back to article Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Swiss encryption machine company Crypto AG was secretly owned by the CIA and a West Germany spy agency at the height of the Cold War, according to explosive revelations in Swiss and German media today. Although rumours had swirled for decades around Crypto AG and the backdooring of its products by the West – cough, cough, NSA …

Page:

  1. Pascal Monett Silver badge
    Trollface

    "over a hundred states paid billions of dollars for their state secrets to be stolen"

    So, success then !

    And, obviously, it is a "different company" with a "different owner, different management and a different strategy" and found the reports very "distressing"

    Yeah, I'll bet. Their yearly result is likely going to find things "distressing" as well.

    1. TReko Silver badge

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      makes you wonder about other Swiss privacy and encryption companies, like Proton Mail?

      1. robidy
        Joke

        Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

        But the Chinese didn't know and would never pressure Huawai to do this in the past, present or future. Only the Americans and West Germans would do this ha ha.

        Obviously I'm poking fun at the UK Gov't.

        1. Evil Auditor Silver badge

          Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

          Huawai, Crypto AG or whomever you choose to trust - if it's going to protect my top-secret secrets, I'm not trusting one maker alone. If the information to be protected is that precious, I should probably invest in another layer.

          Now you just have to find independent manufacturers that do not conspire...

      2. Roj Blake Silver badge

        Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

        Or indeed their German counterparts, like Tutanota.

    2. anonymous boring coward Silver badge

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      The new owner should go back to the seller and sue their arses off.

    3. JCitizen
      FAIL

      Re: "over a hundred states paid billions of dollars for their state secrets to be stolen"

      And NSA expects us to just roll over and let them do it some more with today's encryption. They would be better off just doing some old fashion gum shoe work, and do what hackers do - infect the devices with malware to spy on the end points. It is probably even more effective, because it keeps the enemy guessing at just how much the opposition knows. Nation state bad actors have been doing it successfully for decades.

  2. This post has been deleted by its author

    1. Claptrap314 Silver badge

      Re: Once again ....

      We go through this every time. Unless "you" have the education--which would be a PhD in Algebra (one particular branch of mathematics) with some post-doc in crypto, "you" don't have the ability to make a secure cyper, period.

      Rough quote from a discussion between Phil Zimmerman and someone at the NSA.

      "We don't let anyone design algorithms until they have 'earned their bones' breaking them for a decade." I remarked that that would disqualify almost everyone. "Indeed. And that makes our work so much easier."

      1. Anonymous Coward
        Anonymous Coward

        Re: Once again ....

        There is a large difference between designing a cipher and implementing one. I have designed ciphers, however, I am not skilled enough to implement them. My collaborators did that. Teamwork – it’s a beautiful thing.

      2. Anonymous Coward
        Anonymous Coward

        Re: Once again ....

        Education is not the same as intelligence.

      3. John Savard

        Re: Once again ....

        Designing a secure cipher is not that hard, provided it's just a secret-key cipher. Of course, secret-key ciphers without a wy to distribute keys securely are next to useless in today's digital world.

        1. Michael Wojcik Silver badge

          Re: Once again ....

          Designing a secure cipher is not that hard, provided it's just a secret-key cipher.

          It's not trivial, either. If it's a block cipher, is it hardened against differential and linear cryptanalysis? What combining mode are you using? If it's a stream cipher, does it suffer from the sort of higher-order correlations that took down RC4? (It's worth noting that RC4's weaknesses are not intuitively obvious; it might be the simplest reasonably-strong machine cipher ever invented.)

          Implementation is worse. Is your implementation secure against timing side channels? Is it secure against generic errors (out-of-bounds operations, for example) which could compromise it?

          Also, key distribution isn't necessarily a problem, because secure anonymous key exchange is available, if you have some post-Kx or out-of-band way to verify identity. PKI isn't the only solution to the key-distribution problem.

          1. Alan Brown Silver badge

            Re: Once again ....

            "PKI isn't the only solution to the key-distribution problem."

            Nonetheless it's a fairly good one - after describing how PGP worked to a few people who happened to be retired spooks, the response I got was "we were doing that in the 1950s. Has it taken this long to catch up?"

    2. 41R

      Re: Once again ....

