Any Lock Can Be Beat If You Own The Keys
February 11, 2020 10:51 AM   Subscribe

The Washington Post reports in a longform feature about Crypto AG - a Swiss firm providing encryption technology to countries around the world world since WWII - all while being owned secretly in a joint venture between the CIA and West German intelligence, allowing them to introduce back doors so that they could easily decode the 'secure' communications of Crypto's customers. (SLWaPo)
posted by NoxAeternum (41 comments total) 35 users marked this as a favorite
 
SETEC ASTRONOMY
posted by Nanukthedog at 10:52 AM on February 11, 2020 [14 favorites]


> SETEC ASTRONOMY

GO CRY APT!
posted by boo_radley at 10:59 AM on February 11, 2020 [2 favorites]


This is why I only smoke homegrown.
posted by os tuberoes at 11:05 AM on February 11, 2020 [6 favorites]


This is why your tech infrastructure should be made up of a mixed network of hardware made by many covertly owned foreign business which will want to disable each others capabilities.
posted by srboisvert at 11:20 AM on February 11, 2020 [32 favorites]


Just another hand of the many armed pocket picker of doom. We are prey, we pay dues for this privilege, being perpetual prey. Yum, yum delicious secrets, how do you pry the dollars off the carcass?

The real sinners in the situation are those who want to spread survival around, by non violent means. Step around the secret idols, the memes, the platforms, the beliefs, and learn how to pickle, without ethanol, do without the cloying tangibles, love, like, feel the sun, keep in contact with the real. Burn your soapbox, turn away from the oxymoronic intelligence. Find your personal intangibles, those which sustain your connection to the all. Live light, know who and what matters to you. Nurture the light in others, nurture joy, nurture peace, nurture the Earth, encouRAGE, as opposed to incur RAGE. Wait, burning my soapbox, now...Besides Crypto AG probably has bled out to more clever users, since WWII, anyway. Who owns the makers of the war machines? They own and create the oxymoronic intelligence.
posted by Oyéah at 11:28 AM on February 11, 2020 [5 favorites]


"The Swiss firm made millions of dollars", oh please, millions? This article starts right up in the penumbra.
posted by Oyéah at 11:30 AM on February 11, 2020


This is exactly the sort of reason conspiracy theorists are so hard to dissuade. This is just fuel on the MK-Ultra fire.
posted by Zudz at 11:51 AM on February 11, 2020 [3 favorites]


This is why your tech infrastructure should be made up of a mixed network of hardware made by many covertly owned foreign business which will want to disable each others capabilities.

Checks and balances, just as the Framers intended!
posted by officer_fred at 12:05 PM on February 11, 2020 [3 favorites]


This is the sort of thing that always creeps into the back of my mind when I turn on NPR and they’re interviewing some neckless US government technocrat about how sinister Huawei is.
posted by Parasite Unseen at 12:10 PM on February 11, 2020 [17 favorites]


how sinister Huawei is

It's because they know how this works.
posted by The 10th Regiment of Foot at 12:13 PM on February 11, 2020 [22 favorites]


Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.

Lovely.
posted by jquinby at 12:15 PM on February 11, 2020 [1 favorite]


Now you know why they hate Internet encryption. They lost their monopoly and worse yet, they have no backdoor. (At least until the DOJ gets its way.)
posted by CheeseDigestsAll at 12:22 PM on February 11, 2020 [6 favorites]


I am curious to know why they are permitting this information in MSM? Don't 'free press' @me now.
posted by Mrs Potato at 12:35 PM on February 11, 2020 [3 favorites]


A Liechtenstein law firm, Marxer and Goop, helped hide the identities of the new owners of Crypto through a series of shells and “bearer” shares that required no names in registration documents.

Gwyneth Paltrow really has her hands in everything these days.

A CyOne spokesman declined to address any aspect of Crypto AG’s history, but said the new firm has “no ties to any foreign intelligence services.”

Andreas Linde, the chairman of the company that now holds the rights to Crypto’s international products and business, said he had no knowledge of the company’s relationship to the CIA and BND before being confronted with the facts in this story.

“We at Crypto International have never had any relationship with the CIA or BND — and please quote me,” he said in an interview. “If what you are saying is true, then absolutely I feel betrayed, and my family feels betrayed, and I feel there will be a lot of employees who will feel betrayed as well as customers.”

The Swiss government announced on Tuesday that it was launching an investigation of Crypto AG’s ties to the CIA and BND. Earlier this month, Swiss officials revoked Crypto International’s export license.


Can the new buyers sue the previous owners? The company can't be worth much if their reputation is in the trash and they can't sell their products outside of one country. But I can't imagine it would be easy to drag shell companies and blinds into a Swiss courtroom, much less the United States government.
posted by They sucked his brains out! at 12:56 PM on February 11, 2020 [3 favorites]


Wasn't it known that the US was decrypting Iranian radio traffic and passing it on to Iraq during the war? And that Enigma was sold to developing nations without telling them it had been broken after WWII?

Also, the Soviets were sometimes quite successful, as in the case of John Walker, a petty officer who would take binders full of secret documents and hand them to his handlers so they could be copied.
posted by Monday, stony Monday at 1:06 PM on February 11, 2020


> I am curious to know why they are permitting this information in MSM? Don't 'free press' @me now.

Technocrat and extremely wealthy control freak Jeff Bezos owns the Post.
posted by at by at 1:27 PM on February 11, 2020 [2 favorites]


Probably also relevant is that Crypto AG is no more. The government probably doesn't have the same concerns about retired operations as it does about active operations.
posted by at by at 1:28 PM on February 11, 2020 [5 favorites]


some more bg info on the story from an older twitter thread https://mobile.twitter.com/matthew_d_green/status/1147313095586603008?lang=en


an also otherwise incredibly interesting resource: https://www.cryptomuseum.com/intel/cia/rubicon.htm
posted by DreamerFi at 1:35 PM on February 11, 2020 [1 favorite]


Fascinating story, thanks.

Something I'm wondering: Until they hired Widman, the algorithms were apparently so weak that the problems could be detected by statistical tests. Does that mean the Soviets could've/did crack them, too?
posted by clawsoon at 1:39 PM on February 11, 2020 [2 favorites]


Which makes one wonder whether they control any equivalent companies now. Some modern equivalents might be purveyors of encrypted end-to-end messaging systems, like Signal, Wire and Telegram*. (Signal is open-source, though only “blessed” binaries released by the company can connect to the network and there's no way of verifying that they are what the source would build to.)

* though there are rumours that FSB/GRU either control the last one or have a deal with Pavel Durov that he doesn't make it too secure and, in return, nothing horrific will happen to his family/friends in Russia or something.
posted by acb at 1:45 PM on February 11, 2020 [2 favorites]


From the Matthew Green link, there is a link to a Cryptome posting about the Crypto sales rep that Iran had detained over suspicions of selling bad gear:

In the end Crypto AG paid generously the requested bail of about one million German marks (DM), but dismissed the released Buehler a few weeks later. The reason: Buehlers publicity, "especially during and after his return" was harmful for the company. But Buehler started to ask inconvenient questions and got surprising answers.

He apparently received a nice settlement, but people perhaps would have known less about the company he worked for, if they hadn't fired him and then tried to get back from him the bail they paid. Crazy.

Just as fascinating is the story of the heroic engineers who tried to fix flaws that the bosses had deliberately inserted into the products. I wonder what we'll hear from former engineers at Microsoft, down the road.
posted by They sucked his brains out! at 1:50 PM on February 11, 2020 [6 favorites]


It's hard to convey what a big deal this is. Crypto AG was one of the biggest and most important cryptography companies for 30+ years. Between the CIA owning Crypto AG and the NSA totally subverting RSA, Inc, we know now the US government has compromised pretty much all the major cryptography vendors up to ~2010. No reason to think they don't still do that now.
posted by Nelson at 5:10 PM on February 11, 2020 [12 favorites]


Nelson: Between the CIA owning Crypto AG and the NSA totally subverting RSA, Inc, we know now the US government has compromised pretty much all the major cryptography vendors up to ~2010. No reason to think they don't still do that now.

Makes me wonder about the constant drumbeat of, "You should never ever roll your own crypto; it's too complicated, and you will definitely screw it up." Should that sentence end with, "...for our surveillance empire."

Any bad news on PGP?
posted by clawsoon at 5:15 PM on February 11, 2020


You should still never roll your own crypto. You should, however, use open source crypto algorithms and systems that have been well vetted in public by the community.

The tough part is when you need hardware. There's basically no such thing as verified open hardware (although some brave souls are trying). Which is why things like 5G infrastructure vendors are so fraught; you have to trust some company building the devices. But you literally can't trust any of them, nor verify what their hardware is actually doing.
posted by Nelson at 5:23 PM on February 11, 2020 [12 favorites]


This is exactly the sort of reason conspiracy theorists are so hard to dissuade.

It keeps turning out that the conspiracy nuts aren't nutty enough.
posted by Western Infidels at 6:28 PM on February 11, 2020 [2 favorites]


Whereas now everyone just pipes their comms through the US as a matter of course.
posted by pompomtom at 7:38 PM on February 11, 2020


Makes me wonder about the constant drumbeat of, "You should never ever roll your own crypto; it's too complicated, and you will definitely screw it up."

If you roll your own crypto, breaking that is almost certainly less work for the CIA than running a plausible front/business. I imagine they'd appreciate the help, though.
posted by ethand at 9:26 PM on February 11, 2020 [5 favorites]


Mind numbing in a way, and another very good indication that many other current companies and products are compromised. I mean, in addition there was the sim factory that the US spooks had the keys to and the fact that many computer and internet startups including Google were at least partly indirectly financed by the NSA, etc., plus all the Snowden revelations about backdoors everywhere, and much more.
posted by blue shadows at 10:31 PM on February 11, 2020 [1 favorite]


Apparently this has been known for 25 years. Here's Schneier's note.

This is exactly the sort of reason conspiracy theorists are so hard to dissuade.

I get the point but wish there was another word than "conspiracy."

This (basically "CIA and NSA try lots of tricks to spy on foreign governments") strikes as a conspiracy theory in the same vein as "billionaires donate money to influence people to lower taxes, cripple unions, and admit billionaires' kids to college." They involve people doing exactly what they say they intend to do.
posted by mark k at 12:25 AM on February 12, 2020 [6 favorites]


I assume all my emails are stored/scanned by the man, including proton. Nothing I can do other than to accept that privacy is just a one way street and I'm going the wrong direction.
posted by Beholder at 1:37 AM on February 12, 2020 [2 favorites]


> I am curious to know why they are permitting this information in MSM? Don't 'free press' @me now.

Technocrat and extremely wealthy control freak Jeff Bezos owns the Post.


Perhaps Bezos has concluded that Prince Bin Salman got the sophisticated exploit Bin Salman used to hack Bezos' phone — the information from which Salman used to try to blackmail Bezos into stopping the Post from writing negative storys about the Prince's role in Kashoggi's murder as well as other crimes, and which also led to fairly lurid stories in the National Enquirer about Bezos' affair — from an intelligence agency in Trump's government which knew exactly what Salman planned to do with it, if in fact they didn't come up with the whole idea in the first place.

Because that's what I thought when I read the linked Guardian story, and I'd give it about a 90% probability.
posted by jamjam at 2:34 AM on February 12, 2020 [4 favorites]


no such thing as verified open hardware

Much worse than that, between smartphone proliferation and Intel ME, for more than a decade practically every consumer computing device available for purchase is definitely backdoored.
posted by Bangaioh at 3:20 AM on February 12, 2020 [1 favorite]


for more than a decade practically every consumer computing device available for purchase is definitely backdoored.

The John Wick franchise loves to point out that the assassins guild prefers Old Tech to avoid being compromised.

/sorry
posted by Beholder at 4:33 AM on February 12, 2020


Because that's what I thought when I read the linked Guardian story, and I'd give it about a 90% probability.

It was 'allowed' in the press because it was already well known. It was reported by the Baltimore Sun in 1995! You don't need to guess at Bezos' motivations or credit his power as a billionaire for the story.

Why the '95 story couldn't be or wasn't squelched is maybe a more interesting story. Probably a combination of timing (it was two years after the Germans had bailed on the project for having little remaining value) and the difficulty of keeping a secret for 20 years (lots of people, e.g. engineers and others, not in the CIA and NSA knew something was up.)
posted by mark k at 7:26 AM on February 12, 2020 [2 favorites]


My fridge told me in advance, I shouldn't buy the lettuce from Stockton. This whole article was written to use, The Byzantine Laws of Lichtenstein in a sentence. If I could afford a sock puppet account just now, this name would be mine.

A long time ago someone, a friend of a friend, whom I have never met, showed me how all internet entries, every.one.of.them, ran through a company with local headquarters in an insignificant small town in Northern State Where I Was Living. I was up in that area once, signs for that town were everywhere but there, 20 miles to the west, over there somewhere, no not here etc. The internet is a feast, and just like any other, some may eat all they want at the buffet, and not others. They get a little here, or a taste of this, a promise for a ticket next time, some lick the plates. The big joke is cryptography at all. There are no secrets. The algorithms write themselves, basic human needs, met/unmet, brokers, thieves, borrowers, nurturers, bullies, marks, minions, mistresses, inducements, enticements, entertainments; the grand disaster is running out of breeders, so breeding will become the new law of the land. I am cynical, but not depressed.

Then this particular company built a big, obvious, center of operations, and about that time, some guy that no one ever met, showed up in South Jordan Utah and build a largish for privately funded, Russian Orthodox church, all concrete, with golden onion domes, centered exactly between that new company headquarters, and the black airport, and maybe it was then the F-16s a couple of them, augered in on the Great Salt Lake bed. I figure they figured out how the radar from a nearby establishment worked. No one seemed to take notice of this.

This is what happens when intelligence services selectively hire for loyalty, disconnect, eager-to-pleasishness, no one notices anything, because they are paid not to notice, because all of the expensive algorithms they have bought, will do the heavy intellectual lifting, and pass the info upward to the loyal and brilliant minions of whomever? Overwhelmed minions mostly plan for whatever posh real job they will get when they retire. That data goes up the power pyramid, and who will make sense of it?

With the advent of Apocalypse planning as a feature of our daily White House prayers...well there won't even be ragged claws scuttling across the floors of silent seas, not anymore. Everyone talks about the back door, what a joke to believe there is a back door you can close, when the whole thing is predicated upon people willingly opening their front door, and even installing a doorbell that surveys their every move. "Helpers," Siri, Cortana, Google assist, and whomever else, who listen and offer suggestions; even if you turn off these helpers, it doesn't mean they don't listen anyway. My bones are not quite picked clean, finding insignificance, however, delicious. The views are splendid.

I particularly loved how the Bezo's handled the turd, after all, it was gold plated...as I understand it, the 1% is very happy, a defining characteristic.
posted by Oyéah at 8:45 AM on February 12, 2020 [2 favorites]


The John Wick franchise loves to point out that the assassins guild prefers Old Tech to avoid being compromised.

That didn't exactly work out for them the way they had hoped.
posted by srboisvert at 11:19 AM on February 12, 2020


Crypto AG had also been in the business of selling versions of the [German WWII] ENIGMA cipher machines to developing for quite some time while "the ULTRA secret" (the fact that the Allies had been able to defeat it) was kept. Selling known-defeated crypto was not new to them.

"Britain's cracking of the Enigma cypher was not revealed for 30 years because electronic versions of the Enigma cypher were being sold to Third World countries by European firms such as Crypto AG of Switzerland-and thus were an easy target for GCHO and NSA codebreakers" - Duncan Campbell, in his article The Eavesdroppers [PDF], in May of 1976.

In his "Interception Capabilities 2000" report to the European Parliament in 1999, Duncan also called out NSA directly working with Crypto AG to rig their own products (PDF of that report, relevant Crypto AG stuff is at the top of pdf-page 34).

(Full disclosure of interests - that same Duncan Campbell is also now my husband.)
posted by BuxtonTheRed at 2:06 PM on February 12, 2020 [6 favorites]


"Britain's cracking of the Enigma cypher was not revealed for 30 years because electronic versions of the Enigma cypher were being sold to Third World countries by European firms such as Crypto AG of Switzerland-and thus were an easy target for GCHO and NSA codebreakers" - Duncan Campbell, in his article The Eavesdroppers [PDF], in May of 1976.

When I visited Bletchley Park in 2002 or so, the ex-MI5 officer giving the tour told us about as much.
posted by acb at 2:23 PM on February 12, 2020 [1 favorite]


I get the point but wish there was another word than "conspiracy."

This (basically "CIA and NSA try lots of tricks to spy on foreign governments") strikes as a conspiracy theory in the same vein as "billionaires donate money to influence people to lower taxes, cripple unions, and admit billionaires' kids to college." They involve people doing exactly what they say they intend to do.


Yeah, I agree. This isn't that surprising. Espionage agencies gonna espionage. But it makes it that much harder to detect the line between "plausible government activity" and "totally looney crackpot theory". After all, if we sold our enemies crypto gear that we had keys to, why couldn't we...

(That should be an especially ominous ellipsis, but I'm not sure what the ASCII for that is.)
posted by Zudz at 9:10 AM on February 13, 2020


I assume all my emails are stored/scanned by the man, including proton. Nothing I can do

gpg -ea -r recipient_name -o send_this.txt message.txt

posted by pompomtom at 6:41 PM on February 13, 2020


Interesting thing about protonmail - if you ever need to reset your password, your existing email becomes unreadable. I mean, you can still see all the message in your inbox, but they're all gpg-encrypted. You can decrypt them if you can find your old password, but you're sort of hosed otherwise. This happened to my wife early after her migration from gmail -> protonmail. Luckily there wasn't a ton of mail in there yet.
posted by jquinby at 5:52 AM on February 14, 2020


« Older Science Writing - Behind the Scene   |   Nothing at Stake Newer »


This thread has been archived and is closed to new comments