back to article Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Swiss encryption machine company Crypto AG was secretly owned by the CIA and a West Germany spy agency at the height of the Cold War, according to explosive revelations in Swiss and German media today. Although rumours had swirled for decades around Crypto AG and the backdooring of its products by the West – cough, cough, NSA …

  1. Pascal Monett Silver badge
    Trollface

    "over a hundred states paid billions of dollars for their state secrets to be stolen"

    So, success then !

    And, obviously, it is a "different company" with a "different owner, different management and a different strategy" and found the reports very "distressing"

    Yeah, I'll bet. Their yearly result is likely going to find things "distressing" as well.

    1. TReko

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      makes you wonder about other Swiss privacy and encryption companies, like Proton Mail?

      1. robidy Bronze badge
        Joke

        Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

        But the Chinese didn't know and would never pressure Huawai to do this in the past, present or future. Only the Americans and West Germans would do this ha ha.

        Obviously I'm poking fun at the UK Gov't.

        1. Evil Auditor Silver badge

          Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

          Huawai, Crypto AG or whomever you choose to trust - if it's going to protect my top-secret secrets, I'm not trusting one maker alone. If the information to be protected is that precious, I should probably invest in another layer.

          Now you just have to find independent manufacturers that do not conspire...

      2. Roj Blake Silver badge

        Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

        Or indeed their German counterparts, like Tutanota.

    2. anonymous boring coward Silver badge

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      The new owner should go back to the seller and sue their arses off.

    3. JCitizen
      FAIL

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      And NSA expects us to just roll over and let them do it some more with today's encryption. They would be better off just doing some old fashion gum shoe work, and do what hackers do - infect the devices with malware to spy on the end points. It is probably even more effective, because it keeps the enemy guessing at just how much the opposition knows. Nation state bad actors have been doing it successfully for decades.

  2. This post has been deleted by its author

    1. Claptrap314 Silver badge

      Re: Once again ....

      We go through this every time. Unless "you" have the education--which would be a PhD in Algebra (one particular branch of mathematics) with some post-doc in crypto, "you" don't have the ability to make a secure cyper, period.

      Rough quote from a discussion between Phil Zimmerman and someone at the NSA.

      "We don't let anyone design algorithms until they have 'earned their bones' breaking them for a decade." I remarked that that would disqualify almost everyone. "Indeed. And that makes our work so much easier."

      1. Anonymous Coward
        Anonymous Coward

        Re: Once again ....

        There is a large difference between designing a cipher and implementing one. I have designed ciphers, however, I am not skilled enough to implement them. My collaborators did that. Teamwork – it’s a beautiful thing.

      2. Def Silver badge

        Re: Once again ....

        Education is not the same as intelligence.

      3. John Savard Silver badge

        Re: Once again ....

        Designing a secure cipher is not that hard, provided it's just a secret-key cipher. Of course, secret-key ciphers without a wy to distribute keys securely are next to useless in today's digital world.

        1. Michael Wojcik Silver badge

          Re: Once again ....

          Designing a secure cipher is not that hard, provided it's just a secret-key cipher.

          It's not trivial, either. If it's a block cipher, is it hardened against differential and linear cryptanalysis? What combining mode are you using? If it's a stream cipher, does it suffer from the sort of higher-order correlations that took down RC4? (It's worth noting that RC4's weaknesses are not intuitively obvious; it might be the simplest reasonably-strong machine cipher ever invented.)

          Implementation is worse. Is your implementation secure against timing side channels? Is it secure against generic errors (out-of-bounds operations, for example) which could compromise it?

          Also, key distribution isn't necessarily a problem, because secure anonymous key exchange is available, if you have some post-Kx or out-of-band way to verify identity. PKI isn't the only solution to the key-distribution problem.

          1. Alan Brown Silver badge

            Re: Once again ....

            "PKI isn't the only solution to the key-distribution problem."

            Nonetheless it's a fairly good one - after describing how PGP worked to a few people who happened to be retired spooks, the response I got was "we were doing that in the 1950s. Has it taken this long to catch up?"

    2. 41R

      Re: Once again ....