      You can't write something from scratch and use it for communication with other countries...just like you have to use whatsapp/viber/messenger/telegram/etc. instead of your own messaging app

      1. amanfromMars 1 Silver badge

        Re: Once again .... Once more unto the breach, dear friends, once more

        You can't write something from scratch and use it for communication with other countries...just like you have to use whatsapp/viber/messenger/telegram/etc. instead of your own messaging app .... 41R

        Oh? I think one certainly can, 41R, for you have done practically all of that here for everywhere else with your offering above on El Reg.

        IT aint rocket science, for it is much more complicated than that but some things are kept extremely easy for all the best of perfect reasons .......... and relatively free and practically simple solutions for unpleasant and unnecessary problems is just one of them.

        1. 41R

          Re: Once again .... Once more unto the breach, dear friends, once more

          It's not about skills, science, even cost, it's about 'industry' standards and acceptance. You can be corporation/bank with endless resources and in-house-built-from-scratch comm systems but you still have to use skype/slack/webex because of the others. Same goes for criminals (cartels, etc.), governments and other organizations

          1. amanfromMars 1 Silver badge

            Re: Once again .... Once more unto the breach, dear friends, once more

            It's not about skills, science, even cost, it's about 'industry' standards and acceptance. You can be corporation/bank with endless resources and in-house-built-from-scratch comm systems but you still have to use skype/slack/webex because of the others. Same goes for criminals (cartels, etc.), governments and other organizations .... 41R

            Methinks, 41R, that reveals everything revolves around and is fully dependent upon and also catastrophically vulnerable to skills in users that share greater intelligence via ubiquitous means either both secret and exclusive in a private sector or readily widely available and popular with the masses/public sector.

            And skills in users in that regard is really just a euphemism for prime use of considerably more advanced greater intelligence proving itself to be, to that and those in its sights for intervention, impregnable and problematical. Such though is best realised as being a quite normal default progression in the field.

    3. Milton

      Re: Once again ....

      No. The whole point of publishing and widely dissmeinating crypto algorithms and code is to bring the broadest, deepest and most expert range of challengers devoted to knocking it down and finding vulnerabilities.

      I would not trust crypto that only I had authored and only I had the opportunity to analyse for weaknesses. That would be crazy.

      I'd bet you good money that even a guru like Bruce Schneier would say exactly the same. The best crypto is utterly transparent in algorithm and code, and has been hammered away at by experts of every stripe.

      I trust crypto which the world's best minds have tried and failed to break—even knowing exactly how it works.

    4. Graham Cobb Silver badge

      Re: Once again ....

      It is true that you have to trust whoever provides your (and your communication partners') implementations. So that leaves two sensible approaches for (so-called) non-aligned countries to use for diplomatic cables:

      1) Align themselves with one of the big powers (US, Russia, China) and accept that they will be reading all the traffic and act accordingly. This includes realising that they will decide who they will share it with (which could include their enemies, or even the public. if it served a useful purpose for them).

      2) Find an "independent" supplier with a strong reputation, which it will strenuously protect. Crypto AG, and Switzerland, seemed to meet that criterion. However, it turned out they were proxies of the US after all.

      The biggest damage here is to the Swiss reputation for neutrality. The surprise isn't that Crypto AG was backdoored, it is that the Swiss knew about it and let it continue.

      1. Charles 9

        Re: Once again ....

        "The biggest damage here is to the Swiss reputation for neutrality. The surprise isn't that Crypto AG was backdoored, it is that the Swiss knew about it and let it continue."

        The Swiss reputation for neutrality ended when the US browbeat and threatened Switzerland with sanctions over their vaunted bank account privacy.

        1. Graham Cobb Silver badge

          Re: Once again ....

          Nah. That's just money. Switzerland's (former) reputation for banking privacy made Switzerland a lot of money, which is now reduced.

          Neutrality, however, threatens the safety of their nationals and maybe even the whole existence of their country. In the 20th century wars it was convenient for all protagonists to have a (small) country that was truly neutral. Now that Switzerland has shown itself allied to the US it has become no better than Spain was in WW2 - maybe not an active protagonist but clearly supporting one side.

          If I was Swiss, living in or visiting Iran or Iraq, I would be a lot more worried about being targetted as a suspected US spy now.

