1. 84
  2. 27

    Takes us back to the days when we had more trust that the NSA and other institutions were genuinely working to keep America safe. We don’t seem to have that anymore. Were they always doing creepily over-broad surveillance? Are they actually worse now than they were then? Or is it just our trust that’s changed, and they’re still mostly the good guys? Maybe all three are true, I don’t know.

    1. 17

      I mean, yes, they always were doing creepily over-broad surveillance. Many of the old allegations about them have since been confirmed by declassified documents. Long after anyone would care, of course…

      When there’s an alleged abuse of power, though, in general I don’t think it’s all that useful to ask, did this specific set of events happen. Instead, a much better question is: What would stop that from happening? What controls are built into the system to make those actions difficult or impossible? Very often, the answer turns out to be that people are nice and wouldn’t do that. When that’s the answer, I think there’s a problem that needs to be addressed, regardless of what can proximately be proven.

      1. 11

        The “good old days” of trusting the intelligence community were artificially extended because Watergate dominated the news cycles when COINTELPRO came out.

        1. 13

          Were they always doing creepily over-broad surveillance?

          They also installed brutal dictators throughout the world.

          1. 2

            To be fair, that’s mostly been the CIA’s wheelhouse. Different office.

          2. 6

            Takes us back to the days

            The good old days fallacy; longing for a better time that never really existed.

            1. 1

              I’d strongly suggest (re-)watching “The Good American” documentary to understand the impact that 9/11 had on ethics and priorities at the NSA.

            2. 16

              I guess I see this story differently. It feels deeply unethical that anyone would leave quality cryptography out of a “free” version of software that claims to keep you secure... and there’s no proof that the person that the NSA was going after was “bad”. The subconscious threat of what would happen if he withheld his source code is the icing on the cake.

              Another argument (as if another was needed) for no backdoors and open crypto for all.

              1. 12

                unethical that anyone would leave quality cryptography out of a “free” version of software

                2000 was the year that US restrictions on exporting “strong” crypto, including symmetric ciphers with more than 40 bit keys, were fully simplified (IIRC not 100% removed for even a couple of years after that). If the software was developed in the US while crypto export was restricted, it makes sense for the “freely available” internationally distributable version to be 40 bit limited: https://en.m.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#PC_era

                (Plus, if the goal was to sell licenses - at least to US citizens - then I can’t imagine the author kept quiet about the weak encryption in the free version.)

                1. 4

                  This is great context I had no idea about, thank you!

                  1. 2

                    Yeah, I was in high school in the 90s and I remember using “international edition” Netscape and vaguely understanding what that meant, but didn’t really understand it until years later.

                    Like other commenters have said, a different time in many ways…

                    1. 1

                      They’d usually even tell you export configuration was different. Sometimes companies’ attempts to keep keys large and please the NSA got more ridiculous:

                      http://catless.ncl.ac.uk/Risks/19.52.html#subj1

                  2. 2

                    If the NSA can decrypt your encrypted messages just by having access to the source code of the program used to implement the encryption, the conventional wisdom among cryptographers is that that cryptographic system is worthless. Maybe that position is more common now than it was in 2000.

                    Certainly, the idea that the NSA is a legitimate adversary that right-thinking Americans will want to protect their secrets from with strong cryptography is more common now - as Edward Snowden said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

                    1. 14

                      If the NSA can decrypt your encrypted messages just by having access to the source code of the program used to implement the encryption, the conventional wisdom among cryptographers is that that cryptographic system is worthless. Maybe that position is more common now than it was in 2000.

                      I think they wanted the source code to check for any potential bugs that could be used to work around or break the encryption. I don’t think the author claimed that it’s secure because it’s closed source :)

                    2. 1

                      It feels deeply unethical that anyone would leave quality cryptography out of a “free” version of software that claims to keep you secure

                      I suspect it would have been forthcoming about the limitations of the free encryption, given that the aim of the shareware version was to encourage people to pay for the full version. Hiding that fact would hurt sales.

                      From what I’ve read elsewhere: low-bitdepth encryption software was once much more common in some countries due to legal requirements about max bit levels. There might have been a time period where this culturally stuck around and people were still happy with low levels. Not sure, wasn’t in the public computer scene then.

                      Is releasing anything insecure with the word ‘encryption’ on it unethical? Even if it’s labelled as weak? I’m not sure. From the software author’s point of view: he wanted to hook people onto using his software and wanting more of it. From the public’s point of view: nothing but perfect encryption is acceptable.

                      1. 1

                        In my opinion there should be no free version at all if a free version means an insecure version. As we can see in the story there are clearly people who trust the free version even if it might be labeled as weak.

                        But this post is so old I can see how people might have seen security very differently.

                        1. 3

                          The legal regime was different before 2000, and that also was in play, I am sure.

                          1. 1

                            I know quite enough people who would consider weak crypto ok for use cases. For example, preventing family members from reading their diary etc.

                            I don’t have a problem with such a consumer product when it was due to legal constraints and communicated as such.

                      2. 9

                        This was 2000. Public awareness towards the topic was much different than it is today.

                        1. 2

                          Basically, everyone who saw Enemy of the State was really worried unless they read enough James Bamford. Then, the NSA proceeded one leak at a time to undo the goodwill he earned them.

                        2. 5

                          Lesson learned: If SafeHouse was Open Source none of this would have happened.

                          1. 9

                            Considering this is an awesome story to tell at gatherings and he got a free coffee mug, I don’t know that it’s a good argument in favor of Open Source. ;)

                            1. 2

                              yeah, just kidding :)

                          2. 8

                            Nice to see a great story told really well – hook, length, final line all fantastic.

                            1. 3

                              For all I know, they sell those cups in the gift shop.

                              They do .. I have one too :-)