> The Iranian government then arrested Crypto AG's top salesman, Hans Buehler, in March 1992 in Tehran. It accused Buehler of leaking their encryption codes to Western intelligence. Buehler was interrogated for nine months but, being completely unaware of any flaw in the machines, was released in January 1993 after Crypto AG posted bail of $1m to Iran. Soon after Buehler's release Crypto AG dismissed him and sought to recover the $1m bail money from him personally.
Sounds like a great employer. Knowingly sells backdoored equipment to foreign governments, allows their employees to be arrested and held for nine months even though they know nothing about it, pays the bail, then immediately fires them and tries to recoup the bail.
The employer was US intelligence agencies. That is how they operate. The ends justify the means. Collateral damage, be it physical, emotional, personal or professional, is seen as part of the role.
I'm not saying I agree. But it's important to point out how skewed (usually mistakenly) most people's perception is of those three-letter outfits.
Shows how much you can rely on spies to value their relationships. Just fraudsters. All talk, but unreliable. No wonder the profession attracts so many deceptive sociopaths. Optimizing for people who won't have your back is a "virtue" apparently... Can't even take care of their own. Pathetic.
I thought so too, at first, but the new information is not just that some Crypto AG products were somehow compromised for some customers (widely reported since the 1990s), but that the company was literally owned by the BND and CIA. Not in a metaphorical sense of owned.
This is also well known for several decades. I'd be more interested in hearing from a whistleblower whether someone runs the shell company behind VeraCrypt. DGSE?
Have we found out anything more about the people behind it recently? It's been a question I've been pondering for a while. I know this was mentioned in a previous thread:
I've often thought an interesting place for an intelligence agency to place or recruit a source would be in a code review organisation. There are a couple of high profile ones that do a lot of work on open source projects. Let's be honest, very few people have the time, energy and skills to review a project independently of this.
Of course there comes a point where too much tinfoil makes the hat fall off.
One answer is that you don't need to manufacture custom equipment with escrowed keys to infiltrate communication systems any longer. The Israelis were using stingrays in Washington, DC just last year to spy on officials. You could probably build a stingray using open source software and a software-defined radio USB stick.
You can't trust the network. Rather than trying to avoid Huawei, energy should be spent engineering things so Huawei equipment doesn't need to be trusted. Until then, China and everybody will continue to be able to snoop, regardless of who built the network components.
This is also why the US wants to avoid Huawei. Letting Huawei in and doing that engineering makes the American spies' job harder than keeping the ruse going.
Australian PM basically confirmed this conspiracy theory recently: the main risk AU intelligence identified in Huawei hardware wasn't interception of intelligence by China*, rather denial of access to networks with Huawei hardware, which compromises intelligence sharing, i.e. it makes it harder for FVEY agencies to spy on each other's citizens. Also puts in perspective William Barr's recent comment on buying a controlling share in Ericsson or Nokia.
There's also the drama last year where the US claimed Huawei technicians were helping Uganda and Zambia spy on political opponents. Political opponents being Washington-friendly anti-establishment candidates, and helping being acceding to requests for lawful interception duties as vendor. To be fair, the technicians also helped use Israeli spyware to extract WhatsApp data. The TL;DR of the entire debacle being Chinese hardware actively undermines US foreign influence operations abroad.
*I surmise the reason the US is having so much trouble producing convincing evidence of Huawei malfeasance is that China actually hasn't exploited Huawei hardware because they don't want to risk damaging the brand's reputation. That's not to say China doesn't spy, of course they do. They just have the capability to do so without going through Huawei.
Still, given the extraordinary claims, the proof on Huawei seems to be spread thin. I know they "theoretically could" surveil everything, but actual proof isn't really there (yet) afaik, and this while there are parties with considerable interest in proving their wrongdoing.
Which leaves three explanations:
1. The Chinese are so good the 5 Eyes can't prove it
2. The 5 Eyes can prove it but don't dare to for certain reasons (which won't stop independent researchers)
3. It doesn't actually happen (yet)
Meanwhile we've got tons of actual backdoors from the US side.
