Especially since this was just posted because of a news story that was released yesterday about the exact same thing. The other thread (with an actual current news story) already has 300 comments.
You’re probably wondering why this is relevant right now.
> In 2020, an investigation carried out by the Washington Post, Zweites Deutsches Fernsehen (ZDF), and Schweizer Radio und Fernsehen (SRF) revealed that Crypto AG was, in fact, entirely controlled by the CIA and the BND. The project, initially known by codename "Thesaurus" and later as "Rubicon" operated from the end of the Second World War until 2018.
The fact that Crypto AG was an intelligence front has been publicly known since at least the 1990s [1]. Why did the Washington Post rehash this story recently and pass it off as news? I'm glad that they did, because it spreads awareness - I'm just confused as to why.
Because of the new released documents. It says exactly this in their story. And why is it every time some article comes out about US spying, there is always someone complaining that they knew this all along? Good for you?
It's not that "I knew it all along", it's that this was a well-covered story that was already news in the '90s, based on documents as well, e.g. from the Baltimore Sun:
> For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents.
See also the 1992 news stories about the arrest of Hans Buehler [1], further elaborated in a 1998 article in Covert Action Quarterly [2]:
> The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG's marketing representative in Teheran.
Which newly released documents? Quote the article because I can't find anything.
Every article I'm seeing in the past week refers to documents released in 2015. Why the fuck now? It reeks of public manipulation, especially with the US increasing efforts to convince people not to use Huawei equipment.
From the article you linked to. It is new story because there are new details.
> Many details of the arrangements between Crypto and NSA are not known, including when the rigging began, whether it has ended and which machines were involved. The whole story will be told only when secret U.S. documents are declassified, probably well into the next century.
> Crypto rejects the rigging allegations as an invention by disgruntled former employees and denies that its machines were ever designed or altered according to the suggestions of American spies.
Yeah I can concur. I remember hearing about this looong time ago. More than a decade ago. First time I heard about it was from a speech given by Noam Chomsky.
> Why did the Washington Post rehash this story recently and pass it off as news?
They didn't pass it off as news.
It's a long-form journalism story. This form covers more complex stories and aren't limited to new things that just happened. Stories where the facts come out over time or require multiple perspectives can't always be adequately told through a series of "what's new" updates.
But, still, why? The editors of The Washington Post would have to answer that.
The timing is arbitrary. They could have done it months ago or months from now. The author most likely found it, thought it would make a good story and pitched it to his editors (he is likely planning to turn it into a book if it gets some traction). This kind of thing would be a normal part of a journalists job. (Well, most don't get to do deeper stories like this very often, so he's probably pretty senior -- I just checked and he has a couple Pulitzers, so there you go.) I would guess the editors simply agreed with his pitch.
In short: the timing is arbitrary. The people who do this kind of thing just thought it would be an interesting story to tell, in-depth.
What's scary is if they willingly admitted to this, they've secured other means of decryption. American-owned technology can't be trusted any more than Chinese-owned technology.
Personally, I do however have more faith in the secret agencies of western democracies than China. So all things being equal, right now I'd prefer Americans and Germans spied on me.
Further, you are likely to get people to rally against China's spying, whereas a significant fraction of Americans want you to be spied on (because they can't distinguish between the people and their government).
Rights once given away are nearly impossible to get back. All rights, I might add, not just your right to privacy. You may not care about <thing> today but at some point in the future, you may.
Not really. There is an important difference, in my opinion, between covert surveillance conducted for national intelligence purposes, and surveillance conducted for run of the mill police purposes.
There is no real way around the fact that national intelligence agencies need to conduct mass surveillance of various kinds. National intelligence is a competitive zero sum game, and if we don't do it, others will, and we'll be at a disadvantage.
The same is not true for policing, however. The real danger to citizen rights is when the crossover happens. I'm not worried when the CIA spies on me - i'm worried when the FBI does. I'm worried when the tools of international intelligence get turned to more mundane matters. And I think that is the transition that we have to fight tooth and nail. Fighting the "don't spy on me NSA" battle was lost decades ago, and you were never going to win anyway in any material way. Because even if you could stop the NSA from doing it, every other government in the world would be doing it.
What we need to do is fight to keep that surveillance contained within the international intelligence mission, and not let it creep into domestic policing.
