Doing the wrong thing with good intentions

rhymes on November 02, 2018

What I'm going to talk about will self destruct in 60 seconds 😛 I've read an article on Medium called Why the NSA Called Me After Midnight and Req...
 

In theory having the source code doesn't help with breaking the encryption (unless he made a mistake in the implementation, which could well be what the NSA were hoping to find). So it's not as if he gave them the keys to the kingdom based on a 1am phone call, but it's still not a great look.

 

unless he made a mistake in the implementation, which could well be what the NSA were hoping to find

yeah, I think so. I read the comments on the Medium post (after writing this) and in one he says the cyphers were public domain, but it doesn't really go past that. In another comment he says he probably just saved them a few hours of work (?). In another one yet again he reveals he didn't hand them the entire source code (not enough to compile a working version because he supposedly left out the UX code) "like other people think" (why didn't he say that in the article?). I don't know, it all sounds shady, even his analysis 18 years later :D

I gave up reading comments after that, there's a lot of trolling and name calling involved.

 

For a more inspiring example of "what to do as a security provider when a three-letter agency calls you in the dead of night", there's always Lavabit.

For a more inspiring example of "what to do as a security provider when a three-letter agency calls you in the dead of night", there's always Lavabit.

That took guts! No wonder Proton Mail is based in Switzerland, outside of the US and EU.

I'm so glad we don't have three-letter agencies in Italy. I mean, we do have intelligence agencies but they have four letters: AISI and AISE. Both used to have 5 letters in their acronyms :D

 

From the article:

He seemed predisposed or prepared for me to say no.

I am more inclined to side with the author in this situation. As you stated, the encryption algorithms are public, very well-known algorithms and the source code should reveal nothing, and the NSA employee asked to see the source code. The agent proved himself as reputable, and he did not demand to see the source code. All he did was ask for help in a matter of national security.

Ask yourself this: if a government agency asked for help in a matter of national security that wasn't about encryption would you help them? For a contrived example, say the FBI showed up and said there was a bomb buried under your house. They could dig to it from the street, or get to it much faster by digging to it from your basement. I think you'd be inclined to let them dig through your basement.

Also, keep in mind that what the NSA asked of the author is not the same as what they asked of Apple. They simply wanted to see the source code for an encryption algorithm here, but they were asking Apple to modify their code and add a backdoor that only the NSA could use. Again, going back to the contrived example, that is more akin to agreeing to let a government agent live in your basement, so that they are ready to defuse a bomb should one be found. Completely different situation.

 

On the one hand, it's a breach of trust between him and the users of his software. They trusted that by using his software, their data would be safe from anyone who wanted access to it, even if those people were, ignoring any post-Snowden sentiments for the sake of argument, the good guys. On the other hand, a midnight call from the NSA. Tough to stand there on the phone in your jim-jams at one in the morning and "speak truth to power."

I'm with you, though, the timings and the fact that they knew where he was is pretty strange. I wouldn't be surprised if they waited until he was on holiday precisely to catch him off guard and make him more likely to agree to any requests without thinking too deeply about it.

Was there an emergency at all, or did they just want the source code? I expect we'll never know for sure, but I honestly wouldn't be surprised either way.

 

I'm with you, though, the timings and the fact that they knew where he was is pretty strange. I wouldn't be surprised if they waited until he was on holiday precisely to catch him off guard and make him more likely to agree to any requests without thinking too deeply about it.

Exactly. If they knew about the algorithm and knew where he was, in the middle of nowhere without a cell phone, why didn't they wait to call him "Monday at the office" :D ?

As you say:

we'll never know for sure, but I honestly wouldn't be surprised either way.

 

Me too. Glad I wasn't the only one left a bit uncomfortable there. The author doesn't spend even a moment discussing the ethical gravity - and to be fair, I'm not sure how quickly I'd process a midnight call from the NSA either. But glossing over it in the post-mortem is odd, for sure.

 

But glossing over it in the post-mortem is odd, for sure.

You're right, I didn't think about this. Why are you not writing a more comprehensive article about something like this 18 years later? It seems like he just wanted pats on the back for doing a good thing but he totally didn't expect the backlash on the various aggregating sites, knowing full well how the perspective around helping government agencies break into people's computers has changed.

By reading his response in the comments section it seems like he was fine ethically. Again, it was a different time.

 

Agreed, that's how I read it too. It was jarring because as a result of that changed climate I had originally clicked the article expecting an interesting discussion about this exact moral quandary, and instead it wasn't even mentioned in passing.

 

That article popped up in my Pocket recommendations, and the title immediately made me feel a bit weird. Interested to hear everyone's thoughts!

 

Unless security through obscurity is your only protection model, handing over source code wouldn't give them anything.

 

You're right, Meghan, unless there were bugs in the implementation as Dian hinted at.

Another thing: the encryption used by the shareware version the laptop had installed was 40-bit and that is subject to brute force. The author of the article hints at information they asked for such as "headers layout" and other things.

I feel like the NSA already was brute forcing the encryption and asked for the source code just to make their lives easier.