The PLA members being charged with the Equifax hack to me was a statement that they probably -do- know some things but do not wish the political turmoil that would result.
But what does that have to do with Huawei and 5G? The Equifax exfiltration exploited bugs in an internet-facing Java application. Likewise for previous incidents, such as the exfiltration of data from the Office of Personnel Management. In both those cases and others the U.S. government publicly fingered China. Publishing technical details wouldn't have created any additional political turmoil, and in fact some technical details were published.
The U.S. government could divulge credible information about a particular Huawei attack, especially if it were as pervasive as they seem to claim. I can think of many reasons why they wouldn't do this (e.g. exploits make more than just Huawei look bad, such as other American suppliers), but few that bolster their case against Huawei as a distinct threat to telecommunications security.
Rather, it seems their beef with Huawei is two-fold: 1) generalized national security interest in preventing China from dominating the telecommunications market (i.e. concern over relative tactical and strategic positions of China and U.S. SIGINT capabilities), and 2) protecting the profit margins of Qualcomm and other American suppliers.
Huawei hacking to steal IP =/= Chinese government exploiting Huawei infrastructure to hack other nation states. The latter allegation has no credible public evidence.
Lots of US companies are founded and operated by former military. Ren was a technical researcher who didn't hold military rank. He wasn't even eligible for CPC membership due to parental ties to the KMT.
Also lots of devices with bad security and spaghetti code. Huawei is probably the most scrutinized vendor in the last decade; national and private investigators from a host of countries found nothing to suggest links to Chinese espionage. Hundreds of mobile operators with years of experience found nothing. The NSA, with access to Huawei internal networks, found nothing. GCHQ, with Huawei code to audit, found nothing. The only people who claim to have evidence but steadfastly refused to release any until recently are the current US administration, with Mike Pompeo leading the charge. Which turned out to be non-specific claims about the legally mandated lawful interception function, aka Vodafone SSH tier of vapidness. Unsurprisingly, this has convinced no new countries, and the countries that have firmly banned Huawei all have exceptional dependence on US security and intelligence sharing. With all that as the starting point, why would you ever trust allegations?
Even straight from this article:
>So one other - there was another Swiss company at the time - Gretag is what it was called - that was trying to become a rival to Crypto. And the CIA and U.S. intelligence helped to sort of orchestrate smear campaigns around the world to spread disinformation that Gretag's devices couldn't be trusted; there were vulnerabilities in them.
The playbook hasn't changed. Neither have the interests. There's nothing wrong with US intelligence pursuing self-interest based purely on the fact that the Chinese are security competitors, despite a complete lack of evidence. But the only useful idiots are people who believe the US smear campaign around Huawei blindly.
>Malcolm Turnbull has warned Boris Johnson that allowing Chinese company Huawei to build Britain's 5G network would compromise the ability of the Five Eyes countries to collect and share intelligence.
>Mr Turnbull said the main risk the Australian security agencies had identified was not through potential Chinese interception of intelligence but by denial of access to the network.
If you follow the story closely, the intelligence community began to intervene loudly once the US escalated to severing intelligence sharing if countries didn't ban all Huawei gear. To the point where you have the UK firing a defense minister over a Huawei leak. Which is understandable; FVEY domestic security is built around hacking each other's citizens to get around domestic legislation, and only the NSA has access to western tech giants.
You absolutely could build a stingray with an SDR with OpenBTS, although I'm not sure how you'd get it to emulate 4G. As far as I know, OpenBTS only supports 3G.
For the lazy, a 3G tower dev kit from Range Networks is $8,000 [1].
AFAIK stingrays typically use 2G, since 3G and upwards have strong mutual authentication (i.e. the network authenticates the phone but the phone also authenticates the network). They just jam the 3/4G signal to make the target phone fall back to 2G.
At a glance I see a few articles; it looks like the topic came up in 2018 and 2019, potentially in different but related circumstances. One of those stories is from the Associated Press, but the article I skimmed from them didn't make the Israel assertion and was more general. If I had to guess, the topic didn't gain much reaction because the most 'in-depth' articles are from infotainment rags like Gizmodo, Common Dreams, and Politico. Politico seems to have been the one to break the 2019 story, but I'm still reading so can't confirm that.
It's kind of interesting the lack of interest the media has in such a story. Would be interesting if there was a way to somehow float the same story except with a different country (say, Russia) alleged to have been behind the placement of the device.
Media attention was similarly short-lived regarding the closing of the Russian consulate in San Francisco and the Russian compound in Maryland.
Yes, Israel usually gets a pass on espionage, and Russian election interference is a years-long story. But in any particular incident it's hard to tell whether the public is disinterested in the incident or disinterested in the adversary. Plus, to be fair, reports of actual Russian incidents are fairly common. I mean, they've literally built a niche industry for social media hacking. Reporting on it is easy; you don't need to wait for intelligence leaks. And they publicly gloat about their strategy and tactics. By contrast, Israel is usually far more discreet[1] and publicly identified incidents are few and far between.
[1] Operationally and politically. They certainly don't gloat. They stick to a very strict recitation: "Israel does not spy against the United States."
In the case of Huawei it's not about spying - it's about money. Building 5G networks will require installing lots of equipment on every building in every country. This will allow astronomical amounts of money to be made. The US doesn't want all that money to go to Huawei - hence the witch hunt.
The evidence seems to show that open source crypto is more likely to be secure. The Dual_EC_DRBG [1] thing is a good example where the NSA was desperate enough to actually try to hack an algorithm and then was immediately caught at it. That known dodgy algorithm was then used in commercial crypto products for 7 years. The open source crypto community could just avoid it.
Snowden used an open source implementation of PGP based on his knowledge of the NSA's capabilities at the time. He did not go shopping at the crypto store.
Though I know it's not perfect, free software projects at least give you some ability to discover and hinder government interference. I don't know why you seem more interested/worried about them.
Wasn't there a post here about how little review open source software actually gets due to the highly specific knowledge required to identify vulnerabilities?
Because the open source community is slowly coming to the uncomfortable realization that many eyes != security. Take Heartbleed: SSL had a glaring security vulnerability open for years that none of those eyes ever spotted.
I've seen questions raised here on HN about Signal and Tor: where they came from, and where their funding comes from. If I had to bet, then I'd bet both of those are modern day Crypto AG variants.
It's one thing to acknowledge that open source software doesn't get the review it needs. It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.
Turnkey black box solutions may be reviewed more regularly by a dedicated team, but you have to admit that they're subject to flimsy and easy manipulation by state actors and the greed and corruptibility of their owners.
> It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.
I think the Crypto AG story is sufficient proof of itself to look with suspicion at all related open source projects. In situations where there are known bad actors and we are dependent on security, we should look with suspicion unless we know better. "Insecure until proven secure" is probably a good motto.
>Because the open source community is slowly coming to the uncomfortable realization that many eyes != security
The community has been aware of this for a very long time. Many eyes still provides better security than few eyes, which is why singling out free software as your concern seems misplaced.
>If I had to bet, then I'd bet both of those are modern day Crypto AG variants.
Though it's possible Signal is compromised, it's basically known that the proprietary offshoot WhatsApp is compromised. Free software is still your best bet, likely even better than doing it yourself for 99.9% of the world.
Pretty much all of them, I'd assume. Basically there is no secret that a major state player cannot crack open unless 1) it doesn't care 2) it's protected by another equally strong state player.
I wonder if RISC-V would fall under this category. I saw recently that a decently powerful SOC was built and sold in small quantities. Is that architecture sufficiently open (and simple) that a satisfactory audit would be feasible?
The issue with #3 in practice is that roll-your-own tends to have its own undiscovered bugs and winds up being security by obscurity in practice, unfortunately. There is a reason best practices for cryptography involve thoroughly tested algorithms as opposed to just "the latest and greatest".
If you can audit completely enough to not leave anything then the question becomes why not audit the commodity? Lack of availability of auditable components or proportionate costs of doing so is the main answer I can think of.
Nice to finally have some exploration of how this tied into geopolitics.
What I'd still like to see is... how did this influence domestic crypto policy and export controls? It seems entirely too coincidental that right after the cat is fully out of the bag with the Iran thing, the US is suddenly easing export restrictions on crypto, trying to shove Clipper / Key Escrow down our throats, coming for Zimmermann, etc.
The Swiss government (specifically the State Secretariat for Economic Affairs) has filed a criminal complaint "against unknown persons" to shine some light on this case:
This is not the only encryption/communications technology company that has been compromised by national intelligence services.
I'm aware of another (potentially) where an employee credibly alleged it.
From the perspective of a national intelligence service, it is likely a far better return on investment to proactively catalogue compromised communications at root, rather than intercept and brute force it later.
As a Swiss I would say that you can put Swiss cryptography into the garbage bin, together with US-American cryptography, unless there is quality control. My country needs a food inspector for cryptography. The inspector should talk to employees, check source code, look at who owns a company etc.
We need open source. Threema is one of those that concerns me. Used by the government but source is closed and distributed via Google Play and Apple App Store.
On my way home I tuned in on this interview, caught the end of it. Had my dinner and decided to google the story, but before that checked Hacker News. And here it is on the front page.
Tor places limits on how much of the network must be owned by an adversary in order for them to extract useful information from it. They are quite transparent about it.
Who said we do? That's up to each person to (consider to) construct a threat analysis.
Protonmail uses JavaScript, which can theoretically be serving nonsense to a specific client. There's no way you will audit the source every time you use it. I use it, for larping, and because I like the thought that there is still some competition in the e-mail landscape.
Tor is a completely different league... but I don't consider the actions I (might) perform there to be confidential for the rest of my life, so I act accordingly. YMMV.
Within the context, this is about spying and signals intelligence. We don't usually talk about a foreign agency being pure evil when they tap fiber lines; we do when they murder or massacre.
“If only it were all so simple! If only there were evil people somewhere insidiously committing evil deeds, and it were necessary only to separate them from the rest of us and destroy them. But the line dividing good and evil cuts through the heart of every human being. And who is willing to destroy a piece of his own heart?”
― Aleksandr Solzhenitsyn
In the digital age, information is everything. And information usually precedes action, so in my eyes your argument is wilfully ignorant to the larger reality of a complex globalized world.
I wrote this before and then edited, without realizing that now my main argument has become for the opposite of what I intended it to be for. Now I can't edit it. Original post:
"Wow very selective mind you've got there. Please tell me this is a joke?
In the digital age, information is everything. And information usually precedes action, so in my eyes your argument is wilfully ignorant to the larger reality of a complex globalized world.
All of that is mere sophistry to justify their crimes. It is an addictive toxic meme like "necessity", as it at best escalates from any actual necessity to excusing mistakes to whatever is convenient to whatever they /think/ will help, even if actively detrimental like torturing for information. This sort of delusion has a long history - often found as societies rail against "decadence" when it is really what they consider virtue which will be their inevitable downfall.
The secret is that information doesn't matter to the evil fools, it is all a pretext for self justification whether consciously or otherwise. In order for the delusional evil to die and stay dead the secret must be widely exposed.
Donald Trump: "I think Snowden is a terrible threat, I think he's a terrible traitor, and you know what we used to do in the good old days when we were a strong country - you know what we used to do to traitors, right?"
Eric Bolling (Fox and Friends): "Well, you killed them, Donald."
It depends on what the information is used for. If it's to stop nuclear proliferation, it's audacious. If it's to monitor and then disappear political dissidents, it's pure evil.
Yes, those are pure evil. The particular case of monitoring nuclear weapons development programs or the Billy Carter case mentioned in the article, however, is more on the audacious side.