a funeral?

~~~
acqq
Like "we do what we have to do because it's currently a law, but we can't be
forced to give a nice name to it, let them know what we think of it:"

[https://news.ycombinator.com/item?id=21859950](https://news.ycombinator.com/item?id=21859950)

See the other comments here for a historical context: "exporting" stronger
crypto software from the U.S. had the same status as exporting weapons of war.

------
Ericson2314
I thought at first the NSA made the Orwell reference, but it looks just the
lotus notes devs did?

I guess that's...reassuring.

~~~
rozzie
Charlie, Al, and I were just trying to maintain a sense of humor in fairly
tough times, knowing that the first who would see the key would be the folks
we were working with at the ministry.

~~~
dclowd9901
With no judgment whatsoever, may I ask: why did you do the work? Why did you
not walk away and stand on moral principle against such intervention? From
reading your comments, I gather this isn’t something you agreed with.

~~~
acqq
The context has an unofficial name "crypto wars":

[https://en.m.wikipedia.org/wiki/Crypto_Wars](https://en.m.wikipedia.org/wiki/Crypto_Wars)

"In the U.S." since "the immediate post WWII period" the "crypto software was
included as a Category XIII item into the _United States Munitions List._ "
That meant that _exporting software with strong encryption was legally the
same as exporting weapons_.

What Ray Ozzie and colleagues implemented was at that moment (1996)
claimed to be a "superior exportable encryption technology when compared to
other US products on the market":

[https://packetstormsecurity.com/files/21281/lotus.notes.nsa....](https://packetstormsecurity.com/files/21281/lotus.notes.nsa.backdoor.txt.html)

To compare:

[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)

To be able to export Netscape web browser with SSL (a predecessor of TLS)
"Netscape developed two versions of its web browser. The "U.S. edition"
supported full size (typically 1024-bit or larger) RSA public keys in
combination with full size symmetric keys (secret keys) (128-bit RC4 or 3DES
in SSL 3.0 and TLS 1.0). The "International Edition" had its effective key
lengths reduced to 512 bits and 40 bits respectively (RSA_EXPORT with 40-bit
RC2 or RC4 in SSL 3.0 and TLS 1.0).[6] Acquiring the 'U.S. domestic' version
turned out to be sufficient hassle that most computer users, even in the U.S.,
ended up with the 'International' version,[7] whose weak 40-bit encryption can
currently be broken in a matter of days using a single computer."

Only later:

"In January 2000, the U.S. Government relaxed export regulations over certain
classes of mass-market encryption products. In line with these changes,
Netscape has made the strong-crypto versions of Communicator and Navigator
available worldwide." (1)

[https://www.fortify.net/README.html#do](https://www.fortify.net/README.html#do)

~~~
dclowd9901
I appreciate the illustrative nature of your comment, but I'm really looking
to learn something from a rather influential mind in software engineering.

------
almindor
This is a bit spooky. I wonder if the engineers responsible were just trying
to be cute, or "reaching out" in a way.