      You can't write something from scratch and use it for communication with other countries...just like you have to use whatsapp/viber/messenger/telegram/etc. instead of your own messaging app

      1. amanfromMars 1 Silver badge

        Re: Once again .... Once more unto the breach, dear friends, once more

        You can't write something from scratch and use it for communication with other countries...just like you have to use whatsapp/viber/messenger/telegram/etc. instead of your own messaging app .... 41R

        Oh? I think one certainly can, 41R, for you have done practically all of that here for everywhere else with your offering above on El Reg.

        IT aint rocket science, for it is much more complicated than that but some things are kept extremely easy for all the best of perfect reasons .......... and relatively free and practically simple solutions for unpleasant and unnecessary problems is just one of them.

        1. 41R

          Re: Once again .... Once more unto the breach, dear friends, once more

          It's not about skills, science, even cost, it's about 'industry' standards and acceptance. You can be corporation/bank with endless resources and in-house-built-from-scratch comm systems but you still have to use skype/slack/webex because of the others. Same goes for criminals (cartels, etc.), governments and other organizations

          1. amanfromMars 1 Silver badge

            Re: Once again .... Once more unto the breach, dear friends, once more

            It's not about skills, science, even cost, it's about 'industry' standards and acceptance. You can be corporation/bank with endless resources and in-house-built-from-scratch comm systems but you still have to use skype/slack/webex because of the others. Same goes for criminals (cartels, etc.), governments and other organizations .... 41R

            Methinks, 41R, that reveals everything revolves around and is fully dependent upon and also catastrophically vulnerable to skills in users that share greater intelligence via ubiquitous means either both secret and exclusive in a private sector or readily widely available and popular with the masses/public sector.

            And skills in users in that regard is really just a euphemism for prime use of considerably more advanced greater intelligence proving itself to be, to that and those in its sights for intervention, impregnable and problematical. Such though is best realised as being a quite normal default progression in the field.

    3. Milton Silver badge

      Re: Once again ....

      No. The whole point of publishing and widely dissmeinating crypto algorithms and code is to bring the broadest, deepest and most expert range of challengers devoted to knocking it down and finding vulnerabilities.

      I would not trust crypto that only I had authored and only I had the opportunity to analyse for weaknesses. That would be crazy.

      I'd bet you good money that even a guru like Bruce Schneier would say exactly the same. The best crypto is utterly transparent in algorithm and code, and has been hammered away at by experts of every stripe.

      I trust crypto which the world's best minds have tried and failed to break—even knowing exactly how it works.

    4. Graham Cobb

      Re: Once again ....

      It is true that you have to trust whoever provides your (and your communication partners') implementations. So that leaves two sensible approaches for (so-called) non-aligned countries to use for diplomatic cables:

      1) Align themselves with one of the big powers (US, Russia, China) and accept that they will be reading all the traffic and act accordingly. This includes realising that they will decide who they will share it with (which could include their enemies, or even the public. if it served a useful purpose for them).

      2) Find an "independent" supplier with a strong reputation, which it will strenuously protect. Crypto AG, and Switzerland, seemed to meet that criterion. However, it turned out they were proxies of the US after all.

      The biggest damage here is to the Swiss reputation for neutrality. The surprise isn't that Crypto AG was backdoored, it is that the Swiss knew about it and let it continue.

      1. Charles 9 Silver badge

        Re: Once again ....

        "The biggest damage here is to the Swiss reputation for neutrality. The surprise isn't that Crypto AG was backdoored, it is that the Swiss knew about it and let it continue."

        The Swiss reputation for neutrality ended when the US browbeat and threatened Switzerland with sanctions over their vaunted bank account privacy.

        1. Graham Cobb

          Re: Once again ....

          Nah. That's just money. Switzerland's (former) reputation for banking privacy made Switzerland a lot of money, which is now reduced.

          Neutrality, however, threatens the safety of their nationals and maybe even the whole existence of their country. In the 20th century wars it was convenient for all protagonists to have a (small) country that was truly neutral. Now that Switzerland has shown itself allied to the US it has become no better than Spain was in WW2 - maybe not an active protagonist but clearly supporting one side.

          If I was Swiss, living in or visiting Iran or Iraq, I would be a lot more worried about being targetted as a suspected US spy now.

        2. CrazyOldCatMan Silver badge

          Re: Once again ....