        2. CrazyOldCatMan Silver badge

          Re: Once again ....

          The Swiss reputation for neutrality ended when the US browbeat

          No - it ended years before when they essentially bowed down to Nazi Germany in order to stop themselves being invaded..

          1. Charles 9

            Re: Once again ....

            Got proof? Last I checked, Switzerland is notoriously difficult to invade, given it's smack in the middle of the Alps with few ground passes. Trees you can cut down; it's much harder to deal with a mountain.

        3. This post has been deleted by its author

          1. JimboSmith

            Re: Once again ....

            The Swiss still have banking secrecy it's only being broken by whistleblowers. Bradley Birkenfeld is a very wanted man in Switzerland. The banking association basically write the laws regarding this. What the Swiss want you to believe is that they'll cooperate with enquiries about account holders. Good luck with that in practice.

    5. robidy

      Re: Once again ....

      Implementation of a publicly scrutinised algorythm, yes.

      Writing your own from scratch...only if very widely peer reviewed.

  3. Saruman the White Silver badge

    This is really bad news for some companies. I know one country (I will not mention their name) who built a military satcoms system that use CryptoAG kit to provide COMSEC. They must now be wondering whether their entire communications system has been compromised. Some security bods are going to have a *very* bad month ahead of them.

    1. Antron Argaiv Silver badge
      Coat

      You really do have to admire (in the same way as Madoff's ability to keep a pyramid scheme going well past the time it should have collapsed) the con these guys pulled off.

      Respect to masters of their craft.

      // The one with the dagger in the pocket, natch.

    2. stiine Silver badge
      Black Helicopters

      They don't actually have to wonder, it was, unless it was a 5-eyes member, and then its only very likely that it was compromised.

      Finally a use for that icon ------>

      1. Yes Me Silver badge
        Pirate

        6 eyes?

        "unless it was a 5-eyes member"

        Erm, Germany, the part-owner of Crypto AG for many years, was not and is not in 5-eyes. Also, do you seriously believe that 5-eyes is the only intelligence sharing system in operation?

        1. Roj Blake Silver badge

          Re: 6 eyes?

          Germany is a member of 14 Eyes.

          1. Anonymous Coward
            Anonymous Coward

            Re: 6 eyes?

            Or the Society for Processing Information, Decryption, Extraction and Reporting as it's know.

  4. Daedalus

    Almost unnecessary

    People in general being too stupid to live, it's not always necessary to compromise the machines. In "Spycatcher", Peter Wright described how the machines at the French Embassy in London leaked the cleartext as electrical noise over the same phone lines used to send the encrypted messages. Then also there was the US Navy spy who simply purloined the paper tapes used in their machines, which were not secured. As he said "KMart has better security than the Navy".

  5. _LC_
    Alert

    For those who don't know GERMany that well

    The BND is just a GERMan speaking CIA outlet. They helped them to start the war against Iraq, by torturing an Iraqi until he told the lie they want him to tell (see: “Curveball”). They started the war in Sudan for the US, by delivering tanks and other weapons to both sides - “rebels” and government (see: “We’re Going to Take out 7 Countries in 5 Years: Iraq, Syria, Lebanon, Libya, Somalia, Sudan & Iran”). They have been spying on their own (strongly forbidden) for the US. All to no avail.

    So this is why Huawei is so evil, eh?

    1. _LC_

      Re: For those who don't know GERMany that well

      Those *unts are fast! *lol*

    2. crayon

      Re: For those who don't know GERMany that well

      "The BND is just a GERMan speaking CIA outlet."

      They were blasted recently (last couple of years?) for releasing a report to the US before releasing it to the German govt.

  6. Claptrap314 Silver badge

    Spies gonna spy

    I just love how the WaPo works so hard to make this sound immoral. What are spies supposed to do? Limit themselves to pawing through garbage?

    Just because the bullets aren't flying by the tens of thousands does not mean that there isn't a war on.

    To those who have been mock the concerns about Huawei--it's been done before.

    Finally, at a country level, crypto is one of those things that you cannot cheap out on, and you must be VERY careful about outsourcing. If your country is poor, I'm sorry.