~~~
mindfulhack
Probably just having a joke. Human psychology is complex, no matter what
positive or negative things we do to each other.

~~~
jsjohnst
Posted by the man himself before your reply:

> Charlie, Al, and I were just trying to maintain a sense of humor in fairly
> tough times, knowing that the first who would see the key would be the folks
> we were working with at the ministry.

------
DonHopkins
Inslaw's legal case-management system "PROMIS" also had a back door, put there
by Michael Riconosciuto, under the direction of Earl Brian of Inslaw's
competitor Hadron. Attorney General Edwin Meese's Department of Justice drove
Inslaw out of business, pirated their software, and distributed it with the
back door to Israel and 80 other countries so the US could spy on them. Danny
Casolaro was investigating it, but suddenly died of an unlikely apparent
suicide.

If Trump really wanted to investigate corruption in the deep state, he should
start by interrogating his good buddy Edwin Meese, instead of honoring him
with the Medal of Freedom. He could also ask his own Attorney General Bill
Barr why he whitewashed the Justice Department last time he had it investigate
itself. (Actually, maybe that's why he hired Barr!)

[https://www.npr.org/2019/10/08/768136964/trump-to-honor-form...](https://www.npr.org/2019/10/08/768136964/trump-to-honor-former-reagan-attorney-general-who-left-government-under-ethics-c)

>Trump To Honor Former Reagan Attorney General, Who Left Government Under
Ethics Cloud

[http://nothingmajor.com/journal/775-meese-is-a-pig-returns/](http://nothingmajor.com/journal/775-meese-is-a-pig-returns/)

>Experts Agree! MEESE is a PIG

[https://threadreaderapp.com/thread/1179701030520524801.html](https://threadreaderapp.com/thread/1179701030520524801.html)

>INSLAW/PROMIS links

>Barr refused to appoint an independent counsel to the Inslaw case, relying
instead on a retired federal judge, in this case Nicholas Bua, who reported to
Barr alone. In other words, the DOJ was responsible for investigating itself.

[https://en.wikipedia.org/wiki/PROMIS_(software)](https://en.wikipedia.org/wiki/PROMIS_\(software\))

[https://en.wikipedia.org/wiki/Inslaw](https://en.wikipedia.org/wiki/Inslaw)

[https://en.wikipedia.org/wiki/Michael_Riconosciuto](https://en.wikipedia.org/wiki/Michael_Riconosciuto)

[https://en.wikipedia.org/wiki/Earl_Brian](https://en.wikipedia.org/wiki/Earl_Brian)

[https://en.wikipedia.org/wiki/Danny_Casolaro](https://en.wikipedia.org/wiki/Danny_Casolaro)

>The Justice Department had dishonestly conspired to "drive Inslaw out of
business 'through trickery, fraud and deceit'" by withholding payments to
Inslaw and then pirating the software.

>The Justice Department had done so in order to modify PROMIS, originally
created to manage legal cases, to become a monitoring software for
intelligence operations.

>"PROMIS was then given or sold at a profit to Israel and as many as 80 other
countries by Dr. Earl W. Brian, a man with close personal and business ties to
then-President Ronald Reagan and then-Presidential counsel Edwin Meese."

>"There appears to be strong evidence, as indicated by the findings in two
Federal Court proceedings as well as by the committee investigation, that the
Department of Justice 'acted willfully and fraudulently,' and 'took, converted
and stole,' Inslaw's Enhanced PROMIS by 'trickery fraud and deceit.'"

>A book written in 1997 by Fabrizio Calvi and Thierry Pfister claimed that the
National Security Administration (NSA) had been "seeding computers abroad with
PROMIS-embedded SMART (Systems Management Automated Reasoning Tools) chips,
code-named Petrie, capable of covertly downloading data and transmitting it,
using electrical wiring as an antenna, to U.S. intelligence satellites" as
part of an espionage operation.

>"another undeclared mission of the Justice Department's covert agents was to
insure that investigative journalist Danny Casolaro remained silent about the
role of the Justice Department in the INSLAW scandal by murdering him in west
Virginia in August 1991."

>Inslaw's new allegations described the Justice Department dispute with Inslaw
as part of a broad conspiracy to drive Inslaw into bankruptcy so that Earl
Brian, the founder of a venture capital firm called Biotech (later
Infotechnology), could acquire Inslaw's assets, including its software Promis.
Inslaw owner William Hamilton told PSI investigators that Brian had first
attempted to acquire Inslaw through a computer services corporation he
controlled, called Hadron. Hamilton said that he rejected an offer from Hadron
to acquire Inslaw, and that Brian then attempted to drive Inslaw into
bankruptcy through his influence with Attorney General Edwin Meese.

[https://www.wired.com/1993/01/inslaw/](https://www.wired.com/1993/01/inslaw/)

>The INSLAW Octopus

>Software piracy, conspiracy, cover-up, stonewalling, covert action: Just
another decade at the Department of Justice

>The House Judiciary Committee lists these crimes as among the possible
violations perpetrated by "high-level Justice officials and private
individuals":

>> Conspiracy to commit an offense

>> Fraud

>> Wire fraud

>> Obstruction of proceedings before departments, agencies and committees

>> Tampering with a witness

>> Retaliation against a witness

>> Perjury

>> Interference with commerce by threats or violence

>> Racketeer Influenced and Corrupt Organizations (RICO) violations

>> Transportation of stolen goods, securities, moneys

>> Receiving stolen goods

[https://www.muckrock.com/news/archives/2017/may/16/FBI-promi...](https://www.muckrock.com/news/archives/2017/may/16/FBI-promis-part-1/)

>The Undying Octopus: FBI and the PROMIS affair Part 1 35 years later, file
reveals dropped leads and confirmed allegations in “the scandal that wouldn’t
die”.

>Inslaw’s attorneys, which included Elliot Richardson, who had previously
resigned from the DOJ rather than comply with President Nixon’s orders to fire
the Watergate Special Prosecutor Archibald Cox, repeatedly demanded a special
prosecutor be appointed to investigate the matter, along with its numerous
connections that implicated officials such as Ed Meese, who were in turn
allegedly connected to affairs such as Iran-Contra and Reagan’s October
Surprise.

