loading...

Doing the wrong thing with good intentions

rhymes profile image rhymes ・2 min read

What I'm going to talk about will self destruct in 60 seconds πŸ˜›

I've read an article on Medium called Why the NSA Called Me After Midnight and Requested My Source Code.

The author narrates an episode of his life in which the NSA called him at night because they needed to break into encrypted (256-bit encryption) files on someone's laptop.

The files were encrypted with a piece of shareware software the author wrote. During the call the author find out the files were actually encrypted with the trial version, which, according to him, encrypts "only" with a 40-bit encryption algorithm.

The NSA asked him to turn over the source code so they could decrypt the files quickly.

The author seems to be a genuinely good guy called to do his "civic duty" by the government.

Still, there are a couple of things that bug me. Keep in mind that it was in the year 2000, way before Snowden's revelations or the standoff between Apple and the FBI over iPhones encryption. Probably NSA's reputation was stellar back then.

First: the guy believed the NSA operative right away. He was called at night, so it must have been super urgent. The operative gave little info, so it must have been something life or death. Given that it could have been true and I would have probably fell for the same thing, between the lines I can't possibly not notice the masterful social engineering put in place by the government. They knew where he was, so they must have been aware of this issue with the encrypter files for a while, tracked the info of the software creator and then his movements (he was physically in a place only his family knew about). There were no smartphones back in the day so I can assume knowing at all times where a person is (a person which is not the subject of the investigation) must have been something that was planned (this is my diet of american TV shows put to work). Still, he believed the situation was dire and time was scarce.

The part of the story that really bugs me though is the turning over of the source code of the encryption app. He developed an app to protect users's privacy and then with a phone call to his colleague he undid everything without even thinking deeply that he wasn't just going to help them catch "a bad guy" but he was also giving them the keys to ALL other files encrypted with his program forever and ever.

He humble brags that he receives a mug as a token for his cooperation... A mug!?

He had the best intentions but I believe he did the wrong thing. I'm not sure I could have said no the the NSA if I were in his shoes but I think this article is good food for tought.

What do you think?

Posted on Nov 23 '18 by:

rhymes profile

rhymes

@rhymes

Software developer @ DEV

Discussion

markdown guide
 

In theory having the source code doesn't help with breaking the encryption (unless he made a mistake in the implementation, which could well be what the NSA were hoping to find). So it's not as if he gave them the keys to the kingdom based on a 1am phone call, but it's still not a great look.

 

unless he made a mistake in the implementation, which could well be what the NSA were hoping to find

yeah, I think so. I read the comments on the Medium post (after writing this) and in one he says the cyphers were public domain, but it doesn't really go past that. In another comment he says he probably just saved them a few hours of work (?). In another one yet again he reveals he didn't hand them the entire source code (not enough to compile a working version because he supposedly left out the UX code) "like other people think" (why didn't he say that in the article?). I don't know, it all sounds shady, even his analysis 18 years later :D

I gave up reading comments after that, there's a lot of trolling and name calling involved.

 

For a more inspiring example of "what to do as a security provider when a three-letter agency calls you in the dead of night", there's always Lavabit.

For a more inspiring example of "what to do as a security provider when a three-letter agency calls you in the dead of night", there's always Lavabit.

That took guts! No wonder Proton Mail is based in Switzerland, outside of US and EU.

I'm so glad we don't have three letter agencies in Italy. I mean, we do have intelligence agencies but they have four letters: AISI and AISE. Both used to have 5 letters in their acronyms :D

 

From the article:

He seemed predisposed or prepared for me to say no.

I am more inclined to side with the author in this situation. As you stated, the encryption algorithms are public, very well-known algorithms and the source code should reveal nothing, and the NSA employee asked to see the source code. The agent proved himself as reputable, and he did not demand to see the source code. All he did was ask for help in a matter of national security.

Ask yourself this: if a government agency asked for help in a matter of national security that wasn't about encryption would you help them? For a contrived example, say the FBI showed up and said there was a bomb buried under your house. They could dig to it from the street, or get to it much faster by digging to it from your basement. I think you'd be inclined to let them dig through your basement.

Also, keep in mind that what the NSA asked of the author is not the same as what they asked of Apple. They simply wanted to see the source code for an encryption algorithm here, but they were asking Apply to modify their code and add a backdoor that only the NSA could use. Again, going back to the contrived example, that is more akin to agreeing to let a government agent to live in your basement, so that they are ready to defuse a bomb should one be found. Completely different situation.

 

On the one hand, it's a breach of trust between him and the users of his software. They trusted that by using his software, their data would be safe from anyone who wanted access to it, even if those people were, ignoring any post-Snowden sentiments for the sake of argument, the good guys. On the other hand, a midnight call from the NSA. Tough to stand there on the phone in your jim-jams at one in the morning and "speak truth to power."

I'm with you, though, the timings and the fact that they knew where he was is pretty strange. I wouldn't be surprised if they waited until he was on holiday precisely to catch him off guard and make him more likely to agree to any requests without thinking too deeply about it.

Was there an emergency at all, or did they just want the source code? I expect we'll never know for sure, but I honestly wouldn't be surprised either way.

 

I'm with you, though, the timings and the fact that they knew where he was is pretty strange. I wouldn't be surprised if they waited until he was on holiday precisely to catch him off guard and make him more likely to agree to any requests without thinking too deeply about it.

Exactly. If they knew about the algorithm, knew where he was in the middle of nowhere without a cell phone. Why didn't they way to call him "monday at the office" :D ?

As you say:

we'll never know for sure, but I honestly wouldn't be surprised either way.

 

Me too. Glad I wasn't the only one left a bit uncomfortable there. The author doesn't spend even a moment discussing the ethical gravity - and to be fair, I'm not sure how quickly I'd process a midnight call from the NSA either. But glossing over it in the post-mortem is odd, for sure.

 

But glossing over it in the post-mortem is odd, for sure.

You're right, I didn't think about this. Why are you not writing a more comprehensive article about something like this 18 years later? It seems like he just wanted pats on the back for doing a good thing but he totally didn't expect the backlash on the various aggregating sites knowingly full well how the perspective around helping government agencies breaking into people's computers has changed.

By reading his response in the comments section it seems like he was fine ethically. Again, it was a different time.

 

Agreed, that's how I read it too. It was jarring because as a result of that changed climate I had originally clicked the article expecting an interesting discussion about this exact moral quandary, and instead it wasn't even mentioned in passing.

 

That article popped up in my Pocket recommendations, and the title immediately made me feel a bit weird. Interested to hear everyone's thoughts!

 

Unless security through obscurity is your only protection model, handing over source code wouldn't give them anything.

 

you're right Meghan, unless there were bugs in the implementation as Dian hinted at.

Another thing: the encryption used by the shareware version the laptop had installed was 40 bit and that is subject to brute force. The author of the article hints to information they asked for such as "headers layout" and other things.

I feel like the NSA already was brute forcing the encryption and asked for the source code just to make their lives easier.