Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades

There have been a few moments in the past few years when a conspiracy theory was suddenly demonstrated to be based in fact. Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just as Snowden’s revelations confirmed those conspiracy theories, news in February confirmed some theories about Crypto AG, a Swiss cryptography vendor.

The whole story reads like a cold-war era spy thriller, and like many of those novels, it all starts with World War II. As a result of a family investment, Boris Hagelin found himself at the helm of Aktiebolaget Cryptograph, later renamed to Crypto AG (1952), a Swedish company that built and sold cipher machines that competed with the famous Enigma machine. At the start of the war, Hagelin decided that Sweden was not the place to be, and moved to the United States. This was a fortuitous move, as it allowed Hagelin to market his company’s C-38 cipher machine to the US military. That device was designated the M-209 by the army, and became the standard in-the-field encryption machine.

From M-209 to PDP-11

The CX-52, thanks to Rama, Cc-by-sa-2.0-fr

In an interesting intersection of history, the M-209 caught the interest of Dennis Ritchie and Robert Morris, both Unix pioneers who worked at Bell Labs. Together with James Reeds, they wrote a paper on a statistical cryptanalysis of the cipher, and concluded their technique could decipher an unknown message of at least 2500 characters with almost perfect accuracy, in just a few minutes on a PDP-11.

Ritchie’s written recollection of the matter includes a relevant anecdote. As part of preparing the paper for publishing, the authors also submitted it to the NSA for review. It made enough of an impression that Ritchie and Morris got a visit from a “retired gentleman” from the NSA, sometime around 1978.

According to Ritchie:

…the agency didn’t particularly care about the M-209. What they did care about was that the method that Reeds had discovered was applicable to systems that were in current use by particular governments, and that even though it was hard to imagine that these people would find the paper and relate it to their own operations (which used commercially-available crypto machines)…

The result of that visit was a decision to delay publication indefinitely. As cool as it is to see some Unix heroes show up unexpectedly, perhaps the most interesting element of this anecdote is the reasoning for the unofficial request not to publish: other governments were using commercially-available crypto machines that were vulnerable to this attack, and the NSA wanted to keep that information quiet.

The Handshake with the NSA

After the success of the M-209, Hagelin moved back to Sweden and re-established his company there, before finally moving himself and the company to Switzerland. The CIA and NSA (then called the AFSA) kept tabs on the activities of Hagelin and Crypto AG. A new machine was under development, the CX-52, and that worried the spooks back in the States.

You see, even during the war, it had been discovered that a C-38 encoded message could be broken in just a few hours. The new CX-52 was extremely difficult to decrypt, meaning that the NSA would lose their all-seeing eye into communications around the world. The NSA had a secret weapon in the form of William Friedman, who was chief cryptologist for the NSA, as well as a personal friend to Hagelin. In 1951, at the Cosmos Club in Washington D.C., Friedman made an informal proposal to Hagelin: Crypto AG would restrict sales of the newer, more secure machines to a list of approved customers, and the US would reimburse him for the lost sales. The men shook hands on the gentlemen’s agreement, and then waited for the slow process of making that agreement official.

The wheels of government turn slowly indeed, and it was February of 1955 before the agreement was finalized. In addition to the money and sales restrictions, the NSA would produce the instruction manuals for the improved machines. It’s been suggested that the NSA-produced manuals included intentionally misleading instructions, intended to weaken the encryption of Crypto AG machines for specific users.

Building Backdoors

In 1967, Crypto AG released the H-460, an electronic encryption machine. This should have represented another massive leap in encryption strength over the older mechanical models, and it likely would have been such a leap, had the NSA not been the primary designer of the new system. How did they compromise the security of the system? It appears that they manipulated the random number generator at the heart of the system, such that at a known interval, the “random numbers” would repeat. The list of approved customers received units without the compromised generator, but H-460 devices sent to the rest of the world had this intentional weakness built-in from the factory. When the NSA intercepted a communication that had been encrypted using a weakened H-460, they could decrypt it in seconds rather than months.
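What a generator that repeats at a short interval looks like to someone evaluating a device, and a check that catches it, as an added example that is not from the original article. The two generators are constructed toys, not the H-460 design (which the article does not describe); the state widths, seed and function names are assumptions.

```python
"""Keystream period check. The generators are constructed toys for this
example, not the H-460 algorithm (the article does not describe it)."""

APPROVED_BITS = 32   # assumed stand-in for a unit without the weakness
WEAKENED_BITS = 8    # assumed stand-in for a unit whose output repeats

# Constructed sample traffic, 1024 bytes.
SAMPLE_TEXT = (b"CONSTRUCTED SAMPLE TRAFFIC FOR THE PERIOD CHECK. " * 32)[:1024]


def keystream(seed, state_bits, count):
    """Linear congruential generator modulo 2**state_bits that emits the
    top byte of its state each step. With multiplier 5 and increment 1 the
    state visits every value, so the output period is 2**state_bits."""
    if state_bits < 8:
        raise ValueError("state_bits must be at least 8")
    mask = (1 << state_bits) - 1
    state = seed & mask
    out = bytearray()
    for _ in range(count):
        state = (5 * state + 1) & mask
        out.append(state >> (state_bits - 8))
    return bytes(out)


def smallest_period(stream, max_period):
    """Smallest p <= max_period with stream[i] == stream[i + p] for every
    i in the sample, or None. A None result only rules out periods up to
    max_period; it is not evidence that the generator is strong."""
    if len(stream) < 2 * max_period:
        raise ValueError("need at least 2 * max_period samples")
    for p in range(1, max_period + 1):
        if stream[p:] == stream[:-p]:
            return p
    return None


def audit(state_bits, seed=0x1234, sample=4096, max_period=2048):
    """Run the period check on one generator configuration."""
    return smallest_period(keystream(seed, state_bits, sample), max_period)


def encrypt(plaintext, seed, state_bits):
    """XOR the plaintext with the generator output."""
    ks = keystream(seed, state_bits, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


def keystream_cancels(plaintext, ciphertext, lag):
    """True if ciphertext XORed with itself `lag` bytes later equals the
    same XOR of the plaintext, meaning the keystream contributed nothing
    at that lag. This is why a repeat interval is fatal."""
    xor_c = bytes(a ^ b for a, b in zip(ciphertext, ciphertext[lag:]))
    xor_m = bytes(a ^ b for a, b in zip(plaintext, plaintext[lag:]))
    return xor_c == xor_m


if __name__ == "__main__":
    for label, bits in (("approved", APPROVED_BITS), ("weakened", WEAKENED_BITS)):
        period = audit(bits)
        ct = encrypt(SAMPLE_TEXT, 0x1234, bits)
        print(label, "period <= 2048:", period,
              "| keystream cancels at lag 256:",
              keystream_cancels(SAMPLE_TEXT, ct, 256))
```

The same sample passes statistical spot checks on byte values in both configurations; only the lagged comparison exposes the repeat, which is why period testing belongs in any evaluation of a supplied generator.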

1950’s era Crypto AG Device. Image by Cory Doctorow, CC BY-SA 2.0

Does a weakened random number generator sound familiar? How about the RDRAND instruction in Intel processors, just a few years ago? It was suggested that the random number generating instruction in Intel chips was untrustworthy. There were fireworks in Linux kernel development, but ultimately, several different communities began treating RDRAND output as untrustworthy.

The Buyout

Though it wasn’t entirely without conflict, the agreement between the NSA and Hagelin lasted until his retirement. Boris Hagelin had planned to pass his company to his son, Bo Hagelin, but Bo died in a car crash in the Washington D.C. area in 1970. Shortly after this event, Boris Hagelin stepped down from leadership of the company, and a buyout of the company was carried out. A series of shell companies were used to mask the identity of the new owners of Crypto AG, but recently declassified documentation reveals the truth of the matter. Crypto AG was purchased in a joint venture between the CIA and the West German BND. From 1970 until 2018, one of the foremost providers of encryption equipment for governments around the world was secretly a covert operation run by these two intelligence agencies. This operation was eventually known as Rubicon.

The details of Rubicon were chased down by a group of journalists, as well as the Crypto Museum in the Netherlands. Most of the information presented here is distilled from the Crypto Museum and The Washington Post story. You may be looking for a link to the declassified CIA documentation, but unfortunately only snippets are available. From the Washington Post: “The Post was able to read all of the documents, but the source of the material insisted that only excerpts be published.”

An unexpected benefit was that Crypto AG was a profitable business. The paperwork of the business was handled by the BND, who then shared the profits with the CIA. This arrangement persisted until 1993, when the CIA bought out the German involvement in the project. By this time, the financial profitability of Crypto AG had faded, but many governments were still using their products.

Real World Uses of the Crypto AG Backdoor

We have a few glimpses into the intelligence that Crypto AG helped to gather: In 1978, the Egyptian president came to Camp David to negotiate a peace accord, and his communications were “secured” using Crypto AG hardware. In 1979, after the Iranians captured American hostages, President Carter’s negotiations relied heavily on intelligence captured through Crypto AG hardware.

An example that included some fallout was the bombing of a West Berlin club in 1986. Because of this program, the NSA was able to conclusively determine that Libya was behind the bombing. The decision was made to be precise when revealing what the US knew about the bombing coordination, giving hints to the nature of NSA capabilities.

Leaking Information

As you might imagine, it was impossible to keep the NSA’s involvement in Crypto AG a perfect secret. Peter Frutiger, for example, was an engineer for the company who figured out that something was wrong with Crypto AG products. He made a trip to Syria to troubleshoot complaints, and proceeded to fix the vulnerable devices he found there. For his trouble, the Crypto AG CEO fired Frutiger as soon as his fix was discovered.

Mengia Caflisch was another employee, too smart for her own good, who made life difficult for her unseen overlords. Together with other researchers from the company, she discovered some of the weaknesses of Crypto AG’s products, and tried to improve their security.

In response to company engineers doing their job too well, the CIA began looking for someone to keep the engineers in line. They settled on Kjell-Ove Widman, a mathematics professor from a Swedish university. More importantly, Widman was a famous cryptographer who was sympathetic to the US. His recruitment in 1979 was rather straightforward, and Widman served as the CIA’s man until 1994. As a somewhat famous cryptographer, his word became law in the company, keeping the rest of the company in line. Widman helped to develop the next generation of compromised algorithms, aiming for flaws that wouldn’t show up in a statistical analysis, and yet could be easily explained as human error. He got more than he bargained for, as Widman was one of the representatives that went to Argentina in 1982, to explain vulnerabilities in Crypto AG devices. The gambit worked: the vulnerable algorithm was replaced by a more advanced, but still vulnerable cipher, and Argentina remained a Crypto AG customer.

The tensions between Crypto AG and customers came to a head in 1992. Iranian communications had been vulnerable for a decade, and Iran was slowly becoming wise to the con. Hans Buehler, a Crypto AG sales rep, was detained in Tehran, and interrogated about company products. The only problem? As far as Buehler knew, his company was legitimate. Nine months passed while the CIA and German BND argued over what to do. The US policy was to never pay ransom demands, so the CIA was unwilling to be a part of bailing out Buehler. Finally the German agency opted to provide the ransom money, and secured Buehler’s release. This event proved to be the beginning of the end for the CIA-BND partnership. In 1994, the CIA bought out the BND’s ownership of Crypto AG.

The End of the Story?

The declassified information dries up around this era. Thanks to news reporting in 1995 and the 2014 release of the Friedman archives, some of this story was already known. The 2018 sale of the remaining Crypto AG assets seems to have been the end of the CIA’s involvement with the company. Two companies, CyOne and Crypto International AG, were created from the ashes of Crypto AG. While it appears that neither of these new companies is actively compromised, their products may still contain compromised cryptography, and so should still be considered untrustworthy.

It’s unclear whether any governments are still using CIA-era Crypto AG hardware for their communications, but the inertia of governments and red tape would lead one to assume that these products are still in use somewhere. Beyond that possibility, we have to wonder whether other proprietary encryption products have been similarly compromised. It’s even conceivable that an open source encryption product has been subtly designed to be vulnerable.

Operation Rubicon was considered “the intelligence coup of the century” by the CIA, and it’s not hard to understand why. The question we are left with is what the intelligence coup of the 21st century will look like, and whether we will see it coming or only learn about it years later.

78 thoughts on “Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades”

      1. US unilaterally broke the nuclear-treaty with Iran and they try to force the rest of the world to keep to sanctions against Iran. US just forces sovereign states to obey US law outside of US territory just by means of extortion and blackmail.
        Huawei is not accountable to the US or their law in their international business.
        Therefore I am sure US just want other countries to keep using backdoored US encryption and not some other – possibly – backdoored by someone else. Of course also because they know, what is possible.
        I would not trust China more than US, but that’s not very much anyway.

        1. Loool.

          The US opted out of a useless treaty that didn’t close centrifuges or reactors… they just fed them xenon, zinc and germanium instead of uranium, leaving them open for weapons-grade enrichment after a ten year expiry.

          Why is it that the US is the only sovereign state that can’t practice its sovereignty?

          You don’t have much of an argument…

          1. Doesn’t change the fact that US tries to forcefeed their crap and paranoia to other sovereign nations that would rather do business than wave their dicks around like the yanks do.

          2. It’s quite foolish to think that WITHOUT the treaty, all problems are solved at once. Trump opted out of the treaty. So the problem is back (if it ever was away to begin with). What is Trump doing to fix the problem?

            Apart from threatening with a war, of course, which would hurt everyone, the US not the least.

            An atom bomb is not a device for war. Not anymore since more than one country has one, and countries can mutually annihilate each other with those bombs.

            An atom bomb is a device for diplomacy. If you have an atom bomb, everyone will have to listen to you. You get to play with the big guys, once you have one. You can’t be shoved aside anymore.

            That’s the reason why Pakistan and North Korea wanted to have their atom bomb. And that’s the reason why Iran wants to have their atom bomb.

            Nobody listens to anyone from the Middle East. And that’s why it’s such a big mess. If one of them would have an atomic bomb, then that country will have the power to make itself listened to. And that will be the start of stabilisation in that region. Iran would play the leading role in stabilising the Middle East.

            The scary thing is not that Iran might throw an atomic bomb without any reason. The real scary thing is: can we trust Iran to keep their atomic bombs safe so they will not fall in the hands of terrorists.

            Given that it’s 100% sure that they will have an atomic bomb one day (it’s inevitable, don’t put yourself to sleep with thoughts otherwise), it’s a better strategy to start negotiations and cooperation, and offer them help to keep their atomic bombs safe from stealing by criminals and terrorists.

            They WILL have their atomic bomb. There is no doubt. If they can not make their own enriched uranium, they can always get it from some other country. China, North Korea, Pakistan, or whoever else has the technology to enrich uranium and will benefit from Iran having an atomic bomb. It’s how it went in Pakistan.

            So, the US thinks they can prevent Iran from making an atomic bomb, although their track record with Pakistan tells us that they can’t. The EU thinks that this is the time to start the negotiations and cooperation to at least make sure that the atomic bomb stays in the hands of sane people and the world will stay safe.

            Which is the better tactic, do you think? Letting Iran get their atomic bomb in 10 years, without treaties, cooperation and any control over those bombs whatsoever. Or letting Iran get their atomic bomb in 5 years, but being a world community member with safely stored-away atomic bombs and settled diplomatic channels to make them feel that they are taken serious in the world?

          3. WTH? This has nothing to do with the sovereignty of the United States of America’s sovereignty; no one has impinged on the US since Japan attacked Hawaii. That’s the most easily visible, although Russian interference in the US election is really the last time. However, US Conservatives like to deny that. Like many nations, the USA is guilty of impinging on the sovereignty of other nations. That would include the US impinging on Iran’s sovereignty in the early ’50s. Back to Japan, the US impinged on Japan’s sovereignty in the mid 18th century, and it also impinged on Mexico’s sovereignty in that era as well.

          4. Well at least we can thank Trump for uniting a nation to follow a stupid government and putting the whole cultural changing process back with a few years. It really shows what a great nation like the US is capable of…

        2. Sorry, not ratified by the Senate. In fact not even sent to the Senate for ratification. Not a treaty. The Iranians made an agreement with the previous tenant who thought he was authorized to negotiate for the landlord. The new tenant said “Scr3w that noize.” It happens.

          1. And I would say you should start evicting the current tenant. Fast.
            Maybe this time the next tenant is someone for the people and not for the upper 10k.
            And yes, if I could I would vote for Sanders.

    1. That’s exactly it too, the modern portion of the phone has a self contained operating system that is completely a black box that gives unlimited access to everything contained in your phone.

  1. There’s still black boxes in every major data center, finding people to talk about it is difficult as all large data centers have heavy duty NDAs for all staff. Independent data center operators getting big, will maybe get the soft approach, for the country, for the children, if that fails, there’s the usual “we found terrorism and/or snuff and/or pedo stuff on your servers” brands of blackmail and coercion.

    Watch out for problems with Starlink when it transpires that subscriber to subscriber ground station connections are possible without going through an earthbound NSA asset. Either that or the satellite sizes will double, number per launch halve, for “reliability” or other concerns with very vague tech details. If Musk is fighting this, expect regulatory issues with his other concerns. The other competitors in this field, if they look to have a smooth ride or get preferential treatment, probably had an agreement in place early on, or may get similar problems.

    1. One easy way for NSA to eavesdrop on everyone is to have shell companies that sell cheap internet backbone transport. They don’t need Room 641A. ISP, business etc would sign up because of cost and everyone ended up sitting on their assets.

      1. Yes, when you point out the finger in one pie, one has to remember they’ve got 9 other fingers. They are also suspected of gaming peering arrangements to make sure traffic goes through their nodes.

      2. There are a few places around the world where internet traffic flows in the wrong direction (the cheapest path) instead of the most direct route (shortest physical distance). And one logical reason is that some country is paying the difference to have full access to the metadata.

      3. No, the whole point of end-to-end encryption, SSL, TOR, etc, is that it doesn’t matter if the man in the middle is tapping the line. This site here is https, if the spooks want to find out the contents of this post, they’ll have to load it from the web page like everyone else. Paranoid nerds still run the Internet, something as simple as man in the middle hasn’t been any use for a long time. It’s why there’s the big push to SSL, or TLA or whatever it’s called now.

        That is, assuming SSL works. But that’s not germane to tapping backbones.

        1. Oh there’s a little bit of everything, the subtly tweaked implementations, the keys seeded with their favorite numbers, the cryptanalysis 10 years ahead of academia, the use of the same keys on copious amounts of static content (known plaintext) as private content, the same confidence the nazis had in enigma, while you’re worrying about evil maids, Bob is screwing Carol behind your back.

          1. If you are telling us that the US has installed its spies into the development teams of every TLS implementation then you have really been drinking too much kool-aid.

        2. I think your statement is exactly the opposite of the article.

          Those governments thought they were using encrypted transmission (same as https, ssl, etc) but due to intentionally weakened encryption, what should have been computationally unfeasible became trivial.

          That’s literally the story of this article.

          Are you sure your https or ssl is as secure as you think?

          1. Letsencrypt does not perform any function that touches the secrets. They never see your private key. It could be that it is a malicious CA that will sign things they shouldn’t, but then being free to the end user doesn’t matter. Even an internal use CA that is not open to the public can do that.

          2. It might disagree with the article but the point I was making was relating to the post I replied to. Tekkieneet stating that the TLAs buying up backbones meant man-in-the-middle attacks would be common. They wouldn’t because that problem was solved ages ago with end-to-end encryption.

            Although, yes, whether it’s solved in practice is a different matter. And yep that’s relevant to the article absolutely. Is HTTPS safe? I dunno. It’s open-source though which means cleverer people than me are all competing to out-nitpick each other over it. Much more likely to be safe than something that comes with the NSA Guarantee!

            Is any software safe? Was it Kernighan, Ritchie, or Thompson who pointed out that to trust your software, you have to trust your compiler? And to trust that, you have to trust the compiler it was compiled with. Even if it was eventually self-compiled, the bootstrap compiler could’ve sneaked something sinister in.

            So there’s that, and also the fact I’m utterly unqualified to judge HTTPS or any encryption source code beyond maybe adding 2 letters together, that mean I don’t know. I dunno, I confess. I have to decide who to trust and I trust the Internet’s brave nerds more than the bloody NSA. Although there’s several naughty-person organisations I’d trust before the NSA. I’m not gonna name them though cos I’m sure this post has already flagged deep in some enormous number cruncher with the entire Internet coming in a pipe on the side. Just for mentioning those three letters.

            “What can I do about it?” is always a relevant question in cases like these. “What difference does it make?”. Sure it pisses me off and irritates my freedom membranes, but it’s not even in the top 10 worst as far as that’s concerned. I’d never be daft enough to buy encryption like that, but in the days before PGP I suppose that’s what people had to do. Still PGP etc exist now, yet people still buy “security” chips. Suppose it’s horses for courses, and the engineers who put those chips in products don’t have to use them personally.

    2. This is accurate. The small DC I used to work at had 2 cabs rumored to be FBI. Colocated hardware, a couple of 10gbit fiber, no metrics on the network monitors. VIP customer, do not touch. We eventually lost access to view the account/assets in the management portal.

      1. Hm, maybe more Puzzle Palace than FBI. 10GB fibre means large amounts of data, and crunching that is that NSA’s style. You wouldn’t need that capacity just for spying on the odd brown person’s email. The cabinets might have had a bit of local supercomputing built-in or maybe just some database stuff to let them select basic chunks of possibly-relevant info and then send them back home.

        Physical access trumps all software security! Even though it doesn’t. But it does a bit. Would’ve been good to hear of some angry employee getting drunk one night and taking a crowbar to the cabinet, breaking out a length of fibre, and having a bit of a sniff. Maybe the hard disks in there aren’t encrypted, since if they’re doing heavy data crunching they wouldn’t want the de- and re-cryption slowing them down.

        1. In service provider world, 10G is not high speed.

          Most first world SPs are running varieties of 100G ethernet (ratified in 2012, became economically feasible in 2014-15ish), and with 400G ethernet (IEEE 802.3BS) now coming online we’ll see widespread use of that. Single mode ER and ZR optics allow fibre lengths of 40km and 80km respectively.

          In SP world, it’s purely an economics game. The first 100GBASE-LR4 CFP transceiver I worked with in 2013 had a list price of USD$89495, compared to the equivalent 10GBASE-LR transceiver at USD$1245 (figures from a 2013 price list). So that’s a 7.2x cost premium. When the QSFP28 transceivers dropped the price they became interesting.

          But it’s not just the transceiver cost: you also have to consider the number and availability of lanes supported by the standard (which means how many fibres you need), the cost of the line cards on the switches and routers, upgrading the monitoring tools to assure service levels and security, the cost of money (see the next sentence), and many other factors. Service providers are massively CAPEX-exposed, with upgrades being a huge CAPEX expense amortized over many years and subject to market fluctuations and risk, which is what I mean by “cost of money”.

          Here’s a really nice figure to ponder: at 100G, a 64 byte packet arrives every 6.7nS. For 400G ethernet, it’s every 1.7nS. You can’t even allocate a row of the faster DDR4 memory in those times, so think about the sorts of infrastructure you need to process data streams like that.

          No disrespect meant to Greenaum at all, but I found it really funny to hear 10G presented as high speed. It’s low end stuff these days.

          1. Sure, but the FBI wouldn’t be interested in routing it, would they? From one half the Internet to the other, which is what routers do. They’ll want to analyse it locally to some degree, even if just as far as setting a few criteria to select which packets to ship down the special invisible optical fibre. The FBI aren’t technically an ISP, though if you counted them by packets transmitted they might actually be.

            If, as you point out, you can’t even pile it into RAM that fast, how are you going to ever crack it or whatever? So 10GB for just a couple of cabinets, for the sort of thing a TLA would want to do, is actually quite a bit, compared to say what Pornhub do with their gigabits.

            How much email do you think the world’s terrorists write each day? How much pr0n do you think they watch?

            No disrespect to you, mate, but how fast they’re making NICs these days doesn’t have anything to do with this issue.

      1. Yeah, especially in the form of:

        “OK Google, do “, or
        “Alexa, do “, or
        “Hey Siri, do ”

        Even stuff like Roomba, where the things (in their default state) will map your home and send data to who-knows-where.

        Used to be the government had to bug people through clandestine physical attacks… now we just do it for them.

    1. I wondered, but there hasn’t been any evidence of anything other than an accident. I’m sure there are folks looking back at that crash now, so we’ll see if anything shows up.

    2. If it had happened a good few years before Boris expected to hand over, then you could say so with little doubt. But since Boris was 78 at the time, it looks like Bo was going to take over imminently, which raises a lot of suspicions. In Pre-Watergate 1970, were they arrogant enough to crap on their own doorstep? Probably, also had all kinds of help to clamp down on it, due to Vietnam war happening, extra powers, and distraction value of same such that enterprising journalists might not even ask too many questions.

    3. Coincidence? Doubt it! Was it a 2-car accident? What happened to the other driver, did they catch him? Or if it was Car vs Wall, was Bo’s blood tested for drugs? Carbon monoxide?

      Yeah as “accidents” go it worked out fantastically well for the NSA, the spookiest and sneakiest of the spooks. Those people tend to hate and fear change, they must’ve put a lot of effort into bringing Boris round, in their usual sneaky and quiet way. So having to condition Bo from scratch would’ve been a pain in the arse. Presumably Bo was kept in the dark along with nearly everyone else so he could honestly deny anything was wrong.

      Then again if his family’s in the crypto business there must have been a United Nations’ worth of spies hanging out of the trees in his back garden, in the dustbin, behind the shed, etc. Couldn’t open the fridge without a couple of the bastards in there hiding behind the margarine.

    4. “Frutiger talks about the fatal car accident in 1970 of Bo Hagelin, the company founder’s son. He had considered it problematic to sell manipulated devices. «He told his father he must not do that,» Frutiger recounts. «The two clashed several times.» Later, the father did not want to believe that his son – «a good driver» – had had an accident. He tried in vain to find out the circumstances.”
      https://nzzas.nzz.ch/hintergrund/der-informant-der-aus-der-deckung-kommt-ld.1540802

      -His son thought it problematic to sell manipulated encryption equipment. He told his dad he must not do that. They fought about it several times. Later, the dad didn’t believe that his son ‘a good driver’ had an accident. He tried to find out the circumstances to no avail.

      For the German speakers there are a few good articles in the nzz newspaper.
      https://www.nzz.ch/schweiz/warum-immer-zug-die-skandaltraechtigsten-239-quadratkilometer-der-schweiz-ld.1540263

  2. Anyone who complains about how other countries steal US “trade secrets”, note how the US has been doing this for decades, and maybe we deserve to have our stuff stolen. Any “moral superiority” we had is clearly gone, we have no right to complain any more.

    1. Did you put quotes around “trade secrets” because you actually mean intelligence information, or as a confusing means of emphasizing those words? Because I don’t see any discussion of theft/interception of business trade secrets or IP here.

      We can discuss the ethics of the US approach to intelligence operations, but equating Rubicon to intentional theft of business IP for profit purposes (i.e., as opposed to stealing info from businesses for national security interests) just confuses the legitimate issues.

    2. On the other hand, as a foreigner I’d rather have my trade secrets stolen by the US than other countries. The West seems to have a nicer attitude with this sort of stuff.

      1. Well, as a European I prefer the EU to spy on me rather than foreign powers, even if we are talking about the USA – we are friends, but stay on your side of the Atlantic, I like the distance. But I guess if I was a citizen of another country, say Belarus, I’d prefer my data to be spied on by the EU or USA than Russia, China or god forbid Belarus.

        1. Purely academic, since the Russians, Chinese and yanks already have any relevant information about you that they would desire. This has been going on ever since WWII with no end in sight.

          1. Henry L Stimson, early code-breaking pioneer. He was referring to countries not spying on the communications of their close allies. He was American, so covered by the Constitution, although I believe that document only applies to the behaviour of the US Government towards its own people.

            I don’t see what point you’re making, but for the record I think 98% of spying is dickery. Nowadays we don’t spy on our own people, we have our allies do that for us, then trade notes about it afterwards. So each government can claim, in some weird variety of honesty, not to spy on their own people.

            I bet overall the people of the world would be better off without “intelligence” services than with them.

  3. “Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just like Snowden’s revelations confirmed those conspiracy theories”

    Yeah, uh, oops. That story was broken by James Bamford no later than 2008, well before Snowden was even a thing.

  4. I know someone at Cisco that works on low level hardware that is used in many of those international data transit points, nothing you send from inside CONUS is free from SIGINT monitoring. The only thing that could save you is encryption but they still control the route so they know when and where just not what at that point.

    1. Yeah. This is why you countermeasure that all. Broadcast style communication, relays, beacons, etc. send all the time and not just when you have something to say. It’s nothing new, radio communications have had the exact same problems and countermeasures for decades.

  5. Respectfully, it wasn’t flawed, it was backdoored. Those are different things, although if you do the backdoor well enough, they will look like a flaw (aka. “plausible deniability”.)

    Most of the details of Crypto AG have been known for some years, and the backdoor was always rumored to be in the RNG, which generated large numbers which had very little actual entropy (I’ve heard rumors of ~32 bits of actual entropy, but the source was dubious, so YMMV.)

    1. Yes, I vaguely remember a published source in the 80s, said something along the lines of the Enigma machines being allowed to be sold surplus after war, so UK could keep taps on South American and 3rd World countries, and it was all in the phrasing, but it said a Swiss firm continued developing the tech flaws and all, into electronic age for sale to designated customers.

        1. Well you sell the official government your 2nd rate arms, you sell the communist rebels collected up, or black copied kalashnikovs, and the fascist or freedom faction the south african, Israeli or other European manufactured stuff, then whoever is in control of whatever resource you’re interested in at the moment hopefully owes you or your middleman a favor.

      1. Not sure about them being sold, but there was considerable push back over announcing the break.

        The first public discussion of the Enigma cryptanalysis happened either in the late 70’s or early 80’s (I’m struggling to find a concrete history, and I can’t find my copy of Kahn right now), but the Poles were definitely discussing their role in this success by 1981, correctly believing that they don’t get nearly enough credit for their involvement.

        Prior to that those individuals involved had kept the secret, and I’ve personally spoken to people who admitted to me that it was really frustrating that they had to lie to their families and say they had some mid-level admin position and couldn’t disclose what they did in the war.

        Anyway, one of the reasons there was push back against this was because several third world nations were still using Enigma-like rotor machines, which were being successfully exploited by first world SIGINT agencies. The concern was that public discussion of that would clue them into the fact that what they were using was insecure, and force them to change machines.

        Really good site on Enigma, if you’re curious:

        https://www.cryptomuseum.com/crypto/enigma/hist.htm

        And on Crypto AG’s many products:

        https://www.cryptomuseum.com/crypto/hagelin/index.htm

        Ross Anderson from Cambridge also wrote a paper called “A Modern Rotor Machine”, where he talked about defeating some of the attacks against rotor machines which are publicly known, and speculated that many of them could have been defeated. Is it possible to make a modern rotor machine secure? Maybe. I can’t help but feel there was a bit of tongue in cheek with that one.

  6. “Buehler, a Crypto AG sales rep, was detained in Tehran, and interrogated about company products. The only problem? As far as Buehler knew, his company was legitimate. Nine months passed while the CIA and German BND argued over what to do. The US policy was to never pay ransom demands, so the CIA was unwilling to be a part of bailing out Buehler.”

    So they tricked him into being an asset, he got caught, and they wouldn’t bail him out. What a bunch of asshats.

  7. I’ve recently met the guys from crypto museum. They are amazing guys and know a lot about crypto.
    At Hack42 they gave a talk on Rubicon, more in depth than the articles.

    They announced there will be more information available after the 19th of March.

  8. This State and Government hardware tinkering should hardly be a surprise and, using encryption of any kind as a malice in userland J.Doe just sends red flags up several flagpoles, domestically and globally. Don’t forget who “helped finance” and “assisted in design” of our TOR networks, not secure for anyone anywhere for any reason, also PGP’s tinkering (not all versions however) it’s always been and will remain a game where the players are pawns in yet another arena beyond most participants’ control. Just 2 cents. Trust no one and don’t believe for one moment anything you consider secured is anything but an illusion. Peace. ;)

  9. It’s funny- this article popped up right as I was inspecting a secret machine, a Hamilton differential gear hobbing mill, in private collection, used for cutting the gears in what might have been one of these machines.

    I was told it cut the gears on an Enigma machine, and was ordered with every attachment and spare part known, so as to not create any further sales records during wartime (WW2), and was kept in a secret department in a naval shipyard on the west coast.

    It was in perfect condition and being actively used by the owner. Where it is now and who has it I’ll never say :)

    1. Haha, I wish it was mine!

      A private and prominent but low key toolmaker horologist collector known to bespoke restorers. His shop is the most insane thing I’ve ever seen.

      If I hit the lottery tho….I’d buy every antique high precision manual machine in America and start a makerspace for watchmakers with them