~~~
DonHopkins
The perils of "Cloud Computing" in the 80's:

[https://en.wikipedia.org/wiki/Inslaw#Contract_disputes_and_I...](https://en.wikipedia.org/wiki/Inslaw#Contract_disputes_and_Inslaw_bankruptcy)

> There were also disputes over service fees. During the first year of the
> contract, the DOJ did not have the hardware to run Promis in any of the
> offices covered by the contract. As a stopgap measure, Inslaw provided
> Promis on a time-share basis through a Vax computer in Virginia, allowing
> the offices to access Promis on the Inslaw Vax through remote terminals,
> until the needed equipment was installed on-site. EOUSA claimed that Inslaw
> had overcharged for this service and withheld payments.

------
vectorEQ
O=MiniTruth CN=Big Brother :D love it

------
DoctorOetker
Was it systematically leaking the same 24 bits (encrypted to the NSA public
key), or a random contiguous selection of 24 bits?

In the second case, having just a few documents would result in only the NSA
being able to decrypt without even brute forcing...

------
schappim
Does anyone else find it ironic that cypherspace.org doesn't support https?

------
haecceity
So the fact that most crypto export controls are gone now means NSA can crack
everything now right?

~~~
nullc
The export controls weren't relaxed particularly willingly.

[https://en.wikipedia.org/wiki/Bernstein_v._United_States](https://en.wikipedia.org/wiki/Bernstein_v._United_States)

~~~
acqq
Also:

[https://www.wired.com/1995/03/the-continuing-investigation-o...](https://www.wired.com/1995/03/the-continuing-investigation-of-phil-zimmermann/)

[https://www.nytimes.com/1996/01/12/business/data-secrecy-exp...](https://www.nytimes.com/1996/01/12/business/data-secrecy-export-case-dropped-by-us.html)

------
EddieCPU
Well DOH!

------
tripzilch
> the NSA public key had an organizational name of "MiniTruth", and a common
> name of "Big Brother"

> the Ministry of Truth was the agency whose job was propaganda and
> suppression of truths that did not suit the malignant fictional future
> government in the book, and "Big Brother" was the evil shadowy leader of
> this government.

"Are we the baddies?", said nobody at the NSA.

Seriously, this is kind of blatant. I could see them using the phrase "Big
Brother", because it has become a common saying and lost some of its edge. But
not Ministry of Truth, that only has one meaning and it's terrifying. It
literally means "ministry of lying to the people and denial of truth". There
is no reading of the book, no matter how superficial, that the term "Ministry
of Truth" is anything but overtly sarcastic.

What does this come from? Is it edgy young people (young back then), picking
these names? Even if tongue-in-cheek, it has enormous consequences on the
culture inside a rather insulated work environment of a job that really should
be one of solemn responsibility.

~~~
jsjohnst
> What does this come from?

Do some reading of the threads here + links to previous discussions. Ray Ozzie
(one involved) has been commenting.

