Especially since this was just posted because of a news story that was released yesterday about the exact same thing. The other thread (with an actual current news story) already has 300 comments.
You’re probably wondering why this is relevant right now.
> In 2020, an investigation carried out by the Washington Post, Zweites Deutsches Fernsehen (ZDF), and Schweizer Radio und Fernsehen (SRF) revealed that Crypto AG was, in fact, entirely controlled by the CIA and the BND. The project, initially known by codename "Thesaurus" and later as "Rubicon", operated from the end of the Second World War until 2018.
The fact that Crypto AG was an intelligence front has been publicly known since at least the 1990s [1]. Why did the Washington Post rehash this story recently and pass it off as news? I'm glad that they did, because it spreads awareness - I'm just confused as to why.
Because of the newly released documents. It says exactly this in their story. And why is it every time some article comes out about US spying, there is always someone complaining that they knew this all along? Good for you?
It's not that "I knew it all along", it's that this was a well-covered story that was already news in the '90s, based on documents as well, e.g. from the Baltimore Sun:
> For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents.
See also the 1992 news stories about the arrest of Hans Buehler [1], further elaborated in a 1998 article in Covert Action Quarterly [2]:
> The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG's marketing representative in Teheran.
Which newly released documents? Quote the article because I can't find anything.
Every article I'm seeing in the past week refers to documents released in 2015. Why the fuck now? It reeks of public manipulation, especially with the US increasing efforts to convince people not to use Huawei equipment.
From the article you linked to. It is a new story because there are new details.
> Many details of the arrangements between Crypto and NSA are not known, including when the rigging began, whether it has ended and which machines were involved. The whole story will be told only when secret U.S. documents are declassified, probably well into the next century.
> Crypto rejects the rigging allegations as an invention by disgruntled former employees and denies that its machines were ever designed or altered according to the suggestions of American spies.
> Why did the Washington Post rehash this story recently and pass it off as news?
They didn't pass it off as news.
It's a long-form journalism story. This form covers more complex stories and isn't limited to new things that just happened. Stories where the facts come out over time or require multiple perspectives can't always be adequately told through a series of "what's new" updates.
But, still, why? The editors of The Washington Post would have to answer that.
The timing is arbitrary. They could have done it months ago or months from now. The author most likely found it, thought it would make a good story and pitched it to his editors (he is likely planning to turn it into a book if it gets some traction). This kind of thing would be a normal part of a journalist's job. (Well, most don't get to do deeper stories like this very often, so he's probably pretty senior -- I just checked and he has a couple of Pulitzers, so there you go.) I would guess the editors simply agreed with his pitch.
In short: the timing is arbitrary. The people who do this kind of thing just thought it would be an interesting story to tell, in-depth.
Yeah, I can concur. I remember hearing about this a looong time ago. More than a decade ago. The first time I heard about it was from a speech given by Noam Chomsky.
What's scary is if they willingly admitted to this, they've secured other means of decryption. American-owned technology can't be trusted any more than Chinese-owned technology.
Personally, I do however have more faith in the secret agencies of western democracies than China. So all things being equal, right now I'd prefer Americans and Germans spied on me.
Further, you are likely to get people to rally against China's spying, whereas a significant fraction of Americans want you to be spied on (because they can't distinguish between the people and their government).
Rights once given away are nearly impossible to get back. All rights, I might add, not just your right to privacy. You may not care about <thing> today but at some point in the future, you may.
Not really. There is an important difference, in my opinion, between covert surveillance conducted for national intelligence purposes, and surveillance conducted for run of the mill police purposes.
There is no real way around the fact that national intelligence agencies need to conduct mass surveillance of various kinds. National intelligence is a competitive zero sum game, and if we don't do it, others will, and we'll be at a disadvantage.
The same is not true for policing, however. The real danger to citizen rights is when the crossover happens. I'm not worried when the CIA spies on me - I'm worried when the FBI does. I'm worried when the tools of international intelligence get turned to more mundane matters. And I think that is the transition that we have to fight tooth and nail. Fighting the "don't spy on me NSA" battle was lost decades ago, and you were never going to win anyway in any material way. Because even if you could stop the NSA from doing it, every other government in the world would be doing it.
What we need to do is fight to keep that surveillance contained within the international intelligence mission, and not let it creep into domestic policing.
Really? Your local government has far more power over you than China does. I wouldn't be nearly as worried about China unless I was worth stealing from, assassinating, or something like that.
If someone spied on me, I think it being a government in another country, not collaborating with my own and very busy keeping up with their own population, seems preferable.
Not exactly. Don't get confused by false equivalencies.
This company is a problem because it's controlled by an American intelligence agency. The owners knew that was a problem, of course, and went to great lengths to hide that fact. Note that Crypto AG appeared to be a Swiss company, not an American one.
Typical American companies aren't controlled by the CIA or other government agencies.
Typical Chinese companies are substantially controlled by the Chinese government.
It's a rather important difference when trying to figure out the risks of how much you can trust who you work with. There's subterfuge, of course, so there aren't hard and simple rules. This is an exercise in risk management.
It's a rather large mistake to conclude Chinese Owned == American Owned.
"Typical American companies aren't controlled by the CIA or other government agencies."
True, but that doesn't mean there aren't national interests in play when it comes to information security companies deploying crypto products. Think RSA, e.g., who took bribes and implemented Dual EC DRBG -- a backdoored random number generator -- in a number of their cryptographic systems.
There are most likely others, thus transparency via open source (and verifiability via reproducible builds to split hairs) is necessary to avoid this ever happening again.
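Since Dual EC DRBG comes up above as the canonical backdoored RNG, here is an added, self-contained illustration of how that backdoor actually works. It is not code from this thread, from RSA, or from NIST: it is a toy version of the generator on a small constructed curve, with the trapdoor relation P = d*Q that Shumow and Ferguson pointed out. The prime, curve coefficients, base-point search, trapdoor scalar d, seed and the 4-bit truncation are all constructed for the example; the real generator runs on NIST P-256/P-384/P-521 and drops the top 16 bits of each x-coordinate, which only multiplies the attacker's enumeration below by 2^16.

```python
"""Toy Dual EC DRBG with a Shumow/Ferguson-style trapdoor (constructed example).

Per output, the real generator computes
    s_i   = x(s_{i-1} * P)      state update
    r_i   = x(s_i * Q)          raw output
    out_i = r_i with its top bits dropped
If someone knows d with P = d * Q, one output r_i lets them lift
R = (r_i, y) = +/- s_i * Q, compute d * R = +/- s_i * P, and read
x(d * R) = s_{i+1}: the next state, hence every future output.
"""
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p, with p = 3 (mod 4)
P_MOD = 65519          # prime; p = 3 (mod 4) makes square roots one pow()
A, B = 2, 3
INF = None             # point at infinity

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    res, acc = INF, pt
    while k > 0:
        if k & 1:
            res = add(res, acc)
        acc = add(acc, acc)
        k >>= 1
    return res

def lift_x(x):
    """A point with x-coordinate x, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)            # sqrt for p = 3 (mod 4)
    return (x, y) if (y * y) % P_MOD == rhs else None

def x_of(pt):
    return 0 if pt is INF else pt[0]

def order_of(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n

TRAPDOOR_D = 4919      # constructed secret: the hidden relation P = d * Q
OUT_BITS = 12          # publish the low 12 of 16 bits (real Dual EC drops the top 16)

def find_base_point(min_order=10000):
    """First curve point of large order coprime to d (constructed choice of Q)."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None:
            n = order_of(pt)
            if n >= min_order and gcd(n, TRAPDOOR_D) == 1:
                return pt
    raise RuntimeError("no suitable base point on this toy curve")

Q = find_base_point()
P = mul(TRAPDOOR_D, Q)  # looks like an independent constant to everyone else

class DualEC:
    def __init__(self, seed):
        self.s = seed % P_MOD
    def next(self):
        self.s = x_of(mul(self.s, P))                # s <- x(s*P)
        r = x_of(mul(self.s, Q))                     # r  = x(s*Q)
        return r & ((1 << OUT_BITS) - 1)             # drop the top bits

def predict_next(state):
    """Output a generator in this state will produce on its next call."""
    return x_of(mul(x_of(mul(state, P)), Q)) & ((1 << OUT_BITS) - 1)

def recover_state(out1, out2):
    """Trapdoor holder: from two consecutive outputs, return the generator
    states (after out2) consistent with them; almost always exactly one."""
    hi = 1 << OUT_BITS
    found = []
    for j in range(P_MOD // hi + 1):                 # enumerate the dropped bits
        r = out1 + j * hi
        if r >= P_MOD:
            break
        R = lift_x(r)                                # R = +/- s*Q, if r is a valid x
        if R is None:
            continue
        s_next = x_of(mul(TRAPDOOR_D, R))            # x(d*R) = x(s*P) = next state
        if (x_of(mul(s_next, Q)) & (hi - 1)) == out2:
            found.append(s_next)
    return found

def demo(seed=0xC0FFEE):
    gen = DualEC(seed)
    out1, out2 = gen.next(), gen.next()              # what an eavesdropper sees
    cands = recover_state(out1, out2)                # what the trapdoor holder gets
    true_state, actual = gen.s, gen.next()
    return {"candidates": cands, "true_state": true_state,
            "predicted": [predict_next(c) for c in cands], "actual": actual}

if __name__ == "__main__":
    print(demo())
```

The point of the exercise is the asymmetry: without d, the relation between P and Q is a discrete-log problem and the outputs look fine; with d, two observed outputs (a single TLS nonce or session ID in practice) are enough to walk the state forward. Nothing about the generator's code reveals whether such a d exists, which is exactly why provenance of the constants, and not just an open implementation, matters.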
No. That's my exact point. The CIA can't just get control of a company because they want to. Not that it's impossible, but there isn't a reliable mechanism for doing so.
They would need to somehow subvert key executives and subvert key employees to convince them to add back doors and keep quiet about it.
Their levers on such people (carrots and sticks, threats and bribes) aren't that easy to deploy either, especially en masse and in the US. There are a lot of legal hurdles. (The CIA has a lot more legal latitude outside the US than in -- that's very likely an important reason Crypto AG is a Swiss company and not an American one.) Not that the CIA always scrupulously follows the law -- they don't -- but they have to be careful about it.
I suppose you can just believe the CIA hits the "pwn" button anytime they like. But that doesn't have anything to do with the way things work.
There's nothing that prevents the US government from hacking Chinese telco equipment. Thus I think it's more likely it's about traditional competition. Of course it's cheaper to put a "NOBUS" backdoor in than to hack systems and establish persistence on Chinese hardware.
Do you mean that in addition to the Chinese tapping it, the Americans are unable to? I would agree if that is what you mean. I would also add that in hindsight, it looks like Huawei is the same arrangement as Crypto.
The UK government argument has been "we're not putting this stuff where a Chinese wiretap would get them anything", as I understand it, it's isolated to low security contexts. And they want Huawei because it's technically superior (needs fewer masts).
The panicky US response makes most sense if the reply they can't say out loud is "but you're putting it in places where it interferes with our wiretapping!"
> Buehler was interrogated for nine months but, being completely unaware of any flaw in the machines, was released in January 1993 after Crypto AG posted bail of $1m to Iran.[10] Soon after Buehler's release Crypto AG dismissed him and charged him the $1m.
Interesting list. Besides Palantir, I know these: GitLab, Databricks, MemSQL and MongoDB. I don't think "they" are using these to exfiltrate data "Crypto AG" style - I'd be surprised if "big data"/data science wasn't part of their operations, hence it makes sense to invest in some of their core tools. This ensures sustained development and maybe catering to CIA-specific edge cases.
Judging by the company names: investments in RF companies are also more likely on the "tools we use" side of things than the "rigged" side. The amount of biotech makes me assume the decision-makers think this is an emerging market which will make a good investment.
So answering to GP: No, not compromised. I wouldn't be surprised if there were one or maybe even two hiding in plain sight, but I think for each individual company on that list, it is very, very, very unlikely that this specific company is compromised. If you don't trust them, make your sensitive GitLab and MongoDB instances accessible via Intranet/VPN only - but I suppose that's good practice anyway?
It says Crypto AG relocated to Switzerland to escape being nationalised by the Swedish government. How fun then, that it ended up being wholly state owned anyway.
The really good question is: What are they compromising now?
We can't know for sure, but I'd wager that most quantum cryptography companies have been well greased by spy agencies who expect to be paid back in backdoors.
No worries, though, I'm sure intelligence agencies weren't smart enough to get out ahead of things like search, social networks, password storage services and VPNs.
The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.
Ah. That puts the export limitations on cryptography in perspective. Don't allow new tech to compete with the source of a lot of valuable intel.