    1. Kabukiwookie

      Re: Spies gonna spy

      What are spies supposed to do? Limit themselves to pawing through garbage?

      How about acting according to what their governments say they're standing for?

      How are you ever going to trust a government that tramples over all the 'values' it says it stands for whenever it's convenient?

      Aren't we supposed to be the 'good guys'?

      How can you take the moral high ground if you're just as bad (or worse) than the so-called 'bad guys'

      This is pure hypocrisy and hypocrites cannot be trusted with anything. Least of all the freedom and wellbeing of the citizens they are supposed to answer to in a (supposed) democracy.

      1. Brian Miller

        Re: Spies gonna spy

        "moral high ground": There is no high ground in a pig wallow.

        The spies do act for the government they stand for. Thing is, they may stand for a number of governments at any one time. They're just flexible like that.

        1. ds6 Silver badge
          Gimp

          Re: Spies gonna spy

          Oh yeah baby, I do swing both ways... After all, no matter how you look at it, someone's getting it up theirs.

          — Unknown CIA asset, undercover sex worker

      2. Claptrap314 Silver badge

        Re: Spies gonna spy

        The question of, "who do we trust enough not to **** us that we don't need to worry about what they are really up to?" is a critical (if uncomfortable) question. If that list is not empty, you need to be spying. The fact that the Germans objected to spying on Italy, which betrayed their government in both World Wars is...touching? hilarious? sad? Allies and friends are not the same thing. You don't spy (much) on your friends.

        But if you trust people to be good to you because they say so, your expected lifespan as a nation is quite limited.

        1. Adelio

          Re: Spies gonna spy

          T.B.H. I am not toooo concerned about spy agencies spying on me, as long as it concerned with terrorism, it is more about EVERY OTHER Goverment agency that would want AND get access to all that lovely information and then letting all their industry friends have it as well (for a price or free)

      3. Someone Else Silver badge

        Re: Spies gonna spy

        Aren't we supposed to be the 'good guys'?

        Yes. But then Trump and Boris happened.

        Yes, I know that there were serious questions about our good-guy-itude prior to those two ass-hats. But then they happened, and all such questions were answered....

    2. Antron Argaiv Silver badge
      Thumb Up

      Re: Spies gonna spy

      To those who downvoted him...come back after you've read some John Le Carre.

      The normal rules don't apply. Stealing secrets is a dirty, dirty business, and those with morals need to be flexible in the application of them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Spies gonna spy

        No, when you are in the business, "stealing secrets" is not a dirty business, it's just your job. Your boss assures you that it needs to be done for the greater good and it's what your employer pays you for and tells you it's your duty - most of the time you're just doing the work because it needs to be done. There's a reason I'm posting that anonymously because it was once (a very long time ago) my job.

        1. Anonymous Coward
          Anonymous Coward

          Re: Spies gonna spy

          Yeah, right. Just like nazi soldiers/guards were just following orders/doing their jobs...

          1. Anonymous Coward
            Anonymous Coward

            Re: Spies gonna spy

            yep!

            just like merkin, pom, Oz, canuk's and all the others.

            just following orders,

            realy bad thing to hear when you are the one in chains,

            no matter what accent.

        2. Alan Brown Silver badge

          Re: Spies gonna spy

          >> "stealing secrets" is not a dirty business

          90% of the "secrets" are out in the open anyway, for those who care to look and put the pieces together.

          WHich makes it kinda awkward for a spook who accuses someone in open court of blowing open that GCHQ was spying on Turkey to then have it proven that the information being disclosed was actually taken from open sources (including newspapers)..... It's an admission you can't walk back after you've uttered it.

    3. Alan Brown Silver badge

      Re: Spies gonna spy

      " What are spies supposed to do? Limit themselves to pawing through garbage?"

      The vast majority of espionage is done in the public reading rooms of local libraries - looking at local newspapers and correlating stories that don't seem to percolate through to the larger dailies or which seem to abruptly halt, along with checking up on letters to the editor complaining about XYZ activity.

      "Pawing through garbage" is usually done to confirm suspicions rather than to find new stuff.

      As with Duncan Campbell's investigations - there's an awful lot out there in the open that simply needs piecing together - and if you're using "Someone else's crypto" as your sole line of defence then you've probably already been compromised

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon