I drew the ire of our security services in a much dumber way sometime in the early nineties; after having seen Wargames, I set up my MicroVAX, rescued from a dumpster at the local bank, to ID as a DoD box whenever any of my friends dialled into it.
A few weeks into this, I get a summons to get down to the local police station ASAP. The commissioner then gives me a good verbal beating for being such a stupid kid; apparently someone had dialled into the uVAX by mistake or wardialling, figured it was a real DoD machine, had reported the security breach and had gotten all sorts of gears moving.
He wound up the sermon by telling me whoever had called him from the relevant department at military intelligence had chuckled and told him they kind of found it funny - but could he please get hold of me and tell me to stop doing it immediately, or else have my landline terminated?
You were running a lower risk of getting caught, but if you got caught, you could easily get slammed with all kinds of outlandish stuff back then, mostly due to the general public ignorance of computing and hacking. These days, you have a way higher chance of getting caught, but the punishment is more reasonable and fair imo (even though it is still way overblown most of the time).
What instantly came to my mind was the Kevin Mitnick trial, where "law enforcement officials convinced a judge that he had the ability to 'start a nuclear war by whistling into a pay phone'"[0].
I wouldn't worry. You can still set up a computer pretending to offer a DoD login, in fact as many as you want/can afford on AWS, and you still won't go to prison. IANAL, but go ahead and knock yourself out! It'll be fun/character building/a learning experience no matter what happens.
I can see why that would have been intimidating. With the decades of experience you've had since, do you think he could have gotten your landline terminated? What would be the legal argument?
I am quite convinced it was just meant to drive home the point that they were being serious about me changing the welcome message.
I do not think there is any legal way they could have severed my (well, my parents') phone service over such an issue - but then again, I had no desire to have to explain to my parents why the phone was dead, and promptly replaced the welcome with something along the lines of "This computer is so secret the DoD told the op not to ID it!" (Which, while rather flippant, was definitely true... Ah, the joys of being fifteen!)
I can't even imagine there is a valid legal argument.
If somebody calls me, I can say whatever I want. If I want to answer the phone by saying "Department of Defense, how can I help you?" the First Amendment guarantees me the right to do that.
Now, I certainly could not call other people and claim to be the Department of Defense. That's fraud. The same applies if I had done something like put up flyers claiming my phone number was related to the DoD or something like that.
I am in Norway, so the First Amendment carries little weight around here; our equivalent is 'Article 100' (of the Constitution) stating pretty much the same thing as the First Amendment.
(This is hardly relevant; I just grasped the opportunity to stress that the HN crowd resides in the most peculiar places...)
Now, I definitely am biased, being a Norwegian myself. But I see people mentioning themselves being Norwegians everywhere here on HN. I don’t recall seeing half as many people going around saying, «I’m a Dane» or similar; this seems peculiar, Norway is small. I wonder if it actually is as it seems to me, or if I just miss these seemingly non–but—actually-not–non-existent remarks.
> The frequency illusion is that once something has been noticed then every instance of that thing is noticed, leading to the belief it has a high frequency of occurrence (a form of Selection bias). The Baader–Meinhof phenomenon is the illusion where something that has recently come to one's attention suddenly seems to appear with improbable frequency shortly afterwards. The Baader–Meinhof phenomenon is sometimes conflated with frequency illusion and the recency illusion.
You got me interested so I looked for the English translation. Taken from Constitution.org
> Article 100
> There shall be liberty of the Press. No person may be punished for any writing, whatever its contents, which he has caused to be printed or published, unless he wilfully and manifestly has either himself shown or incited others to disobedience to the laws, contempt of religion, morality or the constitutional powers, or resistance to their orders, or has made false and defamatory accusations against anyone. Everyone shall be free to speak his mind frankly on the administration of the State and on any other subject whatsoever.
I always get interested in how other free speech laws are worded because I enjoy the way Madison worded the First Amendment so damn much. When somebody points to an Article # or something like that, it makes my pursuit of this hobby a bit easier.
> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
Compare and contrast. One is a grant, essentially a permission, to the people of Norway, and the other is basically telling the US Congress to fuck off because it has no right nor permission and not even a wink and a nod to make any law on the matters which follow. The liberty is inherent, Congress’ powers are not.
Mind this is a translation, I unfortunately do not know any Norwegian to verify the original Article 100.
Now compare and contrast with the California State Constitution. I’m providing a link because it is much wordier, and starts at Sec 2 and runs for a few more sections. While California is under the same structures as the First Amendment in modern times, that wasn’t always the case. If you read the wording here, it is downright inferior to both the US First Amendment and the Norwegian Article 100, spares too many words, and phrases its equivalents mostly in a manner of a permission under the CA Constitution rather than telling the State legislature to fuck off. An unfortunate choice, but most of the State’s Constitution is a long tragedy of errors and poor choices, one of the most unfortunate being the choice to grant voters the right to amend the bloody rag by referendum.
Yeah, Norway's Article 100 isn't anywhere near as powerful as the First Amendment. So many broad and vague exceptions are carved out, and as you pointed out it's granting the people of Norway a right instead of enshrining an inherent right.
Our amendment process is not for the faint of heart, and so amendments are rare. An amendment can be proposed by two-thirds of Congress or by 2/3 of the State legislatures, but to be ratified you need 3/4 of the States to agree and each State has equal voice regardless of population.
During the ratification process for the Constitution, there was some debate about whether a Bill of Rights was even necessary, but there were many States that didn’t want to ratify without one. The reason for the debate is that the liberties in the Bill of Rights were taken to already be natural rights and so spelling them out was unnecessary, but the Anti-Federalist faction wasn’t convinced.
Madison eventually won his seat in the election of the First Congress against Monroe (fun fact, they traveled together while campaigning!) by campaigning on the promise to draft and propose a Bill of Rights, but he didn’t see the lack of one as a reason to hold up the ratification conventions.
So repealing the First Amendment wouldn’t have the effect of repealing Free speech per se. Congress would still have to justify regulating speech under its enumerated powers (and could still lose elections over the issue) and many State constitutions already have their own takes on it. Some more like Norway’s Article 100, and some more like the First Amendment.
There are laws against representing yourself as military (active or former) when you are not a member; these laws are pretty narrow in scope and likely would not affect you answering the phone in this manner. Another concern is to avoid (mis)representing yourself as any kind of law enforcement or emergency services involved capacity, as I believe there are federal regulations forbidding this.
I'd be more concerned with making false statements to federal agents, which is a crime, when answering the phone using those words. At that point in the call, you are announcing yourself and making verifiable statements, although in jest. But if you're talking to someone who wants to ruin your weekend, they will find a way to do so.
Kids these days ;) . Before ssh there was telnet, and a telnet server can write a greeting text before asking for your username (it can even be configured to skip the login and just show you a shell), e.g.: https://www.youtube.com/watch?v=tno79Q2X-Sg&t=31
In that video it says "User Access Verification", he probably changed his to "Dept. of Defense"...
Before we had that, we had modems, which I assume was the case since wardialing is mentioned. They could run ANY protocol - or indeed none at all. You could tie it directly to the text I/O of any program (easy on unix systems, not as easy on MSDOS or early Windows versions). Many "BBS" systems worked this way.
EDIT: also early "multiplayer" games, which would talk to the modem directly. I've spent hours playing Descent over a 9600bps modem connection. That was only running... whatever protocol Descent used. You kids and your fancy packets.
If a file was being transferred you could do nothing else. If you were specially high-tech, you would use ZModem for the transfer. If not, you would be using something like XModem, or even Kermit or something proprietary.
It's a shame the commissioner couldn't have had a bit more of a sense of humor about it. Except for him being a jerk the story is pretty much pure slapstick.
Interesting story, but wouldn’t be surprised if the real play here was to get his source code so they could get some bad guys to use a modified version that the NSA could crack. Put a back door in and then intercept traffic trying to download the encryption app to download the back-doored version.
The fact that the NSA has to call him in the middle of the night to learn that the free version didn’t use strong encryption (a fact that seems to have been a selling point for the non-free version) just sounds a bit dubious, but that’s just my sense. Nice mug regardless.
Whatever they used source code for, it's just a shortcut - they could do the same thing by just disassembling and binary patching (like all hackers and agencies do all the time). Basically they would never do it and risk exposure if they didn’t want to get results extremely fast.
Maybe they had the opportunity to get someone to use their patched software but only had a day or so to create a fake copy. In that case the source code would be very valuable.
From the story, I didn't get the sense that Dave didn't know that the shareware version used 40-bit encryption. But that it was a revelation for the author. Sounded like Dave didn't give up any information, other than the relevant version.
I see so many tactics of an expert negotiator here. Being incredibly nice and respectful. They were able to get what they wanted. They were able to convince you of an issue, with urgency, without any evidence of the use of your code other than the words of the officer. The story could have absolutely been fabricated to obtain access to the source code per an initiative to have access to cryptographic software, or it could have been true.
Being NSA they could easily have gotten source code in the covert way - one of the employees had a copy at home, they emailed it around! But for encryption software there is no value in source code in the first place - algorithms are standard, and software can be disassembled anyway. All access to the source code does is allow them to save time on disassembly. Author knew all this and this is why he gave them source code in the first place.
Basically fabricating this story and risking exposure just wasn’t necessary.
I doubt it. For one, how could they expect to distribute it in a way that a bad guy was more likely to download than by going to the official site?
But also, if they did want to do that, they could probably backdoor it pretty easily just by patching the binary a bit. Reverse engineering and changing binaries is way easier than cracking encryption, and they probably have some of the world's top reverse engineers.
The fact that they asked for an existing algorithm backdoor, among other things, makes me think they really were trying to crack at least one thing encrypted with it. As for whether it was to deal with a time-critical situation or whether that was just a confidence trick to make him more likely to give up the code, who knows.
> how could they expect to distribute it in a way that a bad guy was more likely to download than by going to the official site?
Man in the Middle attacks work even if one goes to the official site. It could have looked something like this.
1) User attempts to go to the official site https://...
2) NSA intercepts the message, downgrades to http and sends back a dummy site with the malicious binary [1].
3) The user doesn't notice the change and uses the malicious binary.
Today, a series of steps have been taken to make such an attack more difficult. Now browsers tend to try to warn the user and sites can take advantage of HSTS preload lists[2]. However, this article was written about an event in early 2000 when many of these safeguards didn't exist.
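The HSTS safeguard mentioned in the comment above can be checked from the defender's side. The following Python sketch is an added example, not part of the original thread: it parses a `Strict-Transport-Security` header and reports whether a site would still be exposed to stripping on a first visit. The function names, verdict labels and sample header values are constructed for illustration; the preload thresholds follow the hstspreload.org header requirements.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age the hstspreload.org submission rules ask for (one year).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age may arrive as a quoted-string
        if name in seen:
            # Each directive may appear only once; a repeat invalidates the header.
            policy.problems.append("duplicate directive: " + name)
            continue
        seen.add(name)
        if name == "max-age":
            if value.isascii() and value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            # Not defined in RFC 6797; it is the opt-in token used by preload lists.
            policy.preload = True
        # Any other directive is ignored, as the RFC requires of user agents.
    if "max-age" not in seen:
        policy.problems.append("max-age is missing (it is mandatory)")
    return policy


def assess(scheme: str, header_value: Optional[str]) -> str:
    """Classify how much protection against stripping a response provides."""
    if scheme.lower() != "https":
        # Browsers ignore HSTS sent over plain HTTP, so a stripped
        # connection can never establish the policy.
        return "ignored"
    if header_value is None:
        return "no-hsts"
    policy = parse_hsts(header_value)
    if policy.problems:
        return "invalid"
    if policy.max_age == 0:
        return "disabled"                  # max-age=0 tells the browser to forget the host
    if (policy.preload and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_MAX_AGE):
        return "preload-ready"             # header meets the preload list's requirements
    # Valid policy, but only enforced after one untampered HTTPS visit.
    return "first-visit-exposed"


# Constructed sample responses: (scheme the response arrived on, header value).
SAMPLES = [
    ("http", "max-age=63072000; includeSubDomains; preload"),
    ("https", None),
    ("https", "max-age=31536000"),
    ("https", "max-age=63072000; includeSubDomains; preload"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, repr(header), "->", assess(scheme, header))
```

A `first-visit-exposed` result is the gap the comment describes: the policy only binds browsers that have already reached the site once over an untampered HTTPS connection.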
Right. They could possibly do this and have done it before. But they wouldn't need to request the source code from the author in order to do it - they could patch the binary. Also, it's a pretty involved thing to do and not that easy to pull off in a situation like this. For example, presumably all of the targets already have the software installed, and they may have no reason to visit the official site again; especially if updates are very infrequent.
Finally, it wouldn't do them any good for trying to crack things that are already encrypted with it, which from the conversation does seem like it was at least one of their goals. (Could be deception, but that's the most likely reading, to me.)
I'm just saying that that doesn't seem to be a likely reason for requesting the source code.
The reason is likely what they said it was: they want to look at the source code to see if there's some way to crack the encryption faster than they otherwise could - for example, some bug causing key generation to be somewhat predictable.
Just to be clear, no web browser has ever (AFAIK) allowed a navigation for https:// to downgrade to http://. It's only when the protocol is not explicit (i.e. typing only "domain.com") do problems really arise.
They may have meant finding a link to it elsewhere from a plaintext site, in which case they could sslstrip it. (Before more modern safeguards, at least.)
I suppose, but the actual process of hosting or sharing it seems a little convoluted. And, again, they could do all this without the source code, if their goal was simply to subtly backdoor it.
Microwave ovens are not that horrible against bipolar transistors. They are completely lethal for MOS-FETs, but one can make electronics that survive it.
Making things resilient against a kilowatt of non-ionizing microwave radiation seems challenging, in my experience it will burn the traces right off the PCB. A different game from the more common radiation-hardening where the concern is low power ionizing radiation.
Embedding your conductive trails into a large non-conductive material helps, as does putting unrelated trails apart, and making them at the right size. Completely surrounding them with a ground plane helps too, but I have no idea how to include an antenna.
That tx/rx interface is the real problem. But if you enclose things with the right material, you can turn everything into a large varistor and even MOS-FETs will survive.
My first job in the early '80s was for a phototypesetter manufacturer. Logically, the NSA had one of our machines for in-house use. Whenever there was an issue with the machine I flew up to Virginia to look at it. My experience was roughly the same as the article's, super-nice people, all of us immediately on a first name (only) basis. The two kind of uniquely funny things about those visits were 1) that the machine (PDP-11 based) was kept in a small room with nothing else in it - a door opened into a room with the machine exactly in the center of the space. The other thing 2) which did make sense was that the core memory was always wiped w/a walking 1's and 0's paper-tape utility prior to me getting access to it.
Maybe it was just kept in that room while you worked on it. Perhaps that's the room where they move equipment that needs servicing so they only have to secure one route and room for technicians to use.
This sounds like spy training from Burn Notice. Like, you have to get the source code of this program, from a guy who isn't at home right now and the whole budget of the operation is just enough to buy a mug from our gift shop. Good luck Dave!
I bought an NSA mug at the National Cryptologic Museum in 2000 or so. I was amused when it developed cracks and started leaking around the time Snowden was just getting into the news.
Life imitating art... or art imitating life... or something like that!
Also, fun fact: The Liberty Bell cracked some time ago in history (between 1752 and 1846), when exactly is debated by historians, but "The last big crack happened on Washington’s Birthday. The Liberty Bell cracked up, literally, in February 1846, when it was rung on President’s Day, celebrated on Washington’s birthday, and then stopped ringing because of damage from a major crack."
Your security should never depend upon security of your source code. If you're doing things correctly, then the source code doesn't change anything about the security of the data that is encrypted.
Perhaps you mean that he chose to use 40-bit keys instead of 256-bit keys in the free version? I mean, I guess. But that's just a matter of better understanding the details. It sounds like he outlined this clearly and anyone looking for more security knew to pay for the product to get the 256-bit keys.
> Your security should never depend upon security of your source code.
For sure. I don't think it's about that, though.
Even if the application in question were open source, if the project lead is willing to cooperate in any way their government asks, they could probably ensure the existence of a back door. For this reason, where possible, I would prefer to use encryption software written by people who are principled to a fault (or who at least do a good job acting as if they were).
Let's imagine Linus Torvalds or Greg Kroah-Hartman in this same situation. Linux source is available, so let's say they were asked to ensure that a certain patch to a cryptographic API was not accepted before a certain window. Maybe the crypto API maintainers were on the call as well saying that they were on board with the plan (apologies to those people, I don't know you and mean no offense). I like to think that they would:
1. Turn down the NSA.
2. Attempt to get the word out about what they had been asked.
3. Find new crypto maintainers.
And yes, it's entirely possible that this is not at all how it would go down. Maybe they would be very cooperative. I don't know any of these people personally. But what I do know is that they have not, as of yet, made a blog post about that time when the NSA did ask them to betray an unspecified user and how they did everything they asked without resistance.
I don't think I'm being idealistic here. Software and encryption are global endeavors. People who blindly believe that the enemies of their state are also their enemies, or even that obedience to local laws is a moral imperative, should not write crypto software. Or at least, I hope they make their beliefs known like this guy did so that I can avoid their software.
Being willing to provide source code is entirely different than inserting a backdoor or purposefully holding back security updates.
One should have zero impact, as I said, modern crypto algorithms do not depend on keeping the algorithm secret to maintain security. Implementation can absolutely be full of bugs that are incorrectly using crypto primitives though.
The other has a direct impact on security.
I don't think one blurs the line to the other, they're fundamentally different things.
If anything, this is further proof that you need to use crypto properly because it literally means someone with code in hands won't have any advantages in attempting to break that encryption.
To me anyway, someone willing to give source code to the NSA doesn't imply they'd be willing to do nefarious things. There's nothing inherently nefarious about giving the NSA source code.
That said, I can understand being skeptical, but people love to talk about how open source is more secure because it has eyeballs on it. But now we try to pull the "it's not secure because the source was given to the NSA".
Source availability helps in crafting successful exploits in the real world.
Providing the source of a closed source project to an adversary so that they can break your software is nefarious.
If the author's justification was...
"My crypto implementation is perfect. There are no bugs in my code, so providing source code (which the user community does not have) to an adversary does not have any effect on any user's security."
...then the author is simply incompetent, not malicious. But I am not inclined to accuse the author of such incompetence.
Most people who argue that open source is equally or more secure than closed source software do not argue that access to source code provides zero benefit to attackers. Instead, they argue that the benefit gained by the many additional sets of eyes belonging to researchers and other "good guys" outweighs the detrimental effect of letting the "bad guys" see as well.
The question in this instance is not whether the closed-source-superior or open-source-superior security camp is correct. The only related question is: "Does access to source code provide any benefit whatsoever to an attacker?"
I don't think I'm the "only person around here" who would argue that yes, it does. And that if you're taking the closed-source route, like this project's author, you can't provide copies of your source code to one specific attacker when they ask. If you do that, you're _definitely_ worse off (from a security perspective) than the people in the open source camp. I'm sure the closed-source-superiority people would agree.
Not necessarily - the normal argument for open source being secure is that the source code can be reviewed by the community and any security issues will be noticed and patched. In this case the parent specifically mentions source code the community doesn't have access to.
Your argument is that withholding source code raises the cost of attack for the NSA. They'll have to buy expensive decompilers, hire competent assembly/C programmers, it'll take longer, etc.
Seems like it would similarly be unethical for a local bakery to give the NSA a discount on cheesecake.
The NSA does a lot of things. A lot of them are good. Some of them are bad.
When the NSA asks you to help them do bad things, you say no. If you feel inspired to give them a cheesecake discount because of the good things they do, that is fine.
I'm pretty sure if the NSA asked him to add a backdoor, he wouldn't do it. (They already asked if he had an existing one, and he clearly realized how bad that would be if there was.)
That may well be true. But still, this story influences my _guess at the likelihood_ that this author would do so in the direction of "more likely."
Likelihood that the authors/owners of software are willing to cooperate, and capable of cooperating, with adversaries is an important metric for comparing options. Very high profile open source maintainers are less capable, due to the oversight of the community. Anarchist- or security-absolutist type personalities are less likely. The author and his project don't fit either bill.
I'm not arguing that this is the only metric that matters when considering one's options. But it does matter.
My understanding is that he may not have a choice. With a combination of an NSL and the all-writs-act, the US government can likely compel any non-FAANG domestic entity to do nearly anything short of murder.
The practice of looking up algorithms by name dates back to that same time. The phrasing of the law, since they were treated as munitions, was that you couldn't even export something that was designed to have crypto bolted on. So you made it so anything could be bolted on and some of them just happened to be crypto.
The legacy being things like the blacklist/whitelist discussion we had the other day about case sensitivity in crypto algorithms. We still look up algorithms by string name (instead of enum or some other mechanism) decades later.
I guess to be fair, this was in 2000. Before we knew the Snowden revelations, etc. I also wonder if he handed over just the source code to the shareware version or the full version? Also, nearly everything is open sourced now...so I guess it isn't the biggest boundary to cross?
I knew about Echelon in 1998, but nobody I talked to would believe a word of it. (Or rather, I "knew" what other people ranted about on web pages with badly scanned photos of satellite dishes. But still.)
As others have pointed out, the source code isn't endangering the user(s).
Nonetheless, I agree with you. The writer appears emotionally swayed and flattered by the request, like a protagonist in a WWII-era young-adult novel ("Your country needs you!"), and is eager to satisfy the ask immediately without the slightest bit of skepticism or diligence. That's not the kind of temperament one would want an encryption software dev to have.
Better not use any software by Microsoft then. Also definitely none of that scary open source stuff by people who’ll just hand over the code to anyone who asks.
Kind of missing the point, it's not about the source code. It's about the author's willingness to cooperate just because an NSA agent implied "it's important".
No they didn't, but they proved who they were to the OP's satisfaction, and left it to him to decide whether he should help them or not.
To me, this is a bit of a no-brainer. A government agency wants my help to do something. Do I trust them? Do I help them? Well... yes. They're the government. Incompetent sometimes, irrelevant a lot of the time, inefficient, sure. But ultimately there to provide a service for me as a citizen. If they need my help, then I should probably help them.
I understand that Americans don't trust their government like this. I'm not sure why not.
If I ran a neighborhood ISP, and the cops asked me to spy on a neighbor (for reasons they wouldn't even provide), then I'd shut down first.
If they just wanted to search _my_ stuff, sure. But if the only reason that I'm even capable of assisting the government in spying on somebody is that they are my customer, neighbor, friend, or user then I will not offer that assistance. That would be evil. Don't be evil.
Supporting the government in lawful operations is not evil. There are many, many examples of the abuse of power by the government. But at least in the US, there is a system of checks and balances including freedom of the press and an independent judiciary.
If we give up faith in those things then we will succumb to a lawless, might-makes-right society. What makes you think you know better than the duly elected and appointed representatives of the people? Ok, fine. Tell it to a judge. But if you lose, then comply.
TL;DR: I don’t like “the man” either, but in the end, the man is us. We thwart him at our peril.
> Supporting the government in lawful operations is not evil.
No, it often is. I don't think I need to cite examples.
I'm not advocating for anarchy, and I haven't given up faith in the justice system as a whole. However, there are still many things that I will not do, despite being legally compelled. Leveraging my relationships, professional or personal, to help an agency with a dirty track record spy on people is among those things.
Statements like this...
> Tell it to a judge. But if you lose, then comply.
...are extremely problematic. You can argue that most of the time, in a social order that you believe to be a net positive, you should comply rather than rebel. But phrasing it as an absolute perpetuates any existing authority, no matter how corrupt, forever. If you are sufficiently confident that the right thing to do, taking into account all the disruption it may cause, is not to comply, then you are still morally obligated not to comply.
What is right and what is legal do not always agree. And yes, that is still true even in a society that theoretically allows for change "through the proper channels". Even in the US, many of the most important changes to the law have been made by breaking it. Again, I don't feel the need to cite examples, since we have entire days of the year to celebrate most of them.
The government version of "lawful operations" is them just getting some flimsy warrant rubber stamped by a judge who has absolutely no clue (or care) about how technology works.
The great thing about technology is that it doesn't have to put up with things like useless warrants. Using encryption is the equivalent to having a reinforced door protecting you from people who want to do harm to you that ignores all warrants and cannot be broken or talked down. Thank god for encryption that works, it literally saves lives from the current crops of tyrannical governments worldwide.
Of course I'll say yes, and I hope it's true. Thankfully, I probably won't ever have to find out. But if it does come to that, and I choose wrong, I know I won't write a blog post about it.
What are you talking about? What are the odds of this? I mean really, like out of all the CP allegations, how many of them are fabricated by the police?
Does this jump into the "something/nothing to hide" argument?
The idea that there's an intentional backdoor through security for some institution that may or may not be acting in your best interest is enough for me to not want to use it.
Just about everyone has something to hide, but what they're hiding and the reasons they're hiding it may only be used as leverage against them and have nothing that's a threat to anyone else. My encrypted data has some old tax returns and past medical records--nothing too exciting or compromising, but neither are things I want random people having access to should my copy of the data be compromised.
There are plenty of valid reasons not to want a government agency to be able to pry into every aspect of its citizens' lives. I'd say most people hiding things do it for a lot of social/cultural purposes that aren't too significant at least not in terms of national security.
Take most people's browser history--few people want others crawling through searches that might make them feel stupid or insecure for whatever reason. Perhaps they looked at someone's public profile they're interested in dating and don't want to be labeled a 'creep' or perhaps they've been making great use of the free PornHub Premium access lately. People have rights to secure/hide those things and they're no real threat to national security.
That’s not the question. The question is, why would opening source to the NSA cause you to lose trust in the quality of work.
You seem to have answered the question, “Why is privacy good?” Your answer, at least to me, seems valid, but if you are answering other questions, I would ask, “Can you imagine situations in which individual liberties are trumped by physical safety of a large number of folks?” How have you reacted to COVID-19 restrictions? Are those two things really so different?
>>I probed again, this time about their capability at 40 bits; maybe that reduced level wasn’t such a State secret. But again, Dave was mum.
I recall that 40 bit encrypted Word documents obtained from Al-Qaeda safe houses in Afghanistan after 9/11 were successfully cracked. It was reported in the media, so it was an open secret after that.
Well they do have mugs in the gift store, and the one in the third picture [1] from the end looks like a nice one, although not exactly the same. Of course the picture there is 16 years later.
Sounds like a fun social engineering trick though, if you can subvert the local phone switch. Probably would make more of an impression if the FBI/etc knocked on your door and handed you the phone...
I have been to the NSA gift shop, and they do sell the blue mugs there. But you have to have the right clearances to even get to where the gift shop is...
This isn't true, unless it's changed in recent years. There's a gift shop at the Cryptologic museum on Ft. Meade. I've taken my folks there before, although I haven't worked there in almost a decade, so maybe it's not there anymore. There are gift shops inside the buildings though, but they sell the same stuff as the other one. You don't necessarily have to be cleared to get to those, you just have to have a reason to be in the building (i.e. interviewing)
Now the CIA has a gift shop you can't get to without being able to get into the building. ;)
Since the source code could not help with decryption and the file was trivial to decrypt anyway, the NSA was either playing four dimensional chess that requires making a pointless midnight phone call or it's actually fallible.
Rather than fairly justified suspicion of the NSA, we might want to apply Hanlon's razor in this case.
I’ve had the pleasure of working in some organisations that had mountains of legacy applications that didn’t always have any source code. When I’ve had to fix bugs that involved those apps, reverse engineering them was always tedious and time consuming, and having the original engineers on hand to answer questions always sped things up. Regardless of the NSA's technical capabilities, it seems all he helped them do was something they could have done without his help, only faster.
Agreed, the NSA is a large organization with many moving parts. If the guys who suddenly find themselves needing to break encryption have natural talents that lend themselves more toward tracking people down and talking things out of them, it makes perfect sense for them to start chasing some weird leads.
I think the NSA was rather asking him if there was a backdoor. A phone call will always be cheaper and faster than bruteforcing [current decade] cryptography.
July 2000 is I guess a pre-Google world...so how would "Call 411 and ask for the number of main naval base in Bethesda, MD" work? Just curious how the operator did these lookups?
Unless I'm remembering wrong, 411 only gave directory assistance for your area code. To get the phone number for a naval base in another state, he would need to dial that area code plus 555-1212 to contact the local directory assistance for that location. Might be wrong though. Where I grew up there was a charge for using directory assistance so my parent prohibited us from ever using it instead of the phone book.
Haha. I remember phone charges for stuff like that. *69 to see who called you was 50 cents. So many nickel and dime charges. Of course, back then, monthly phone bills weren’t equal to a healthy percentage of a car payment.
No they weren’t yet, you still had Yahoo, Alta Vista, Excite, Ask Jeeves and many others. Yahoo was probably the dominant one. Most households used AOL who just purchased MapQuest.
I remember my dad telling me about Google and me telling him metacrawler.com FTW. This is the same guy who showed me the WWW on a lynx browser, and I scoffed that FTP was where it’s at.
Adam Savage (Myth Busters) once got a call from FBI because of a Star Wars movie prop (thermal detonator) he was making for a project.
He meant to call his supervisor to leave a voicemail regarding the thermal detonator prop used in Star Wars, but apparently it was left at a wrong number. And that random person called FBI because he heard thermal detonator in the voicemail.
I can't help but feel like the author sounds excessively credulous.
I had to stop reading after he wrote "I could tell something big was up and there simply wasn’t time to debate the merits of handing over my source code to the NSA", because at that point my eyes rolled so hard they fell right out the back of my head.
After I put them back in, I skipped down to the comments. I have a hard time not agreeing vehemently with the top comment on the post, which says:
"You took time off your vacation to help the shadiest government agency on the planet do God-knows-what, as well as give them your IP for free. In addition, your ignorance and glee motivated you write this propaganda post, helping their cause, all for the price of a mug with a fancy sticker on it."
I'm also okay with the author's response, which is, for the record:
"I’ve seen a lot of commentary like this. It was a different time back then. Just one year later the Towers came down. If in 2002 I got that same call, people would hate me for not cooperating. I didn’t invent the ciphers — those are public. I gave up nothing important. I’m okay with my decisions."
KGB doesn't exist anymore - you might mean the FSB or GRU?
Anyways, plenty of countries have security agencies whose main job is to violently protect the local kleptocrats these days. China might be a better example to point to for even worse behavior, with their balkanized net and mass surveillance being used to carry out the mass internment and repression of ethnic minorities in regions like Xinjiang.
> KGB doesn't exist anymore - you might mean the FSB or GRU?
The Russians have definitely gone back to the old ways, I'm not sure the distinction between the old and new matters much any more (The GRU is the same organization, the FSB still reside in the Lubyanka - "the tallest building in Moscow")
You might be able to point to a regional power and say yes, these guys are pretty shady. What you have to remember though, is that the USA is a global power with global reach, so any shadiness is more scalable. Also, don't forget that the US often does stuff like hand people over to another agency knowing they'll be tortured.
EDIT: Don't forget that NSA acquires data to create actionable intelligence that can be passed onto another actor. Whatever you think about them, their work is being used in many cases ultimately by another agency or government.
> I'm sorry but if you think the NSA is the shadiest
You're right about the detail (probably) and also very wrong to be focusing on that particular detail instead of interpreting it as just barely mild hyperbole.
You've gone to "it's not the absolute worst, therefore I dismiss the statement" instead of "it's not the absolute worst, but it's still really fucking bad so I'm going to recognize the premise and move on".
Not really, a comparison was implied. They didn't say "shady agency", they said "shadiest", which makes a claim and invites dispute about the others' relative shadiness.
I felt like “shadiest” was hyperbole meant to mean “very shady”. Also while the others mentioned might be bad, the NSA is probably the “best” at being covert and probably the most active of all of them. So they might truly be the “shadiest” by sheer volume of covert things they do.
It's not whataboutism if the claim is making a comparison against all other possibilities. "shadiest government agency on the planet" may be an objectively false statement as applied to the NSA. You can compare the NSA to other contenders for "most shady" using any number of metrics and create an ordered list. None of that is whataboutism.
I thought this was a really good example. I see the word, whataboutism, thrown around a lot and have a hard time understanding what is/isn't. So, thank you.
HN is so paranoid. All government is bad, anyone from a spy agency is some double/triple/quadruple agent who's actually a terrorist child soldier working for Facebook on the side.
There is no foil on my head, but ... it is very reasonable to be paranoid, right?
They are not talking about the Office of Information and Regulatory Affairs or the Office of the Comptroller of the currency... It is a comment on the NSA. From what we know, everything they do is a bit creepy. Far from "All government is bad" ... The comment is about an agency that Snowden warned us about.
Also, historically speaking the US government (various departments) has done a lot of really shady things.
"They" are not going to let us know all of the shenanigans they are up to. The list of mischievous things we are aware of surely isn't everything. Are we aware of 70%? 60%? I'm going to bet lower.
So you have an opaque organization with a fairly long list of misdeeds and (this is just my sense of things) a growing boldness. NSA programs, Patriot Act, etc - those are bold programs they have in place. Those are not the "top secret" things we don't get to know about.
It does not take a lot of imagination to make that leap.
I suppose thinking about it like an antenna, it would amplify. But I would think the bowl shape on my head would reflect my thoughts back into my head. Where a bowl upside-down on my head would act more like a dish to collect external waves.
Pretty sure anyone listening to my thoughts would get bored. Have the gold fishes song stuck in there since the 90's.
Is it really paranoia if the evidence of mass surveillance and abuse of power is right in front of our eyes? It isn't 2012 anymore, Snowden kind of made it quite clear what's actually going on behind the curtain.
Is that surprising? They do stuff that is rather paranoia-inducing, like: illegitimate dragnet spying on our populace, breaking into networks to eavesdrop and gather secret keys/intel, backdooring random number generators, etc.
Even all these years later, he doesn't even consider the possibility that he was manipulated. He betrayed all of his users at the drop of a hat, and all it cost the NSA was a single phone call. Crazy stuff.
Assuming he implemented the cryptography correctly, but if he didn't then his users weren't secure anyway, and the source code would have just saved the NSA a little time.
What I find interesting about this article is that the poster was apparently permitted by the NSA to share his experience publicly...
Compare and contrast this with National Security Letters, which apparently (based on the ones that I have seen, that have been publicly posted on the Internet by other people) request or require absolute secrecy...
Interesting read. I wonder whether this was an attempt at social engineering†? While we tend to think of the NSA (or other foreign agencies in this field) working on intercepting information only through electronic means, sometimes a direct approach is often easier (obligatory - xkcd: https://xkcd.com/538/).
Perhaps all they wanted was the source code of his application to repackage (after introducing a backdoor) and distribute it on the internet or directly to targets of interest ... perhaps it was part of his training ...
"Perhaps all they wanted was the source code of his application to repackage (after introducing a backdoor)"
A counterargument against that is A: if the goal is to produce a version with a backdoor, they don't need the source to accomplish that and B: if that was the goal, they wouldn't want to give the original author any reason to know they were asking about it, so that when the backdoor is found in the wild he can pipe up and go "Oh, yeah, that reminds me, the NSA got my source code a few months ago..."
Why? OP got instructions on how to get to Dave's house and there were several steps involved. Somewhere in Bethesda base there may be an NSA staff member sitting there who receives the call from OP and routes it accordingly. No hacking of any kind is required, just a functioning chain of command.
I meant perhaps NSA agents are trained in social engineering too. Or it may not have been the NSA, but FBI or CIA or even Military Intelligence too, pretending to be NSA.
I meant it may have been a real NSA agent, acting on actual orders, but that he may have lied to get access to source code. If so he wouldn't need to do any MitM attack.
Or if someone who worked for 411 or a hacker changed the number for the naval base to be one they controlled. Dave could be the CEO of 411 for all I know.
> Or if someone who worked for 411 or a hacker changed the number for the naval base to be one they controlled. Dave could be the CEO of 411 for all I know.
Agreed. A couple of ideas for better authenticating the NSA boogeyman.
1. Verify the number in a phone book.
2. Call a friend and ask them to follow the 411 protocol.
3. Drive to a hotel in a different state then follow the 411 protocol.
4. Overnight a cell phone to the NSA headquarters and wait for Dave to call you from it.
Also wonder if the correct number to dial would have been 301-555-1212 as that's directory assistance in Bethesda rather than local directory assistance.
I'd say yes. Stirring up mud about issues not remotely related to the context by presenting a false dilemma (that resources were applied to a instead of hindsight worthy b)
Where NSA is lauded for breaking the law, I will criticize NSA for breaking the law. The way to avoid this criticism is to stop lauding NSA for breaking the law.
I didn't post TFA. What NSA are described as doing in TFA (investigating some "dumb criminal") is clearly outside the mission granted them by statute. Furthermore, they so regularly act in contravention of law that there is a commonly-known phrase that describes this activity: "parallel construction". Furthermore, they are lauded rather than criticized in TFA for this unlawful behavior. Furthermore, they regularly pay "journalists" and "influencers" to publish pro-NSA anti-liberty BS in the media and online. Furthermore, if they had better management in 2000 they might have transferred resources from the Overnight Cross-Country Dumb Criminal Parallel Construction Department to the Prevent Terrorism Department.
So yeah, I'm the one trolling.
ps: It's also interesting to note that comments like that above start out with four or five upvotes, from honest HN users. Within ten minutes, however, they're downvoted into oblivion. USA-MIC has a strong HN game.
You do realize regardless of resources they had at their disposal, the reason 9/11 happened was because of inter-agency competition and the lack of knowledge sharing between said agencies?
This is the primary reason the Department of Homeland Security was created in the first place.
I'm not nearly as certain as you seem to be, about any of the claims you make here.
I remember the debate about creating "Homeland Security". (Starting with the neo-Nazi name...) No one with any management experience, including Bush the Lesser, thought it was a good idea. Organizations that have lost their way due to bureaucratic bullshit are not made more effective by more layers of bureaucratic bullshit. Congress was convinced, however, and W's handlers didn't want to "waste" political capital preventing an obvious disaster. Before this debacle, FEMA had been an effective organization (that incidentally had nothing to do with "security"), largely due to its relative independence from the rest of the executive branch. After this debacle, Hurricane Katrina happened. Everybody agreed to blame the hapless "heck of a job" guy because they hoped we stupid voters would forget when they torpedoed the agency two years before the storm.
Why are we supposed to believe that "inter-agency competition" was the cause of 9/11? The guy who did it, ObL, claimed it was in response to USA military presence on the Peninsula. Why don't we blame that? If we don't blame our stupid military decisions, why not blame the intelligence community for not noticing potential consequences of those stupid decisions, a single decade after they didn't predict the most important thing that ever happened with respect to their "mission"? The unsupervised services are just like the military, in this respect: WWII was a long time ago, and they've never once been judged on their performance since that time. (JFK tried to hold them to a standard, but not for long...) All they have to do is spend money, and at that they excel. 9/11 itself helped them spend a great deal more than they ever had before.
Anyway, even the goofs at NSA could have figured it out in time, if they hadn't just axed ThinThread in favor of Trailblazer. That was a human lapse in judgment that could have taken place at any bureaucratic level. When they make a similar mistake in the next decade, the interference of "Homeland Security" won't have done a thing to prevent it.
So, if his encryption was implemented perfectly the source code would do nothing to speed up decryption. Author admits this in the 2018 thread. If there was some bug or oversight, he gave the NSA a way to break into millions of machines. So should we conclude author doesn't trust his own software as advertised?
Without even getting into the social engineering possibility. I don't see a way this looks good for the author.
> But seriously, this laptop idiot was planning to blow up a building, or something equally as bad, but wasn’t smart enough or flush enough to pop for the $39.99 to step up to the maximum-strength encryption?
Says the developer who could have been social engineered to give away what he had done by being rushed in a way that others would perhaps call 'not smart enough'.
And where does the skill set of knowing about encryption come close to what someone needs to know in order to 'blow up a building'? Why would you expect that someone understands the difference or the risk? Or should? After all it's risky to begin with what they are doing. This is just another and different risk.
Now the question is if you were the NSA and of course I have no clue how they operate but maybe it would have made more sense to send the local police to a house to deliver the message AND the other part 'call this number' etc. And who knows how that could have been fake for that matter (it all hinged on calling 411 as being definitive and/or someone not intercepting a legit call). Sure someone could social engineer the local police to show up (I would think that would be easy for someone who knows how they operate or with whoever is on shift at that time).
Also the coffee cup is strange. Secretive agency but they send a gift as a thank you with their name so you have some kind of proof that allows you to detail how they operate and that they did this? Would make more sense that they got you to agree to not reveal they had requested the info not that they gave you some kind of bragging rights and story.