          The Swiss reputation for neutrality ended when the US browbeat

          No - it ended years before when they essentially bowed down to Nazi Germany in order to stop themselves being invaded..

          1. Charles 9 Silver badge

            Re: Once again ....

            Got proof? Last I checked, Switzerland is notoriously difficult to invade, given it's smack in the middle of the Alps with few ground passes. Trees you can cut down; it's much harder to deal with a mountain.

        3. This post has been deleted by its author

          1. JimboSmith Silver badge

            Re: Once again ....

            The Swiss still have banking secrecy it's only being broken by whistleblowers. Bradley Birkenfeld is a very wanted man in Switzerland. The banking association basically write the laws regarding this. What the Swiss want you to believe is that they'll cooperate with enquiries about account holders. Good luck with that in practice.

    5. robidy Bronze badge

      Re: Once again ....

      Implementation of a publicly scrutinised algorythm, yes.

      Writing your own from scratch...only if very widely peer reviewed.

  3. Saruman the White

    This is really bad news for some companies. I know one country (I will not mention their name) who built a military satcoms system that use CryptoAG kit to provide COMSEC. They must now be wondering whether their entire communications system has been compromised. Some security bods are going to have a *very* bad month ahead of them.

    1. Antron Argaiv Silver badge
      Coat

      You really do have to admire (in the same way as Madoff's ability to keep a pyramid scheme going well past the time it should have collapsed) the con these guys pulled off.

      Respect to masters of their craft.

      // The one with the dagger in the pocket, natch.

    2. stiine Silver badge
      Black Helicopters

      They don't actually have to wonder, it was, unless it was a 5-eyes member, and then its only very likely that it was compromised.

      Finally a use for that icon ------>

      1. Yes Me Silver badge
        Pirate

        6 eyes?

        "unless it was a 5-eyes member"

        Erm, Germany, the part-owner of Crypto AG for many years, was not and is not in 5-eyes. Also, do you seriously believe that 5-eyes is the only intelligence sharing system in operation?

        1. Roj Blake Silver badge

          Re: 6 eyes?

          Germany is a member of 14 Eyes.

          1. Anonymous Coward
            Anonymous Coward

            Re: 6 eyes?

            Or the Society for Processing Information, Decryption, Extraction and Reporting as it's know.

  4. Daedalus Silver badge

    Almost unnecessary

    People in general being too stupid to live, it's not always necessary to compromise the machines. In "Spycatcher", Peter Wright described how the machines at the French Embassy in London leaked the cleartext as electrical noise over the same phone lines used to send the encrypted messages. Then also there was the US Navy spy who simply purloined the paper tapes used in their machines, which were not secured. As he said "KMart has better security than the Navy".

  5. _LC_ Silver badge
    Alert

    For those who don't know GERMany that well

    The BND is just a GERMan speaking CIA outlet. They helped them to start the war against Iraq, by torturing an Iraqi until he told the lie they want him to tell (see: “Curveball”). They started the war in Sudan for the US, by delivering tanks and other weapons to both sides - “rebels” and government (see: “We’re Going to Take out 7 Countries in 5 Years: Iraq, Syria, Lebanon, Libya, Somalia, Sudan & Iran”). They have been spying on their own (strongly forbidden) for the US. All to no avail.

    So this is why Huawei is so evil, eh?

    1. _LC_ Silver badge

      Re: For those who don't know GERMany that well

      Those *unts are fast! *lol*

    2. crayon

      Re: For those who don't know GERMany that well

      "The BND is just a GERMan speaking CIA outlet."

      They were blasted recently (last couple of years?) for releasing a report to the US before releasing it to the German govt.

  6. Claptrap314 Silver badge

    Spies gonna spy

    I just love how the WaPo works so hard to make this sound immoral. What are spies supposed to do? Limit themselves to pawing through garbage?

    Just because the bullets aren't flying by the tens of thousands does not mean that there isn't a war on.

    To those who have been mock the concerns about Huawei--it's been done before.

    Finally, at a country level, crypto is one of those things that you cannot cheap out on, and you must be VERY careful about outsourcing. If your country is poor, I'm sorry.

    1. Kabukiwookie Silver badge

      Re: Spies gonna spy

      What are spies supposed to do? Limit themselves to pawing through garbage?

      How about acting according to what their governments say they're standing for?

      How are you ever going to trust a government that tramples over all the 'values' it says it stands for whenever it's convenient?

      Aren't we supposed to be the 'good guys'?

      How can you take the moral high ground if you're just as bad (or worse) than the so-called 'bad guys'

      This is pure hypocrisy and hypocrites cannot be trusted with anything. Least of all the freedom and wellbeing of the citizens they are supposed to answer to in a (supposed) democracy.

      1. Brian Miller

        Re: Spies gonna spy

        "moral high ground": There is no high ground in a pig wallow.

        The spies do act for the government they stand for. Thing is, they may stand for a number of governments at any one time. They're just flexible like that.

        1. ds6 Bronze badge
          Gimp

          Re: Spies gonna spy

          Oh yeah baby, I do swing both ways... After all, no matter how you look at it, someone's getting it up theirs.

          — Unknown CIA asset, undercover sex worker

      2. Claptrap314 Silver badge

        Re: Spies gonna spy

        The question of, "who do we trust enough not to **** us that we don't need to worry about what they are really up to?" is a critical (if uncomfortable) question. If that list is not empty, you need to be spying. The fact that the Germans objected to spying on Italy, which betrayed their government in both World Wars is...touching? hilarious? sad? Allies and friends are not the same thing. You don't spy (much) on your friends.

        But if you trust people to be good to you because they say so, your expected lifespan as a nation is quite limited.

        1. Adelio

          Re: Spies gonna spy

          T.B.H. I am not toooo concerned about spy agencies spying on me, as long as it concerned with terrorism, it is more about EVERY OTHER Goverment agency that would want AND get access to all that lovely information and then letting all their industry friends have it as well (for a price or free)

      3. Someone Else Silver badge

        Re: Spies gonna spy

        Aren't we supposed to be the 'good guys'?

        Yes. But then Trump and Boris happened.

        Yes, I know that there were serious questions about our good-guy-itude prior to those two ass-hats. But then they happened, and all such questions were answered....

    2. Antron Argaiv Silver badge
      Thumb Up

      Re: Spies gonna spy

      To those who downvoted him...come back after you've read some John Le Carre.

      The normal rules don't apply. Stealing secrets is a dirty, dirty business, and those with morals need to be flexible in the application of them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Spies gonna spy

        No, when you are in the business, "stealing secrets" is not a dirty business, it's just your job. Your boss assures you that it needs to be done for the greater good and it's what your employer pays you for and tells you it's your duty - most of the time you're just doing the work because it needs to be done. There's a reason I'm posting that anonymously because it was once (a very long time ago) my job.

        1. Anonymous Coward
          Anonymous Coward

          Re: Spies gonna spy

          Yeah, right. Just like nazi soldiers/guards were just following orders/doing their jobs...

          1. Anonymous Coward
            Anonymous Coward

            Re: Spies gonna spy

            yep!

            just like merkin, pom, Oz, canuk's and all the others.

            just following orders,

            realy bad thing to hear when you are the one in chains,

            no matter what accent.

        2. Alan Brown Silver badge

          Re: Spies gonna spy

          >> "stealing secrets" is not a dirty business

          90% of the "secrets" are out in the open anyway, for those who care to look and put the pieces together.

          WHich makes it kinda awkward for a spook who accuses someone in open court of blowing open that GCHQ was spying on Turkey to then have it proven that the information being disclosed was actually taken from open sources (including newspapers)..... It's an admission you can't walk back after you've uttered it.

    3. Alan Brown Silver badge

      Re: Spies gonna spy

      " What are spies supposed to do? Limit themselves to pawing through garbage?"

      The vast majority of espionage is done in the public reading rooms of local libraries - looking at local newspapers and correlating stories that don't seem to percolate through to the larger dailies or which seem to abruptly halt, along with checking up on letters to the editor complaining about XYZ activity.

      "Pawing through garbage" is usually done to confirm suspicions rather than to find new stuff.

      As with Duncan Campbell's investigations - there's an awful lot out there in the open that simply needs piecing together - and if you're using "Someone else's crypto" as your sole line of defence then you've probably already been compromised

  7. Wellyboot Silver badge

    The two nations agreed to let Swiss spies in on their secret

    Unless anyone thinks they were let in on the operation because it was "Be nice to the Swiss" week, it sounds to me that the Swiss have a reasonably good security agency over there and found out who the ultimate owners were.

    1. Claptrap314 Silver badge

      Re: The two nations agreed to let Swiss spies in on their secret

      It sounds to me more like, "we don't want to **** off the Swiss, so let's read them in at the beginning". But in either event, I would expect the Swiss to have a pretty solid security service. You really cannot keep their reputation without it.

      1. Doctor Syntax Silver badge

        Re: The two nations agreed to let Swiss spies in on their secret

        "You really cannot keep their reputation without it."

        This hasn't done that reputation much good.

        1. Claptrap314 Silver badge

          Re: The two nations agreed to let Swiss spies in on their secret

          Your understand of their reputation and mine are rather different, apparently.

    2. phuzz Silver badge

      Re: The two nations agreed to let Swiss spies in on their secret

      The Swiss were unlikely to become direct enemies of Germany and the US, so why not chat to some of their top spies, let them in on the idea, and probably sweeten the deal by promising to let them in on anything that might concern them, all they have to do is look the other way...

      What's the chances that the finances for the whole operation went through some Swiss banks as well, that way everyone gets their cut.

  8. Marketing Hack Silver badge
    Joke

    "over a hundred states paid billions of dollars for their state secrets to be stolen"

    So kind of like being a Microsoft shop, then? :)

    (Thank you!! I'm here all week!!!)

    1. Paul Crawford Silver badge
      Devil

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      You are welcome. But I'm here till the end of time =>

  9. cantankerous swineherd Silver badge

    have to wonder about the likes of threema and protonmail trumpeting their swissness...

  10. Long John Silver
    Pirate

    Perhaps I misunderstood but ...

    Some of the discussion concerns feasibility of governments, commerce, etc., creating in-house encryption technology rather than reliance upon external suppliers. I grasp how such reliance may have been necessary for all but very big players during the early Cold War period but not in its latter days nor now.

    Enigma machines were mechanical and, presumably, later variations on the theme were electromechanical. Given expected large traffic flow, pre-WW2 encryption/decryption using cypher clerks with pencil and paper became impracticable, so mechanical aids were introduced. Design and manufacture was both a highly skilled task and very expensive. Recipients of these devices would indeed be unwise to attempt their own modifications to the mechanism, there being risk of a botched job increasing vulnerability rather than improving security.

    Gradual post-WW2 introduction of digital computers could not at its early stages easily benefit people engaged in encrypted/obfuscated communication. National agencies in some NATO countries and in the USSR immediately latched onto the new technology as aid to breaking encryption but rarely could deploy it to enhance encryption when messages were transmitted between local 'head office' and remote outposts; early digital computers were expensive, took up a lot of space, were temperamental, and required dedicated technicians to keep them operating: hardly things to be installed in the average embassy and consulate. Similarly, for military communication it may have been feasible to house digital computers on aircraft carriers for secure communication with base but not on aircraft, submarines, or with mobile ground forces.

    Only upon advent of minicomputers and especially of what now are known as desktop devices could centres communicate at higher levels of security with peripheries, and could outstations thus communicate amongst themselves.

    Software mediated encryption/decoding changed the game utterly. It cannot have been widespread much before the 80's and soon thereafter it became common in commercial settings and eventually for individual users. As someone here mentioned, home-brew encryption algorithms are fraught with dangers unless devised, and evaluated, by highly skilled and experienced people. However, there is little need for this other than in centres like the NSA, GHQ, and equivalents elsewhere. Open source algorithms, most scrutinised by many people outside state agencies, have been available for three decades and more. None such can be declared free of vulnerabilities, these either intrinsic or arising from a range of code-breaking techniques some of which are brute force and others more subtle; as supercomputer technology advances and becomes more cheaply available then so must feasibility of even brute force methods.

    Yet, that's not the point. Nobody, professional or amateur, need fiddle with extant algorithms or attempt to make new ones in a hurry. A set of algorithms can easily be assembled to sequentially encrypt/decrypt. Indeed, this nowadays is commonly done. For very secure communication among designated individuals the chosen algorithms and their order of use can be kept private. For general use, openly published combinations offer considerable resistance to brute force attack. Nowadays simple 'consumer' devices are capable of immensely complicated computation with multiple algorithms.