If someone spied on me, I think it being a government in another country not collaborating with my own and very busy keeping up with their own population seems preferabke
Really? Your local government has far more power over you than China does. I wouldn't be nearly as worried about China unless I was worth stealing from, assassinating, or something like that.
Do you mean in addition to the Chinese tapping it the americans are unable to? I would agree if that is what you mean. I would also add that in hindsight, it looks like Huawei is the same arrangement as Crypto.
The UK government argument has been "we're not putting this stuff where a Chinese wiretap would get them anything", as I understand it, it's isolated to low security contexts. And they want Huawei because it's technically superior (needs fewer masts).
The panicky US response makes most sense if the reply they can't say out loud is "but you're putting it in places where it interferes with our wiretapping!"
There's nothing that prevents the US government from hacking Chinese TelCo equipment. Thus I think it's more likely it's about traditional competition. Of course it's cheaper to put a "NOBUS" backdoor than to hack systems and estabilish presistence on Chinese HW.
Not exactly. Don't get confused by false equivalencies.
This company is a problem because it's controlled by an American intelligence agency. The owners knew that was a problem, of course, and went to great lengths to hide that fact. Note that Crypto AG appeared to be a Swiss company, not an American one.
Typical American companies aren't controlled by the CIA or other government agencies.
Typical Chinese companies are substantially controlled by the Chinese government.
It's a rather important difference when trying to figure out the risks of how much you can trust who you work with. There's subterfuge, of course, so there aren't hard and simple rules. This is an exercise in risk management.
It's a rather large mistake to conclude Chinese Owned == American Owned.
No. That's my exact point. The CIA can't just get control of a company because they want to. Not that it's impossible, but there isn't a reliable mechanism for doing so.
They would need to somehow subvert key executives and subvert key employees to convince them to add back doors and keep quiet about it.
Their levers on such people (carrots and sticks, threats and bribes) aren't that easy to deploy either, especially en mass and in the US. There are a lot of legal hurdles. (The CIA has a lot more legal latitude outside the US than in -- that's very likely an important reason AG Crypto is a Swiss company and not an American one.) Not that the CIA always scrupulously follows the law -- they don't -- but they have to be careful about it.
I suppose you can just believe the CIA hits the "pwn" button anytime they like. But that doesn't have anything to do with the way things work.
"Typical American companies aren't controlled by the CIA or other government agencies."
True but that doesn't mean there aren't national interests in play when it comes to information security companies deploying crypto products. Think RSA e.g. who took bribes and implemented Dual EC DRBG -- a backdoored random number generator for a number of their cryptographic systems.
There are most likely others, thus transparency via open source (and verifiability via reproducible builds to split hairs) is necessary to avoid this ever happening again.
> Buehler was interrogated for nine months but, being completely unaware of any flaw in the machines, was released in January 1993 after Crypto AG posted bail of $1m to Iran.[10] Soon after Buehler's release Crypto AG dismissed him and charged him the $1m.
Interesting list. Besides Palantir, I know these: GitLab, Databricks, MemSQL and mongoDB. I don't think "they" are using these to exfiltrate data "Crypto AG" style - I'd be surprised if "big data"/data science wasn't part of their operations, hence it makes sense to invest into some of their core tools. This ensures sustained development and maybe catering to CIA-specific edge cases.
Judging by the company names: Investments into RF companies also are more likely on the "tools we use" instead of the "rigged" side of things. The amount of Biotech makes me assume the decision-makers think this is an emerging market which will make a good investment.
So answering to GP: No, not compromised. I wouldn't be surprised if there were one or maybe even two hiding in plain sight, but I think for each individual company on that list, it is very, very, very unlikely that this specific company is compromised. If you don't trust them, make your sensitive GitLab and MongoDB instances accessible via Intranet/VPN only - but I suppose that's good practice anyway?
It says Crypto AG relocated to Switzerland to escape being nationalised by the Swedish government. How fun then, that it ended up being wholly state owned anyway.
The really good question is: What are they compromising now?
We can't know for sure, but I'd wager that most quantum cryptography companies have been well greased by spy agencies who expect to be paid back in backdoors.
No worries, though, I'm sure intelligence agencies weren't smart enough to get out ahead of things like search, social networks, password storage services and VPNs.
The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.
Ah. That puts the export on cryptography limitations in perspective. Don't allow new tech to compete with the source of a lot of valuable intel.
Related discussion here in WaPo article that broke some of this story: https://news.ycombinator.com/item?id=22297963
Thank you, I knew I’ve seen this already on HN.
