How the CIA used Crypto AG encryption devices to spy on countries for decades (washingtonpost.com)
960 points by allard 9 days ago | 330 comments

Reading between the lines on this, it's plainly apparent why there have been repeated attacks on encryption by the US government. From this, through RSA's Dual_EC_DRBG, to the present day, it's obvious that the US highly values rigging the deck to aid their decryption, and that the current democratisation of encryption protocols is a threat to them.

I mean, you only need to read their repeated admissions that without MINERVA their intelligence recovery would've dropped from ~80% to ~10% to see why they're trying to play the same game plan again and again. Whether that's through puppetmastering encryption companies like in this article, sneaking it in via bribes (RSA's Dual_EC_DRBG), or most recently trying to legislate it through (FB, Whatsapp, etc. E2E encryption), it's all essentially the same play.

As a corollary to all this, it's another point of evidence that strong encryption really is beyond the reach of even the biggest three-letter-acronyms, and that there's no secret sauce technology out there letting them mass-decrypt everything. If there was, then perhaps there wouldn't be such a strong push to rig the deck in the first place. At least that's heartening.

Putting my tinfoil hat on, after reading the Snowden disclosures I'm convinced that they do have limited means of attacking encrypted communication but they would rather rely on these (expendable) means. Once they lose their crypto vulnerabilities it will force them to be even more overt.

The key difference is that decrypting something would likely need to be targeted and on a case-by-case basis, as it would take specialized work, as opposed to these sorts of attacks (much like tapping all of the pipes which transit data underseas or elsewhere, which still goes on in every country or working directly with the ISPs and mobile operators which happens in most countries) which allows mass dragnet surveillance.

I think most of us would be fine with the NSA doing what they do if it was targeted, like the police getting warrants to break privacy only in important cases for public safety.

The problem will always be mass interception. Not only domestically either, as there is nothing protecting any foreign communications being intercepted in the US (and I'm sure Five eyes+ bypasses these legal roadblocks whenever needed). Which is why the push for encrypt-everything is so important. But as we've seen repeatedly, even when investigating the president and his people, even the allegedly "significant domestic protections" offered by FISA are a joke and basically rubber-stamp.

WhatsApp and iMessage and other non-SMS communication as well as email providers finally adopting proper transit encryption probably has reduced the amount of this sort of unfiltered "intelligence" gathering by 90%+. But I'm sure there's still tons of mobile apps and websites which aren't doing things properly and are filling up their databases.

> I think most of us would be fine with the NSA doing what they do if it was targeted

You think wrong. The fact that there are opposing world states engaging in these nefarious, oppressive, terrible acts and they're not all aligned doesn't legitimize any of these states' activities.

The NSA should essentially be shut down, or cut down to a small agency operating in public with a much more limited mandate. And no secret FISA courts or any of that spy-movie crap. That should just stop, period.

I love privacy 'n' stuff, for sure.

But relative to the risk of global nuclear war, and the certainty of global climate disruption, I couldn't care less about the NSA and its adversaries.

And hey, maybe all that spying reduces the risk of overt war.

Why do you believe NSA spying decreases the risk of nuclear war, or helps stave off climate change?

Also, it's not that we "love privacy", it's that we dislike oppression. And believe you me - most people in my part of the world know very well how the US is oppressing them through military and intelligence means. We don't want to live under the US' boot, and the NSA is part of that boot.

I didn't say anything about spying staving off climate change. That's pretty much a done deal, at least to the extent of destroying our current civilization. We've been in free fall to that, for at least a decade.

And about nuclear war. Although I'm no expert, it seems pretty obvious that uncertainty increases the risk of war.

Sure, I hate oppression. And I'm not into oppressing others.

But the problem is all the assholes who are driven to oppress others. If I could snap my fingers, and have them all die instantly, I would. But that just ain't gonna happen.

And indeed, it's arguable that they've been selected for, since the development of agriculture and animal husbandry. I got that from Morgan's Black Man.

So anyway, I just do what I can for myself and those close to me, and what I can to help others. I don't focus so much on changing the system. Given how people are, it seems kinda pointless.

You could argue that uncertainty reduces the risk of war because you're only starting wars where you're reasonably certain that you can win. Uncertainty about your adversary's capabilities then prevents war.

Too much uncertainty can also risk war. It all depends on what you're uncertain about.

MAD doctrine is based on both sides being reasonably sure neither can get away with a first strike. There is interest in having that fact independently verifiable; spying is both providing that verification and serving as an incentive against overstating your actual capabilities.

Gives those who get a kick out of war and conflict something to do that isn't lob nukes at each other.

Same reason you want layers of government with progression at a small scale available to many. So all the people with political ambitions aren't all trying to start their own governments and revolutions.

Busy is stability.

To be fair, I don't think a search warrant is oppression if used correctly. If there was something analogous for encryption I wouldn't mind. Problem is an "encryption search warrant" likely would happen without anyone knowing about it.

Okay, but these big picture perspectives don't materialize in a vacuum. It's not just this binary do-or-die nuclear deterrence that such a mindset acquiesces to.

The rubber meets the road, and real names are drawn from a hat somewhere along the line. After we shoo away that pesky threat of hypersonic implosion triggered plutonium cores raining down upon our heads, the sun rises on a new day, and we have to put on coffee and make breakfast.

And some people ride in limousines from hotels for brunch, and some people ride the bus to a fast food job at the ass crack of dawn.

And you can bet that whomsoever holds the keys to these cryptosystems that serve as nuclear-proof umbrellas keeping our heads dry from the oh-so-inevitable megatons of explosive fire, they'll never drive a garbage truck, their kids won't have to worry about flunking out of college, and none of them will ever get cold in the winter, unless they want to on their holiday ski trip.

And it's no accident, the way such things work.

So, maybe this whole nuclear war thing? Maybe it's always been a big shakedown.

Maybe, sometimes you buy a gun with the full knowledge that keeping it clean, safe and ready for reliable use is going to book your Sundays solid from now on, and whoops, the cost of gun ownership, it just so happens, is never attending Sunday mass again.

Don’t understand the gun paragraph

It's something like people who are into violence being immoral, I suspect. Not that I'd pick religion as a reliable measure for morality.

It is arguable that the US and Russia have collectively committed a crime against humanity that's comparable to genocide. Not in any simple numeric sense, of course. But even 1% annual risk of killing a billion people, protracted over several decades, is a pretty big number.

And yes, humanity is highly stratified. Socially, economically, whatever. But that just reflects what we are. Hate on it all you want, it's not gonna change.

OK, so reckless endangerment is a crime.[0] It's especially serious when weapons are involved, and when children are endangered. How does that not apply?

Except, of course, that there's no body with the requisite authority or power. But maybe someday there will be.

0) https://www.legalmatch.com/law-library/article/reckless-enda...

And who is creating the risk of global nuclear war, if not those very same governments?

Most of it is economic and political espionage, not spying on each others' military secrets. That happens too, sure, but none of the other stuff is necessary to protect us from nuclear war.

NIST and the NSA should be shunned when it comes to setting crypto standards (apart from setting their own FIPS and such for government users) because they've demonstrated their corruption and efforts to work against the public interest. Instead, an international nonprofit that encourages transparency and academic adversarial due-diligence across the whole lifecycle of standards would be a better vehicle for crypto standards, like an Underwriters Laboratory or similar. (NESSIE-ish but even broader.) It's impossible to remove gamification and attempts to infiltrate standards bodies, but it's important to remove both appearances of condoning their subversion and proactively mitigating all actual infiltration should a fellow, contributor or other affiliate be working on behalf of a foreign government. It's not an "all gubberment bad" thing, but particular parts of government whose culture has infected the integrity of the process to deliver modern, reliable cryptography as a net commonwealth good, but they've chosen instead to create more liabilities and doubt that defeat and outweigh the "benefit" they brought to the table for users outside of government.


Hmm, nah, I don't think people understand that they created the NSA. It is them and their neighbor living in a quiet area paying taxes, where the government wants to keep them quiet and keep them paying.

This way of things is giving birth to idealism and naivete. Just like people living in cities are idealistic and naive about life of cattle and poultry.

You don't want an innocent chicken to be killed, but it is tasty. You don't want an innocent person to be kept in a hidden prison, but you feel safer.

They all would like to close down the farms or agencies that deal with bad stuff, but once they are hungry enough that they have to kill an animal, or are faced with actual violence, they will change their mind right away. (I bet they will want someone else to deal with such things.)

If someone lives a comfy life he can be oblivious. But on the other hand that is also beneficial for society, because people in first world countries can focus on growing their interests and don't mind that bad stuff.

In the end if I would have to kill chickens for food every day I could not learn software development. So I am grateful I don't have to. I am also grateful that I don't have to deal with criminal people every day, because also I probably would not have time to do software development (most likely I would be dead before my 20th birthday).

I would say it is the _opposite_ of what you suggest. That is, people are willing to accept the existence of oppressive institutions because they are kept ignorant about their terrible impact. And those who aren't ignorant are fearful.

On a personal note: I've been arrested, I've been beaten, I've been in court and I've been in prison (*) to uphold and promote my beliefs and principles. And I do software development too... it's possible :-)

> You don't want innocent person to be kept in hidden prison, but you feel safer.

Umm, no. That this happens makes me feel less safe. If it can happen to anyone, after all, it can happen to me or the people I hold dear.

A spy agency is necessary for the USA to compete on the world stage. Though, its operations should be significantly limited.

The CIA is a disaster that needs to be dismantled.

The conceit of planetary-level politics being a "competition" is - with due respect - propaganda of the imperialist powers, that most of us are being fed and expected to buy into. Don't.

In fact, with deepening global threats like climate change and nuclear war (), it is becoming clear just how mortally dangerous such perceptions are. So: Stop supporting "competition on the world stage".


Yes, that is still a thing and making quite the comeback; see:

for example.

Welp, I'm a doomsday prepper now.

> The CIA is a disaster that needs to be dismantled.

Working for the CIA is like being a sysadmin. The world only knows you exist when you fuck up.

There was a great CCC talk recently that showed how one of the Vault 7 tools wasn't a remote assassination boogieman drone tool like Wikileaks framed it, but actually a control the CIA developed that allowed them to give anti-air weapons to friendlies in Syria and Ukraine with positive access control and strong time/geo scoping to prevent them from being used nefariously.

> Working for the CIA is like being a sysadmin. The world only knows you exist when you fuck up.

While there's some truth to that, this way of thinking entirely ignores the opportunity cost that all those agencies have. With those insane budgets, you could do so much good in the world that one wouldn't have to fear the problems those agencies try to solve, because a lot of them wouldn't exist in the first place.

The budget of intelligence agencies is not anywhere near that big.

CCC... Communist Congress of China? Christian Columnist Caucus? Conference on Computational Complexity?

Probably Chaos Computer Club, a German association of hackers. At least in Europe quite well known. They do a lot of cool stuff, like looking for security flaws in voting machines and such stuff.

I'm sure that's what you would have told me 300 years ago if I claimed we should abolish monarchy and hereditary rule...

I am fine getting rid of the NSA as soon as you can guarantee that Russia and China dismantle their equivalents. Not to mention all the other agencies in the world.

Sorry, but when you talk of those two in particular, the US is the obvious good guy. Regardless of the terrible shit Trump has done, we would never accept him murdering journalists or critics. That shit happens regularly in Russia and China.

Thinking of the US as “the good guy” deters improvement. If anything, the US is “the better guy,” a more modest claim.

> Regardless of the terrible shit Trump has done, we would never accept him murdering journalists or critics

There is strong evidence that Turkish intelligence intercepted the telephone call between Trump's son-in-law Jared Kushner and Bin Salman green-lighting the killing of Jamal Khashoggi, and used it as leverage to force the US drawdown in Syria. Turkish state media was the source of the audio recording of the murder inside the embassy, so it is not unreasonable to believe they have sufficient espionage capabilities against the Saudis to have phone recordings as well.

Source for Kushner phone call claim?

So you are saying the US killed Khashoggi.

Of course you don't mean that. What you mean is that the US didn't intervene.

Yes, I am certain the world that hates the US would have loved the US intervening in Saudi Arabia's affairs.

Whether the US gov't knew Saudi was going to do it or not is different than the US gov't pulling the trigger.

Can you name the Trump, Obama, or Bush vocal American citizen critics that have been killed by the government? Because it sure is easy to find the ones Putin has murdered.

Not really about critics, but the murder of Epstein pretty much shows the corruption of the US establishment.

I'm pretty sure there are more deaths like this, but I don't collect this data, and the US is the country with the most efficient propaganda and brainwashing. It's extremely effective at hiding unpleasant facts and disseminating fake news.

It takes a lot of hubris to think that you would ever know for sure if some US three letter agency was killing journalists and critics.

Ummm Trump's biggest critics aren't dropping dead left and right. That is exactly what happens to Putin's critics.

Just watch the "Mission Impossible" franchise. They are obviously dramatized stories, but I would not be surprised if the world has been very close to ceasing to exist as we know it, and the only thing that prevented it was that they did their job. Only a few people know what they have done; no glory, no prizes, no recognition. What kind of people do that? Heroes.

Feel free to down vote me.

I can only guess but I would not be surprised if your very life was saved. Or even if we just look at money, you may have lost a significant amount of what you have in a scam that was avoided.

We do not know what we do not know. But there must be more good than bad in what they do.

There's plenty of memoirs by actual intelligence agents.

The world is a lot more boring than films, and it is far more complicated and difficult to pull off serious operations. The serious operations are often merely inside information about other nation states. Not saving the world from bad guys.

It's mostly just a long series of super paranoid people chasing each other in circles. And in between, plenty of useful information being given to leaders, i.e. before big events, to give them an edge or whatnot.

The cold war was the heyday of the outside-the-office spycraft stuff. Today I'm sure it's mostly just countering massive digital campaigns hitting gov agencies, critical infrastructure, and megacorps. Plus the old school agents working within each of those agencies feeding information back to their motherlands.

The other amusing thing is that said leaders often ignore all that useful information when making their decisions, because they believe that they know better.

And for 2 years of boring paranoia there may be 2 days that save the day.

I would expect that people that speak up are mostly dissatisfied and frustrated people.

And for opacity, one part of the org will likely not know about what is going on on the other side.

A big selection bias.

But who knows...

I mean, sure, if you want to believe in superheroes, that's fine. But heroics typically have an opportunity to exist due to extreme events. Those, in turn, mostly happen due to massive screwups or deliberate large destructive events. Occasionally, accidents, but that's not what you're talking about.

If you want insight as to why heroic interventions are a sign of failure, talk to your IT department and then scale that up to nation states.

Wow! I have never seen it stated that well. I always said this one team got hero status for saving a contract that was horribly underbid in schedule and budget, so they proceeded to underbid contracts to recreate the success. If we treated heroics as a red flag we would all be better off.

I completely agree that the need for superheroic actions may arise as the result of self-inflicted pains, and it is usually the case in big corps.

At the same time, other heroic efforts may also require hard work to keep up with the competition or to clean up someone's mess.

That seems to be one of the reasons they monitor what is going on and are vigilant: so they are more likely to be successful at preventing problems before they arise or become too big. Are not those the problems that require superheroic measures?

The world is far more Mr. Bean than James Bond.

I think a James Bond in the past may end up becoming a Mr Bean in the future if we are not careful.

I am not naive, there are problems in big organizations.

To keep the movie metaphor, the biggest fears I have come from movies like Star Wars, in which the empire turns to the dark side.

I have no idea what systems are in place to prevent things like this from happening. I hope they are VERY good.

My experience as a software engineer teaches me that as things become more and more complex in a system, the risk of a bug increases. And opacity is a double-edged sword.

Even if you have a buggy system, you do not say "Let's get rid of it" without talking about the alternatives. Another thing to consider is: "full rewrites are generally a bad idea".

I would like to open this to constructive suggestions, but I am afraid that without an inside view we are just shooting the breeze.

Mad guy speeds across London streets with a highly customized vehicle. Also, tanks. I see no difference.

I only downvoted this comment because the poster wrote:

>"Feel free to down vote me".

You are the reason the show "24" was rushed through.

iMessage is so riddled with problems, from using weak RSA key sizes (1280 bits), to using RSA in the first place (thus no forward secrecy), to Apple essentially managing the public keys for the user (which allows transparent MITM due to lack of public key fingerprints).

Also, both iMessage and WhatsApp are proprietary, thus it's almost impossible to verify the code you're running is safe. You're right in that E2EE has become more common, but seeing how the intelligence agencies have targeted major vendors like Crypto AG and RSA, we should be extra careful with popular, proprietary systems.
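The third problem named above, a vendor-run key directory with no user-visible fingerprints, is something a client can check for itself. The following is an added example, not code from the thread, from Apple or from WhatsApp: it models a key directory with constructed 32-byte stand-in keys and shows how trust-on-first-use pinning plus an out-of-band fingerprint comparison turns a silent key swap into a visible error. The names KeyDirectory, Client and key_for are hypothetical.

```python
import hashlib
import secrets


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a public key (first 128 bits of SHA-256,
    in groups of four hex digits). Users compare it out of band: in person, on a
    voice call, printed on a business card."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class KeyDirectory:
    """Models a vendor-run key server that the client must ask for a contact's key.
    Whoever controls the directory can answer with a different key than the one
    the contact published; nothing on the wire reveals the swap."""

    def __init__(self):
        self._keys = {}

    def publish(self, user: str, public_key: bytes):
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]


class Client:
    """Client that pins the first key it sees per contact (trust on first use) and
    refuses to encrypt if the directory later returns a different key, unless the
    user supplies a fingerprint verified out of band that matches the new key."""

    def __init__(self, directory: KeyDirectory):
        self.directory = directory
        self.pinned = {}  # contact -> fingerprint of the key pinned for that contact

    def key_for(self, contact: str, verified_fingerprint=None) -> bytes:
        key = self.directory.lookup(contact)
        fp = fingerprint(key)
        if verified_fingerprint is not None and fp != verified_fingerprint:
            raise ValueError(f"{contact}: directory key does not match verified fingerprint")
        if contact not in self.pinned:
            self.pinned[contact] = fp  # first contact: remember this key
        elif self.pinned[contact] != fp:
            raise ValueError(f"{contact}: key changed since first use, now {fp}")
        return key


def demo():
    """Constructed scenario: the directory replaces Bob's key after Alice has already
    fetched it once. Returns what each kind of client does with the swapped key."""
    directory = KeyDirectory()
    bob_key = secrets.token_bytes(32)          # stand-in for Bob's real public key
    substitute_key = secrets.token_bytes(32)   # key the directory later hands out instead
    directory.publish("bob", bob_key)

    alice = Client(directory)
    first_key = alice.key_for("bob")           # TOFU: pins the genuine key
    directory.publish("bob", substitute_key)   # the swap happens here

    # A client that trusts the directory blindly now encrypts to the substitute key.
    naive_accepts_substitute = directory.lookup("bob") == substitute_key

    # The pinning client notices the key is not the one it saw before.
    try:
        alice.key_for("bob")
        pinned_detects_swap = False
    except ValueError:
        pinned_detects_swap = True

    # A fresh client with no pin yet is still protected if the user brings Bob's
    # fingerprint from an out-of-band channel.
    fresh = Client(directory)
    try:
        fresh.key_for("bob", verified_fingerprint=fingerprint(bob_key))
        verified_fp_detects_swap = False
    except ValueError:
        verified_fp_detects_swap = True

    return {
        "first_key_was_bob": first_key == bob_key,
        "naive_accepts_substitute": naive_accepts_substitute,
        "pinned_detects_swap": pinned_detects_swap,
        "verified_fp_detects_swap": verified_fp_detects_swap,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the trust sits: with only the directory, a key swap is indistinguishable from a legitimate re-key (new phone, reinstalled app), so the client needs either a remembered fingerprint or one the user verified elsewhere to tell the two apart. Real messengers that expose "safety numbers" or key-change warnings are doing exactly this comparison.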

All it takes is one elected president who could upend the other branches, and the three letters become much more scary.

But that's just a partisan political belief, right?

> I think most of us would be fine with the NSA doing what they do if it was targeted, like the police getting warrants to break privacy only in important cases for public safety.

Except it's not getting a warrant, but simply deciding whether to spend resources. Which is not something that, like a warrant, I would be fine with.

Also there's another difference, technically it'll never really be on a case-by-case basis, because they can store all the encrypted communication (text chats, just store everything, easily). And they can in hindsight decide to decrypt any of that history (depending on ample metadata).

Or maybe they have a tiered system, a first-pass filter that detects a very vague definition of "possibly maybe interesting" (again, metadata) that would never ever pass a warrant request. Then just store everything that passes the filter, forever, and decrypt when needed.

> WhatsApp and iMessage

Don't both of these have default/recommended configurations that back up your chats to cloud services?

iCloud just recently added Messages in iCloud, but I know a fair amount of people that turn it off since the default iCloud storage space is 5 GB.

So the messages on your phone are not backed up with the normal iCloud backup?

I know WhatsApp nags to turn on chat backup to the cloud.

Normal iCloud backup, I don't think so, but it does ask you to turn on 'Messages in iCloud' once you upgrade to iOS 13 and/or get a new phone, albeit one time only.

What documents from the Snowden leaks convinced you of that?

I think so too but reserve them for Bin Laden or "Iran is planning a Pearl Harbor type attack" cases, otherwise people would stop using these methods of communicating. Maybe very few people within the CIA /NSA even know of such abilities.

No tinfoil hat necessary. You're simply being practical. I mean, only the naive expect honesty from the three-letter acronyms. Honesty is not their job.

I think this very suspicion is the reason Tor usage inflected down in Germany after the Snowden disclosures.

snowden explicitly said pgp was safe

How on Earth would he know? He's not a cryptographer. Much of what we've learned from the Snowden disclosures has been through experts granted access to the SCIF that houses the documents he exfiltrated. He didn't carefully review those documents before collecting them.

I think it's really difficult to come to any kind of firm conclusion about what NSA can and can't break, even with a background in the material. I tend to doubt NSA has a world-beating RSA class break locked away. But I don't think people should be making decisions based on Snowden's personal technical opinions.

it was not his opinion; he mentioned in an interview that when analysts would try to pass along pgp-encrypted messages for cryptanalysis they would be rebuffed, as an example to demonstrate that properly-implemented strong cryptography resists scrutiny by nsa. here is documentation: https://twitter.com/Snowden/status/878686842631139334

Your expectation, then, would have been that if NSA had a cryptological capability unknown to the academic literature, it would have put it "on tap" for analysts to call on at random?

who else is it for?

So that's a "yes"? Presumably you think, similarly, that if NSA, say, breaks all elliptic curve discrete log crypto, a random analyst inside NSA will be able to submit a ticket and break random crypto?

No, I don't think that's how it works. A class break in a core cryptography primitive or even a major break in a particular crypto format would be one of the most closely protected SIGINT secrets in the country; the number of people who would be exposed to even knowledge of its existence would be very low.

agee was a mere case officer and knew about minerva, wrote about it in the book he published in the 70s. snowden had access to documentation for dozens or hundreds of projects, many of which were much more damaging to leak (eg technical details for xkeyscore) than a pgp attack. nsa breaks things so their analysts can decrypt intelligence. it's not much use if your people can't use it.

> agee was a mere case officer and knew about minerva, wrote about it in the book he published in the 70s.

Agee was higher up in the intelligence hierarchy than Snowden and the MINERVA secret, while a fairly big deal, is not nearly as big of a deal as 'NSA can break some kinds of modern crypto' would be.

More importantly, I think you're misreading what the new writeups on this story say about Agee's knowledge. He doesn't mention MINERVA and didn't know anything about the BND-CIA joint infiltration of the company. Here's what he writes in Inside the Company:

The National Security Agency cannot break this code system mathematically but they can do so if sensitive recordings can be obtained of the vibrations of the encrypting machine when the discs clack to a stop. The recordings are processed through an oscilloscope and other machines which reveal the disc settings. Knowing the settings, NSA can put the encoded messages, which are intercepted through the commercial companies, into their own identical machines with identical settings, and the clear text message comes out. Although the Swiss manufacturer when selling the machine emphasizes the need to use it inside a sound-proof room on a table isolated by foam rubber, we hope this particular code clerk is careless. If we can discover the settings on this machine in Montevideo, NSA will be able to read the encrypted UAR messages on the entire circuit to which their Montevideo Embassy pertains.

To further your point, even Snowden didn’t have access to the documents that tell us precisely what BULLRUN is able to do, or how.

(The speculation, of course with reasonable circumstantial support, is that it is a ~$1B program that has brute-forced the most common 1024-bit DH group in use.)

We simply don’t have the hard data, it is (educated) speculation based on what information we do have.

Even the existence of the program is TS. Its capabilities remain secret, due to the exact system you describe.

Most keys are at least 2048 bits nowadays. Bullrun's not about breaking modern key sizes, that much is sure.

I read it as the opposite.

"No decrypt available for _this_ PGP encrypted message."

You don't write an error message that way unless the code has a success case as well.

The NSA has likely harvested and cached thousands of PGP secret keys from passive monitoring of internet links public and private (Google famously failed to use encryption on internal WAN links for a long time), active exploitation of host and workstation systems, and bulk exfiltration of nonpublic data from service providers (think stored records: emails and files).

(Unrelated: As well as TLS long term keys, passwords, hashes, usernames, and any other kind of metadata or secrets that may be useful one day in the future, if nothing more than for dictionary attack prefix/suffix fodder.)

I wouldn’t be surprised if they have some more creative secret key sources too: stolen and glitched smart cards, laptops that disappeared out of targets’ cars, tossed offices via evil maid, dumpster diving, all of it, including some I probably haven’t thought of because I’m a computer nerd and not a military intelligence cloak-and-dagger type.

Put all the recovered secrets into a big ol’ database, because disk is cheap and keys are small. Keep it for all time, Just In Case.

Of course, there is a request system frontending this capability.

There are many PGP messages they can decrypt, simply because they slurped up the specific private keys for those messages at some point, and simply saved every secret key, hash, or password that they ever saw, as a general organizational policy.

That doesn’t mean they have broken PGP.

Plus there's the good old endpoint hacking for key exfiltration Snowden said the NSA was doing every single day.

> How on Earth would he know?

I'm sure he said "to my knowledge" or something to that effect. That is, at least relatively far into the circles of confidence, people did not know about encryption being broken algorithmically or PGP being broken in practice.

Which might also be a false-flag to encourage the use of PGP.

Russia has world class cryptographers too, and may have beaten the NSA to the punch. Snowden is after all currently living under FSB protection, which I doubt came for free. Someone willing to sell out their country would likely sell out its people too.

Snowden as a false flag? Well, it's theoretically possible, but quite unlikely IMHO.

He said that, from his vantage point, analysts at BAH didn't have access to capabilities to break PGP emails.

To be sure, that's an important fact. And it does mean that PGP (and for that matter, similar cryptosystems with robust implementations) create a palpable and useful protection against this kind of analysis.

But in the event that the NSA (or other agencies engaged in signals intelligence) have an attack wholly unknown to the literature, it's unlikely that it will be provided in the same toolchain as hunky-dory man-in-the-middle style attacks, such as those disclosed in Snowden's famous slides.

I'm not saying NSA can break PGP - I think they almost certainly can't. But Snowden's revelation on this point shows only that the analysts he was supporting don't have access to novel attacks, not that novel attacks don't exist.

that's a fair distinction

Well not exactly. Snowden was extremely vocal about NSA going around encryption and stealing keys from the endpoints. I've collected those statements here: https://www.youtube.com/watch?v=3euYBPlX9LM

PGP uses RSA, which means it's not forward secret. That means, when the agencies hack endpoints to steal PGP keys, they can use them to retrospectively decrypt all PGP-encrypted emails that user has received from their contacts, even if the user has long since deleted the original message.

So no, NSA can't break RSA (assuming it's at least 2048 bits) or AES, but they can bypass the encryption by hacking endpoints. PGP's algorithms are not weak, the key management is extremely weak.
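The forward-secrecy point made here, and earlier in the thread about iMessage's RSA-based design, comes down to what a key derived from long-term keys alone can still protect after those keys leak. The following is an added example, not code from the thread or from any PGP implementation: it builds a toy Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 5, chosen for illustration rather than any standard), encrypts the same message once with a key derived only from long-term keys (PGP-style) and once with a key from an ephemeral-ephemeral exchange, then models a later leak of both long-term private keys and shows that only the first ciphertext can be recovered from the recorded traffic. The SHA-256 counter-mode stream cipher with an HMAC tag is a stand-in for a real AEAD, and authentication of the ephemeral values is left out.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration: p = 2^127 - 1 (a Mersenne prime), g = 5.
# Real systems use RFC 3526 MODP groups or X25519; the forward-secrecy logic is the same.
P = (1 << 127) - 1
G = 5


def keygen():
    """Return a (private, public) key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Raw DH shared secret as 16 bytes (values are below 2^127, so they fit)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def derive_key(secret, label):
    """Derive a 32-byte message key from the raw secret and a context label."""
    return hashlib.sha256(label + secret).digest()


def _keystream(key, nonce, length):
    """SHA-256 in counter mode, used here as a toy stream-cipher keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def static_mode_key(my_priv, peer_pub):
    """PGP-style: the message key depends only on the two long-term keys, so either
    party's long-term private key rebuilds it at any later time (no forward secrecy)."""
    return derive_key(shared_secret(my_priv, peer_pub), b"static")


def ephemeral_mode_session():
    """Ephemeral-ephemeral DH: both sides make one-time keys, exchange the public halves
    (which an eavesdropper records), derive the key, then discard the private halves.
    This needs both parties online, which is why store-and-forward email cannot do it."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    key = derive_key(shared_secret(a_priv, b_pub), b"ephemeral")
    assert key == derive_key(shared_secret(b_priv, a_pub), b"ephemeral")
    del a_priv, b_priv  # the only copies of the ephemeral secrets are now gone
    return key, (a_pub, b_pub)


def demo(message=b"constructed sample message"):
    """Record traffic in both modes, then model a later leak of both long-term private
    keys (stolen laptop, endpoint compromise) and see what the recording yields."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()

    captured_static = encrypt(static_mode_key(alice_priv, bob_pub), message)
    eph_key, (a_eph_pub, b_eph_pub) = ephemeral_mode_session()
    captured_ephemeral = encrypt(eph_key, message)

    leaked = {"alice": alice_priv, "bob": bob_priv}  # the later compromise

    # Static mode: Bob's leaked key plus Alice's public key rebuilds the exact message key.
    recovered_static = decrypt(static_mode_key(leaked["bob"], alice_pub), captured_static)

    # Ephemeral mode: the recording holds both ephemeral public values, and the leak holds
    # both long-term private keys, but no ephemeral private key. Combining the leaked
    # material with the recorded values gives a different key, and the tag check rejects it.
    wrong_key = derive_key(shared_secret(leaked["bob"], a_eph_pub), b"ephemeral")
    recovered_ephemeral = decrypt(wrong_key, captured_ephemeral)

    return {"static_mode_recovered": recovered_static,
            "ephemeral_mode_recovered": recovered_ephemeral}


if __name__ == "__main__":
    print(demo())
```

The difference is not in the cipher or the key length but in what the message key is derived from: in the static mode every past ciphertext is one key theft away from plaintext, while in the ephemeral mode the secrets that would be needed no longer exist anywhere once the session ends. That is the property the comment above describes PGP as lacking, and it is a consequence of email being asynchronous rather than of any weakness in RSA or AES.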

I'm pretty sure the US government is why the TrueCrypt devs stopped all work. They got hit with a national security letter (NSL) or heavily leaned on and pressured to stop making their product so awesome and un-breakable.

From the TrueCrypt webpage: http://truecrypt.sourceforge.net/

> WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The fact that they use awkward wording containing words whose first letters spell NSA (not secure as) is pretty suggestive that you are right.

Wow. In a different timeline I'd dismiss that as tinfoil hat time, but in this one it seems spot on.

Is the idea that there would be consequences for a blatant message but not for a sort of more subtle one?

Nope, still tinfoil hat. This is just apophenia.

Thank you for the new word.

You make your case as if you have proof, which you likely don't. It's a moot point.

> tinfoil hat time

This trope needs to die already.

What would you suggest instead? It's a good way to convey unfounded paranoia or to acknowledge that what you're saying sounds like a conspiracy theory.

> talking bout NSA

“Unfounded” paranoia

There's nothing wrong with conspiracy theory. They regularly turn into conspiracy fact.

That's not a dirty phrase either - regardless of what the media memo said back then.

That's what I'm suggesting.

No, the actual message is "Using TrueCrypt" -> UTC -> Coordinated Universal Time. The real culprits are the time thieves, as explained in the book "Momo and the Time Thieves".

Your mind will see what it wants.

It's plausible to think that that message constitutes a warrant canary [0].

[0] https://en.wikipedia.org/wiki/Warrant_canary

Not mutually exclusive, it's possible the Momo and the time thieves and the NSA are working together - the UTC is NSA, is the combined message

Do you think you're making a point, or just being edgy with your humor?

For some people out there, this kinda shit keeps them safe/alive.

There's nothing that shows TrueCrypt is backdoored. Read the audit by nccgroup: https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_O...

There were vulnerabilities in the software, but nothing that allows governments to break the encryption. The Windows client had some privilege escalation attack, but that doesn't allow decryption of data at rest. On Linux TrueCrypt is still fine to use; the only downside is that the password-based key derivation function is starting to show its age. However, provided your password is around 128 bits, that's not a problem.

Missing the point.

Indeed, a great call out. Props also to the French company sponsoring the Veracrypt fork.

Doesn't seem like awkward wording to me (as a native English speaker, fwiw); just a routine disclaimer.

I suppose the fact that it contains words that start with TIN (TrueCrypt is not) provides sufficient justification for your hat, anyhow.

I'm sure they were pressured, but the USG has deep pockets; if they wanted someone to stop doing something they would just throw a few million at them and call it done. There's far less chance of PR blowback than otherwise.

Even just reading this article should show you that they kill you with kindness when they want to keep things hush-hush. If someone is developing a free tool and is offered a retirement-tier payoff to stop, they're going to stop.

They didn't kill lavabit with kindness.

I always assumed that this is exactly what happened to Skype and Whatsapp.

I’m in the exact same boat as you. I’m on mobile and too lazy to post links, but Whatsapp’s acquisition was carried through a boutique investment bank which had former CIA director George Tenet on its board of directors. Anyway, I found a quick link about the bank [1]; it’s called Allen & Co. And also let’s not forget that the precursor of Google Maps was funded with CIA venture capital money. I’m still curious why and how the Russians let the Google StreetView car do its thing on the roads of Russia.

[1] https://www.fnlondon.com/articles/facebook-whatsapp-puts-all...

Also that one of the founders shifted his support to Signal...

If an average person got a huge windfall, that would raise a lot of attention, and people would wonder how they got the money. Police use sudden unexplained riches as a way to watch out for criminal activity, and everyone who knew the receiver of the windfall would ask questions. Between $10M and the other option, it may be easier to kill them with killing.

Agencies routinely set up fake businesses for cover, with the cooperation of insiders at big names (e.g. Dell). So you set up a fake SaaS, have your big name client buy the big thing 25k / CPU x however many you need to reach payout, done. All legitimized by a fancy public stock name.

If things really get too hot, it's easy to send a letter to any country's IRS via their local intell agency.

You'd be surprised how simple it is to close files in this world. I'd suggest reading Snowden's autobiography, Permanent Record. Very eye-opening and a great read.

I'm not sure that makes sense. The US could compel the devs to compromise their product but not keep them from issuing a cryptic statement and stopping work on the product?

Well, there is an argument that the IC does not have a problem with other interested parties chasing their tails trying to figure out what that really meant, similar to the way the government occasionally releases a few tidbits about the Kennedy assassination just to keep the flames going and activists distracted from what is going on right now.

There is value in misdirection.

It doesn't make sense for two reasons to me. For one, the government can't compel you to do work. That's slavery.

Also, it's open source software. TrueCrypt going down didn't change the security landscape at all.

The government can. For example, take how the police will turn individuals into informants by getting them on trumped up drug charges and then offering them a deal if they work for the government, including engaging in acts that put them at risk of being killed.


The end result is "Work for us or go to prison."

> For one, the government can't compel you to do work. That's slavery.

Slavery's perfectly legal. The 13th Amendment:

"Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction."


Are you suggesting the TrueCrypt authors had been duly convicted of a crime?

I am not. I am pointing out that the Constitutional provisions preventing slavery have a loophole big enough to drive an aircraft carrier through.

He's saying they easily could have been.

See: Three Felonies a Day

Like the government (of any given state) can't rendition you or assassinate you if they deem it necessary for national security reasons?

I think under the right conditions, a good many state intelligence services would not let the letter of the law get in their way. I just don't think the particular scenario above makes sense.

What makes sense:

- Devs discovered some vulnerability but were persuaded that disclosing it would endanger important operations in progress. They were not coerced but reached a compromise with (agency).

- Devs were told, in no uncertain terms, that they need to discourage use of Truecrypt. Seems kind of low-impact, so probably not the case.

- Truecrypt was an (agency) project all along, and the faction arguing for universal access to strong cryptography finally lost out. The cat being out of the bag, and given the difficulty of introducing new vulnerabilities into an open-source tool used by the professionally paranoid, the best option was to try to discredit Truecrypt to the extent possible.

> For one, the government can't compel you to do work. That's slavery.

That may be your personal opinion, but legally speaking, it is not true in any sense.

It is also the argument that Apple used against the FBI in the San Bernardino case.

I'm just taking issue with the quoted claim at face value, outside of the context. Consider for example, the legality of jury duty, conscription, subpoenas, taxation, traffic stops, etc. Government-compelled actions are common and legal.

They offer you a large contract to do <something>, then they require that <some guy> they nominate work with you on the project. That guy introduces the backdoor.

Why then aren't they able to do the same with LUKS, dm-crypt, cryfs, bitlocker etc?

Does that mean they are only available because the 3 letter agencies can hack them?

You must have a low threshold for “pretty sure”, because there is no evidence whatsoever to suggest this. Also, it’s open source. Also, the author recommended bitlocker as a replacement. Also, the authors may not even be American (the original author of E4M wasn’t). Doesn’t really add up.

Of all the cryptographic tools to mythologize, a crappy last-generation full-disk encryption tool?

Is that just a rant or do you have an actual reason to call TrueCrypt crappy? It was at least somewhat solid and it definitely had a great mindshare at the time. It wasn't niche.

Also, describing small-scale intervention in cryptography by services "mythologic" in a thread about news about large-scale intervention in cryptography by those services is a bit odd.

I don't even understand the theory underneath this supposed conspiracy, since full-disk encryption is utterly mainstream at this point. I also don't need to get too deep into what I don't like about TrueCrypt; use it if you like it. The problem is with the model of full-disk encryption; outside of phones with deeply integrated hardware designs that support it, FDE is the least powerful form of encryption we use. It wasn't even a speed bump for the Ulbricht investigators.

By all means: enable FDE. You have to turn it on. It's not optional. But the threat it defends against is not the threat many people think it defends against. It's hard to imagine it being such a priority that any government would launch a conspiracy to shut down an open source project.

Again: why do you use such belittling words as "conspiracy theory"? We know that the services interfere. We know that they interfered with vendors of cryptography products. And we know that National Security Letters exist, as do other – legal – means to pressure such vendors. There is no conspiracy needed for them to try to pressure someone by, say, threatening them with denial of an entry visa. Or they could have simply tried to buy them off, which they might not have liked. It's not a crazy idea by any stretch.

> It wasn't even a speed bump for the Ulbricht investigators.

Are you talking about the situation where they had to very carefully snatch a running laptop from a suspect so that they can't lock it? Seems to me like FDE would have been at least a significant speedbump had they not circumvented it. Why else would they go to such trouble? And what would they have done if the suspect hadn't used his laptop in a public place?

We in fact do not know that NSLs of the form suggested in the root comment exist. Such an NSL, requiring developers to stop work on a project, would in fact be unprecedented. It is, in fact, a conspiracy theory. In reality, the exact opposite thing occurs: the USG-backed Broadcasting Board of Governors actively funds cryptographic privacy technology, both through direct grants to projects and, to head off other conspiracy theories, in much harder-to-subvert grants to 3rd party pentesters to find and report vulnerabilities in those tools.

Pretty sure you misinterpreted that comment. It's not suggesting that they pressured the devs to stop work, it says they were pressured to stop making it so awesome. The inference being that they were pressured to weaken the product and they walked away instead.

Lavabit was a service that effectively held keys for its users and was compelled to disclose them. If we were discussing whether a vulnerable service was somehow compelled by the USG, I wouldn't argue. I doubt you'd even need an NSL to compromise Lavabit; you might even be able to do it with routine civil litigation. Don't ever use things like Lavabit. That's why we talk about "end to end encryption", as opposed to the bad kind of encryption.

Lavabit also sent the private keys from their servers to clients using TLS that utilized RSA for key exchange. Levison was, to put it in a word, a fool for letting that happen. Once he had to submit the private RSA key for the certificate, the FBI could decrypt every past session, and every private key of every user. IMO he'd have to put in a hell of a lot of effort if I'm ever going to look at his creations again.
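The two comments above about PGP (a static RSA key that decrypts every message ever sent to it) and about Lavabit (TLS with RSA key exchange, where the certificate's private key unlocks every recorded session) make the same point, so here is one added example for both. It is not code from the thread, from Lavabit or from any PGP implementation. Everything in it is constructed for the demo: a prime-field Diffie-Hellman group stands in for RSA key transport (the algebra is different, the property is the same: the long-term private key alone recovers the session key from the recorded client share), and the "cipher" is a SHA-256 keystream with an HMAC tag. The group parameters, key sizes and cipher are toy choices and are not safe to reuse.

```python
"""Added example (not from the thread): with key transport, whoever later gets
the long-term private key decrypts every recorded session; with ephemeral DH,
the same stolen key recovers nothing from the recording."""

import hashlib
import hmac
import secrets

# Toy group parameters, constructed for the demo (not a standard DH group).
P = 2**255 - 19
G = 2
TAG_LEN = 32


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    return hashlib.sha256(b"demo-kdf" + shared.to_bytes(32, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy authenticated encryption: keystream XOR plus an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampering: refuse to decrypt
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def key_transport_session(server_priv, server_pub, msg):
    """Models TLS-RSA and PGP-to-a-static-key: the client's one-time share is
    combined with the server's long-term key, so that key alone unlocks the
    session. Returns what a wiretap would record."""
    c_priv, c_pub = keypair()
    key = derive_key(pow(server_pub, c_priv, P))
    assert derive_key(pow(c_pub, server_priv, P)) == key  # server side agrees
    return {"client_share": c_pub, "ciphertext": seal(key, msg)}


def ephemeral_dh_session(server_priv, server_pub, msg):
    """Models DHE/ECDHE: both sides use fresh one-time keys. The long-term key
    would only sign the server share (signature omitted here) and never
    enters key derivation."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    key = derive_key(pow(s_pub, c_priv, P))
    assert derive_key(pow(c_pub, s_priv, P)) == key
    return {"client_share": c_pub, "server_share": s_pub,
            "ciphertext": seal(key, msg)}


def replay_with_stolen_key(recording, server_priv):
    """The adversary later obtains the long-term private key (court order,
    endpoint compromise) and retries the recorded session with it."""
    guessed = derive_key(pow(recording["client_share"], server_priv, P))
    return open_(guessed, recording["ciphertext"])


def demo():
    server_priv, server_pub = keypair()
    msg = b"constructed sample: user's mailbox private key material"
    tap_key_transport = key_transport_session(server_priv, server_pub, msg)
    tap_ephemeral = ephemeral_dh_session(server_priv, server_pub, msg)
    return (replay_with_stolen_key(tap_key_transport, server_priv),
            replay_with_stolen_key(tap_ephemeral, server_priv))


if __name__ == "__main__":
    recovered_static, recovered_ephemeral = demo()
    print("key transport + stolen long-term key:", recovered_static)
    print("ephemeral DH   + stolen long-term key:", recovered_ephemeral)
```

Running it prints the plaintext for the key-transport recording and `None` for the ephemeral one: the same stolen key, the same recorded bytes, and only the construction decides whether the recording is readable. That is the whole content of "forward secrecy", and it is why a compelled certificate key was fatal for Lavabit and why a stolen PGP key exposes old mail.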

It was a deeply irresponsible service for Levison to be selling to people.

An NSL to that effect would also be unprecedented. There is no evidence that anything like that has ever happened.

While not an NSL, we do know USG leans on companies to implement weaker/breakable cryptography. There is at least one public example (attempts to compel Apple), and presumably there are many more successful undocumented attempts.

> what would they have done if the suspect hadn't used his laptop in a public place?

Screw open his laptop when it's turned off and he's away from home, install a keylogger into the bios. Put a camera onto the shelf to film which keys he types to log in. If he puts a blanket over his head: solely rely on the sound each key makes. Hack his computer remotely using one of the government owned 0days and dump the keys. Use side channels to attain the password via the power outlet in the neighbouring house.

They had countless ways and they chose the one that revealed the least about their capabilities.

While what you are saying is possible technically, assuming any and all investigators in the US can tap into such capabilities is just FUD.

The biggest problem with FDE is that as long as you're using the encrypted computer, FDE isn't protecting you. It doesn't take technical capabilities to exploit this; you just wait until the target has their laptop open to do the interdiction.

FDE's not worthless. Again, I don't think it's even optional; one of your laptops is eventually going to get stolen, and you're going to want the reassurance that at the very least, once it loses power, the thief won't have access to your data (meaning, in effect, that most thieves will never have access to your data). And it's somewhat more powerful on phones, which have integrated designs to make FDE more granular.

But the idea that of all the things the USG could spend energy on, aftermarket FDE software would be their target? It's not very plausible.

Are Apple's new machines with T2 secure enclave less vulnerable in this regard? They claim all storage encryption goes through the chip, making it more like an integrated phone design.

Yeah, on the county sheriff level those capabilities are probably not available. However, Ulbricht was target of investigations on a federal level. He was arrested by FBI agents.

Or...properly assessing risk?

Yeah, but are there any other forms of encryption that could have mitigated any of those attacks? Once your adversary has physical access to your environment/hardware, it's pretty much game over for security.

AIUI it was a speedbump for Ulbricht; didn't they need to ambush him in a library in order to ensure they had access to his laptop's contents?

(I mean, sure, it didn't protect him in the end. But it was a speedbump.)

> ambush him in a library

Someone started talking to him while someone else snagged his laptop - a thing you and a friend can do to more or less anyone. It's not like people rappelled down from helicopters with guns drawn.

They developed USBKill right after to guard against stuff like this. That said, I'm sure the FBI knows about that now as well and would avoid randomly sticking USB devices into computers they want to target.

But, there are also other tools out there.

This is true, but I wouldn't count on it as evidence either way; the FBI would not have NSA tools.

I mean, Paul LeRoux is associated with it and he's been mythologized already himself

To be clear, "associated" means absolutely nothing at all here. Zero proof or anything close.

He's not linked beyond reasonable doubt to TrueCrypt, but IIRC:

- there is clear evidence linking him to some earlier cryptographic software

- and someone (the journalist who wrote the story?) tried to say that it was a precursor to TrueCrypt.

Have people settled on whether he's also Satoshi or not?

It's unlikely to be him given his style of immediate profit-seeking and immense risk taking in the years that surround the creation of Bitcoin.

It’s quite obvious that he is not.

Why? Didn't Satoshi go quiet when Paul was arrested?

Why is it crappy?

It was the only non-microsoft option that was accessible and easy to use and free for Windows. And MS's FDE is likely compromised and backdoored.

But the source-available VeraCrypt still exists and is maintained.

No, read the damn project notes of the ones that forked TrueCrypt; it's obvious why, as it needed fixes and someone cloned and forked it to fix it. Not every action is NSA-CIA rigged. They are not hidden bogeymen (or bogeywomen) and can in fact be defeated with light, truth, programming, and math.

> the current democratisation of encryption protocols is a threat to them.

This is absolutely true and nowhere was it more evident than the Speck fiasco. Watching the old guard of the NSA show up and hammer a crypto forum with stonewalling and smug G-Man hand-waving would have been acceptable in 1995, but watching it take place after the Snowden revelations was just cringe-worthy. The answer from the community wasn't just no, but hell no.


I suspect things like Ed25519 and Let's Encrypt were probably a much more damning blow to the day-to-day business of warrantless telecom spying than we're led to believe, and it's only going to get closer to that 10% pre-MINERVA figure as time rolls on. The Signal protocol has gained massive traction, and things like Tails are easy enough for a power user. Once someone rolls out a slick CSS frontend for WireGuard it's back to greasing the palms of guys like RSA in the hope that snooping corporate networks is just as fruitful as snooping the public internet.

Crypto AG tips the government's hand on exactly why it disfavors crypto now. It's not terrorists or posthumous parallel construction of $latest_shooter. It's about control.

Yes, and it started with the development of minicomputers and PCs, which facilitated the process, starting in the late 70s.

That thought is one reason why I've always questioned this advice:

"Don't roll your own encryption."

I've always understood the arguments for it but that the advice is so widespread seemed a little counter intuitive. It always seemed, to me at least, that having millions of encryption algorithms out there would be inherently more secure than a lot of people standardized on one because the risk to any one would be so compartmentalized by comparison.

The "don't roll your own" argument isn't against having lots of encryption algorithms, though. It's because it's nearly impossible for a nonspecialist to implement tools that other specialists can't fairly easily recognize as broken and exploit (whether cryptologically broken or due to side-channel exploits).

> other specialists can't fairly easily recognize as broken and exploit

Is there any supporting evidence for this claim? If I took an AES library and changed the order of some inner loop wouldn't it require extensive statistical analysis to notice the difference? Which means instead of throwing a bunch of compute at decrypting me, along with the masses 10 years from now, you would need to get a specialist to specifically target me and spend considerable time.

Maybe it would be safe, but there would be a decent chance you would accidentally mess up something simple and make the algorithm trivial to decrypt. How do I know? I've experimented with variants of hash functions and seen that happen.

IIRC, in Grøstl, if you switch the inputs between the P and Q functions you'll introduce fixed points into Grøstl. Or take your example of AES: if you changed AES so that the loop which runs ShiftRows ran four times, you'd massively damage diffusion and probably have a trivially breakable block cipher. Modern cryptographic primitives are very carefully built; minor changes can be disastrous.
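To make the AES remark above concrete, here is an added example that is not code from the thread and is not AES. It is a toy AES-shaped substitution-permutation network (16-byte column-major state, a byte S-box, ShiftRows, the real AES MixColumns arithmetic over GF(2^8), constant round keys) built only to compare the normal round structure with the "run ShiftRows four times" variant. On a 4x4 state, rotating row r by r positions four times is a rotation by 4r, i.e. the identity, so the modified cipher never moves bytes between columns, and a one-byte plaintext change can only ever reach one column of the ciphertext. The S-box is a constructed seeded permutation, not the AES S-box, and the round keys are constants rather than a key schedule; both are assumptions of the demo.

```python
"""Added example (not from the thread, not AES itself): measure how many
ciphertext bytes one plaintext byte can influence when ShiftRows is applied
once per round (correct) versus four times per round (identity)."""

import random

# Constructed S-box: a fixed, seeded random permutation of 0..255 (NOT AES's).
_rng = random.Random(0xC0FFEE)
SBOX = list(range(256))
_rng.shuffle(SBOX)

# Constructed constant round keys (a real cipher derives these from a key).
ROUND_KEYS = [[(17 * i + 29 * r + 1) & 0xFF for i in range(16)] for r in range(5)]


def xtime(b: int) -> int:
    """Multiply by x in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiply; FIPS-197 gives {57}*{13} = {fe} as a check."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def sub_bytes(s):
    return [SBOX[x] for x in s]


def shift_rows(s):
    # Column-major state: byte at row r, column c lives at s[r + 4*c].
    # Row r rotates left by r positions; this is the only step that moves
    # bytes between columns, so it is what carries diffusion across the state.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def encrypt(block, rounds=2, shift_rows_passes=1):
    """shift_rows_passes=1 is the normal structure; 4 is the 'modified' cipher."""
    s = [b ^ k for b, k in zip(block, ROUND_KEYS[0])]
    for r in range(1, rounds + 1):
        s = sub_bytes(s)
        for _ in range(shift_rows_passes):
            s = shift_rows(s)
        s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, ROUND_KEYS[r])]
    return s


def affected_output_bytes(shift_rows_passes, rounds=2, input_byte=0):
    """Flip each bit of one plaintext byte and collect which ciphertext byte
    positions ever change. Full diffusion means all 16; two rounds of the
    correct structure are provably enough (one active byte -> one active
    column -> one active byte per column -> every column active)."""
    base = bytes(range(16))  # constructed plaintext
    ref = encrypt(list(base), rounds, shift_rows_passes)
    touched = set()
    for bit in range(8):
        mod = bytearray(base)
        mod[input_byte] ^= 1 << bit
        out = encrypt(list(mod), rounds, shift_rows_passes)
        touched |= {i for i in range(16) if out[i] != ref[i]}
    return len(touched)


if __name__ == "__main__":
    print("ShiftRows once per round, ciphertext bytes reachable:", affected_output_bytes(1))
    print("ShiftRows x4 per round,   ciphertext bytes reachable:", affected_output_bytes(4))
```

The first number is 16 and the second is at most 4: with the "improved" loop, the cipher degenerates into four independent 32-bit ciphers running side by side, each of which an attacker can analyse separately. Nothing in the source code looks broken, and a casual statistical test on the output will not flag it; you have to know why ShiftRows is there to see the damage.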

I've wondered this as well. Are there tools that will automatically run through all kinds of existing cryptographic algorithms to figure out which ones you're dealing with? Because it sounds to me like throwing enough layers of shoddy algorithms would obfuscate things enough that somebody would actually have to look at it and try to explicitly figure out a way to bypass what you're doing.

> If I took an AES library and changed the order of some inner loop wouldn't it require extensive statistical analysis to notice the difference?

Unless you knew why it was organized the way it is in the original spec, altering it may weaken it. The DES S-boxes were altered by the NSA and everyone was suspicious, but it turns out they had made things stronger:

* https://en.wikipedia.org/wiki/Differential_cryptanalysis

Turns out the NSA was (at the time) over a decade ahead of the public in crypto knowledge.

As it stands, AES is approved for even TOP SECRET labelled information:

* https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography#Comme...

As are the various ECDH NIST curves that so many people are anxious about.

There's also a good chance that your change would break some assumptions/guarantees of AES, perhaps fatally (e.g. the result could be that your result only depends on just a few bits of the key).

True, if your threat model is exclusively future untargeted attacks, your algorithm may be safer, but that is not a commonly accepted threat model I think, even for terrorists or banks.

> having millions of encryption algorithms out there would be inherently more secure than a lot of people standardized on one

Enclosing letters in paper the thickness of which has a million variations doesn't mean one of them is magically more secure than one made from two inch thick steel. The point of encryption is it's a standard that needs to be interoperable. Also, the NSAs of this world aren't breaking modern ciphers. They're circumventing encryption by going for the keys. There are three choices:

1) If communication system uses TLS-encryption (e.g. Telegram cloud messages), there's no need to break encryption, just hack server and read messages from there.

2) If the system uses E2EE where user has no way to verify fingerprints (e.g. iMessage, Confide), compromise the server legally or by hacking it, and perform undetectable MITM attacks.

3) If the system uses E2EE where fingerprints can be verified, hack the user's endpoint to steal their private keys and perform undetectable MITM attack (or just steal their chat logs or take screenshots).

So, to sum it up, the game when modern ciphers are used, is not with cipher security, but everything else around it.

I agree with the sentiment. The common argument against rolling out your own encryption just baffles me, because there are plenty of ways to roll out your own encryption safely and in such a way that drastically eliminates the possibility of getting broken. Following are just a few ideas easily implemented even by a mediocre engineer.

For the easiest, you can just apply multiple encryption algorithms in succession (of course with different keys). Although the algorithm of AES is considered safe, it can be broken through a side-channel such as a backdoor, which secretly stores keys used somewhere. But if you apply another algorithm after AES, be it ChaCha20 or Blowfish, it can only get reinforced.

Another trivial way to safely roll out your own encryption is to increase the number of rounds in ciphers that are considered safe. The increased number of rounds only strengthens the algorithm. And it's just changing a few magic numbers in the source code; you can get extra security for little expense of time.

Both methods provide easy-to-implement ways to safely 'invent' a new encryption algorithm without a proper knowledge of cryptography. If people start doing any of the above regularly, it would be a headache for those who enjoy exploiting vulnerabilities in common crypto implementations.

This isn't really "roll your own". This is "run with non-standard parameters". This is a much smaller footgun, though you can really screw this up.

World experts in practical crypto regularly ship implementations that have serious errors that remain undetected by other world experts for years. This shit is hard.

To support both sides on this one, you could roll your own crypto on top of a third party crypto like AES. That way you get the benefits of both: You have the tried and true AES backing you up if your custom crypto is cracked, and you get security and obfuscation benefits from rolling your own crypto.

For downvoters - constructive counterarguments are welcome.

I don’t mean to be rude, but it’s quite obvious by what you wrote that you are barely literate in cryptography, yet you are fairly certain of yourself. Your confidence is misplaced. This isn’t the type of thing that encourages actual experts to bother replying.

Examples: “side channel such as a backdoor that secretly stores keys used somewhere”, “blowfish”, nonsensical mixing of block ciphers and stream ciphers without regard for the complete construction or the implementation (by far the largest weak point), etc.

"by far the largest weak point"

Well, if the nested ciphers are all properly implemented AEAD schemes, use unique keys, and don't rely on public key crypto for key exchange, cascading crypto is fine.

Other than that their discourse was that of a novice, sure.

Combining standard algorithms doesn't constitute rolling your own crypto. Arguably, even increasing the number of rounds in a standard cipher doesn't, either.

A back door is not a side channel.

Rolling one's own crypto has become a catch-all phrase. It's of course very important to remember that implementing standard algorithms in a non-standard way can be incredibly dangerous too. I've seen unauthenticated AES-CBC way too many times. I've seen fingerprints calculated by hashing pre-master secrets (completely insecure). I've seen crypto libraries that rely on completely insecure structures for their RNGs (the worst was probably an LCG fed from math.random). I've seen fixed IVs with fixed keys, E2EE without fingerprints (way too often), ones with expired primitives (SHA-1 in PGP). I've seen RSA PKCS #1.5 deployed in brand new products (https://trailofbits.files.wordpress.com/2019/07/image13-1.pn...).

So the correct advice is, "don't deviate from best practices, and hire a cryptographer."

Your cellular phone modem is both remotely programmable and has full root memory access 24/7.

Let that sink in a bit.

Your "cellular phone" does not in fact have "full root memory access 24/7". In modern phone designs, the baseband is a USB peripheral. The notion that the closed, secret baseband is a DMA backdoor into AP memory is a message board meme, not engineering reality.

That may be true of Apple, and is true of the PinePhone and Librem, but for the majority of Android devices, that's blatantly false.

Qualcomm chipsets in particular heavily utilize shared memory for baseband to application processor communication.

"The majority of Android devices" is a very wide net to cast.

Qualcomm alone covers 40%, and they're arguably the most likely to correctly implement their MMU (never mind that they've seen quite a few vulnerabilities in their MMU implementations over the years..)

MediaTek uses a similar architecture, and I sure as hell don't trust their MMU.

Outside of Apple, Librem and Pine are just about the only way you're getting a USB attached baseband.

edit - Here's a MediaTek Baseband->AP PoC even: https://comsecuris.com/blog/posts/path_of_least_resistance/


Even Apple's IOMMU has had vulnerabilities allowing for full memory access from the WiFi modem.

The wifi stack isn't the cellular modem. There's a reason people are particularly concerned about the baseband.

Right. And even better, move the baseband to a USB-tethered device.

The HTC One M9+, you say.

Where are you trying to go with this?

You start off trying to claim the entire class of vulnerability isn't possible because a few vendors made sane architectural decisions. When it's pointed out those sane vendors are in the minority, and there are real world examples of the terrible shared memory architecture being exploited, you scoff at the example being for a single device.

Nobody is claiming baseband == root, only that the terrible architecture prevalent in Android phones (the devices that make up the majority of the market) combined with the terrible software practices of SoC vendors results in a situation far more likely to be exploitable than shunting the baseband off on a non-dma capable bus.

Given that the US has operations aiming to capture large amounts of Internet traffic, and given that most interesting Internet traffic is encrypted nowadays, doesn't it follow that they probably have a way to decrypt at least some of it? Capturing DNS queries and HTTP requests to aging websites that still haven't enabled TLS seems not worth the trouble.

It’s pretty straightforward. They 0day, hardware backdoor and infiltrate the ranks of root CAs. This is covert information war from blank-check black op military agencies we’re talking about. They will kill people if they have to and sleep at night like babies, because it is a utilitarian philosophy these people hold, not some Kantian dream.

> If there was, then perhaps there wouldn't be such a strong push to rig the deck in the first place. At least that's heartening.

Intelligence isn't about truth and transparency. It's about deception. They're not going to run a Super Bowl advert saying they can crack anything. That's not how it works.

What is MINERVA? Google didn’t give any related results.

The codename for Crypto AG.

It's explained in the article.


"None are so blind as those who will not see." - Matthew 9:26

It has been known for a pretty long time that Crypto AG is affiliated with or controlled by intelligence services. It was also always firmly in the "security through obscurity of our own cipher designs" department. Their C-52 (52 as in "1952") cipher machines were designed to enable decryption by Western intelligence.

> Le Temps has argued that Crypto AG had been actively working with the British, US and West German secret services since 1956, going as far as to rig manuals after the wishes of the NSA. These claims were vindicated by US government documents declassified in 2015.

http://www.spiegel.de/spiegel/print/d-9088423.html (1996) https://en.wikipedia.org/wiki/Crypto_AG#Compromised_machines

> Andreas Linde, the chairman of the company that now holds the rights to Crypto’s international products and business, said he had no knowledge of the company’s relationship to the CIA and BND before being confronted with the facts in this story.

I'm quite curious about this. As you said, it's been known for a long time that, without knowing the full extent of the ties, there were ties between Crypto AG and US agencies (at least). I find it hard to believe the candor that this M. Linde displays here...

I saw this article and that is exactly the first thought that popped up. Second thought was why is Washington Post feigning ignorance of this fact.

They didn't, following the arrest in Iran and subsequent release of a Crypto AG salesman in 92, they cite the salesman as talking with news organizations, they also cite a Swiss TV broadcast in 1994 and reports from Baltimore Sun in 1995.

The new fact is that the company was co-owned, then fully owned by the CIA.

> There were also security breaches that put Crypto under clouds of suspicion. Documents released in the 1970s showed extensive — and incriminating — correspondence between an NSA pioneer and Crypto’s founder. Foreign targets were tipped off by the careless statements of public officials including President Ronald Reagan. And the 1992 arrest of a Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a devastating “storm of publicity,” according to the CIA history.

> But the true extent of the company’s relationship with the CIA and its German counterpart was until now never revealed.

This thread needs to be at the top of the heap. I've read the WaPo article and it would be interesting to know exactly what's newly being revealed in it.

They have a little bit at the top claiming that it's newsworthy because they had access to a complete internal history which is rarely declassified. Okay. I'll buy that. And at the end, they mention a good article from the Baltimore Sun that is MORE THAN 20 YEARS OLD! But that's at the end.

Along the way, I wouldn't blame any reader for assuming that this is entirely new information.

The main (new) thing is that it was 100% CIA and German Intelligence owned, followed by 100% CIA owned. Not sure exactly how big of deal that really is...

(Edit: other than being a longtime profit center for CIA slush money.)

It's all a bit fishy, especially since it's admittedly sourced from within the agency. A lot depends on if it was an approved leak or not. With the divestment in 2018, and no other really new information, I would suspect sanctioned leak, as there was nothing to lose.

The question is what was gained by whom? And why the timing? There's nothing in the story that's pressing topical information.

Between the Amazon government cloud contract lawsuit, and being 1 week post impeachment, there's quite a few opposing angles that would all seem plausible. Wapo reward for some Agency cooperation maybe? Rabbit holes in every direction.

I'm guessing it's a sanctioned leak because they want the world to understand the danger with Huawei. Now that others are playing the same game, they need to stop it!

They forgot to add that after the CIA ownership, which was blown by Buehler's and Bamford's books, it was 100% Mossad owned via Marc Rich.

Gives you a sense of why the U.S. intelligence community is so nervous about having Huawei at the core of the domestic 5G network. Would not be fun for the U.S. to have done to them what they've done to others.

And as a U.S. resident, even as I acknowledge and deplore what the U.S. intelligence services have done to others, I still don't want China to do that to me. This is not an area where equitable (but bad) treatment makes things right IMO.

Funny, I don't really care about China spying on me as much, since they just don't have any handles that would be relevant. Your own government spying on you is much more dangerous. And since I don't have influence on the policies of China, I can at least hold domestic politicians that strive for more surveillance accountable. At least theoretically.

History shows that government isn't your friend at all. The US might be a rare exception from time to time. But even that would be very, very limited.

Doesn't mean I wouldn't mind 5G spyware from another country.

Even saying that the US is your friend isn't really true. The Tuskegee syphilis experiment and MKULTRA were only ended in the 70s, Orlando Letelier happened the same decade, as did the discovery of Operation Mockingbird and other Church Committee findings. Every peek we've had into that world since then continues to come up dirty too. Operation SHAMROCK was considered a big deal at the time, but we've since then allowed American intelligence to vastly eclipse anything even conceivable at the time.

Other countries' programs aren't good or anything, but anyone who's deluded themselves into thinking the US is some kind of clean actor, not participating in this sort of stuff, or only using it for good, is more optimistic than I could ever manage being.

Ruby Ridge and Waco siege happened only in the 90s as well. Currently we have killer drones assassinating people without trial, CBP ignoring policies (https://vc.gg/blog/so-its-been-a-while.html), sending agents to scare activists (https://news.ycombinator.com/item?id=6946909), and police blowing up houses of innocents and refusing to compensate them (https://news.ycombinator.com/item?id=21399770).

For those, like me, who didn't know about Letelier:


You might be a god-fearing clean-shaven American, but I strongly suspect the number of Americans who have secrets they can be blackmailed over is at least one percent. While I’d like to change every society so such secrets are not big issues, I don’t expect that to happen, and 3.5 million Americans being potentially blackmailed by a superpower is something I’d prefer to avoid even though I’m not an American and don’t expect to live in the USA.

> but I strongly suspect the number of Americans who have secrets they can be blackmailed over is at least one percent.

1 %? I assume 80+ %. E v e r y o n e has secrets.

> Your own government spying on you is much more dangerous.

That really depends on the government, and how heavily they rely on domestic surveillance as an instrument of political control. It also depends on the geopolitical and diplomatic situation, and the risks that stem from that.

In China, for instance, domestic surveillance is a clear threat to any of its citizens that choose to be dissidents and advocate for change. For instance, I have friends there who are very angry about the coronavirus situation, but have to be careful about what they say and how they say it to avoid risking government attention. Even with an extremely dark and cynical view of the US government, that kind of threat is far less for US citizens.

Foreign spying can be dangerous to you, personally, but usually in a more indirect and collective way [1]. The most obvious example of this is war. If your country loses one to a more brutal and oppressive adversary, you'll likely find yourself in a worse, if not outright bad, position. On a smaller and more mundane scale, foreign industrial espionage could put you out of a job.

[1] You may be a target of foreign direct spying if you're a friend of a dissident, a government employee, a government official, or have access to valuable technology or trade secrets, etc.

As a US citizen and resident I would far more prefer to have to contend with the US Govt than the CCP on this matter. At least in the US there is some legal procedure, accountability and civil society culture around limiting govt power. With the CCP there is none of that, neither for Chinese citizens nor foreigners.

It’s clear that the CCP is assembling a database of information on everyone in the developed world, not just in China, and that they intend to use it as part of their soft power arsenal (along with everything else from economic incentives to Confucius Institutes).

The CCP is much more frightening and less accountable than the US Govt, especially as they reach parity in soft and hard power.

> At least in the US there is some legal procedure, accountability and civil society culture around limiting govt power.

No: go read about National Security Letters.

Yes, you may not care if you are spied on, as I do not. But do you care if our Congresspeople are spied on by China? I sure as heck do.

You don't have to live in China for the Chinese government to have power over you. The threat of releasing your secret emails or browsing history is enough to get people to change their behavior. The internet enables such remote threats to your reputation.

You might not care if China spies on you, but you might put others in danger who you communicate with. They could get to them through you. This goes for all spying agencies.

> Funny, I don't really care China spying on me as much since they just don't have any handles that would be relevant.

This is an incredibly foolish line of reasoning. Compromising the trust and sovereignty of individuals in the U.S. is an extreme risk, and it can come for anyone. The U.S. government at least will tend not to try undermining the U.S. economy except through specific policy initiatives; the Chinese government has a permanent interest in controlling the U.S. economy, and holding the threat of compromise over our heads.

No government is your friend, but there's really no comparing the abusiveness of the CCP, both at home and abroad, to the U.S. equivalent, and I'm honestly shocked that I ever have to remind people in the west of this.

When this stuff is used against you, it is FAR more likely going to be from a domestic group hostile to a political opinion you might have. Imagine if an outfit like Cambridge Analytica had the resources of a nation state helping it collect and process information about who might support any given policy (and be given the carrot) and who might oppose it (and be given the stick). That's the scale of threat we face. While certain governments around the world are asking for mandatory back door access to encryption, rest assured they have a "plan B" for getting access to your information without it, and the 3 letter departments are front and center in those plans.

I'm not clear if your post was implying this was the case or not, but this is an interesting, well-sourced article on the links between Cambridge Analytica and Russia [1].

[1] https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

> Gives you a sense of why the U.S. intelligence community is so nervous about having Huawei at the core of the domestic 5G network. Would not be fun for the U.S. to have done to them what they've done to others.

Exactly. Huawei even kinda smells the same. From the OP:

> As Widman settled in, the secret partners adopted a set of principles for rigged algorithms, according to the BND history. They had to be “undetectable by usual statistical tests” and, if discovered, be “easily masked as implementation or human errors.”

> In other words, when cornered, Crypto executives would blame sloppy employees or clueless users.


> Huawei savaged by Brit code review board over pisspoor dev practices

> "The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in Huawei's software engineering and cyber security competence," said the HCSEC oversight board in its annual report, published this morning.

>Gives you a sense of why the U.S. intelligence community is so nervous about having Huawei at the core of the domestic 5G network

Makes me wonder what we've done using the fact US companies (ex: Cisco) control large swathes of the internet's infrastructure.

> US companies (ex: Cisco) control large swathes of the internet's infrastructure.

Wouldn't China/Russia make some noise if they had proof that Cisco was hiding something in their infra?

I thought the whole point of such things is it's near impossible to prove?

Also complaining means you reveal what you know, which helps narrow what you don't know.

I think they're pretty good at keeping it hidden and remote. It was proven the US did economic espionage on a German firm, but the Snowden files showed a range of other European companies also targeted. No doubt they also focus on "less friendly" targets' industry, infrastructure and politics.

The political squabble over 5G/Huawei is as much about western vendors using fear of China to prevent competition.

Why should Cisco/Juniper/Ericsson/etc compete with Huawei when they can more easily use political pressure to exclude them from the market?

It wouldn't be so bad with ubiquitous end to end encryption though, right? If everything was encrypted in transit it wouldn't really matter if Huawei (and by extension, so the supposition goes, the Chinese government) were listening, because they'd just see noise.

Guess they would also be able to do location tracking though and that's not so easily solved.

Even end to end encryption often leaves them with metadata [0]

[0] https://www.nybooks.com/daily/2014/05/10/we-kill-people-base...

Which is why you'll want to use some open source onion-routed app like Briar, Ricochet, Cwtch, TFC, or Session.

Using tor to keep your communications secret is like having ACAB tattooed on your forehead - fine if you like the attention, not exactly useful if you don't.

It is when everyone uses Tor.

Nobody uses Tor: Everyone is surveilled.

Few activists use Tor: Activists are easy to pick and everyone else is easy to surveil.

Everyone uses Tor: Nobody can be surveilled.

Nothing to gain by not using Tor, only one way to win, use Tor and tell everyone else to use Tor too.

It's like the prisoner's dilemma, and not using Tor is like betraying others just in case things ever get bad.

Governments are focusing more and more on end-to-end encryption. It can be banned within the next 5 years. They could need to manufacture some consent before that (e.g. mention e2e in the news every time a major crime is committed).

Not going to happen, considering djb vs US declared code free-speech; E2EE is implemented in code so you can't ban it without violating the constitution.

I mean, you can do a lot with metadata.

Also, I think quite a bit of telecom traffic is encrypted by the telecom carrier itself. For example, I don't think my iPhone, by default, encrypts/decrypts SMS or voice calls on the device. To the extent text messages and mobile phone calls are resistant to dumb eavesdropping, that's provided by the mobile carrier. So having access into all the equipment at the carrier would be a nice centralized place to sit and observe/record.

The US government does not get to dictate mobile phone standards so that is irrelevant. Besides, it’s not like the US government doesn’t have its hand in the sniffing cookie jar, they don’t really want the traffic to be indecipherable.

Yes, this is my understanding. But hasn't the USA got a history wrt "backdooring" the encryption algorithms themselves (i.e. private knowledge allows decryption to be made plausible [but still costly])?

There is also the risk of disrupting network operations at some unfortunate time, especially since these new networks are thought to be dominated by machine-to-machine communications.

There is metadata, but you also have frequent bugs or other errata that render encryption vulnerable.

A nation-state type actor can hoover up everything and retroactively decrypt.

Or maybe it's simply because the US intelligence community not having a backdoor is why they're demonizing Huawei in Europe, for example. That doesn't imply that Huawei does have a backdoor, simply that they'd not be able to spy anymore...

Not sure how that makes sense when the alternatives to Huawei proposed and supported by the US are European, primarily Ericsson and Nokia.

Where is the self-interest in the US pressuring European (mostly EU) countries to use EU competitors?

Not because they uniquely enable the user to switch off their 2G radios and thereby defeat now trivial MITM?

It could be as simple as Huawei refusing to install a backdoor for them.

What a treat to read a well written piece based on decent research. It's a long read but well worth your time. Kudos to the journalists who helped uncover it.

And the 'coup of the century' is far from clickbait, it's definitionally warranted for what the CIA and BND did here.

It's a little ironic as well, especially since the US is so keen on blocking Huawei over espionage concerns.

There's nothing ironic, weird, or surprising about the US wanting to stop other countries from doing to them what they do to other countries. It's hypocritical in some sense, mostly because the US tries to project itself as the good guys, but it's just basic international relations. That's how every country has always operated and will always operate.

The US mostly tries to project itself as "the good guys" to its own inhabitants, and secondly to the local and international media. But in most of the world you are often faced with the business end of a US-operated or US-financed weapon.

To be fair, it's a spectrum. The US has its share of bodies, but it also doesn't grind its citizens into a pulp with tanks when they protest.

The thing is, its subjects are mostly non-citizens, so it's enough to grind _those_ into a pulp. So far, the US has not seen a popular uprising which threatens the stability of the state (excluding perhaps that of the native Americans, who were actually ground to a pulp, eventually).

People seem to take for granted that things like that will never change, but always is a very long time --much longer than modern history. I hope you don't just expect/accept that we should kill ourselves off as opposed to reaching some kind of sustainability.

Right, the decision to avoid Huawei is totally justified, but the hypocrisy is something to behold. Even here on HN, where people supposedly shouldn't be falling for propaganda so easily, there is a lot of indignation when e.g. the Chinese are caught doing something shady. If someone then points out that this is in some sense normal and US agencies are doing the same or worse stuff, it is instantly dismissed as whataboutism.

Even if something is "in some sense normal" it is still completely unacceptable.

The fact that the US has repeatedly succeeded in SIGINT capers like this makes their concern about Huawei kind of un-ironic, right?

Well, yes, but for third parties like the UK it makes it much more explicit that the choice is between the system that might be compromised by Huawei and the system that might be compromised by the US. Except the UK has its own little joint venture of security inspection of Huawei systems ...

Also, the UK is one of the Five Eyes nations, explicitly sharing intelligence data with the US and vice-versa. I'm sure they're not 100% open, but if there is any nation on Earth that would not overly fear US spying and prefer it to Chinese spying, it would be the UK.

The alternatives that the US supports are European (Ericsson and Nokia, IIRC) so I see little benefit for at least EU countries regardless of their ties to the US to choose Huawei in this case.

Please expand...

It's not a secret: https://www.gov.uk/government/publications/huawei-cyber-secu...

(On the other hand, it's not a very positive report! Lots of basic issues with build reproducibility and updates)


Guess again, actually this is the first time I had reason to register despite reading for a long time.

On the contrary. When you are a master of the dark arts, you can't help but see other practitioners around every corner.

No, this is not original research, this isn't being uncovered now, and I'm not sure why this is being republished now in 2020.

There have been detailed leaks since 1995 on cryptome.org and crypto mailing lists about CryptoAG, including details about the message format and the bits used to leak parts of the key (16 bit leak, IIRC).

The CryptoAG story has tainted all Swiss-based crypto/security firms since 1994.

[1] https://www.cryptomuseum.com/people/hans_buehler.htm

[2] Verschlüsselt, Der Fall Hans Bühler, ISBN 3-85932-141-2. 1994 - Book written by former CryptoAG employee Hans Buehler (1994).

Exactly. The piece does give a hat tip to the good article written by their rival, the Baltimore SUN, more than 20 years ago. But that's buried near the bottom.

The news is this:

"CIA owned CryptoAG in collaboration with the intelligence establishment of West-Germany"

I take this plainly, without irony, as evidence for the restriction of foreign government-controlled infrastructure in series with trusted communication.

Hypocritical, not ironic. You mean to highlight that the USA does not treat other sovereign states like the USA expects to be treated. There is no ironic contrast between the USA funding Crypto AG and China funding Huawei.

I think it's pretty clear that the US expects to be treated exactly like they've treated other nations.

>based on decent research

The story was handed to him by the Agency, or agents of. The only "research" seems to be calling the names in the story for fact checking, and wapo couldn't even determine if some of them were alive or dead.

This story is dangerously close to being nothing but a CIA press release.

Ok, what do you think the purpose is?

Specifics? No telling...

But it is the CIA, so I'm assuming information was used as currency in paying off a favor to wapo.

Plus they get to brag about a huge success story in times where the public has... doubts... about the competency and value of the intelligence community in general. Without revealing much that wasn't already public knowledge.

Factor in the timing of the FISA court investigations, the impeachment, and the AWS government cloud suit, and there are thousands of directions it could take.

> It's a little ironic as well, especially since the US is so keen on blocking Huawei over espionage concerns.

It's not ironic to play a game to win. Saying this is ironic is like saying it was ironic for the US to try to keep the North Koreans/Chinese from winning the Korean War because the US had just won WWII.