    One assumes agencies intent on decrypting private communications (military, diplomatic, commercial, personal, and criminal) have developed elaborate automated means for digging into encrypted communications to gain insight into the techniques used and to best target known means of attack. However, even these tools can be stymied, as we shall see, by very simple means when communication is between designated persons/agencies (e.g. embassies) each in possession of the master template.

    What fool would these days use letter substitution? A non-fool might incorporate this obfuscation technique in his sequence of algorithms. What's more letter mappings could be triggered to differ according to some simple circumstance dictated by the message sender and known to the recipient. Incorporating naive obfuscation methods, of which there are many, into sequential encryption makes more difficult the task of code-breakers imagining their opponents to be highly technologically orientated. Another, rather better, simple minded approach entails taking the entire message as a sequence of binary digits and then interleaving the digits according to specified (changeable between messages) rules. Even should the attacker be able to break complicated individual algorithms by subtle means he is obliged to consider need for brute force at unspecified stages in the decryption process; the longer the message (perhaps padded) the greater the force needed. The upshot being of simple obfuscation, not necessarily resource intensive, adding confusion to the mix.

    1. Peerie

      Re: Perhaps I misunderstood but ...

      The spy agencies don't really need your crypto keys since they already own the operating system, be it Windows, Unix or whatnot.

      But they like to collect them just the same. Do you remember that five years ago the NSA & British GCHQ hacked a SIM card maker to steal encryption keys.

    2. Cave-Homme

      Re: Perhaps I misunderstood but ...

      “What fool would these days use letter substitution?“

      These “fools” who are yet to be deciphered, some after hundreds of years?

      https://en.wikipedia.org/wiki/Category:Undeciphered_historical_codes_and_ciphers

    3. Arthur Daily

      Re: Perhaps I misunderstood but ...

      You DONT have to roll your own. WireGuard / Salsa is sufficient if you have good key hygiene.

      Paranoid? Other crypto libraries are available. Just make sure you compile SSL and ONLY have three or so algorithms and nothing to fall back to. The three letter mobs have enjoyed complicated protocol fallbacks and defective checksum/certificate checking . Failing that, auto updates can be another way in for difficult punters. Plus horrible 'Management' chips on the motherboards. That screams compromised.

      Plus the IOT thing means you can impose a raspberry PI as a pass through router/encryption box with keys on USB sticks that NEVER touch your main computer. But if paranoid, compile a passthrough on an obsolete CPU type with no baggage, no onboard bootstraps, and no cpu buffer speculative execution leaks such as MIPS.

      Then get a zener diode and a transistor and generate lots of random noise, and pretend to swap torrents. If you buy off the shelf, all bets are off.

    4. phuzz Silver badge

      Re: Perhaps I misunderstood but ...

      "Enigma machines were mechanical and, presumably, later variations on the theme were electromechanical."

      Enigma machines were electro-mechanical. Each of the code wheels was full of wires, and each time it turned it changed what was (electricially) connected where, thus scrambling the input.

  11. First Light

    Ireland?

    I assume spying on Ireland had to do with NI-related stuff. Otherwise in the old days, I can't see how it was that interesting (I grew up there).

    Nowadays with all the data centres, it might be worth a look-see from an intelligence agency's perspective.

    1. GrumpyKiwi

      Re: Ireland?

      Also Ireland is not, and never has been a NATO member.

      1. Yet Another Anonymous coward Silver badge

        Re: Ireland?

        So it was important to know, in the event of a Nato/cccp thermonuclear war in Europe, which bloc Eire would throw its military weight behind

        1. GrumpyKiwi

          Re: Ireland?

          Yes those 10 armoured cars and five aircraft would make a real difference.

  12. Version 1.0 Silver badge
    Big Brother

    It is not news

    Come on, you would have to be a typical innocent to have ever thought that every encryption corporation was not "owned" in some way. Every government is pushing for backdoors in all encryption methods because they can't break the encryption - MRDA applies and has always applied.

    But encryption is OK, most common encryption methods are not broken in public at least - you might be safe from the wife, your employer, or the police but someone somewhere can read it if they want to but they are never going to admit it in public.

    1. Anonymous Coward
      Anonymous Coward

      Re: It is not news

      "Come on, you would have to be a typical innocent to have ever thought that every encryption corporation was not "owned" in some way."

      Um...what about THEIR OWN communications? Don't they want THOSE to be secure? And they can't trust ANY encryption with a backdoor to remain secure because they always have to worry about a double agent.

  13. Anonymous Coward
    Anonymous Coward

    What's so bad about private ciphers?

    1. Just use a book cipher. One of the Beale Papers has still not been deciphered after more than 100 years.

    2. Make sure that the message has unknowable end points (such as a post in El Reg -- from an AC, readable by who-knows-who).

    *

    0mWt1CZe1LuS0WCe14SX0j8A12dO0i9H1Bkg0w27

    10V11H3G01BS0zcr1D8b0BOu19l71Hxo0dso1X6O

    0XvY08Y90E9Q1PZG1AL61Zk=1Xn21XUu1iMr1V4Y

    1VOg17CB09Y1095Y0osf0byJ0i0e0X4F0Ucc0VQc

    0kjV0w3O18Br04XO0f$x1LuZ11yg0Olk0s6z0ouP

    0Lwm0wIn0P220RcK14eT0heb1jY$16Z50MrH0Nvc

    0Xsz17421UhC0hBs0ISx0U$q0NqD0wK51MGK171X

    0=Po0oCz1SOG1n0C1j0o1MQg0S=A16Uy0yRD0fyn

    18fo17CI1M3W1gwO0k480Zzi1Iub0XFy0Asd0lBW

    0sxL1Exg1maQ0K3q1hfP1CBR0mW71Blu0LRH0KdX

    0bvb0qco0XTn0j2$1MEq0J=Y1emt0Ww30zfH1PP0

    1ReF0atJ0OqQ1WdZ0UtS05FN0nY=12ve1DzZ1XlR

    05yb0sTr02oF1E2Q0oC21dg01Vu$0vLH0=3D0vwT

    0Sv50Xys0yy11VD81cB2163g0XOd0o1=08dH1LQ=

    12ZE0M$X0VVg02ke1HjU1H9y0=cm0H4M0=rg0PSe

    0tSq1JLI0x4M0AET1kS30NiD1eVq1Lms19r30WOn

    0W2S0x6V0jDG0sil0$C41V6Y10Ki1Zbr0VHR0VY8

    05cS09ew1WSb0RIn1B$j0UhW1liB0H$B19K71aPN

    1J6l0Xum1TJQ0gWc0qJg0TgI0qtL05$G1LIq0C7I

    1cKT1iXx1L4j0TIw0fZb0lln0CdA05IF1fgD1F13

    0c8P086H1JJJ18531GyW00P00GE40P9Y

    *

    1. Anonymous Coward
      Anonymous Coward

      Re: What's so bad about private ciphers?

      1. If one of the Beale Papers hasn't been decoded by now, odds are it can never be decoded as the key to it has probably been lost, meaning it's useless.

      2. The key to a book cipher is to use something all parties have in common, and it pretty much can't be something an outside party has access (so nothing available to the Library of Congress, for example; it would have to be something like an unpublished text). As for dead-dropping, the availability of timestamping just about anything on the Internet, publicly-posted or not, can allow for time correlation, which is one known way of identifying accomplices.

      PS. How resistant is a book cipher against a quantum computer and Shor's Algorithm?

      1. Anonymous Coward
        Anonymous Coward

        Re: What's so bad about private ciphers?

        Item #1. The point is that the message has not been deciphered IN PUBLIC. This does not mean that no one has read it....SOMEONE out there may know what it says! So....not necessarily "useless"!

        Item #2. Shor's Algorithm is about finding the prime factors of some huge number...i.e. looking to break ciphers like PGP or RSA. But suppose a book cipher is used......no huge prime numbers. And suppose that the book has been randomised. In that case the snooper (if they know which book) has to search through a very large number of possible random sequences. In the case of a "book" like linux.words, the number of possible random sequences is a number two million decimal characters long. Good luck with that!

        *

        And you ddn't comment about unknown end points. Having the deciphered message is one thing....knowing who is involved is quite another thing.

  14. Arachnoid

    Without a key the source is difficult

    "Is de Gaulle's prick//Twelve inches thick//Can it rise//To the size//Of a proud flag-pole//And does the sun shine//From his arse-hole?"

  15. Steve Crook

    Explosive docs?

    So Q has been at it again?

  16. Mike 137 Silver badge

    So much for banning Huawei

    In view of the US ban on Huawei kit, the message seems to be "Only we are allowed to spy on people". Gooooooogle seem to be saying much the same when they bark about the importance of user privacy. What a world we've inherited.

  17. Arachnoid

    dead-dropping

    Set up a battery powered pseudo mobile Wifi Hotspot near say the local Mcdonalds with onboard storage , all the sender and recipient has to do is log in to transfer the data with little risk of interception as it never hits the NSA internet servers.

    1. Graham Cobb

      Re: dead-dropping

      Doesn't sound any better than just leaving the SD card in a flowerpot outside said McDonalds. If the opposition know it is there it is trivial for them to replace with their own hotspot and capture all sorts of info about the device which connect to it. If they don't, then the sdcard on the ground is just as good.

  18. Toilet Duk

    And this why I trust no electronic comms whatsoever. Every VPN, every "secure" service is compromised, usually by design. Face-to-face communications, couriers and one-time pads are the way to go.

    1. Claptrap314 Silver badge

      Key management for one-time pads is a bear.

      Just sayin'.

    2. Anonymous Coward
      Anonymous Coward

      Not to mention face-to-face communications may have you seeing Mallory or Gene pretending to be Bob. Plus couriers and even top-tier men can be tailed or doubled. Remember how they got bin Laden...

  19. one crazy media

    Lesson is very simple.

    It is known fact that every country spies on every other country, friend of foe.

    If you want to keep your national secrets, secret make your own.

    This is not the end or the beginning and spying will continue unabated and intensively.

    No one trusts anyone.

    We humans are selfish, greedy untrustworthy animals!

  20. Jake Maverick

    old news...but these days it's irrelevant as their isn't an operating system available that hasn't been compromised/ back doors builtin by these 'people' :-(

  21. John Savard Silver badge

    Out of Control

    I have to wonder why this was leaked.

    It's not as if you can call it whistleblowing. This isn't the CIA or NSA doing something that involves monitoring ordinary citizens of the U.S. to create a surveillance state - or even ordinary citizens of other countries. This is eavesdropping on the secret communications of foreign governments, particularly including hostile ones.

    I thought that constitutes doing their job. So what is the motive for the leak? To ruin Donald Trump's morning? To make a big spectacle of Trump going after their source that is presumed to be damaging to him electorally?

    It would serve the public interest if thie were evidence the CIA and/or NSA were out of control, trying to subvert U.S. democracy. There doesn't appear to be anything of the sort to see here, however.

    1. Claptrap314 Silver badge

      Re: Out of Control

      Embarrassing Republican administrations is a WaPo specialty.

    2. werdsmith Silver badge

      Re: Out of Control

      I would say that the timing of the revelation is interesting considering what’s going on with Huawei right now.

  22. Anonymous Coward
    Anonymous Coward

    RE. Out of Control

    I note that the folks at Cheltenham have yet to decode the chip(s) I sent them.

    Intriguingly it suggested a possible BIOS, optical drive and USB malware that is otherwise unknown and alas I sent them the only sample that wasn't in use (now isolated and offline!)

    Not sure but could the issue with FTDI have been some sort of experiment that went wrong? It was once suggested that the whole FTDIGate fiasco was actually a secret project to prevent counterfeit chips with possible embedded spyware from stealing valuable information.

  23. herman Silver badge
    Black Helicopters

    Old hat

    This is very old news - fossilized fish wrap. It was documented in Cryptome - remember Cryptome grampaw? Yes, it is that old.

  24. HammerOn1024

    Ladies and Gentleman...

    Ladies and Gentleman... HAHAHAHAHAHAHHAHAHAHAHAHAHahahaahahaahahaahahaha!

    AAAAAAahahhahahahahaahahahahahahahahahahahahahahahaahahahahahahaaaaa!

    <falls to floor>

    SUCKERS!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020