This is the 2nd day that an HN post is just a link to a Wikipedia page (yesterday it was the page about the COVID-19 whistle-blower doctor).
It feels obnoxious, expecting the reader to know the context behind the title.
Especially since this was just posted because of a news story that was released yesterday about the exact same thing. The other thread (with an actual current news story) already has 300 comments.
The context is in the article, as with all posts.
Ah, my mistake. I hadn't seen that post. I read about it this morning in a newsletter and figured I would share the Wiki post.
You’re probably wondering why this is relevant right now.
> In 2020, an investigation carried out by the Washington Post, Zweites Deutsches Fernsehen (ZDF), and Schweizer Radio und Fernsehen (SRF) revealed that Crypto AG was, in fact, entirely controlled by the CIA and the BND. The project, initially known by codename "Thesaurus" and later as "Rubicon" operated from the end of the Second World War until 2018.
And the reason this article came out now is CIA and BND sold their stakes in the company so they are no longer relevant
And crypto.com who bought parts of it now gets the bad press.
I guess they refused to play ball.
The fact that Crypto AG was an intelligence front has been publicly known since at least the 1990s [1]. Why did the Washington Post rehash this story recently and pass it off as news? I'm glad that they did, because it spreads awareness - I'm just confused as to why.
[1] https://www.baltimoresun.com/news/bs-xpm-1995-12-10-19953440...
You can be sure it servers someones agenda.
Because of the new released documents. It says exactly this in their story. And why is it every time some article comes out about US spying, there is always someone complaining that they knew this all along? Good for you?
It's not that "I knew it all along", it's that this was a well-covered story that was already news in the '90s, based on documents as well, e.g. from the Baltimore Sun:
> For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents.
See also the 1992 news stories about the arrest of Hans Buehler [1], further elaborated in a 1998 article in Covert Action Quarterly [2]:
> The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG's marketing representative in Teheran.
[1] https://www.upi.com/Archives/1992/03/30/Iran-arrests-Swiss-m...
[2] http://mediafilter.org/caq/cryptogate/
Yet some nations, companies and the later owner weren't convinced that's the case until much later. As the Post's story mentions.
Isn't there a rather significant difference between NSA and CIA+BND?
Which newly released documents? Quote the article because I can't find anything.
Every article I'm seeing in the past week refers to documents released in 2015. Why the fuck now? It reeks of public manipulation, especially with the US increasing efforts to convince people not to use Huawei equipment.
> Every article I'm seeing in the past week refers to documents released in 2015.
That's correct. The documents were reported on by the BBC in 2015 [1], directly linking to the declassified NSA memos [2][3].
[1] https://www.bbc.com/news/uk-33676028
[2] https://www.nsa.gov/public_info/_files/friedmanDocuments/Cor...
[3] https://www.nsa.gov/public_info/_files/friedmanDocuments/Rep...
GDPR blocked in the EU. Any mirror?
https://outline.com/7h4Wfg
many thanks!
From the article you linked to. It is new story because there are new details.
> Many details of the arrangements between Crypto and NSA are not known, including when the rigging began, whether it has ended and which machines were involved. The whole story will be told only when secret U.S. documents are declassified, probably well into the next century.
> Crypto rejects the rigging allegations as an invention by disgruntled former employees and denies that its machines were ever designed or altered according to the suggestions of American spies.
>Why did the Washington Post rehash this story recently
[tinfoil alert] Word going around in Germany is that Tagesschau waited for the CIA to sell their shares (which happened in 2018) [0]
[0] https://blog.fefe.de/?ts=a0bc69cb
Yeah I can concur. I remember hearing about this looong time ago. More than a decade ago. First time I heard about it was from a speech given by Noam Chomsky.
> Why did the Washington Post rehash this story recently and pass it off as news?
They didn't pass it off as news.
It's a long-form journalism story. This form covers more complex stories and aren't limited to new things that just happened. Stories where the facts come out over time or require multiple perspectives can't always be adequately told through a series of "what's new" updates.
But, still, why? The editors of The Washington Post would have to answer that.
The timing is arbitrary. They could have done it months ago or months from now. The author most likely found it, thought it would make a good story and pitched it to his editors (he is likely planning to turn it into a book if it gets some traction). This kind of thing would be a normal part of a journalists job. (Well, most don't get to do deeper stories like this very often, so he's probably pretty senior -- I just checked and he has a couple Pulitzers, so there you go.) I would guess the editors simply agreed with his pitch.
In short: the timing is arbitrary. The people who do this kind of thing just thought it would be an interesting story to tell, in-depth.
What's scary is if they willingly admitted to this, they've secured other means of decryption. American-owned technology can't be trusted any more than Chinese-owned technology.
Personally, I do however have more faith in the secret agencies of western democracies than China. So all things being equal, right now I'd prefer Americans and Germans spied on me.
I'd rather be an American spied on by American secret agencies, than a citizen of China spied on by China.
However, as a citizen and resident of America I'd rather be spied on by China, because it's a lot easier for my own government to make trouble for me.
Further, you are likely to get people to rally against China's spying, whereas a significant fraction of Americans want you to be spied on (because they can't distinguish between the people and their government).
Dont be so sure. Plenty of retribution can be achieved online and unlawfully
The American government is not going to steal your company's secrets and give them to other companies, the Chinese government in fact does.
The US has also engages in economic espionage.
Isn't this just a "...but, I have nothing to hide" argument?
The values of the regimes in control are transient and ever changing. You might be okay with it right now - but maybe not in the near future.
Rights once given away are nearly impossible to get back. All rights, I might add, not just your right to privacy. You may not care about <thing> today but at some point in the future, you may.
Not really. There is an important difference, in my opinion, between covert surveillance conducted for national intelligence purposes, and surveillance conducted for run of the mill police purposes.
There is no real way around the fact that national intelligence agencies need to conduct mass surveillance of various kinds. National intelligence is a competitive zero sum game, and if we don't do it, others will, and we'll be at a disadvantage.
The same is not true for policing, however. The real danger to citizen rights is when the crossover happens. I'm not worried when the CIA spies on me - i'm worried when the FBI does. I'm worried when the tools of international intelligence get turned to more mundane matters. And I think that is the transition that we have to fight tooth and nail. Fighting the "don't spy on me NSA" battle was lost decades ago, and you were never going to win anyway in any material way. Because even if you could stop the NSA from doing it, every other government in the world would be doing it.
What we need to do is fight to keep that surveillance contained within the international intelligence mission, and not let it creep into domestic policing.
If they wanna spy on us without warrants, they should amend the constitution about it; until then, it's treason.
If someone spied on me, I think it being a government in another country not collaborating with my own and very busy keeping up with their own population seems preferabke
It’s almost a False Dilemma - you shouldn’t have to choose between the bad and the worse.
Really? Your local government has far more power over you than China does. I wouldn't be nearly as worried about China unless I was worth stealing from, assassinating, or something like that.
I don't have any trust in any secret agencies :) Their job is literally to deal with all the shady stuff you don't want to see in the news.
Neither China, Germany, nor the USA care about you enough to spy on you.
They only care about what is valuable to protect and advance their geopolitical and commercial interests, which are remarkably similar.
Crypto AG was gold because their products were used by governments and perhaps high level business executives.
Individuals are not the targets here, states are and their preferences may differ according to the prevailing winds of international politics.
I have a strong suspicion this is why they are so down on Huawei, to the point of outright leaning on the British government.
Not because the Chinese are tapping it, but because they aren't.
Do you mean in addition to the Chinese tapping it the americans are unable to? I would agree if that is what you mean. I would also add that in hindsight, it looks like Huawei is the same arrangement as Crypto.
The UK government argument has been "we're not putting this stuff where a Chinese wiretap would get them anything", as I understand it, it's isolated to low security contexts. And they want Huawei because it's technically superior (needs fewer masts).
The panicky US response makes most sense if the reply they can't say out loud is "but you're putting it in places where it interferes with our wiretapping!"
This is probably not accidental.
There's nothing that prevents the US government from hacking Chinese TelCo equipment. Thus I think it's more likely it's about traditional competition. Of course it's cheaper to put a "NOBUS" backdoor than to hack systems and estabilish presistence on Chinese HW.
I'm not sure they willingly admitted it. I read a story[0] that said the information was leaked.
[0] https://www.businessinsider.com/cia-secretly-bought-encrypti...
Not exactly. Don't get confused by false equivalencies.
This company is a problem because it's controlled by an American intelligence agency. The owners knew that was a problem, of course, and went to great lengths to hide that fact. Note that Crypto AG appeared to be a Swiss company, not an American one.
Typical American companies aren't controlled by the CIA or other government agencies.
Typical Chinese companies are substantially controlled by the Chinese government.
It's a rather important difference when trying to figure out the risks of how much you can trust who you work with. There's subterfuge, of course, so there aren't hard and simple rules. This is an exercise in risk management.
It's a rather large mistake to conclude Chinese Owned == American Owned.
You can't say definitely that American companies are or are not controlled by government agencies.
No, you can't. His point is that you can say definitively that Chinese companies are controlled by government agencies, though.
What does "controlled by government agencies" mean?
Well, don't foget In-Q-Tel: the CIA's very own venture capital company. What better way to launder look-away money, or insert code.
Have a gander at the companies they have had their paws on: Palantir, Inktomi, Docker, ArcSight, etc.
[1] https://en.wikipedia.org/wiki/In-Q-Tel
> Typical American companies aren't controlled by the CIA or other government agencies.
Unless the CIA has any interest in them, in which they get pwned pretty quickly.
No. That's my exact point. The CIA can't just get control of a company because they want to. Not that it's impossible, but there isn't a reliable mechanism for doing so.
They would need to somehow subvert key executives and subvert key employees to convince them to add back doors and keep quiet about it.
Their levers on such people (carrots and sticks, threats and bribes) aren't that easy to deploy either, especially en mass and in the US. There are a lot of legal hurdles. (The CIA has a lot more legal latitude outside the US than in -- that's very likely an important reason AG Crypto is a Swiss company and not an American one.) Not that the CIA always scrupulously follows the law -- they don't -- but they have to be careful about it.
I suppose you can just believe the CIA hits the "pwn" button anytime they like. But that doesn't have anything to do with the way things work.
"Typical American companies aren't controlled by the CIA or other government agencies."
True but that doesn't mean there aren't national interests in play when it comes to information security companies deploying crypto products. Think RSA e.g. who took bribes and implemented Dual EC DRBG -- a backdoored random number generator for a number of their cryptographic systems.
There are most likely others, thus transparency via open source (and verifiability via reproducible builds to split hairs) is necessary to avoid this ever happening again.
You should try living for a while in a country with no rule of law and no judicial system. I suspect you would quickly change your views.
> Buehler was interrogated for nine months but, being completely unaware of any flaw in the machines, was released in January 1993 after Crypto AG posted bail of $1m to Iran.[10] Soon after Buehler's release Crypto AG dismissed him and charged him the $1m.
Well that was an asshole move.
So can we assume that companies touched by In-Q-Tel are compromised to the same level as Crypto AG was? I'd like to collate a list.
Well that's easy, they've done it for you: https://www.iqt.org/portfolio/
The number of companies I've never heard of there is quite amazing. I'd really like to know how many of these are about data science/analytics.
Interesting list. Besides Palantir, I know these: GitLab, Databricks, MemSQL and mongoDB. I don't think "they" are using these to exfiltrate data "Crypto AG" style - I'd be surprised if "big data"/data science wasn't part of their operations, hence it makes sense to invest into some of their core tools. This ensures sustained development and maybe catering to CIA-specific edge cases.
Judging by the company names: Investments into RF companies also are more likely on the "tools we use" instead of the "rigged" side of things. The amount of Biotech makes me assume the decision-makers think this is an emerging market which will make a good investment.
So answering to GP: No, not compromised. I wouldn't be surprised if there were one or maybe even two hiding in plain sight, but I think for each individual company on that list, it is very, very, very unlikely that this specific company is compromised. If you don't trust them, make your sensitive GitLab and MongoDB instances accessible via Intranet/VPN only - but I suppose that's good practice anyway?
In-Q-Tel is for companies that spy brazenly and legally without trying to hide it
It says Crypto AG relocated to Switzerland to escape being nationalised by the Swedish government. How fun then, that it ended up being wholly state owned anyway.
The really good question is: What are they compromising now?
We can't know for sure, but I'd wager that most quantum cryptography companies have been well greased by spy agencies who expect to be paid back in backdoors.
No worries, though, I'm sure intelligence agencies weren't smart enough to get out ahead of things like search, social networks, password storage services and VPNs.
Like Facebook taking money from CIA In-Q-Tel?
The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.
Ah. That puts the export on cryptography limitations in perspective. Don't allow new tech to compete with the source of a lot of valuable intel.
A timely reminder that democracies should avoid using voting machines....